- Case Number: a20110310.1
- Status: running
Claimants: Mario Lipinski (for CAcert Inc.)
Respondents: UlrichSchroeter (as Arbitrator of case a20100212.2)
Initial Case Manager: UlrichSchroeter
Initial Case Manager 2: AlexRobertson
Case Manager: PhilippDunkel (supervising arbitrator)
Arbitrator: AlexRobertson (in training / under supervision)
- Date of arbitration start: 2012-10-28
- Date of ruling: 2013-03-03
- Case closed: 2013-11-05
Complaint: Appeal on case a20100212.2
- Relief: TBD
Before: Arbitrator AlexRobertson (A), Respondent: UlrichSchroeter (R), Claimant: Mario Lipinski (C), Claimant: CAcert Inc. (C2), Case: a20110310.1
History Log
- 2011-03-10 (issue.c.o) case [s20110310.77]
- 2011-03-12 (iCM): added to wiki, request for CM / A
- 2012-10-25 (iCM2): Note from (C) added
2012-10-28 (A) AlexRobertson takes case as (A) appoints PhilippDunkel as (CM)
- 2012-11-01 (A) Emails from Werner Dworak and Ian Grigg added
- 2012-11-01 (A) Part of email from (R) added
- 2012-11-01 (A) Email from Ian Grigg and (R) added
- 2012-11-01 (A) Intermediate Ruling 1,2,3
- 2012-11-01 (A) Execution 3 added
- 2012-11-02 (A) Objection to IR3 from (R), Response to objection from (A)
- 2012-11-02 (A) Observations regarding IR3 from Ian Grigg, Response to observations from (A)
- 2012-11-03 (A) More Observations regarding IR3 from Ian Grigg, Response to observations from (A)
- 2012-11-06 (A) Email from (R), Response to objection from (A)
- 2012-11-07 (A) Email from Ian Grigg, Response from (A)
- 2012-11-10 (A) Email from Werner Dworak
- 2012-11-10 (A) Email from Ian Grigg, Observation from (A)
- 2012-11-12 (A) Email from Ian Grigg to cacert-board list (filed as Discovery 4A)
- 2012-11-12 (A) Intermediate Ruling 4
- 2013-03-03 (A) Final Ruling
Original Dispute, Discovery (Private Part)
Link to Arbitration case a20110310.1 (Private Part)
EOT Private Part
Discovery 1
- (A) 2012-11-01 From Werner Dworak (CACert Board Member)(email RE: Arbitration case a20110310.1 - Appeal on case a20100212.2 dated 2012-10-29 06:01)
Hello Alex Robertson, > This was an appeal filed by Mario on behalf of CACert Inc regards > R/L/O of deceased members per board motion > https://community.cacert.org/board/motions.php?motion=m20101212.2 Then we should reconsider the working practice of arbitration. On the one side, private information of involved persons should be protected, no doubt. On the other side, everything that is not really private, should be in the public part of an arbitration, so everyone can see what it is about and what is going on. At present, way too much is concealed in the private part, so you see nearly no relevant information. This not only applies to the general public but as well to concerned people that should know more. Alternatively, Board, Support and other parties with a justified concern should have partial or full access to the private part of an arbitration. Kind regards, Werner CAcert Board Member and Support
Intermediate Ruling 1 (confirmed by Supervising-Arbitrator)
- (A) 2012-11-01
- There are no privacy issues apparent in this appeal although there are some in the original case. In accordance with the principle that CACert operates openly, I am moving the elements of this case previously in the private area into the public area.
Original Dispute
---- Forwarded message from Mario Lipinski <mario@cacert.org> --- From: Mario Lipinski <mario@cacert.org> To: support@cacert.org Cc: cacert-board-private@lists.cacert.org Subject: Appeal on case a20100212.2 Date: 2011-03-10 20:50:57 > Dear Support, > > we, CAcert Inc., hereby file a Dispute against the ruling of arbitration > case a20100212.2 [1] as decided by [2]. > > CAcert Inc. is convinved, that taking over all R/L/O of a member is > inappropriate as it might e.g. not be involved in contracts between the > deceases member and other community members and has no influence on > this. Probably most of the R/L/O can be voided. > > However, CAcert Inc. accepts that this special case might introduce new > R/L/O at its disadvantage. This is a risk CAcert Inc. has to carry for > operating a CA, but whether this requires it to be help liable for this > should be decided on a case by case basis. > > A wildcard delegation of R/L/O might introduce R/L/O for CAcert Inc. > which are out of its control and so inappropriate. > > Another issue is that CAcert Inc. was not represented in the dispute. > > As the appeal will have to be handled by the board this introduces a > COI. To maintain the spirit of independence and transparancy of CAcerts > arbitration system, CAcert Inc. directs its powers resulting from § 3.4 > DRP for case a20100212.2 to the arbitrator re-opening the case [3]. > > CAcert Inc. accepts to be bound to the DRP and CCA for this case. > > [1] http://wiki.cacert.org/Arbitrations/a20100212.2 > [2] https://community.cacert.org/board/motions.php?motion=m20101212.2 > [3] https://community.cacert.org/board/motions.php?motion=m20101212.1 > > -- > Mit freundlichen Grüßen / Best regards > > Mario Lipinski > Board member, E-Mail: mario@cacert.org > Arbitrator/Case manager, Internet: http://www.cacert.org > Organisation Assurer (Germany), > Infrastructure team leader, Wiki/Issue admin > CAcert > > Support CAcert: http://www.cacert.org/index.php?id=13 > http://wiki.cacert.org/wiki/HelpingCAcert > > > ---- End forwarded message --- No further infos from within OTRS
Discovery 2
(iCM2) 2012-10-25 - Following received from Mario (C) - Real claimant should probably be secretary@cacert.org as the case was raised on behalf of CAcert inc.
-- Kind Regards Alex Robertson Case Manager ---- Forwarded message from Mario Lipinski <mario@cacert.org> --- From: Mario Lipinski <mario@cacert.org> To: support@cacert.org Subject: Regarding a20110310.1 Date: 2012-07-02 03:00:35 > Hello, > > regarding a20110310.1: please remove myself as claiment. I am no > longer a representative. > > -- > Mit freundlichen Grüßen / Best regards > > Mario Lipinski > Infrastructure Team Leader, E-Mail: mario@cacert.org > Organisation Assurer (Germany), Internet: http://www.cacert.org > Arbitrator / Case Manager > CAcert > > Support CAcert: http://www.cacert.org/index.php?id=13 > http://wiki.cacert.org/wiki/HelpingCAcert > > > ---- End forwarded message ---
Intermediate Ruling 2 (confirmed by Supervising-Arbitrator)
- (A) 2012-11-01
- Mario should never have been named as claimant in this case - at all times it has been clearly filed as "on behalf of CAcert Inc." which organisation is both a legal entity and a member of the CAcert community in its own right and therefore entitled to present this appeal. I therefore release Mario from the role of Claimant (C) and formally join CACert Inc. to the case as claimant and (C2). I invite CACert Inc. to formally nominate a representative, but until such time as a representative is appointed, I will send all communications to board-private-list@
Discovery 3
- (A) 2012-11-01 Received from Ian Grigg (Board member CAcert Inc.)
As per my post of the other day, I think appeals are no longer business of the board. Does this address the issue or am I off-track? New text with Philipp's proposal incorporated and policy decision as below. https://wiki.cacert.org/PolicyDecisions#p20110108 https://svn.cacert.org/CAcert/Policies/DisputeResolutionPolicy.html#s3.4 3.4 Review for Appeal In the event of clear injustices, egregious behaviour or unconscionable Rulings, a review may be requested by filing a dispute. The new Arbitrator reviews the new dispute, re-examines and reviews the entire case, then rules on whether the case may be re-opened or not. If the Review Arbitrator rules the case be re-opened, then the Review Arbitrator refers the case to an Appeal Panel of 3. The Appeal Panel is led by a Senior Arbitrator, and is formed according to procedures established by the DRO from time to time. The Appeal Panel hears the case and delivers a final and binding Ruling.
- 2012-11-01 From (R) - part of an email "RE: Arbitration case a20110310.1 init mailing" dated 2012-10-31 15:45
>> As the appeal will have to be handled by the board this introduces a >> COI. To maintain the spirit of independence and transparancy of CAcerts >> arbitration system, CAcert Inc. directs its powers resulting from § 3.4 >> DRP for case a20100212.2 to the arbitrator re-opening the case [3]. The appeal procedure has been updated in policy voted by policy group https://wiki.cacert.org/PolicyDecisions#p20110108 DRP #3.4 Appeal handled by Arbitrators and is no longer an issue. So current DRP #3.4 supersedes last directs of power given in above order in dispute filing of the appeal.
- (A) 2012-11-01 part of email from Ian Grigg (CACert Inc. Board member)(dated 2012-11-01 01:13)
Let's check out PoP which rules over this issue... 4. DRAFT status 4.1 On completion, a document moves to DRAFT status. 4.2 A DRAFT is a policy-in-effect for the Community and is to be distributed and treated as such. 4.3 As far as the Community is concerned, the DRAFT is policy. Challenges and concerns can be addressed to the policy group, and policy group discussions on a DRAFT may be presented in Dispute Resolution. 4.4 Revisions of DRAFTs must be treated as decisions on the policy group. ... So, the change to appeal method meets 4.4. in that it was a decision of the policy group. However, all of 4 applies to the whole document, not to any individual decisions. See 4.1. Therefore, I think you are right (and I was wrong) ... decisions within the draft process are not sufficient to meet the intent of clause 4.3, that will only be triggered for an entire document going to DRAFT. FWIW, we also saw this happen with the Security Policy. So, why haven't the changes in DRP been finished off? And the document gone to DRAFT? I think it was mostly because I didn't have time to pursue it. That task is open and desperate for some TLC if anyone can help.
