View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001216 | Main CAcert Website | web of trust | public | 2013-10-24 13:35 | 2013-10-24 18:01 |
Reporter | Uli60 | Assigned To | |||
Priority | normal | Severity | major | Reproducibility | always |
Status | new | Resolution | open | ||
Summary | 0001216: Assure Someone Page Broken; TTP Assurer is pushed to make a false statement, assurance clashes regarding F2F confirmation | ||||
Description | While testing bug 1065 I'm running into a problem while testing the TTP assurance.

As this bug appeared somewhere around Sept 2013, and a clear reference to the bug under which this problem started is not clearly identifiable, and this bug affects a couple of other bugs (closed, solved, wip), I've filed this new bug:

checked F2F -> ok
checked TTP -> fail x1)

x1) by following TTP-assisted-assurance documentation instructions, entering a TTP-assisted-assurance; documentation:
* https://wiki.cacert.org/TTP/TTPadmins
* https://wiki.cacert.org/TTP/TTPadmins#Entering_TTP-assisted-assurances_into_the_Online_system

the line
[ ] I certify that [username] has appeared in person
had to be unchecked. Using the test procedure, this throws an error
"ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert" ?!?

Under https://bugs.cacert.org/view.php?id=1054 "Review the code regarding the new point calculation in ./includes/general.php" there were still long ongoing discussions regarding checking "I certify that [username] has appeared in person" or not. Around 2012-08-29 "Only tick the next box if the Assurance was face to face." disappeared.

| | F2F | TTP |
|---|---|---|
| i certify | + | - |
| i believe | + | + |
| i have read | + | + |

pages/wot/6.php assure someone, methods F2F and TTP

note under 1023/1054 agenda item: "assure someone - f2f, ttp, the sentence "Only tick the next box if the Assurance was face to face" is conflicting"

https://bugs.cacert.org/view.php?id=888 to add new assurance method TTP: it's still to uncheck

as 1054 gets stalled around March 2013, plan B was introduced to a step by step implementation

Checkbox required changed somewhere between
https://bugs.cacert.org/view.php?id=1137#c4199 test 9 (2013-07-31),
https://bugs.cacert.org/view.php?id=1137#c4239 (2013-08-20) and
https://bugs.cacert.org/view.php?id=1137#c4290 (2013-09-05)

"I certify that user has appeared in person."
I cannot confirm/state that the user appeared in person (in front of me) like in a face2face meeting I have to do as an Assurer (!= TTP assurer).

Previously the note "Only tick the next box if the Assurance was face to face" did clarify this topic in the way that the F2F assurance was F2F and the TTP assurance isn't F2F, so the person didn't appear in person to me as TTP assurer,

so the current software implementation (that requires a checkbox here) pushes a TTP assurer to make a false statement !!!

According to http://svn.cacert.org/CAcert/Policies/TTPAssistedAssurancePolicy.html section "3b. The Assurance" defines
* The TTP and the Member must meet face-to-face.

This is documented on the TTP CAP form, that the TTP assurer has to confirm by the Assurance Statement

3d. The Assurer makes a reliable statement to confirm the Assurance Statement.

that is requestable by paper documentation via the TTP assurers. Not more, nor less.

TTP assurer (probably) never meets the Assuree face-2-face !!! so I never can confirm that the assuree did appear in person !!!

Ok ... go to the next checkbox ..
"I verify that user has accepted the CAcert Community Agreement." (... as per TTP CAP form documentation)
what's with
"I certify that user has appeared in person." (... as per TTP CAP form documentation) x2) ???

The fact is: The Assure Someone page got broken!

well ... a few lines later comes the line
"Only tick the next box if the Assurance was face to face." !!!

This is a clear signal that by restructuring the Assure Someone form the "Only tick the next box if the Assurance was face to face." and "I certify that user has appeared in person." gets broken.

and the form has to be read:
Only tick the next box if the Assurance was face to face. (move line 11 to line 7)
(line 7 moved to line 8) "I certify that user has appeared in person."
(new line 8)

The essential part in the TTP assurance is the TTP-Assurer's Assurance Statement:

"I believe that the assertion of identity I am making is correct, ... (confidence/no confidence)
complete and verifiable. (I have the TTP CAP form)
I have seen original documentation attesting to this identity. (original documentation is the TTP CAP form as received from TTP)
I accept that the CAcert Arbitrator may call upon me to provide evidence in any dispute, and I may be held responsible."

This cannot be meant by the current line above
"Only tick the next box if the Assurance was face to face."

(TTP-assurer's assurance statement part 2)
-and-
"I have read and understood the CAcert Community Agreement (CCA), Assurance Policy and the Assurance Handbook. I am making this Assurance subject to and in compliance with the CCA, Assurance policy and handbook."

AP 1.1 The Assurance Statement

The Assurance Statement makes the following claims about a person:
1. The person is a bona fide Member. In other words, the person is a member of the CAcert Community as defined by the CAcert Community Agreement (CCA);
2. The Member has a (login) account with CAcert's on-line registration and service system;
3. The Member can be determined from any CAcert certificate issued by the Account;
4. The Member is bound into CAcert's Arbitration as defined by the CAcert Community Agreement;
5. Some personal details of the Member are known to CAcert: the individual Name(s), primary and other listed individual email address(es), secondary distinguishing feature (e.g. DoB).

The confidence level of the Assurance Statement is expressed by the Assurance Points.

The sentence "I have seen original documentation attesting to this identity." may raise problems for the TOPUP assurer, in that the TOPUP assurance procedure (that needs to be deployed anyway) requires the transfer of the original TTP CAP form to the TOPUP assurer. The problem word here is "original documentation".
This is ok for the TTP assurer who receives the original TTP CAP form from the TTP, but it's not ok for the TOPUP assurer if he only receives scans or photocopies. But this is subject to the TOPUP deployment.

So the problem has probably been introduced under bug https://bugs.cacert.org/view.php?id=1208 that has been transferred recently. This bug has no other references, so it can be assumed that the changes did happen here, but bug 1208 doesn't give any indication that TTP assurance has been tested under bug 1208 and that this problem did appear in a testing scenario.

further bug references from bug 1054
* bug 1134 Delete the board flag thourougly in all parts of our software (closed)
* bug 1177 Combine wot.inc.php, notary.inc.php and temp-function.php (solved)
* bug 1137 Record the CCA acception for entering an assurance (needs review & testing)

still to be continued | ||||
Additional Information |
* http://www.cacert.org/policy/AssurancePolicy.php
* http://svn.cacert.org/CAcert/Policies/TTPAssistedAssurancePolicy.html
* https://wiki.cacert.org/TTP/TTPadmins
* https://wiki.cacert.org/TTP/TTPadmins#Entering_TTP-assisted-assurances_into_the_Online_system
* https://wiki.cacert.org/Software/Assessment/20120904-S-A-MiniTOP
* https://wiki.cacert.org/Software/Assessment/20131022-S-A-MiniTOP
* http://wiki.cacert.org/TTP/TTPadmins?action=AttachFile&do=get&target=TTP-assurance.jpg before last adjustments and rearrange regarding CCA checkbox for Assuree made | ||||
Tags | No tags attached. | ||||
Reviewed by | |||||
Test Instructions | |||||
related to | 0001054 | needs review & testing | Ted | Review the code regarding the new point calculation in ./includes/general.php |
related to | 0001208 | closed | BenBE | Improve readability of "Assure someone" page |
related to | 0000988 | needs review & testing | Eva | TTP CAP form deployment |
related to | 0001123 | closed | BenBE | Add the Check CCA acception to all certificate creation processes |
parent of | 0001177 | closed | BenBE | Combine wot.inc.php, notary.inc.php and temp-function.php |
|
part 1:
"Please check the following details match against what you witnessed when you met Hans in person. You MUST NOT proceed unless you are sure the details are correct. You may be held responsible by the CAcert Arbitrator for any issues with this Assurance."
=> requires a change to meet F2F _and_ TTP assurances requirements
"when you met Hans in person" !!!
... match against what has been witnessed by you when met USER in person or TTP met the USER in person that is documented in the related CAP form
the second part is ok for F2F assurances and TTP assurances

part 2: name -> ok
part 3: DoB -> ok
part 4: method -> ok

part 5: I certify that Hans Dampf has appeared in person
mhh .. for F2F this section is NOD
TTP-CAP form doesn't give any statement that the meeting was F2F (the Assuree appeared in person), at least not on the documentation page
on page 2 (notes/instructions to the TTP) the following applies:
"The purpose of this document is to validate that the person who appears in front of you is actually who they say they are. Please verify the individuals identity documents as per your states Notarial requirements."

part 6: I certify that User has accepted CCA
F2F-Assurer: did ask, documented on CAP
TTP-Assurer: did ask, documented on TTP-CAP

part 4: location -> ok

still to continue ... |
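The checkbox matrix from the report (F2F/TTP against the three statements), modelled as a validation rule next to the "all boxes required" behaviour the report describes. This is an added example, not CAcert's code, and it is written in Python rather than the site's PHP; the key names, function names and the choice to reject a ticked "appeared in person" box for TTP are assumptions.

```python
from enum import Enum

class Method(Enum):
    F2F = "F2F"
    TTP = "TTP"

# Hypothetical keys for the three statements on the "Assure Someone" form.
CERTIFY = "certify_appeared_in_person"
BELIEVE = "believe_assertion_correct"
READ = "read_cca_ap_handbook"
ALL_BOXES = (CERTIFY, BELIEVE, READ)

# The reporter's matrix: True = "+" (must be ticked), False = "-" (must stay unticked).
MATRIX = {
    Method.F2F: {CERTIFY: True, BELIEVE: True, READ: True},
    Method.TTP: {CERTIFY: False, BELIEVE: True, READ: True},
}

def validate_all_boxes(method, ticked):
    """Behaviour described in the report: every box is required, whatever the method."""
    return ["missing: " + box for box in ALL_BOXES if box not in ticked]

def validate_per_method(method, ticked):
    """Method-aware check: a statement is an attestation, so reject both a
    missing required statement and one the chosen method cannot support."""
    errors = ["unknown: " + box for box in sorted(set(ticked) - set(ALL_BOXES))]
    for box, required in MATRIX[method].items():
        if required and box not in ticked:
            errors.append("missing: " + box)
        elif not required and box in ticked:
            errors.append("not applicable for %s: %s" % (method.name, box))
    return errors

def record_statements(method, ticked):
    """Return the statements to store with the assurance; raise if invalid."""
    errors = validate_per_method(method, ticked)
    if errors:
        raise ValueError("; ".join(errors))
    return sorted(ticked)

if __name__ == "__main__":
    honest_ttp = {BELIEVE, READ}  # constructed input: a TTP assurer who did not meet the assuree
    print("all-boxes rule :", validate_all_boxes(Method.TTP, honest_ttp))
    print("per-method rule:", validate_per_method(Method.TTP, honest_ttp))
```

With the all-boxes rule the only way for a TTP assurer to submit is to tick a statement that is untrue for the method, and that statement is then what the stored record attests.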
Date Modified | Username | Field | Change |
---|---|---|---|
2013-10-24 13:35 | Uli60 | New Issue | |
2013-10-24 13:35 | Uli60 | Relationship added | parent of 0001177 |
2013-10-24 13:36 | Uli60 | Relationship added | parent of 0001137 |
2013-10-24 13:36 | Uli60 | Relationship added | related to 0001054 |
2013-10-24 13:36 | Uli60 | Relationship added | related to 0001208 |
2013-10-24 13:38 | Uli60 | Additional Information Updated | |
2013-10-24 13:38 | Uli60 | Relationship added | related to 0000988 |
2013-10-24 13:41 | Uli60 | Additional Information Updated | |
2013-10-24 13:41 | Uli60 | Relationship added | related to 0001123 |
2013-10-24 17:15 | Uli60 | Additional Information Updated | |
2013-10-24 18:01 | Uli60 | Note Added: 0004414 | |
2013-11-04 21:00 | INOPIAE | Relationship deleted | parent of 0001137 |