View Issue Details

IDProjectCategoryView StatusLast Update
0001216Main CAcert Websiteweb of trustpublic2013-10-24 18:01
ReporterUli60 Assigned To 
PrioritynormalSeveritymajorReproducibilityalways
Status newResolutionopen 
Summary0001216: Assure Someone Page Broken; TTP Assurer is pushed to make a false statement, assurance clashes regarding F2F confirmation
Descriptionwhile testing bug 1065 I'm running in a problem while testing the TTP assurance:
As this bug appeared somewhere around Sept 2013 and a clear reference under which bug this problem started is not clear identifyable, and this bug affects a couple of other bugs (closed, solved, wip) I've file this new bug:

checked F2F -> ok
checked TTP -> fail x1)

x1) by following TTP-assisted-assurance documentation instructions
entering a TTP-assisted-assurance documentation
 * https://wiki.cacert.org/TTP/TTPadmins
 * https://wiki.cacert.org/TTP/TTPadmins#Entering_TTP-assisted-assurances_into_the_Online_system
the line
  [ ] I certify that [username] has appeared in person
had to be unchecked.

Using the test procedure, this throws an error
"ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert"

?!?

Under https://bugs.cacert.org/view.php?id=1054
"Review the code regarding the new point calculation in ./includes/general.php"
there was still long ongoing discussions
regarding the "I certify that [username] has appeared in person" checking or not.
Around 2012-08-29 "Only tick the next box if the Assurance was face to face." disappeared.
 ........ F2F TTP
i certify . + -
i believe . + +
i have read + +

pages/wot/6.php
assure someone, methods F2F and TTP

note under 1023/1054 agenda item:
"assure someone - f2f, ttp, the sentence "Only tick the next box if the Assurance was face to face" is conflicting "

https://bugs.cacert.org/view.php?id=888
to add new assurance method TTP
its still to uncheck

as 1054 gets stalled around March 2013, plan B was introduced to a step by step
implementation

Checkbox required
changed somewhere between https://bugs.cacert.org/view.php?id=1137#c4199 test 9 (2013-07-31),
https://bugs.cacert.org/view.php?id=1137#c4239 (2013-08-20)
and https://bugs.cacert.org/view.php?id=1137#c4290 (2013-09-05)


"I certify that user has appeared in person."
I cannot confirm/state that the user appeared in person (in front of me) like in
a face2face meeting I have to do as an Assurer (!= TTP assurer)
Previously note
"Only tick the next box if the Assurance was face to face"
did clarify this topic in the way, that the F2F assurance was F2F
and the TTP assurance isn't F2F, so the person didn't appeared in person
to me as TTP assurer
so the current software implementation (that requires a checkbox here)
pushes a TTP assurer to make a false statement !!!

According to http://svn.cacert.org/CAcert/Policies/TTPAssistedAssurancePolicy.html
section "3b. The Assurance" defines
 * The TTP and the Member must meet face-to-face.
This is documented on the TTP CAP form, that the TTP assurer
has to confirm by the Assurance Statement
 3d. The Assurer makes a reliable statement to confirm the Assurance Statement.
that is requestable by paper documentation via the TTP assurers
Not more, nor less.
TTP assurer (probably) never meets the Assuree face-2-face !!!
so I never can confirm that the assuree did appeared in person !!!

Ok ... go to the next checkbox ..
"I verify that user has accepted the CAcert Community Agreement." (... as per TTP CAP form documentation)

whats with
"I certify that user has appeared in person." (... as per TTP CAP form documentation) x2)
???

The fact is:
The Assure Someone page gots broken!

well ... a few lines later comes the line
"Only tick the next box if the Assurance was face to face." !!!

This is a clear signal, that by restructuring the Assure Someone form
the "Only tick the next box if the Assurance was face to face."
and "I certify that user has appeared in person." gets broken.

and the form has to be read:

Only tick the next box if the Assurance was face to face. (move line 11 to line 7)
(line 7 moved to line 8)
"I certify that user has appeared in person." (new line 8)

The essential part in the TTP assurance is the TTP-Assurers Assurance Statement:
"I believe that the assertion of identity I am making is correct, ... (confidence/no confidence)
 complete and verifiable. (I have the TTP CAP form)
 I have seen original documentation attesting to this identity. (original documentation is the TTP CAP form as received from TTP)
 I accept that the CAcert Arbitrator may call upon me to provide evidence in any dispute,
 and I may be held responsible."

This cannot be mean by the current line above
"Only tick the next box if the Assurance was face to face."

(TTP-assurers assurance statement part 2)
-and-
"I have read and understood the CAcert Community Agreement (CCA), Assurance Policy
 and the Assurance Handbook. I am making this Assurance subject to and in compliance
 with the CCA, Assurance policy and handbook."