- (A) 2012-11-01 email from (R) dated 2012-11-01 02:16
Hi, mhh, > Let's check out PoP which rules over this issue... > 4. DRAFT status > 4.1 On completion, a document moves to DRAFT status. > 4.2 A DRAFT is a policy-in-effect for the Community and is to be distributed and treated as such. > 4.3 As far as the Community is concerned, the DRAFT is policy. Challenges and concerns can be addressed > to the policy group, and policy group discussions on a DRAFT may be presented in Dispute Resolution. > 4.4 Revisions of DRAFTs must be treated as decisions on the policy group. > ... state of DRP => POLICY m20070919.3 https://www.cacert.org/policy/DisputeResolutionPolicy.php so https://www.cacert.org/policy/PolicyOnPolicy.php 5. POLICY status comes in ... ok, in special section 5.2 and 5.3 5.2 Once POLICY, the Community may only challenge the document in Dispute Resolution. 5.3 Policy group may propose changes to a POLICY document in order to update it. When changes move to DRAFT status, they may be included in the POLICY document, but must be clearly indicated within as DRAFT not POLICY. so the next step was https://wiki.cacert.org/PolicyDecisions#p20110108 => Resolved so DRP 3.4 changes are incorporated in DRP as Draft the only problem, no one takes care about to edit the document in another later policy group vote on CPS change https://wiki.cacert.org/PolicyDecisions#p20111113 "CPS #7.1.2 "Certificate Extensions" adjustments" => Resolved have been updated in https://www.cacert.org/policy/CertificationPracticeStatement.php under bug #540 https://bugs.cacert.org/view.php?id=540 by Software-Assessment team upgrade procedure into the policy repository in the critical system. source for the policy group proposal https://wiki.cacert.org/PolicyDrafts/CPSKeyUsageChanges changes incorporated: https://www.cacert.org/policy/CertificationPracticeStatement.php#p7.1 So, why changes that have been voted in by policy group 10 months later have been incorporated into the documents and now are in effect overwrites a clear vote by policy group not yet incorporated into any official document 'caused by mess of an functional update procedure for any policy document that resides under www.cacert.org/policy in the critical system ?!? No one did take care, to pass the policy group vote into the DRP document, but the decision made passed policy group vote 22 months ago see https://wiki.cacert.org/PolicyDecisions Policy Officer shall take care about appropiate document updates, but PO is currently vacant, so references back to Board but did know Board that his duty is to take care about Policy document updates ?!?!? probably not .... so this opens up several questions: 1. why no one did update the document yet ? 2. how can policy in effect varies for one document counts where the other documents policy group vote doesn't count ? Same problem I've had with the OAP document under arbitration case https://wiki.cacert.org/Arbitrations/a20120121.1 where changes voted in by Policy Group had not been updated in the "official" directory probably its to difficult to correct the policy documents appropiate in the critical system If nobody sends a request to the Critical team to edit the document on the console or if nobody files a new bug# to get the documents updated, the update process of policy documents stalls. Back in - was it 2010 ?!? we had a project "policy directory migration" within the Software-Assessment project team to move the "official" policy document directory out of the "critical area" to a place, where PO can easier update documents w/o any critical system updates. but the project did not move forward .... Despite the fact we have policies in effect, the practice has shown, that policy updates didn't work as expected. Especialy changes aren't updated properly. From all the policy decisions Policy Group made since about 2008/2009 only 1 or 2 changes have been incorporated once the main document resides under www.cacert.org once located in the SVN https://svn.cacert.org/CAcert/Policies/ the documents have been updated .... 'cause its simple to update the documents in the SVN, but its to complicate, to get changes passed into the directory under the critical system .... > iang -- mit freundlichen Gruessen / best regards Ulrich Schroeter - CAcert Assurance Team Leader, CAcert Case Manager, CAcert Arbitrator CAcert.org - Free Certificates E-Mail: ulrich@cacert.org
Intermediate Ruling 3 (altered and confirmed by Supervising Arbitrator)
- (A) 2012-11-01
There are some serious problems with the issue of "which version" of the DRP here. The changes to policy above were occasioned by this case, but, as far as I can determine, the only places that this update has actually been implemented are in the in the board and policy committee minutes and the SVN repository and, nearly two years later, the changes have still not been carried through into the "official" master policy document at http://www.cacert.org/policy/DisputeResolutionPolicy.php - which is also the document referenced in the CCA.
- The svn repository clearly states that:
WARNING: The proper policy document is located on the CAcert website . This document is a work-in-progress to include future revisions only, and is currently only relevant for the [policy] group.
- and links back to the document referenced above.
- Why this has happened is a matter outside the immediate scope of this appeal but needs urgent addressing by the relevant groups. Certainly the changes to DRP should by now have been included in the master document flagged as Draft and I intend to raise this as a separate dispute.
. Since this appeal (like any dispute) ultimately depends on the CCA, and the commitment members of the community take on under the terms of that agreement, I am, without the intention of setting any precedent, going to to treat this appeal as being under the effects of the version of the DRP as referenced in the CCA and as being at http://www.cacert.org/policy/DisputeResolutionPolicy.php (the alleged official master copy!) as at the date of this appeal starting into arbitration (2012-10-28)
. and as modified by the board in the Original Dispute.
. I believe that this approach is actually to the benefit of all concerned in that it avoids the need to find three arbitrators not previously involved with the case (Do we have that many active arbitrators?) but since it means that I can potentially render a "final and binding ruling" on this case, I require that any objections by any party to this intermediate ruling be filed with myself as arbitrator by 22:00 UTC 2012-11-15.
. Should this appeal go forward the decision on which version to use will have to be decided, yet since the appeals process is identical up to the point where a case is actually reopened this decision can be deferred until that decision is reached. (added by Supervising Arbitrator)
Execution 3
- (A) 2012-11-01 (A)
I have raised the separate arbitration case a20121101.1 (Discrepancies between policy group agreed drafts and published documents) as per Intermediate Ruling 3.
Discovery 4
- 2012-11-02 (A) Formal objection from (R) (2012-11-02 00:17)
I hereby officialy object to the intermediate ruling #3 given as it completely ignores the role of the status of https://wiki.cacert.org/PolicyDecisions list that has been implemented back in 2010 to track current state of policies. "According to Policy on Policy, Policy Group can make decisions concerning policies. This list tracks formal (voted) decisions made in most-recent-first order. See also Policy and DecisionNumbers." This "policydecisions" page can be seen as the "practicle" answer to the problem, that policy changes did not get updated and implemented into the "official" documents in a timely fashion manner Samples: Subpolicies that have been voted by policy group to state DRAFT p20100119 PoJAM to DRAFT https://wiki.cacert.org/PolicyDecisions#p20100119 that is DRAFT and binding https://blog.cacert.org/2010/02/457.html "PoJAM - PolicyOnJuniorAssurersMembers moves to DRAFT" p20100913 TTP Assisted Assurance Subpolicy https://wiki.cacert.org/PolicyDecisions#p20100913 that is DRAFT and binding https://blog.cacert.org/2010/09/487.html "New TTP-Assisted-Assurance to Draft - one more milestone in Policy!" p20100710 License root under Root Distribution License https://wiki.cacert.org/PolicyDecisions#p20100710 that is DRAFT and binding and replaces previous NDPDaL Non-related Parties - Disclaimer and Licence https://blog.cacert.org/2010/07/478.html root certificates under free license, RDL There is one with the latter document, that CCA still lists NRPDaL instead of RDL that is caused by Policy Group work back in 2010 not to only replace NRPDaL with RDL in the CCA p20101009 Changes to CCA for RDL https://wiki.cacert.org/PolicyDecisions#p20101009 but to update CCA with addtl. changes. RootDistributionLicense.php replaced the NRPDaL document in the critical system directory, but the reference in CCA had not been updated yet as it was expected to get further changes of CCA passed so also the RDL change (read policy group discussion around July 2010) So the most valuable document we have currently is the https://wiki.cacert.org/PolicyDecisions wiki page, that tracks all the "current" state of any policy document. -- mit freundlichen Gruessen / best regards Ulrich Schroeter - CAcert Assurance Team Leader, CAcert Case Manager, CAcert Arbitrator
- 2012-11-02 (A) Response from (A) (2012-11-02 08:02)
I note the objection. However I also note that all the sample decisions you use were also disseminated to the membership at large via the blog as well as the decision page in the Wiki. This does NOT appear to have been the case with the DRP 3.4 change. There is no linkage that I can find between CCA and the Wiki Policy Decisions page and even the Policy on Policies fails to reference it directly as a formal repository of changes. I note that authority of the Arbitration system derives from the CCA and it is this document that represents the "Contractual Agreement" under which disputes are resolved. This document specifically references the DRP as discussed in Interim Ruling 3. The CCA (and the linked documents such as DRP) do not mention anywhere that they may be modified by decisions recorded elsewhere. I draw the parallel of such as a Credit Card agreement, in which there is an obligation on the card provider to notify the cardholder of a change of contractual terms and conditions which is normally done by letter to the cardholder (since it cannot be assumed that any individual will monitor the provider for changes) as well as publication in appropriate media. The current situation with regard to CAcert publishing decisions that affect the membership is poor; it is arguable that the blog represents "publishing" the changes to the membership, but I am not convinced that the unreferenced (sic) wiki page on policy decisions is sufficient on its own to "vary the contract" between members and CAcert that is set up by the acceptance of CCA. It also highlights the issue that procedures (such as there may be) do not appear to have been followed regarding this particular decision and it is arguable that Policy Group have been seriously negligent in ensuring that the master policy documents have been properly updated to reflect the current status - particularly in view of the 22 months since the decision was made. I reserve making a final decision on this matter until 15th November to allow other objections to be considered. Alex Robertson CACert Arbitrator
- 2012-11-02 (A) Observations from Ian Grigg (CACert Inc. Board Member) (2012-11-02 02:32)
