View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001216||Main CAcert Website||web of trust||public||2013-10-24 13:35||2013-10-24 18:01|
|Summary||0001216: Assure Someone Page Broken; TTP Assurer is pushed to make a false statement, assurance clashes regarding F2F confirmation|
|Description||While testing bug 1065 I'm running into a problem while testing the TTP assurance:|
As this bug appeared somewhere around Sept 2013, and a clear reference to the bug under which this problem started is not clearly identifiable, and this bug affects a couple of other bugs (closed, solved, wip), I've filed this new bug:
checked F2F -> ok
checked TTP -> fail x1)
x1) by following TTP-assisted-assurance documentation instructions
entering a TTP-assisted-assurance documentation
[ ] I certify that [username] has appeared in person
had to be unchecked.
Using the test procedure, this throws an error
"ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert"
"Review the code regarding the new point calculation in ./includes/general.php"
there were still long ongoing discussions
regarding the "I certify that [username] has appeared in person" checking or not.
Around 2012-08-29 "Only tick the next box if the Assurance was face to face." disappeared.
|Statement||F2F||TTP|
|I certify||+||-|
|I believe||+||+|
|I have read||+||+|
assure someone, methods F2F and TTP
note under 1023/1054 agenda item:
"assure someone - f2f, ttp, the sentence "Only tick the next box if the Assurance was face to face" is conflicting "
to add new assurance method TTP
it's still to uncheck
as 1054 gets stalled around March 2013, plan B was introduced to a step by step
changed somewhere between https://bugs.cacert.org/view.php?id=1137#c4199 test 9 (2013-07-31),
and https://bugs.cacert.org/view.php?id=1137#c4290 (2013-09-05)
"I certify that user has appeared in person."
I cannot confirm/state that the user appeared in person (in front of me) like in
a face2face meeting I have to do as an Assurer (!= TTP assurer)
"Only tick the next box if the Assurance was face to face"
did clarify this topic in the way, that the F2F assurance was F2F
and the TTP assurance isn't F2F, so the person didn't appear in person
to me as TTP assurer
so the current software implementation (that requires a checkbox here)
pushes a TTP assurer to make a false statement !!!
According to http://svn.cacert.org/CAcert/Policies/TTPAssistedAssurancePolicy.html
section "3b. The Assurance" defines
* The TTP and the Member must meet face-to-face.
This is documented on the TTP CAP form, that the TTP assurer
has to confirm by the Assurance Statement
3d. The Assurer makes a reliable statement to confirm the Assurance Statement.
that is requestable by paper documentation via the TTP assurers
Not more, nor less.
TTP assurer (probably) never meets the Assuree face-2-face !!!
so I never can confirm that the assuree did appear in person !!!
Ok ... go to the next checkbox ..
"I verify that user has accepted the CAcert Community Agreement." (... as per TTP CAP form documentation)
"I certify that user has appeared in person." (... as per TTP CAP form documentation) x2)
The fact is:
The Assure Someone page got broken!
well ... a few lines later comes the line
"Only tick the next box if the Assurance was face to face." !!!
This is a clear signal, that by restructuring the Assure Someone form
the "Only tick the next box if the Assurance was face to face."
and "I certify that user has appeared in person." gets broken.
and the form has to be read:
Only tick the next box if the Assurance was face to face. (move line 11 to line 7)
(line 7 moved to line 8)
"I certify that user has appeared in person." (new line 8)
The essential part in the TTP assurance is the TTP-Assurers Assurance Statement:
"I believe that the assertion of identity I am making is correct, ... (confidence/no confidence)
complete and verifiable. (I have the TTP CAP form)
I have seen original documentation attesting to this identity. (original documentation is the TTP CAP form as received from TTP)
I accept that the CAcert Arbitrator may call upon me to provide evidence in any dispute,
and I may be held responsible."
This cannot be meant by the current line above
"Only tick the next box if the Assurance was face to face."
(TTP-assurers assurance statement part 2)
"I have read and understood the CAcert Community Agreement (CCA), Assurance Policy
and the Assurance Handbook. I am making this Assurance subject to and in compliance
with the CCA, Assurance policy and handbook."
AP 1.1 The Assurance Statement
The Assurance Statement makes the following claims about a person:
1. The person is a bona fide Member. In other words, the person is a member of the CAcert Community as defined by the CAcert Community Agreement (CCA);
2. The Member has a (login) account with CAcert's on-line registration and service system;
3. The Member can be determined from any CAcert certificate issued by the Account;
4. The Member is bound into CAcert's Arbitration as defined by the CAcert Community Agreement;
5. Some personal details of the Member are known to CAcert: the individual Name(s), primary and other listed individual email address(es), secondary distinguishing feature (e.g. DoB).
The confidence level of the Assurance Statement is expressed by the Assurance Points.
The sentence " I have seen original documentation attesting to this identity."
may raise problems for the TOPUP assurer, that the TOPUP assurance procedure
(that needs to be deployed anyway) requires the transfer of the original TTP CAP form
to the TOPUP assurer
the problem word here is "original documentation". This is ok for the TTP assurer
who receives the original TTP CAP form from the TTP, but it's not ok for
the TOPUP assurer if he only receives scans or photocopies.
But this is subject to the TOPUP deployment
so the problem has probably been introduced under bug https://bugs.cacert.org/view.php?id=1208
that has been transferred recently
this bug has no other references, so it can be assumed, that the changes did happen here
but bug 1208 doesn't give any indication, that TTP assurance has been tested under bug 1208
and that this problem did appear in a testing scenario
further bug references from bug 1054
bug 1134 Delete the board flag thourougly in all parts of our software (closed)
bug 1177 Combine wot.inc.php, notary.inc.php and temp-function.php (solved)
bug 1137 Record the CCA acception for entering an assurance (needs review & testing)
still to be continued
before last adjustments and rearrange regarding CCA checkbox for Assuree made
|Tags||No tags attached.|
|related to||0001054||needs review & testing||Ted||Review the code regarding the new point calculation in ./includes/general.php|
|related to||0001208||closed||BenBE||Improve readability of "Assure someone" page|
|related to||0000988||needs review & testing||Eva||TTP CAP form deployment|
|related to||0001123||closed||BenBE||Add the Check CCA acception to all certificate creation processes|
|parent of||0001177||closed||BenBE||Combine wot.inc.php, notary.inc.php and temp-function.php|
"Please check the following details match against what you witnessed when you met Hans in person.
You MUST NOT proceed unless you are sure the details are correct. You may be held responsible
by the CAcert Arbitrator for any issues with this Assurance."
=> requires a change to meet F2F _and_ TTP assurances requirements
"when you met Hans in person" !!!
... match against what has been witnessed by you when met USER in person
or TTP met the USER in person that is documented in the related CAP form
the second part is ok for F2F assurances and TTP assurances
part 2: name -> ok
part 3: DoB -> ok
part 4: method -> ok
part 5: I certify that Hans Dampf has appeared in person
mhh .. for F2F this section is NOD
TTP-CAP form doesn't give any statement, that the meeting was F2F
(the Assuree appeared in person) at least not on the documentation page
on page 2 (notes/instructions to the TTP) the following applies:
"The purpose of this document is to validate that the person who appears
in front of you is actually who they say they are.
Please verify the individuals identity documents as per your states
part 6: I certify that User has accepted CCA
F2F-Assurer: did ask, documented on CAP
TTP-Assurer: did ask, documented on TTP-CAP
part 4: location -> ok
still to continue ...
|2013-10-24 13:35||Uli60||New Issue|
|2013-10-24 13:35||Uli60||Relationship added||parent of 0001177|
|2013-10-24 13:36||Uli60||Relationship added||parent of 0001137|
|2013-10-24 13:36||Uli60||Relationship added||related to 0001054|
|2013-10-24 13:36||Uli60||Relationship added||related to 0001208|
|2013-10-24 13:38||Uli60||Additional Information Updated||View Revisions|
|2013-10-24 13:38||Uli60||Relationship added||related to 0000988|
|2013-10-24 13:41||Uli60||Additional Information Updated||View Revisions|
|2013-10-24 13:41||Uli60||Relationship added||related to 0001123|
|2013-10-24 17:15||Uli60||Additional Information Updated||View Revisions|
|2013-10-24 18:01||Uli60||Note Added: 0004414|
|2013-11-04 21:00||INOPIAE||Relationship deleted||parent of 0001137|
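The statement matrix given in the report (F2F needs all three boxes; for TTP the "I certify ... has appeared in person" box is left unticked), written as method-aware validation instead of an "all boxes must be checked" test. This is an added example, not CAcert's code: the function name, the statement keys and the method strings are hypothetical.

```php
<?php
// Added example, not taken from the CAcert code base. All names are hypothetical.

// Statement key => assurance methods for which the box has to be ticked,
// following the F2F/TTP matrix in the report.
const STATEMENT_MATRIX = [
    'certify' => ['F2F'],         // "I certify that [username] has appeared in person"
    'believe' => ['F2F', 'TTP'],  // "I believe that the assertion of identity ..."
    'rules'   => ['F2F', 'TTP'],  // "I have read and understood the CCA ..."
];

/**
 * Checks the ticked statements against the assurance method.
 * $checked maps statement keys to true when the box was ticked.
 * Returns a list of error strings; an empty list means the form is acceptable.
 */
function validate_assurance_statements(string $method, array $checked): array
{
    if (!in_array($method, ['F2F', 'TTP'], true)) {
        return ['unknown assurance method'];
    }
    $errors = [];
    foreach (STATEMENT_MATRIX as $statement => $methods) {
        $required = in_array($method, $methods, true);
        $ticked   = !empty($checked[$statement]);
        if ($required && !$ticked) {
            $errors[] = "$statement: must be ticked for $method";
        } elseif (!$required && $ticked) {
            // A ticked box that does not apply to the method records a claim
            // the assurer cannot make, so it is rejected rather than ignored.
            $errors[] = "$statement: must not be ticked for $method";
        }
    }
    return $errors;
}

// Constructed sample submissions, not real form data.
$samples = [
    ['F2F', ['certify' => true, 'believe' => true, 'rules' => true]],
    ['TTP', ['believe' => true, 'rules' => true]],
    ['TTP', ['certify' => true, 'believe' => true, 'rules' => true]],
    ['F2F', ['believe' => true, 'rules' => true]],
];
foreach ($samples as [$method, $checked]) {
    $errors = validate_assurance_statements($method, $checked);
    echo $method, ' ', json_encode($checked), ' => ',
         $errors ? implode('; ', $errors) : 'ok', "\n";
}
```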