AP 1.1 The Assurance Statement
 The Assurance Statement makes the following claims about a person:
 1. The person is a bona fide Member. In other words, the person is a member of the CAcert Community as defined by the CAcert Community Agreement (CCA);
 2. The Member has a (login) account with CAcert's on-line registration and service system;
 3. The Member can be determined from any CAcert certificate issued by the Account;
 4. The Member is bound into CAcert's Arbitration as defined by the CAcert Community Agreement;
 5. Some personal details of the Member are known to CAcert: the individual Name(s), primary and other listed individual email address(es), secondary distinguishing feature (e.g. DoB).
The confidence level of the Assurance Statement is expressed by the Assurance Points.



The sentence " I have seen original documentation attesting to this identity."
may arise problems for the TOPUP assurer, that the TOPUP assurance procedure
(that needs to be deployed anyway) requires the transfer of the original TTP CAP form
to the TOPUP assurer
the problem word here is "original documentation". This is ok for the TTP assurer
who receives the originaly TTP CAP form from the TTP, but its not ok for
the TOPUP assurer if he only receives scans or photocopies.
But this is subject to the TOPUP deployment

so the problem has probably been introduced under bug https://bugs.cacert.org/view.php?id=1208
that has been transfered recently
this bug has no other references, so it can be assumed, that the changes did happen here
but bug 1208 doesn't give any indication, that TTP assurance has been tested under bug 1208
and that this problem did appear in a testing scenario

further bug references from bug 1054
bug 1134 Delete the board flag thourougly in all parts of our software (closed)
bug 1177 Combine wot.inc.php, notary.inc.php and temp-function.php (solved)
bug 1137 Record the CCA acception for entering an assurance (needs review & testing)

still to be continued
Additional Informationhttp://www.cacert.org/policy/AssurancePolicy.php
http://svn.cacert.org/CAcert/Policies/TTPAssistedAssurancePolicy.html
https://wiki.cacert.org/TTP/TTPadmins
https://wiki.cacert.org/TTP/TTPadmins#Entering_TTP-assisted-assurances_into_the_Online_system

https://wiki.cacert.org/Software/Assessment/20120904-S-A-MiniTOP
https://wiki.cacert.org/Software/Assessment/20131022-S-A-MiniTOP

http://wiki.cacert.org/TTP/TTPadmins?action=AttachFile&do=get&target=TTP-assurance.jpg
before last adjustments and rearrange regarding CCA checkbox for Assuree made
TagsNo tags attached.
Reviewed by
Test Instructions

Relationships

related to 0001054 needs review & testingTed Review the code regarding the new point calculation in ./includes/general.php 
related to 0001208 closedBenBE Improve readability of "Assure someone" page 
related to 0000988 needs review & testingEva TTP CAP form deployment 
related to 0001123 closedBenBE Add the Check CCA acception to all certificate creation processes 
parent of 0001177 closedBenBE Combine wot.inc.php, notary.inc.php and temp-function.php 

Activities

Uli60

2013-10-24 18:01

updater   ~0004414

part 1:
"Please check the following details match against what you witnessed when you met Hans in person.
 You MUST NOT proceed unless you are sure the details are correct. You may be held responsible
 by the CAcert Arbitrator for any issues with this Assurance."

=> requires a change to meet F2F _and_ TTP assurances requirements
           "when you met Hans in person" !!!

... match against what has been witnessed by you when met USER in person
or TTP met the USER in person that is documented in the related CAP form

the second part is ok for F2F assurances and TTP assurances


part 2: name -> ok
part 3: DoB -> ok
part 4: method -> ok
part 5: I certify that Hans Dampf has appeared in person
 mhh .. for F2F this section is NOD
 TTP-CAP form doesn't give any statement, that the meeting was F2F
 (the Assuree appeared in person) at least not on the documentation page
 on page 2 (notes/instructions to the TTP) the following applies:
 "The purpose of this document is to validate that the person who appears
  in front of you is actually who they say they are.
  Please verify the individuals identity documents as per your states
  Notarial requirements."

part 6: I certify that User has accepted CCA
 F2F-Assurer: did ask, documented on CAP
 TTP-Assurer: did ask, documented on TTP-CAP
part 4: location -> ok

still to continue ...

Issue History

Date Modified Username Field Change
2013-10-24 13:35 Uli60 New Issue
2013-10-24 13:35 Uli60 Relationship added parent of 0001177
2013-10-24 13:36 Uli60 Relationship added parent of 0001137
2013-10-24 13:36 Uli60 Relationship added related to 0001054
2013-10-24 13:36 Uli60 Relationship added related to 0001208
2013-10-24 13:38 Uli60 Additional Information Updated
2013-10-24 13:38 Uli60 Relationship added related to 0000988
2013-10-24 13:41 Uli60 Additional Information Updated
2013-10-24 13:41 Uli60 Relationship added related to 0001123
2013-10-24 17:15 Uli60 Additional Information Updated
2013-10-24 18:01 Uli60 Note Added: 0004414
2013-11-04 21:00 INOPIAE Relationship deleted parent of 0001137