Hi Alex, Hi Ulrich, An interesting debate, one in which we need to tread carefully because of the issues involved. We are now at a point where all three "heads of power" within CAcert are involved in a jurisdictional issue, so this is right at the very crux of our governance arrangement. On 1/11/12 04:32 AM, Alex Robertson wrote: > [snip] >> So current DRP #3.4 supersedes last directs of power given in above >> order in dispute filing of the appeal. > Which DRP - the current official DRP still has the old rules. > > I know of the board ruling but the published and "official" DRP is > still at the old version.... and this is what people have agreed to! I'm not sure there is support for the word "official". The PoP rules in this area and goes to quite considerable extent to allow policies to be live and improving. It understands that policy work is hard, and it takes a lot of effort to get the final document done. Within PoP, any "official" monika is defined by the words POLICY and DRAFT, and not by the location of the documents. Customarily we move the documents across to website but that is more to create a line of convenience, so it is simpler to read for newcomers. In the alternate, if for example the website were to be seen as "official" or some other status, then this would become difficult. It is rather hard to get those documents put on there. As it stands, this would then mean that the system administration teams and the software development teams would now have an effective veto on policy - because we can't get the documents on there without their say-so. (Yes, we've been trying to get independence for some time, but all this requires work. We basically need our own Apache setup or somesuch.) OTOH, obviously this is a confusing area. For this, Policy also leans heavily on Arbitration in that process - to make some judgement calls on whether the emerging changes agreed by the policy group reduce the rights of members in any particular case due to notification or acceptance issues. So an Arbitrator is within rights to question the particular state of any policy. Indeed, Arbitrators can interpret and even knock down Policies where they are found to have unfortunate consequences. I suppose the ultimate test is if a particular ruling were to be tested in courts of another jurisdiction. I guess that might be an issue for the present case. So in that case, I would suspect a court would look at the options involved and ask whether the due process was reasonable, transparent, fair, etc (one would need to look at the Arbitration Act of each jurisdiction to find the list of tests). Anyways, very interesting debate :) > (NB the new version is in the svn repository but note well the heading > of https://svn.cacert.org/CAcert/Policies/DisputeResolutionPolicy.html > which clearly and explicitly states "WARNING: The proper policy > document is located on the CAcert website . This document is a > work-in-progress to include future revisions only, and is currently > only relevant for the [policy] group." and provides a link to > http://www.cacert.org/policy/DisputeResolutionPolicy.php for the > "proper policy document" which has NOT been updated. [See attached > image for current info from the link to the "proper document"] Right, yes it says that. That's more a warning for the WIP changes. As it stands, that document does however include some completed DRAFT additions in dark blue. So the top-warning is literally incorrect. But I'd still leave it in place because we want cherry-picking limited to the Arbitrators not the parties ;-) > I'm not convinced that the new version can apply until the "official" > version of the policy is updated... (This should really have been done > long since and not hidden in the svn version as a "new colour" Yes, it should have been. > If it's handled under the "new" rules, it might be difficult to > finally resolve! That is a separate issue - sure, but one of "implementation" not Policy. I will note from a Policy perspective that this is what the combined voices of consensus from Arbitration, Policy Group and Board wanted - to reduce the Board's potential for CoIs in any case. This has been unanimously agreed by all, I don't think anyone ever argued in recent times that the Board-as-Appeal was a good idea. So if there is a finding that the Arbitration group can't mount an effective Appeal, I suspect the Policy Group will shrug :) Your problem, guys! > Option 1 - I can rule that it be reopened in which case we will then > need to find three arbitrators not previously connected with either > the original case or the first stage of the appeal - which immediately > takes out you and AlexanderPrinsier, myself and Philipp and who is > left?? Ted? Is anyone else actually active? > Option 2 - I rule it inadmissible to re-open which means that the > issues above won't get resolved. > > If the currently published rules apply, the waiver of DRP 3.4 applies > and it can (possibly!) be disposed of by myself. I don't follow that. If the old DRP 3.4 applies, review Arbitrator decides to re-open the case, in which case it is then referred to the Board. iang -----
- 2012-11-02 (A) Response from (A) (2012-11-02 10:25)
I ask the question "Would CACert exist without its members??" Assuming that the answer is that CACert needs its members, we then need to determine how those members and the community interact - our answer is the CCA! The CCA is the contract between members and the community at large and is effectively the "root" of all of CAcert's policies; for the contract to be "fair" all its terms and conditions should be readily available to the person entering into it and the current version needs to be accessible to existing contractees. So how does the "man in the street" find and read CCA (and DRP etc) (in other words how does he find what he is agreeing to if he chooses to join)? 1) Starting at the front page of cacert.org there is a link to the CCA. 2) The CCA has a link to DRP (old version) (and some other policies) and a mention of PoP. (NB all these documents are flagged as either "policy" or "draft" so (according to your reasoning) they must be "official") 3) There is no mention in any of these documents of alternate places where the CCA/Policy changes are recorded. 4) These specific documents form the basis of the contact between a member and the community. 5) Variation of the contract originally entered into needs to be "properly notified" to the membership (it could be argued that the "blog" post does this) and the relevant pages need to be updated as soon as possible after the change has been agreed. As an alternative to updating pages, a repository of changes (such as the existing wiki pages on agreed policy changes) would need to be included within the basic agreement - ie the CCA - to cover both the CCA itself and linked documents such as DRP. I appreciate that implementing changes to "controlled documents" may be difficult , but this arbitrator (to quote IanG) "shrugs :) and says "Your problem, guys"!" [snip] > have an effective veto on policy - because we can't get the documents > on there > without their say-so. (Yes, we've been trying to get independence for some > time, but all this requires work. We basically need our own Apache > setup or > some such.) [/snip] There are many content and/or document management systems out there - both payware and freeware/open-source. Perhaps some of the Policy Group need to be looking at these.... [snip] > I don't follow that. If the old DRP 3.4 applies, review Arbitrator > decides to re- open the case, in which case it is then referred to the Board.[/snip] The Board specifically for this appeal directed its powers under DRP3.4 to "the arbitrator re-opening the case". I reserve making a final decision on this matter until 15th November to allow other objections to be considered. Alex Robertson CACert Arbitrator
- 2012-11-03 (A) Further observations from Ian Grigg (2012-11-03 04:39)
Hi Alex, Hi Ulrich More observations! > On 2/11/12 21:27 PM, Alex Robertson wrote: > I ask the question "Would CACert exist without its members??" > Assuming that the answer is that CACert needs its members, we then need to > determine how those members and the community interact - our answer is the > CCA! > The CCA is the contract between members and the community at large and is > effectively the "root" of all of CAcert's policies; for the contract to be > "fair" all its terms and conditions should be readily available to the > person entering into it and the current version needs to be accessible to > existing contractees. Fairness is in the eye of the beholder, what we instead propose is not fairness which is a wishy-washy thing subject to capture by whoever can argue the most prettily, but: dispute resolution before our own Arbitrators. and, as I'll outline below: member control and say and transparency over our own contracts. > So how does the "man in the street" find and read CCA (and DRP etc) (in > other words how does he find what he is agreeing to if he chooses to join)? > 1) Starting at the front page of cacert.org there is a link to the CCA. (User agrees to CCA on joining, on issuing cert, on Assurance, etc.) > 2) The CCA has a link to DRP (old version) (and some other policies) and a > mention of PoP. (NB all these documents are flagged as either "policy" or > "draft" so (according to your reasoning) they must be "official") > 3) There is no mention in any of these documents of alternate places where > the CCA/Policy changes are recorded. > 4) These specific documents form the basis of the contact between a member > and the community. OK so far... > 5) Variation of the contract originally entered into needs to be "properly > notified" to the membership (it could be argued that the "blog" post does > this) and the relevant pages need to be updated as soon as possible after > the change has been agreed. As an alternative to updating pages, a > repository of changes (such as the existing wiki pages on agreed policy > changes) would need to be included within the basic agreement - ie the CCA - > to cover both the CCA itself and linked documents such as DRP. OK, so point 5 is a popular and classical claim in anglo common law. It also happens to be a pain in the neck. (For whatever reason.) So the end result is a lot of legal changes being published and then ignored -- which leads to lots of gameplay. Which really isn't fair :) You started off by saying that the contract should be fair. You've now proceeded to show that the classical contract isn't fair, because it requires the user to undertake compliance steps -- keeping up with notifications -- that no sane user does. Saying that the user has to do things that we already know they won't do is a pretty poor definition of fair. Instead CAcert takes a different approach. Call us crazy, but this is what we do, in CCA#4.2: "This agreement and controlled documents above are primary, and may not be replaced or waived except by formal policy channels and by Arbitration." We define how the documents can change (and we explicitly and deliberately don't say anything about websites or promulgation or notification). Instead, we make our process of change "fair" or at least open and transparent: The policy group can be joined by anyone, and it frequently is. Anyone can propose a change, and they sometimes do. We need strong agreement to make a change, see EggPol for comments on how strong. The result is much better. It's much stronger, it's proven itself. Policy Group acts as the guardian of user interests in writing the changes. To that end -- operating as the guardian of the user interests in policy -- policy group carves out a sort of half-way house in which *DRAFTs are binding on the community* but aren't fully finished. And it then solves the grey area of what "fully finished" means or lacks by throwing the whole mess over to the Arbitrator. In this case, you. So, in this entire context, actually, you've done what was requested. You've looked at it and demurred. For whatever reasons. The process of decision making -- going one way or the other -- is what we want. We might disagree on the merits. But even disagreeing on the reasons, that is simply more incentive to hurry up the changes so they go to POLICY. So the system has its built in feedback (negative feedback for engineers, positive feedback for marketeers :) ). > I appreciate that implementing changes to "controlled documents" may be > difficult , but this arbitrator (to quote IanG) "shrugs :) and says "Your > problem, guys"!" Right, so the call is made. Policy group should finish the job. OK. (Note that I'm not looking at the merits of the decision, but at the meta-process.) > [snip] > I don't follow that. If the old DRP 3.4 applies, review Arbitrator > decides to re- open the case, in which case it is then referred to the > Board.[/snip] > The Board specifically for this appeal directed its powers under DRP3.4 to > "the arbitrator re-opening the case". Hmmm... did it? How can it do that? The board can't or shouldn't go against policy (famous exceptions aside). The board is just a party to the dispute, it can't rewrite policy. Or, if it can, then anyone can :) > I reserve making a final decision on this matter until 15th November to > allow other objections to be considered. Sure. The other possibility is to talk directly to policy group. That is - send an email to policy group outlining the issues, and ask for comment and/or action? (We can't do that. Reason being that it is not kosher to interfere with the process of the Arbitration.) > Alex Robertson > CACert Arbitrator
- 2012-11-03 (A) Response from (A) (2012-11-03 16:41)
