View Issue Details

ID: 0000826
Project: Main CAcert Website
Category: account administration
View Status: public
Last Update: 2013-07-20 08:40
Reporter: law
Assigned To:
Priority: normal
Severity: feature
Reproducibility: N/A
Status: new
Resolution: open
Summary: 0000826: Auditing features for fighting abuse of CAcert systems in regard of adding domain/email addresses
Description: From http://wiki.cacert.org/Arbitrations/a20100527.1:

CAcert Inc. and its vicarious agents should update their systems to be able to track abuse considering the comments from the discovery which also have been extended and forwarded to cacert-devel.

Proposed solution:

Thinking about this more generally, from arbitration point of view, the process of adding domains (and email addresses) has to be more auditable. Software team is encouraged to provide input on current implementation or development efforts to rethink the procedure described here. Each automatic mail sent out has to contain a unique identifier by subject and sender/return address. So if a mail is returned CAcert itself can identify: what domain/email, what account, when a possible abuse was tried to be committed. Depending on the volume this handling can be done by support or has to be automated. This also requires a log of the ping mail actions to be kept to identify abuse. The domain/email address additions/verifications for me require auditing functionality to identify abuse and so to protect CAcert from abuse in the long term.

When sending this mail out it should contain more information about reporting abuse (for recipients who have not added the domain themselves). Also the web page which opens when the link is clicked should be more explanatory.
Additional Information: https://lists.cacert.org/wws/arc/cacert-devel/2010-07/msg00004.html
https://lists.cacert.org/wws/arc/cacert-devel/2010-07/msg00005.html
https://lists.cacert.org/wws/arc/cacert-devel/2010-07/msg00006.html
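
The tagged ping mail and return lookup proposed in the description, sketched as an added example (not CAcert code and not part of the original issue). The bounce domain, subject format, HMAC-signed tag and in-memory log are assumptions made for illustration.

```python
import hashlib, hmac, re, secrets
from collections import Counter
from datetime import datetime, timezone

SECRET = secrets.token_bytes(32)        # assumption: per-deployment signing key
BOUNCE_DOMAIN = "bounce.example.org"    # placeholder return-path domain
AUDIT_LOG = {}                          # token -> record; stands in for a DB table
TAG_RE = re.compile(r"\b([0-9a-f]{16})-([0-9a-f]{16})\b")

def _mac(token):
    # Truncated HMAC so a tag cannot be forged or guessed by a third party.
    return hmac.new(SECRET, token.encode(), hashlib.sha256).hexdigest()[:16]

def issue_ping(account_id, target, kind):
    """Log a ping mail and return the tagged envelope sender and subject."""
    token = secrets.token_hex(8)
    tag = f"{token}-{_mac(token)}"
    AUDIT_LOG[token] = {"account": account_id, "target": target, "kind": kind,
                        "sent": datetime.now(timezone.utc), "returned": None}
    return {"envelope_from": f"ping+{tag}@{BOUNCE_DOMAIN}",
            "subject": f"[CAcert ping {tag}] Confirm {kind} {target}"}

def resolve_return(text):
    """Map a bounce recipient or a returned subject line to its log record.
    Returns None when no tag is present or its MAC does not verify."""
    m = TAG_RE.search(text)
    if not m or not hmac.compare_digest(m.group(2), _mac(m.group(1))):
        return None
    rec = AUDIT_LOG.get(m.group(1))
    if rec is not None and rec["returned"] is None:
        rec["returned"] = datetime.now(timezone.utc)
    return rec

def returns_per_account():
    """Count returned ping mails per account, for support triage."""
    return Counter(r["account"] for r in AUDIT_LOG.values() if r["returned"])

if __name__ == "__main__":
    hdr = issue_ping(1001, "example.com", "domain")   # constructed sample
    print(hdr)
    print(resolve_return("Undeliverable: " + hdr["subject"]))
    print(returns_per_account())
```

Because the same tag sits in both the subject and the return address, a returned mail resolves to the account, target and send time whichever of the two survives.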
Tags: No tags attached.
Reviewed by
Test Instructions

Relationships

related to 0000223 confirmed Auditor Interface 
related to 0000592 confirmed The domain name checking have to be improved to be auditable 

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2010-07-20 23:26 law New Issue
2012-12-20 18:41 Werner Dworak Relationship added related to 0000223
2013-07-20 08:40 INOPIAE Relationship added related to 0000592