
cacert-devel - Re: Auditing/fighting abuse of CAcert systems in regard of adding domain/email addresses (a20100527.1)

Subject: CAcert Code Development list.

  • From: Ian G <iang AT cacert.org>
  • To: cacert-devel AT lists.cacert.org
  • Cc: Cacert List SE <cacert-se AT lists.cacert.org>
  • Subject: Re: Auditing/fighting abuse of CAcert systems in regard of adding domain/email addresses (a20100527.1)
  • Date: Wed, 14 Jul 2010 10:16:06 +1000
  • Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none

On 13/07/10 8:46 PM, Mario Lipinski wrote:
Hi developers,

Working on the above mentioned arbitration I came across the topic of how to
handle abuse of the CAcert systems in regard to adding domain/email
addresses. This means a user adding a domain or email address he is not
authorized to add and the ping test is subject to fail.

Questions about current status: The support team only has access to
information about domains/email addresses for which the period to answer
the ping has not expired. Are these kept for a longer time in the
database? When are they deleted? What is deleted?


Support team doesn't really have access to any useful information, AFAIK.

https://wiki.cacert.org/comma/Support/Triage skim for "abuse reports";

What happens is that a URL is put in the ping mail going out to a user. If the user decides this is an abuse, they can click that URL and send a mail. But the mail that arrives at Support@ does not contain enough information to be useful.

Also, there is no interface in the system that I know of to help. So effectively, Support can do nothing.

During the arbitration I drew up the following:

Thinking about this more generally, from arbitration point of view, the
process of adding domains (and email addresses) has to be more
auditable. Software team is encouraged to provide input on current
implementation or development efforts to rethink the procedure described
here. Each automatic mail sent out has to contain a unique identifier
by subject and sender/return address. So if a mail is returned CAcert
itself can identify: what domain/email, what account, when a possible
abuse was tried to be committed. Depending on the volume this handling
can be done by support or has to be automated. This also requires a log
of the ping mail actions to be kept to identify abuse. The domain/email
address additions/verifications for me require auditing functionality to
identify abuse and so to protect CAcert from abuse in the long term.


OK, we certainly need something like that. Right now, we can't handle abuse except when reported out of band, such as occurred in the 2009 Arbitration.


Another thought: When sending this mail out it should contain more
information about reporting abuse (for recipients who have not added
the domain themselves). Also the web page which opens when the link is
clicked should be more explanatory.


Another related issue is the checking of domain verification: in the CPS, domain checking requires *TWO* checks, not one. So the system as it is is not in compliance with the CPS.

https://wiki.cacert.org/PolicyDecisions#p20090105.1

iang
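
The per-mail identifier and ping log proposed in the quoted text, sketched as an added example that is not part of the original message or of CAcert's code. The names `issue_ping` and `resolve_report`, the subject format, the `example.org` return address, the secret and the in-memory log are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets
import time

SECRET = b"constructed-demo-key"  # assumption: server-side key, never mailed out
AUDIT_LOG = {}                    # assumption: stands in for a persistent ping-log table


def _tag(ping_id):
    # Keyed tag so an identifier cannot be guessed or forged by a reporter.
    return hmac.new(SECRET, ping_id.encode(), hashlib.sha256).hexdigest()[:16]


def issue_ping(account_id, target, now=None):
    """Log a ping and return (subject, return_path) that both carry its identifier."""
    ping_id = secrets.token_hex(8)
    AUDIT_LOG[ping_id] = {
        "account": account_id,   # which account tried to add the address
        "target": target,        # which domain/email was pinged
        "sent_at": int(now if now is not None else time.time()),
        "reported": False,
    }
    # The token is opaque: the mail reveals nothing about the account.
    token = f"{ping_id}-{_tag(ping_id)}"
    return f"[CAcert ping {token}]", f"ping+{token}@example.org"


def resolve_report(subject_or_address):
    """Map a returned or reported mail back to its log record; None if unknown or forged."""
    match = re.search(r"([0-9a-f]{16})-([0-9a-f]{16})", subject_or_address)
    if not match:
        return None
    ping_id, tag = match.groups()
    if not hmac.compare_digest(tag, _tag(ping_id)):
        return None
    record = AUDIT_LOG.get(ping_id)
    if record is not None:
        record["reported"] = True  # keep the abuse report in the audit trail
    return record


if __name__ == "__main__":
    subject, return_path = issue_ping(42, "example.com")  # constructed sample values
    print(subject, return_path, resolve_report(return_path))
```

Because the record stays in the log until it is explicitly purged, a report can still be resolved after the ping's answer period has expired.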