Hi All. > OK, so point 5 is a popular and classical claim in anglo common law. It also happens to be a pain in the neck. (For whatever reason.) So the end result is a lot of legal changes being published and then ignored -- which leads to lots of gameplay. Which really isn't fair :) > You started off by saying that the contract should be fair. You've now proceeded to show that the classical contract isn't fair, because it requires > the user to undertake compliance steps -- keeping up with notifications -- that no sane user does. Saying that the user has to do things that we > already know they won't do is a pretty poor definition of fair. Agreed – which is why such as Credit Card companies spend huge amounts mailing all their users each time there is a change to their conditions. It essentially requires a “push” system rather than a “pull” one. Would they do this if they didn’t have to? So we need to be careful about this. I agree it’s a pain in the neck though. > Instead CAcert takes a different approach. Call us crazy, but this is what we do, in CCA#4.2: > "This agreement and controlled documents above are primary, > and may not be replaced or waived except by formal policy > channels and by Arbitration." Which is where I’m coming from – the documents are “primary”. They may be replaced by formal policy channels – which although agreed, has not been done – which leaves the “in place” documents as binding [NB nitpicking! Should probably read “except by formal policy channels OR by Arbitration."] However as these are also “contractual documents”, I’m not convinced that the our existing system for publicising changes made to the “primary documents” is actually robust enough to stand up in a court of law. This might warrant a revisit by Policy Committee at some point. > And it then solves the grey area of what "fully finished" means or lacks by throwing the whole mess over to the Arbitrator. In this case, you. So, in > this entire context, actually, you've done what was requested. You've looked at it and demurred. For whatever > reasons. The process of decision making -- going one way or the other -- is what we want. OK – and that’s why I threw the issue open – it’s too important to get “wrong” – in either direction. My final decision on this matter will probably not please everybody whichever way I go > I appreciate that implementing changes to "controlled documents" may be > difficult , but this arbitrator (to quote IanG) "shrugs :) and says "Your > problem, guys"!" > Right, so the call is made. Policy group should finish the job. OK. Neither a call nor a ruling (yet!) but may become one in due course either here or as a result of the dispute I’ve raised separately about the issue. Perhaps “advice” is the best description at the moment. > (Note that I'm not looking at the merits of the decision, but at the meta-process.) Understood. > The Board specifically for this appeal directed its powers under DRP3.4 to > "the arbitrator re-opening the case". > Hmmm... did it? How can it do that? The board can't or shouldn't go against policy (famous exceptions aside). The board is just a party to the > dispute, it can't rewrite policy. Or, if it can, then anyone can :) The board has not rewritten policy as I see it – it has effectively appointed a sub-committee (“the arbitrator re-opening the case”) to act on its behalf in this case because of the conflict of interest here. The “old” DRP says that “the Board hears the case and delivers a final and binding ruling” but does not define how this should be done, so, as I see it, the Board may take any approach that it sees fit. > The other possibility is to talk directly to policy group. That is - send an email to policy group outlining the issues, and ask for comment and/or > action? > (We can't do that. Reason being that it is not kosher to interfere with the process of the Arbitration.) Actually, Policy Group could raise an objection here – I used the words “any objections by any party” quite deliberately! Equally I could approach them if I believed they had anything material to offer, or if I wanted their advice or opinion as part of the process of Arbitration. However there is no issue that Policy Group agreed the change or that it has not been implemented in the relevant primary document. Why this has happened (or should that be “not happened”!) is not really relevant to this arbitration – merely the fact that it has happened. It needs addressing – but that’s probably for a matter for another arbitration. > I reserve making a final decision on this matter until 15th November to > allow other objections to be considered. And continue to do so…. Alex Robertson CACert Arbitrator
- (A) 2012-11-06 Email from (R)
Dear Alex, Some historical facts on meta policy work in the past and today: The main policies have been written in Ian's Vienna time period back around 2007 (probably starting 2005?!?), 2008 At Top Pirmasens around 2007-09-19 the basis of rule sets have been voted in (at ths time no policy group was working) Only a small group of policy writers, probably Ian and Philipp as the main authors prepared those. Top Pirmasens can be seen as the Policy install party, where all the main policies have been voted in by CAcert Inc board, later this year confirmed at CAcert Inc AGM The basis has forseen some update procedures for policies, but this all was written at the green table. Same examples have been played around at Pirmasens Top, so Assurances following Assurance Policy have been introduced. The first two disputes have been filed and ruled to see that DRP is working in general https://wiki.cacert.org/Arbitrations/a20070921.1 https://wiki.cacert.org/Arbitrations/a20070921.2 Then, about 1 1/2 year all these policies were in place not much did happen in the Community to move forward with the Audit (Audit - especialy DRP required the policies to be installed), so an auditor can check something what was written, and what has been followed or not. By end of 2008 - the New Roots ceremony has been passed following SP. with one followup dispute: https://wiki.cacert.org/Arbitrations/a20090301.1 "CAcert disk destruction procedure has changed compared to the CAcert Board decision" (this is one of the essential samples in an ABC interview, to signal to the new candidate, that he can break policy rules under special conditions) Despite the fact it was tried to roll out the Assurance Policy it has not been followed in full. The sea-shift in this area did happen with a couple of arbitration cases https://wiki.cacert.org/Arbitrations/a20090303.1 "Assurance made on an unproper form" https://wiki.cacert.org/Arbitrations/a20090306.1 "CAP form on the official website doesn't conform the Assurance Policy" So this was also the time, the AP has been pushed to the Community by the ATE series and also by arbitrations and board motions (the result can be also seen in the count of arbitration cases 4 in 2007, 4 in 2008 and the explosion in 2009 with 108 (!!) read arbitration stats: https://wiki.cacert.org/OverviewProjectsBoard/Arbitration so in Q2/2009 (April-June) we've received the overall peak of 38 cases Despite the fact, the Policies have been in effect since around 2007, practicle work started in 2009. This was also the time Audit stopped (June 2009) https://blog.cacert.org/2009/06/393.html One topic here was: Community wasn't ready by this time "Ian’s work was a primary element in the audit project, which started in the beginning of 2008. The one and a half years project is almost at the point of the second of the three mile stones. Because of the long time it takes for getting policies accepted in the far-flung CAcert Community and CAcert Board, a board run in the spare time of its members, the end date of the project has shifted greatly. The true amount of work was underestimated." So in 2009 deployment of Policies into practice has started. Eg with the backlog of arbitration cases that received Arbitration the handling of cases following DRP by using Support-Engineers as CM and selecting an arbitrator didn't realy worked as defined under DRP. CM's no longer available, disputes not transfered, and so on. So we discovered an Arbitration crisis, that also related to a Support crisis. By end of 2009, Ian stepped in as temporary Support t/l and with me as liason from Arbitration (as nobody other did) Ian re-deployed a running Support team and I did the same with Arbitration (as results, the Support training pages and the Arbitration training pages have been deployed) Back in Dec 2009, I've invited Assurance team and Ian as the master of policies to an Assurance top in Hamburg. Here we've prepared the continous work of policy work in Assurance area -> PoJAM and TTP-assisted-assurance. https://blog.cacert.org/2010/01/454.html At the same time, I ruled on one case, that I've splitted into 3 cases: https://wiki.cacert.org/Arbitrations/a20091118.1 "Assurances while TTP program frozen" https://wiki.cacert.org/Arbitrations/a20091118.4 "Arbitrator slow" https://wiki.cacert.org/Arbitrations/a20091118.5 "Code changes regarding TTP program" The interesting one is the .1 that states, that the push of policies did not realy happen before around mid of 2009 (!) So one of the intermediate rulings was the order to critical team to add a "Warning: TTP frozen" warning onto all pages under the critical system So this supported Boards motion(s) https://community.cacert.org/board/motions.php?motion=m20090912.1 https://blog.cacert.org/2009/12/448.html (related article in the blog) Announcement to the community, did not realy happen before so this also was a starter of the monthly wiki community updates https://wiki.cacert.org/Community/Update To push out the AP subpolicies, I saw no other way, to post it everywhere where its become practicle. This was the Blog and therefor the main CAcert website. Ian as the de-facto Policy officer by this time with access to the svn policy directory did updates on policies that did reside under the SVN directory but couldn't make changes to the policy directory under the critical system. Until mid of June 2010 a couple of various policy decisions (resolved, unresolved) passed the policy group, so probably around or before June 2010 Ian started the policydecision wiki page https://wiki.cacert.org/PolicyDecisions to keep track of all the smaller and bigger policy decisions that did happen around this time (and there was a lot) https://wiki.cacert.org/PolicyDecisions?action=info (starts with revision # 170, dated 27.06.2010) by following the arbitration numbering schema and tracking under first under https://wiki.cacert.org/Arbitrations, then splitted into https://wiki.cacert.org/Arbitrations (open/running cases) and https://wiki.cacert.org/Arbitrations/ArbitrationsClosed -> https://wiki.cacert.org/Arbitrations/ArbitrationsClosed?action=info ) (probably did happen in 2009 by the mass of new running cases, and more and more completed cases) wiki info starts at revision 205 / 1000-something. So the exact date I cannot discover. (sidenote Arbitration cases often Support tickets under OTRS -> issue.cacert.org) So this numbering schema follows board motions tracking https://wiki.cacert.org/Brain/CAcertInc/Committee section Historical Record that moved to https://community.cacert.org/board/motions.php?motion= database, started by Board 2009 1st half and first Board motion https://community.cacert.org/board/motions.php?motion=m20090609.1 Also motions from previous boards are listed under https://svn.cacert.org/CAcert/CAcert_Inc/Board/board_review_actions_200408 20_20070525.html To get an overview of the several numbering schemas, have a look under https://wiki.cacert.org/DecisionNumbers this table lists the different decision tables by many (if not all) of the CAcert teams and groups So also decisions by the widely unknown "Management SubCommittee" that worked back around 2007 had their own decision tables https://wiki.cacert.org/ManagementSubCommitteeDecisions This is of special interest, 'cause this group prepared the Audit framework eg. msc20080117.1 msc20080117.1 MoU on Funding for audit (signed final document) now on svn, remove the older HTML discussion document because it is completely replaced by the PDF. So, Decisions tracking has a long tradition within CAcert's work by the several teams. Some are unknown, some are better known - all to keep track on the decisions that have passed and to get not lost by missing implementation rules (eg for Policy group decisions) Despite the fact, PoP doesn't references directly to the https://wiki.cacert.org/PolicyDecisions document, one has to read policy mailing list about resolved decisions, the wiki page https://wiki.cacert.org/PolicyDecisions assists members to get an overview what has happened with a proposed policy change and if it is in effect. As said, policy and practice may differ, especialy if policies are still under development (eg CCA is such one that is under development to implement the changes passed by other policies (eg RDL) and to reflect current practice Termination 3.3, exact contract partner naming: CAcert Inc vs. CAcert Community) This work has started back in 2010 but didn't get finished (why did Auditor resign ?-) -> one of the causes: slow working policy group ) One more topic comes to my mind: as written above, communication was and is in a mess ... one only reads mailing lists, another only reads blog posts, the next one receives wiki update notes by using the .