
cacert-devel - Re: patches for CCA ... not yet ready ...

Subject: CAcert Code Development list.

  • From: "dirk astrath" <dastrath AT gmx.de>
  • To: <cacert-devel AT lists.cacert.org>
  • Subject: Re: patches for CCA ... not yet ready ...
  • Date: Wed, 24 Jun 2009 10:09:36 +0200

hiya ted,

those DB changes look quite good to me. One thing that just jumped to my mind: Maybe we should provide the possibility to keep a *rejected* answer (at least temporarily), so maybe an additional boolean "accepted" column would be nice to have.

hm ... if you reject the CCA by not clicking the checkbox, the corresponding function will not be called ... and therefore there will be no new entry in the table ... ;-)

(e.g. without acceptance of CCA you will not be able to generate certificates/assure/...)

... which means: during an assurance two records are created ... one for
the assurer (active) and one for the applicant (passive)
I'm not very happy about "implicit acceptance" of the CCA by doing an Assurance.

since there is a 'i agree to the cca' on the cap-form, the applicant agreed to it ... and this should be honored ...

... the assurer himself has to agree to it, too ... (see above) ...

At least there should be two checkboxes, one for "The applicant did accept the CCA" and "I accept the CCA". And maybe those Checkboxes should only be shown if there is no "accepted" record of the relevant type in the agreements-table.

hm ... this (maybe) brings up a problem ...

... now you have to check all checkboxes to key in an assurance ... who ensures, that the 'applicant accepted cca' is not set faulty?

but maybe it makes sense to ask for it and store the result of this checkbox in the database without requiring it ...

As described below I'd prefer the explicit acceptance of the CCA during the login process.

this causes a problem:

you have to accept the cca while you login (set a checkbox on the login-page) ... but ... if you use a certificate-login, you don't have to key in username and password.

the software itself can't easily be changed in a way, that there is a special page telling the user 'and now please agree to the cca' since you can access various pages when you logged in ... ;-(

... and ... if you don't want to agree to the cca and use the webform to write to support to get your account deleted ... you would not be able to do it, if you don't agree to the cca ... ;-(

   * At every login the users_agreements table is checked whether all
     "important" agreements (currently only the CCA) have been accepted.
   * If agreements have been rejected a message is shown, maybe there
     could be the possibility for the user to change his mind now and
     accept the agreement.
   * If there is neither an accepted nor a rejected agreement record
     the user is shown the agreement and asked to "accept and continue"
     or "reject and resign from CAcert"
   * If an accepted agreement is found the login continues as usual

this should be noted down for the new software ... imho it's not possible to patch this waterproof in the actual software ... ;-(

I prefer this idea to the idea of "implicitly accepting" by signing CAP forms because it leaves less loopholes for the user to say "but you did not tell me this"... Of course the "implicit accepting" would still be better than the current situation (nothing).

after doing the changes i'll put the patched files on test1 ... we should then test it there and think about the patches, we can implement in the NEAR future ...

... if the first bunch of patches is done, we should think about, how we can make it perfect ... ( e.g. after login etc. ...)

But maybe this is probably a topic for the policy list anyway...

;-)

have a nice day ...
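
The login-time check listed in the message above, as an added sketch that is not part of the original e-mail or of CAcert's code: the decision is made per request rather than on the password form, so a certificate login is covered, and the support form stays reachable for someone who has not accepted. Only the `users_agreements` table name and the "accepted" flag come from the thread; the other columns, the paths and the return values are assumptions.

```python
import sqlite3

REQUIRED = ("CCA",)  # "important" agreements; the thread names only the CCA
# Assumed paths that must work without acceptance (support form, the decision page).
EXEMPT_PATHS = {"/support/contact", "/agreements/decide", "/logout"}

def open_db():
    conn = sqlite3.connect(":memory:")
    # Assumed layout: the thread gives only the table name and an "accepted" flag.
    conn.execute("""CREATE TABLE users_agreements (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        user_id INTEGER NOT NULL,
        agreement TEXT NOT NULL,
        accepted INTEGER NOT NULL CHECK (accepted IN (0, 1)),
        recorded_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)""")
    return conn

def record_decision(conn, user_id, agreement, accepted):
    # Append-only: a later row supersedes an earlier one and the history is kept,
    # so a rejection stays on record even after the user changes their mind.
    conn.execute(
        "INSERT INTO users_agreements (user_id, agreement, accepted) VALUES (?, ?, ?)",
        (user_id, agreement, 1 if accepted else 0))

def agreement_state(conn, user_id, agreement):
    row = conn.execute(
        "SELECT accepted FROM users_agreements WHERE user_id = ? AND agreement = ? "
        "ORDER BY id DESC LIMIT 1", (user_id, agreement)).fetchone()
    if row is None:
        return "undecided"
    return "accepted" if row[0] else "rejected"

def gate(conn, user_id, path):
    """Decide what an authenticated request gets, whatever the login method."""
    if path in EXEMPT_PATHS:
        return "continue"
    for agreement in REQUIRED:
        state = agreement_state(conn, user_id, agreement)
        if state == "rejected":
            return "show_rejected_notice"   # may offer the chance to accept after all
        if state == "undecided":
            return "show_agreement"         # "accept and continue" or "reject and resign"
    return "continue"
```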