* schema, and the 4th uses rss feeds This problem is not new, we've faced in pushing the ATE series out to the community, so I've by the time, in role of Events officer filed a dispute to get the scripted mailing process installed into the strictly secured critical system http://wiki.cacert.org/Arbitrations/a20090525.1 "Event officer request recurrent notification to assurers near the location of the following ATEs - Precedent Case" this script derived from the scripted mailing source also to use for the scripted rollout of CCA (see below) first tested by end of last year mailing to _all_ members with the Tverify points to expire https://blog.cacert.org/2011/11/536.html A quarterly newsletter mailing has been discussed within the Software-Assessment project team https://wiki.cacert.org/Software/Assessment around and before Nov 2011, but hadn't picked up by the PR team yet :-P One Audit requirement is to push the CCA acceptance out to the Community http://wiki.cacert.org/AuditToDo - Outstanding Tasks - Notifications outstanding since 20070830 (!) notify all Members of CCA. See RolloutCommunityAgreement http://wiki.cacert.org/RolloutCommunityAgreement and http://wiki.cacert.org/AuditToDo - Outstanding Tasks - Software Changes to Website outstanding since 200806xx (!) b. add checkboxes "I agree to CCA." to cert creation; c. drop wrong/out-of-date contract text; See RolloutCommunityAgreement So all we can assume is, that member who have been assured after February 2009 have agreed to the CCA. All members who issue certificates or have created their account after around April 2009, have agreed to the CCA. We currently have probably around 10.000 active members, so the CCA agreement covers about 5% of all potential members base (database has about 200.000 accounts) One topic that I've discussed with Ian outside this arbitration case some months ago was about the CCA rollout and the requirement about. What do we want to achive ? That if something becomes active and interacts with our system either way, he has to be bound to arbitration. So, as long the member accepted arbitration, CAcert is on the save side As inactive members probably doesn't relate to any disputes, the requirement to bind them to Arbitration cannot be totaly ignored (at least by the time of termination this comes back to topic), but has not that high priority as long the active and working community has agreed to the CCA. So here there are 3 essential topics (by Audit requirement), so the Assurers in assurance have to disclose to new members - this is the R/L/O topic. Once an old member tries to create a new certificate, has has to accept CCA by clicking the checkbox. Accepting CCA in the assurance process is a bit tricky. By default Events officer was requested to have a CCA printout at hand at every event. But consider assurance practice: only one time we had one guy sitting down at Cebit 2009, reading the full 4 pages of the CCA before accepting it. This is very unusual in practice, as the guy reads it 45 min's ... and most assurees do not have that much time, to get an assurance at a big event or assurance party. So here comes the Assurers duty, to disclose (at least) the 3 essential topics -> R/L/O beside of all the rest that is written in the CCA PoJAM and TTP-assisted-assurance are probably the first practice droven subpolicies, as they've first checked against practice in WIP state (PoJAM) or for TTP we had the old TTP assurance process, but that missed a policy so was frozen back in 2009 ... here we collected the long time experience into the policy With PoP we hadn't such experience, as those documents was written from scatch. This you can see also in the principles as referenced by CCA -> http://svn.cacert.org/CAcert/principles.html, also Privacy Policy -> http://www.cacert.org/policy/PrivacyPolicy.html these documents were written before all other documents, so therefor may lack some details check For active policy group work, one has to push actively into the policy group, that changes gets prepared and later on voting takes place. So for PoP no one noticed, that some practicle work didn't work in full as first written back around 2007, 2008 as changes didn't made it into policies in an appropiate time period into the documents, so a workaround has been installed back in 2010 but didn't pushed it into policies (remember: the strict audit work has been stopped back in mid 2009 - since then, also Policies are still under development and review ... but all this still works very slow ....). So before next audit starts, all Policy documents requires to get in sync with the policy decisions made Ok, one more topic ... as shown ... communication is in a mess, so back in 2010 we've introduced the Community/Updates, but the last written ones are back in Oct 2010 :-P other publication takes place, often (but not in every case) in the blog, in the wiki, by scripted mailing, in the wiki or elsewhere ... ok, take the Policy decisions as under https://wiki.cacert.org/PolicyDecisions starting early 2010 p20100113 Stop issuing class3 certificates - Not carried, NO consensus. -> no blog post p20100119 PoJAM to DRAFT - decision is carried -> blog post: https://blog.cacert.org/2010/02/457.html => includes link to policydecision page https://wiki.cacert.org/PolicyDecisions#p20100119_PoJAM_to_DRAFT p20100120 Assurance Policy: require government ID - Not carried -> no blog post p20100306 Policy Officer makes minor adjustments - Option 3 is carried -> blog post: within community update https://blog.cacert.org/2010/03/471.html => includes link to policydecision page http://wiki.cacert.org/PolicyDecisions#p20100306 p20100326 Security Policy to remain in DRAFT - Carried -> no blog post once a blog post has been published about any policy decision, also the link to the policydecision page is included to reference the decision. Minor changes or not carried decisions tends to be not published, where assurance area related decisions have been published in full (this also relates to arbitration rulings especialy cases with precedent - eg read hyphen's to handle optional ruling) Why had DRP 3.4 change not been published - well, by the time the DRP change have been pushed to the policy group, all active people in the mailing list also voted about this policy change proposal. DRP 3.4 change has not that much influence in the assurance or work under SP, so therefor was a beside change that other documents undergo too until all policy documents have been brought in sync with current practice and work was it 2010 ?!? where I've asked in policy group to pickup the topic that CM wasn't any longer from the Support team, but from the Arbitration team, but nobody responded or nobody did take care about so still open issue ... Regarding CCA ... I've started several runs on details changes of new CCA revision, made some pre-voting for or against a change, so to go through the full document, section by section, to present the changes in full to the policy group ... so that was the cause why the RDL to change in CCA vote didn't passed by the time the voting has been brought to agenda, as we've in policy group expected a finishing within a time period of 1-2 months, so the RDL change would probably pass 1 or 2 months later, together with the big change One interesting topic I've found while researching above stories around policies in practice, I've stumbled over: https://www.cacert.org/policy/CertificationPracticeStatement.php#p8.5 but this isn't the only point that opens up potential exceptions to the standards defined by the policies itself regarding the policydecisions page, probably Ian started this page (as he did take care about policy changes and to keep track of them in a de-facto Policy officers role, but not accepted by board of 2009 2nd half (was there a motion about?!?) As the motions database isn't the easily searchable, its difficult to find any reference about this topic For OAP I had a similar problems under http://wiki.cacert.org/Arbitrations/a20120121.1 that I've questioned and answered by doing a deep research where I've also inspected SVN revision numbers and dates to get this question answered I encourage you, the arbitrator in current case to read the research path of named case "to find the answer to the question which OAP revision is CURRENT (either DRAFT or POLICY) and therefor in effect". DRP 4.4 Revisions of DRAFTs must be treated as decisions on the policy group. so this apply to http://wiki.cacert.org/PolicyDecisions#p20110108 Compiling the full document "5.3 Policy group may propose changes to a POLICY document in order to update it. When changes move to DRAFT status, they may be included in the POLICY document, but must be clearly indicated within as DRAFT not POLICY. " applies, but current version had not been compiled (caused by missing Policy Officer?), so have to be done by the policy reader as p20110108 is the 2.3 Decisions are taken by "Rough Consensus." A vote may be called to clarify. In consequence of "1.4 The Policy Officer manages all policies and the policy group." and PO is currently vacant and referenced to Board as the fallback, I have first to ask, that Board in their duty in role as PO first have to bring the policy documents in a good working order as PoP 1.4 states: The Policy Officer manages all policies and the policy group. once they want the appeal process picked up As there is no explicite definition when policies comes into effect once voted the only definition in this direction is given under "PoP 2.3 Decisions are taken by "Rough Consensus." A vote may be called to clarify. " so takes in effect once the decision has been carried. One may read "PoP 3.1 An Editor is identified. This person is responsible for drafting the document, following the consensus of the policy group. " as the guy whos duty is to implement the changes into the document. Is there any procedure defined, how I, as editor can achive this? a) How to update a document if the main document resides under www.cacert.org/policies ? b) How to update a document if the main document resides under svn.cacert.org/CAcert/policies ? probably: a) 1. download the source package from the main cacert website under About CAcert 2. edit the php or html document 3. file a bug, attach the update to the bug filed 4. notify software-assessment team, to review, test and transfer the patch to critical team b) 1. request a SVN account, ask for write permissions into the policies directory 2. download a SVN client 3. download the main document source 4. implement the changes 5. commit the changes into the svn directory Shall either procedure a) or b) apply to all editors ?!? or only to the PO ? The missing part either way is, that there are no clearly defined publishing channels outside policy group. But policy group (that is the full mailing list archive) is defined. So any passed vote on policy group (mailing list) is the minimum requirement that a policy change has been carried. Your problem as arbitrator: you have to reread all the mails in policy group if not using a simplier practicle solution - that is the policydecisions wiki page. For PoJAM we have the paperwork workaround to apply the carried draft subpolicy into practice - checkbox PoJAM happened isn't yet implemented into the online system - but this doesn't blocks the policy to become in effect, nor is there any definition that this policy only comes into effect once put in the critical system. The principle is, that a policy vote, once started and carried changes a policy state (except a special vote .. policy remains draft) and therefor also applies to the content. The review process of policies as expected under PoP didn't get that active support in Policy group that Policy documents in Draft gets passed to Policy so therefor half of the policies still are marked with state DRAFT one idea was, to move Policies once sitting 1 year at DRAFT passes automaticly to POLICY (don't know if there was a voting about this topic or just discussed) About topic "pass appeal authority over to one arbitrator" isn't probably that was expected by the policy writers ... First in writing DRP, the topic appeal comes in place there was not that much time, to have a wider discussion about this topic, so therefor, to allow appeals in general, a quick'n dirty solution has been written under 3.4, in short: to be handled by board - a group of people, familiar with the policies, rules where decisions didn't pass to only one person. As board of CAcert has by default 7 seats, so 7 members have to decide over an appeal (old version). This has been adjusted by Policy Group by their decision p20110108 in a similar way, a group of arbitrators have to decide once accepted as appeal so as this motion has been carried: http://wiki.cacert.org/PolicyDecisions#p20110108 Motion is CARRIED. Voting closed 20110126 the new 3.4 did overwrite the "authority transfer" clause, as Board in role as (C) had a CoI by the time the board motion has been accepted: https://community.cacert.org/board/motions.php?motion=m20101212.2 (this was before 2011-01-08) but that leads to the appeal arbitration case a20110310.1 (that comes later) The conflict, that exist by the time of board motion solved by policy group decision, later passed under Arbitration a20110310.1 By default, the dispute filing a20110310.1 has to be rejected as the Board motion text: "CAcert Inc. appeals on the ruling of a20100212.2 as it is convinced that taking over risks, liabilities and obligations of a deceased member is incorrect because Cacert is not a party in disputes between the deceased member and other community members." (there is no authority transfer clause here) Dispute filing: above board motion text and "As the appeal will have to be handled by the board this introduces a COI. To maintain the spirit of independence and transparancy of CAcerts arbitration system, CAcert Inc. directs its powers resulting from § 3.4 DRP for case a20100212.2 to the arbitrator re-opening the case [3]." as board isn't in the role under DRP 3.4 current version since Motion is CARRIED. Voting closed 20110126 to transfer any authority over to a single arbitrator. So this passus of dispute filing is incorrect. However DRP 1.4 Contents allows "If the filing is inadequate for lack of information or for format, the Case Manager may refile with the additional information, attaching the original messages." the original dispute to be modified to become a valid dispute filing so the part "As the appeal will have to be handled by the board this introduces a COI. To maintain the spirit of independence and transparancy of CAcerts arbitration system, CAcert Inc. directs its powers resulting from § 3.4 DRP for case a20100212.2 to the arbitrator re-opening the case [3]." to be removed
- (A) 2012-11-06 Response from (A)
It all comes back to the question "Which version of DRP is in force?" and I think it is important to separate intent from result. I agree that the intent of Board and Policy Group is to change it - I even agree with the change.... However I still disagree with your premise that the publishing of the Policy Group decision somewhere in the wiki is sufficient in and of itself to bring the change into effect and "deep research" isn't necessary CCA 0.1.14 defines "CACert Official Documents" and makes clear that "changes are managed and controlled" - this includes DRP. CCA 4.2 specifies that "This agreement and controlled documents above are primary, and may not be replaced or waived except by formal policy channels and by Arbitration." - at this point the changes to the "primary documents" have been approved by formal policy channels but the current CAcert official document has NOT been replaced for whatever reason. I also note the example at the end of CCA 4.3 on the Assurer Handbook "The Handbook is not however an agreement, and is overruled by this agreement and others listed above." which clearly separates the primary documents from other material. Since the published and controlled versions of the CCA and the documents listed at CCA 4.2 represent the contract between members and the community at large and the primary basis for arbitration, I see them as the "binding documents" - it is the responsibility of the Policy Officer, Policy Group and the Board to ensure that this happens and to keep raising the issue if it does not. I also see great danger to the community in allowing change and variation to creep in from other sources however official they might seem to be - the whole point of using a controlled document for this is to stop (for example) someone inserting an apparent motion in the wiki stating that "All parties to the CAcert Community Agreement agree to immediately pay 250 Euros to Ulrich" and then claiming it is binding because it is now part of the CCA I also believe that the ordinary member has a right to know what they have agreed to, and what the current state is - and they shouldn't be expected to have to search all around the main wiki and other areas such as SVN to find all the little changes that may or may not be in force. (I go back to my Credit Card analogy - The banks wouldn't pay all the money they do to notify their customers of changes if they didn't believe it was necessary to their contract? I don't know how we can move changes to a "push" publish but that's for another day. As to the Board's waiver, the Board is entitled to handle its business in any way it sees fit to - this could be by delegation, subcommittee, individual responsibilities - as long as the whole Board approve it.
- (A) 2012-11-07 From Ian Griggs (CAcert Board Member)
On 7/11/12 04:26 AM, Alex Robertson wrote: > It all comes back to the question "Which version of DRP is in force?" and I > think it is important to separate intent from result. No only important, essential. The Arbitrator decides, full stop. > I agree that the intent of Board and Policy Group is to change it - I even > agree with the change.... > > However I still disagree with your premise that the publishing of the Policy > Group decision somewhere in the wiki is sufficient in and of itself to bring > the change into effect and "deep research" isn't necessary It isn't, and it isn't even relevant, as you state below. > CCA 0.1.14 defines "CACert Official Documents" and makes clear that "changes > are managed and controlled" - this includes DRP. > CCA 4.2 specifies that "This agreement and controlled documents above are > primary, and may not be replaced or waived except by formal policy channels > and by Arbitration." - at this point the changes to the "primary documents" > have been approved by formal policy channels That's it. They have to be done by formal policy channels. Which is defined by PoP. > but the current CAcert official > document has NOT been replaced for whatever reason. Right -- because the formal policy channels being PoP do not include publication. It is an open question that policy group should possibly look at - is there any implication that publication is a part of the formal policy change process? Should there be? We note that e.g. credit card contracts would change by mail, is this appropriate? Or? > I also note the example at the end of CCA 4.3 on the Assurer Handbook "The > Handbook is not however an agreement, and is overruled by this agreement and > others listed above." which clearly separates the primary documents from > other material. > Since the published and controlled versions of the CCA and the documents > listed at CCA 4.2 represent the contract between members and the community > at large and the primary basis for arbitration, I see them as the "binding > documents" - it is the responsibility of the Policy Officer, Policy Group > and the Board to ensure that this happens and to keep raising the issue if > it does not. What is "this" in the above? It seems that this amounts to a challenge to the words: "This agreement and controlled documents above are primary, and may not be replaced or waived except by formal policy channels and by Arbitration." Especially the notion of formal policy channels. > I also see great danger to the community in allowing change and variation to > creep in from other sources however official they might seem to be - the > whole point of using a controlled document for this is to stop (for example) > someone inserting an apparent motion in the wiki stating that "All parties > to the CAcert Community Agreement agree to immediately pay 250 Euros to > Ulrich" and then claiming it is binding because it is now part of the CCA That's why we have the policy decisions wiki page. It is strongly scrutinised by all on the policy group. Indeed, there has been one attempt to steamroller a change, and it failed. There has also been an exciting attempt at a board veto - and it succeeded, thus slowing us down by a month or two. We have our process and we've followed it. > I also believe that the ordinary member has a right to know what they have > agreed to, and what the current state is - and they shouldn't be expected to > have to search all around the main wiki and other areas such as SVN to find > all the little changes that may or may not be in force. (I go back to my > Credit Card analogy - The banks wouldn't pay all the money they do to notify > their customers of changes if they didn't believe it was necessary to their > contract? I don't know how we can move changes to a "push" publish but > that's for another day. OK, so let's distance ourselves from the banks. When Banks change contracts they are doing it for their benefit - the banks. They are intending to take more money from customers. When we change contracts, we are doing it for the benefit of our community. Check the record - every change we have made has not resulted in fees going up :) Of course banks have to then publish their contracts - because courts won't back them raping their customers if they don't give their customers at least a publication. We aren't in that business. We are not going to a court and asking them to force a fee increase over the customer. The notion that we would try and force an unpopular change over our customers -- our community -- by just a publication ... is really not germane. We took a different path. Publication isn't the issue, our "formal policy channel" is. > As to the Board's waiver, the Board is entitled to handle its business in > any way it sees fit to - this could be by delegation, subcommittee, > individual responsibilities - as long as the whole Board approve it. OK, delegation works. As long as the Arbitrator accepts it. Not sure about that, complicated question, but nicely not a question I have to answer :)
- (A) 2012-11-07 Response from (A)
Hi Ian >> but the current CAcert official >> document has NOT been replaced for whatever reason. > Right -- because the formal policy channels being PoP do not include publication. PoP 5.3 "Policy group may propose changes to a POLICY document in order to update it. When changes move to DRAFT status, they may be included in the POLICY document, but must be clearly indicated within as DRAFT not POLICY." So what should have happened is that there should have been that DRP 3.4 should have had the new text inserted and that section flagged as "DRAFT". Nothing has been included in the "POLICY document" to date 22 months after the Policy Group voted that change in. >> and the Board to ensure that this happens and to keep raising the >> issue if it does not. > What is "this" in the above? I'd edited a chunk and then got distracted and failed to complete the update (sounds familiar :) ) Should have read " it is the responsibility of the Policy Officer to organise updating the relevant documents and Policy Group and the Board to ensure that this happens and to keep raising the issue if it does not. > It seems that this amounts to a challenge to the words: > "This agreement and controlled documents above are primary, and may > not be replaced or waived except by formal policy channels and by Arbitration." > Especially the notion of formal policy channels. Not intended as such - the challenge is that the formal policy channels have not been followed through properly to completion > That's why we have the policy decisions wiki page. It is strongly > scrutinised by all on the policy group. Excellent - this is necessary > We have our process and we've followed it. I assume you mean the "Board Veto" example for this and that "our" means "Policy Group's" - so.. Where is "our process" fully documented - and I mean the actual process itself - and how can you demonstrate that you've followed it in any given scenario?? Think in terms of ISO9001! Think about the issues raised by this case! > OK, so let's distance ourselves from the banks. When Banks change > contracts they are doing it for their benefit - the banks. > They are intending to take more money from customers. > > When we change contracts, we are doing it for the benefit of our community. > Check the record - every change we have made has not resulted in fees going up :) I'm not sure that the reason for a contractual change matters - you are forcing an unilateral change to many existing contracts AND you are not making it easy for an uninformed member to understand or find out what the current status of that contract actually is. I just typed "DRP" into the Wiki search - on titles nothing was returned and on a full text search more that 10 pages of references were returned. > Of course banks have to then publish their contracts - because courts > won't back them raping their customers if they don't give their > customers at least a publication. > We aren't in that business. We are not going to a court and asking > them to force a fee increase over the customer. Again, it doesn't really matter - what is important is the principal that contracts cannot and should not be changed without at least the knowledge of all parties involved. Publication of change is part of satisfying that process - Banks use a push process (mailing to the last known address usually) for precisely the reason you state - there may be more flexibility in how we choose to approach the concept - but I am of the opinion that this falls outside the remit or immediate needs of this case and thus should fall back to Policy Group to consider at their convenience.
- (A) 2012-11-10 Email from Werner Dworak (CACert Board Committee member)
Hello Alex, > PoP 5.3 "Policy group may propose changes to a POLICY document in > order to update it. When changes move to DRAFT status, they may be > included in the POLICY document, but must be clearly indicated within > as DRAFT not POLICY." > So what should have happened is that there should have been that DRP > 3.4 should have had the new text inserted and that section flagged > as "DRAFT". Nothing has been included in the "POLICY document" to > date 22 months after the Policy Group voted that change in. This I regard as unacceptable. But I assume it is due to the missing Policy Officer. And now you run into problems which version of the DRP you can regard as valid. > Should have read " it is the responsibility of the Policy Officer to > organise updating the relevant documents and Policy Group and the > Board to ensure that this happens and to keep raising the issue if it > does not. Indeed. But seemingly no one did anything. I start to feel sorry for Megan about the backlog she has to cope with. But I am confident she can cope with it. > Not intended as such - the challenge is that the formal policy > channels have not been followed through properly to completion Seemingly. And I am happy this will come to an end soon. > I'm not sure that the reason for a contractual change matters Indeed. That there is a change at all does count. > you are forcing an unilateral change to many existing contracts AND > you are not making it easy for an uninformed member to understand or > find out what the current status of that contract actually is. That is the point. And that should change. > I just typed "DRP" into the Wiki search - on titles nothing was > returned and on a full text search more that 10 pages of references > were returned. This I call really confusing. > what is important is the principal that contracts cannot and should > not be changed without at least the knowledge of all parties > involved. Publication of change is part of satisfying that process Indeed. CCA 3.4 clearly states "Changes will be notified to you by email to your primary address.", but this never happened up to now. So generally our regulations are right but the practice lacks. Kind regards, Werner
- (A) 2012-11-10 From Ian Grigg (CAcert Board member)
I suggest that we separate the tasks here somewhat. Any changes to the policy and any clarifications should be debated on policy group. Any comments made concerning the current Arbitration can continue here. But I think everything's been said, really :) or at least I don't think we can help by rehashing arguments. iang
- (A) 2012-11-10 Observation from (A) noted here "for the record"
This is what has already effectively happened - there have been a load of emails that have not been forwarded to the "offical lists" as copied, only to cacert-policy@c.o which I've not included here. With the exception of the one from Werner above, none have had anything new to offer.
Discovery 4a
- (A) 2012-11-12 (A) Mail from IanG (CACert Board Member to cacert-board list
In motion https://community.cacert.org/board/motions.php?motion=m20101212.2 CAcert Inc appealed against a ruling that brought it some increased liabilities. This caused a problem because CAcert Inc (as its board) was then the hearer of any appeals. It cannot appeal to itself. So at the time, the Board proposed in motion https://community.cacert.org/board/motions.php?motion=m20101212.1 a novel fix: Resolved, that the board directs its powers resulting from § 3.4 DRP for case a20100212.2 to the arbitrator re-opening the case and, that the policy group amends § 3.4 DRP to specify what are appropriate solutions when the board is a party. In my opinion, the first part, that is, directing its powers to another party, is impossible. It lacks foundation. It isn't in the powers of an Arbitrator or an Arbitration Panel to simply hand on its powers. All it can really do is hear the case, or not. To my mind, this leaves the case in deadlock. It leaves the board unable to appeal because it is then forced to not hear the case, because of conflict of interest. Oh well, such is life? In the alternate, if the Board as Arbitration Panel does this, it also sets a precedent that any Arbitrator can also do it for any other case. Philipp could direct his powers to the Catholic Church of which he's very fond, Ulrich can direct his powers to the MAD, and I as Arbitrator could direct my powers to my cat. In the other alternate, in Associations Act 2009 there is a clause that says that any decision exercised by the board is deemed to stand, even if there is defect in the form of it. That is, even if we make a mistake about minutes or quorums, our decisions stand if not challenged. This gives us substantial latitude to make things work. But, I think we also need to be wiser and not make things harder for ourselves. This above decision makes Arbitration messier and riskier. As Arbitration is an extremely powerful and important part of our overall governance equation, I think it better for the Board to not interfere and weaken it. Therefore I propose to repeal the above motion. Comments?
Intermediate Ruling 4 (Reviewed and not confirmed by Supervising Arbitrator)
. With regard to the email referenced in Discovery 4A
. Since this appeal is currently underway, this represents an attempt to interfere with the course of a running arbitration, and I therefore rule that this proposal is out of order.
- This ruling were it to stand would be unconscionable. It would prohibit parties to an arbitration to hold their own council and act on their own behalf. The standard to apply to a party to a case interfering needs to be considerably higher. Such a bar in a court of law would be for example "tampering with evidence". Under no circumstance does holding ones own council, discussing a case or coming to a conclusion or decision that affects the case rise to that level.
- A case could be made that a board decision as proposed does interfere with the case at hand, and an arbitrator could then choose to rule that the decision will only apply to future cases. However ruling that the board does not have the right to make such a decision or take on the discussion that might lead to such a decision would rise to an egregious miscarriage of justice. As such this intermediate ruling does not stand.
Discovery
Ruling
Discovery
- (A) 2012-11-01 (R) Statement of position.
Hi, > -----Original Message----- > From: Alex Robertson [mailto:alex-uk@cacert.org] > Sent: Monday, October 29, 2012 9:01 AM > To: ulrich@cacert.org; 'Mario Lipinski'; secretary@cacert.org; cacert-board-private@lists.cacert.org > Cc: alex-uk@cacert.org; p.dunkel@cacert.org; arbitration-archives@cacert.org > Subject: Arbitration case a20110310.1 init mailing 5. The next thing I would like both sides to do is to prepare a short email that outlines their viewpoint. No longer than a page, please! By accepting the CAcert Community Agreement, the member accepts a contract between himself and CAcert Inc, where CAcert Inc is the legal representive of the CAcert Community. https://www.cacert.org/policy/CAcertCommunityAgreement.php 0. Introduction This agreement is between you, being a registered member ("Member") within CAcert's community at large ("Community") and CAcert Incorporated ("CAcert"), being an operator of services to the Community. so its fact, that CAcert Inc is the contract partner of each individual CAcert Community Agreement accepted by a community member. Current CAcert Community Agreement defines procedures if someone resigns, but doesn't include any definitions if a member deceases https://www.cacert.org/policy/CAcertCommunityAgreement.php 3.3 Termination ......................................................................... You may terminate this agreement by resigning from CAcert. You may do this at any time by writing to CAcert's online support forum and filing dispute to resign. All services will be terminated, and your certificates will be revoked. However, some information will continue to be held for certificate processing purposes. The provisions on Arbitration survive any termination by you by leaving CAcert. That is, even if you resign from CAcert, you are still bound by the DRP (COD7), and the Arbitrator may reinstate any provision of this agreement or bind you to a ruling. Only the Arbitrator may terminate this agreement with you. ......................................................................... The topic "all services will be terminated and your certificates will be revoked" is an essential part in termination of the given contract. This also relates to members who deceased. The second part of this CCA topic "The provisions on Arbitration survive any termination by you by leaving CAcert. That is, even if you resign from CAcert, you are still bound by the DRP (COD7), and the Arbitrator may reinstate any provision of this agreement or bind you to a ruling." makes it complicated, in the case a member deceased. The member can no longer be bound to CCA/DRP (he is no longer available) also the arbitrator can no longer reinstate any provision of this agreement. This is mostly no problem, if the notification that a member deceased receives CAcert and the case is handled in a proper time (eg within 14 days ?!?) But this didn't happen under referenced case https://wiki.cacert.org/Arbitrations/a20100212.2 The notification that the member deceased receives CAcert at 2010-02-12, has been transfered into the disputes queue at 2010-02-15 but has been picked up first 9 months later at 2010-11-03 No one from Support, no one from Arbitration team, no one from CAcert board did takes care about this "special" case and the problems that may araise, if the account will be kept open without any interaction (that is: lock the account, revoke all remaining certificates) So this "non-action taken" issue leads to the part in the final ruling, that the passed time w/o any action needs a definition how the remaining R/L/O's within this time period needs to be defined. As CCA gives no answer nor any other policies, I've tried to find an answer by a similiar real life case: using a life-insurance contract as a sample, where the defined parties in the contract are no longer available and how this case probably will be handled ... The contract probably goes back to the company who is the remaining contract partner. The contract will be set on hold until a recipient can be identified and discovered, at least infinite. In relation to the CCA contract between a member and CAcert Inc, this means, the contract is still held by CAcert Inc and CAcert Inc is responsible to pass the remaining steps that are required to close the issue. This includes the termination of the account, revoke of remaining certificates that the R/L/O's can be closed. As this didn't happen in a 9 months period, the potential R/L/O are still open, so to be kept by the remaining contract party, that is CAcert Inc. As the CAcert membership is not transferable to a relation or another named party CAcert Inc is the only one to name. At the time, the a20100212.2 case was running, we had not realy a defined procedure how to handle such deceased cases. Support was in a mess, Arbitration was in a mess Support just has restarted working and building up experience. In 2011 Arbitration and Support deployed a series of precedent cases, where Support engineers can handle cases appropiate. At the time a20100212.2 has been filed, no one of the Support crew had enough experience to pickup the case at Support level, to lock the account, to revoke the remaining certificates. Also from Arbitration team nobody takes care about this special case and the potential risk this case did enclose. Today such a case will be probably handled properly as Support has built up enough experience to take care about such "special" cases so the problems that did appear with the named case no longer will happen. From my PoV, most of CAcert community and also of CAcert Inc wasn't and aren't aware, that some issues that receives CAcert Inc and also CAcert Community needs immideate interactions to prevent any harm from the CAcert Community and CAcert Inc. "Member deceased" is such an issue, that needs intermediate action - lock the account, revoke remaining certificates, file a dispute (that is a default SP procedure) As nothing did happen that way under a20100212.2 this case brought me to the ruling as given. >> CAcert Inc. is convinved, that taking over all R/L/O of a member is >> inappropriate as it might e.g. not be involved in contracts between the >> deceases member and other community members and has no influence on >> this. Probably most of the R/L/O can be voided. The board motion https://community.cacert.org/board/motions.php?motion=m20101212.2 CAcert Inc. appeals on the ruling of a20100212.2 as it is convinced that taking over risks, liabilities and obligations of a deceased member is incorrect because Cacert is not a party in disputes between the deceased member and other community members. is incorrect as CAcert Inc is the contract partner of the CCA (see above) between each member as contract partner 1 and CAcert Inc as contract partner 2 (on behalf of CAcert Community). As such, has CAcert Inc been named in the ruling. >> However, CAcert Inc. accepts that this special case might introduce new >> R/L/O at its disadvantage. This is a risk CAcert Inc. has to carry for >> operating a CA, but whether this requires it to be help liable for this >> should be decided on a case by case basis. The R/L/O that still remains until a notification has been received by CAcert and the case will be handled gives no option to decide on a case by case basis. The R/L/O still remains open until the case will be handled appropiate, that is to lock the account, to revoke all remaining certs. As long this did not happen, CAcert Inc becomes liable caused by the contract and CCA definition itself. >> A wildcard delegation of R/L/O might introduce R/L/O for CAcert Inc. >> which are out of its control and so inappropriate. CAcert and CAcert Inc has its under control, as long procedures exist or becomes deployed, that "deceased member notifications" will be handled as "emergency issue" ... to be handled asap. This brings no extra burden to CAcert Inc and the Community except to handle such cases immediately >> Another issue is that CAcert Inc. was not represented in the dispute. This topic is still an open topic within arbitration, how to name the "unknown" party in administrative disputes. eg member as Claimant against whom ? In delete my account cases by default Respondent is named "CAcert", this is all times CAcert Inc as a contract partner. CAcert Inc will be seldom contacted and heard in such a case as the procedures are delegated to Arbitration (CCA 3.3 termination) The lack of definition what happens with the R/L/O in a case a member deceased and the account will not be handled properly in an appropiate short time after receiving the notification is a situation that isn't and wasn't yet defined in a policy. As Arbitration is the fallback for such unforseen issues it was handled by me under a20100212.2 The option CAcert Inc and the CAcert Community has in the future is to define procedures for intermediate actions with a list of issues that fall under this regime. One other known issue are "external" disputes that requires intermediate action by Arbitration within about 14 days, at least with an intermediate ruling. For Arbitration such a "High Priority Cases" procedure has been defined under https://wiki.cacert.org/Arbitrations/Training/Lesson25 Lesson 25 - High Priority Disputes dated 2012-03-08 that gives some background info, why such cases needs to be handled asap So I've picked up all such "High Priority Disputes" within the last 2 years (no one of the other arbitrators still picked up such cases) to bring them at least to an intermediate ruling state. Probably this needs some education in the Support and Arbitration teams but this is up to their team leaders >> As the appeal will have to be handled by the board this introduces a >> COI. To maintain the spirit of independence and transparancy of CAcerts >> arbitration system, CAcert Inc. directs its powers resulting from § 3.4 >> DRP for case a20100212.2 to the arbitrator re-opening the case [3]. The appeal procedure has been updated in policy voted by policy group https://wiki.cacert.org/PolicyDecisions#p20110108 DRP #3.4 Appeal handled by Arbitrators and is no longer an issue. So current DRP #3.4 supersedes last directs of power given in above order in dispute filing of the appeal. -- mit freundlichen Gruessen / best regards Ulrich Schroeter - CAcert Assurance Team Leader, CAcert Case Manager, CAcert Arbitrator CAcert.org - Free Certificates E-Mail: ulrich@cacert.org
Ruling
I find no evidence of any of clear injustices, egregious behaviour or unconscionable Rulings in the initial case and therefore rule that this case may not proceed to a full appeal!
Action placed on Policy Group - The CCA and related documents need to be updated to allow for the death of a member of the community - preferably regardless of whether or not CAcert is notified.
The issue of the lack of maintainance of the COD controlled policy master documents needs addressing as a matter of some urgency. I have therefore filed a separate dispute a20121101.1 although Policy Group may wish to pick this up prior to that case being heard.
Background.
The original case arose because of the notification of the death of a member.
It was not picked up or processed in a timely manner by “the CAcert system”
A decision to transfer the R/L/O to CAcert Inc. was made.
Reasoning.
In the general case of the death of a member, the original arbitrator has ruled that the Risks, Liabilities and Obligations (R/L/O) fall back on the CACert Inc. as the other party to the CCA contract which seems a reasonable decision. It is also one of the (necessary) corollaries of running a CA - or any other organisation. It should not be an issue if the notification of the death of a member is processed in a sensible timeframe (<14 days!)
The transfer of liability to CAcert Inc. in this specific case was primarily because of the failure of “the system” to process the case to close down the member’s account in a timely manner after the notification was received “so this is CAcert’ s administrative fault.” It is also arguable that this may set a precedent for future cases involving deceased members of the community.
There is a potential risk arising from the original ruling that CACert Inc. could be brought into arbitration in the window between receiving notification of a member’s death and the account being closed. The original arbitrator has recognised this and has stated “This said, I strongly propose to take care about future Dispute filings with notification, that a member deceased. To handle these cases immediately, with an intermediate ruling, a quick arbitration process, so the community keeps protected.”
That said, the risk of such an action is low and arbitrators are (or at least should be!) sensible enough to realise when one of the parties to a case is a dead person represented either directly by his executors or indirectly by some other interested party (such as CAcert Inc. on behalf of the community).
The potential liabilities incurred do not actually change CAcert Inc.’s possible liability - all members (including the legal member CACert Inc.) are limited to a total maximum of 1000 Euros.
In the event of other members dying and CAcert being notified, an arbitration is currently necessary to close the member’s account. It may be necessary for the claimant to be CAcert Inc. as the “other party” in the CAcert Community Agreement since the deceased is not really in a position to request this action. This “close account” arbitration also provides a point at which a further query about actions in that particular case could be raised if the Board (or any other party) has further concerns.
Whilst the Board were very quick to progress a proposal to change the DRP section on appeals to allow for the potential for “conflict of interest”, one wonders why they have not followed the appealed case in a similar manner by proposing (and following through!) changes to the CCA and related documents to Policy Group to allow for the death of a member of the community and therein to clarify what is to happen when the community is notified that a member has died. This is a direction that is still open to them and something that probably needs to be done - we are all likely to die at some point!
From a more pragmatic viewpoint, there is no clear definition of what happens when we are NOT notified when the death of a community member occurs. I would expect such notification to be unusual - CAcert is unlikely to be high in anyone’s viewpoint in processing the affairs of the dead person if it is considered at all.
Obviously the deceased person is not monitoring their primary email and falls foul of CCA 3.5 - but, since they will not respond, how is the “close account” case to proceed. A greater concern is where such a person has made assurances in the past seven years since it is very possible that we will lose the “paper trail” that underpins our web of trust - in a normal “close account” case, the paperwork relating to assurances is expected to be returned to an Arbitrator to be held in the event of any query relating to those assurances. If we are not notified, it is very possible that this paperwork will get lost or destroyed in the closing of the decedent’s affairs.
The non-notified death could also be potentially covered if the CCA were updated to clarify what should be done in this case.
Therefore I place an action on Policy Group to update the CCA and related documents to cater for the death of a community member.
Since this ruling is against the appeal, it transpires that the prior discussions about “which version of the DRP applies” are redundant, although it does leave the issues raised (ie the lack of maintainance of the master policy documents) as a potential problem that needs fairly urgent resolution. To that end, I’ve filed a separate dispute a20121101.1 to get this issue examined and hopefully resolved.
Alex Robertson
CAcert Arbitrator
Crewe, UK
3rd March, 2013
Execution
Similiar Cases
and please add one of the following Topics, delete the rest