Policy-Discussion

[Philipp Gühring <pg AT futureware.at>]

Hi,

> What follows is a cut/paste of an email exchange I had with someone (a
> CAcert Assurer) who reported that his Assurance Form archive was stolen
> (from his parked car).
>
> Question: is there any policy rule on this?

Not yet.

I think at first we should investigate, and try to answer the following 
questions:

* How many papers/people are affected?
* Are the assurances entered into the system yet?
* When and where was the meeting?
* When and where were the forms stolen?
* The names (+ email addresses) of the other assurers that were at the same 
assurance event
* How likely is it that the information on the papers could be abused by the 
thief?
* How likely is it that the information on the papers were actually the 
intended target of the thief?
* People from which nationalities were affected?
* Were just the forms of one single event lost, or all forms?
* Is the account data leaked as well? (Username+password) ?
* Is the assurer still able to login to the account?


The following procedure has been developed for generally lost or otherwise 
unavailable assurance forms:
As soon as CAcert gets knowledge about unavailable assurance forms, CAcert 
tries to inform all affected users, that their assurances might not be 
verifyable anymore, and that could therefore get deleted in the future. Since 
this could cause their assurance points to drop under the necessay level for 
the certificates they issued, their certificates are in danger of being 
revoked. Therefore the users are told that they should try to get assured to 
collect reserve points, to protect against the loss of points.

Now with the problem of stolen assurance forms, the topic gets a bit more 
complicated:
http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
http://www.cippic.ca/en/bulletin/BreachNotification_9jan07-web.pdf

On the one hand, it only applies to California (have other countries adopted 
that bill too, afterwards?), but on the other hand, I think that personally 
thinkt that it might be a good idea for CAcert to adopt it for CAcert 
worldwide.

(Hmmm, does ROT13 on paper count as encrypted?)

The things that should be done now:
* Inform the users whose identities are affected
  * Inform them that the papers have been lost
  * Inform them that they should meet another assurer in case they might not 
have enough points, when the points you already issued are revoked


Assurances are only revoked when we have any good reason to believe that they 
were wrong in itself. (is perhaps a better definition than "material 
evidence")



One open question is, whether we should publically announce the breach, or 
just contact the affected people directly.

In the mean time, our PR department (thanks Henrik!) has developed a concept 
for how we could announce the breach:
-------------------
Assurance forms have been stolen

At a theft in XX the real aim was computer parts and cash the thief took
along in the enthusiasm also approx. 20 CAcert CAP forms. There are only
the forms merely names, date of birth and necessary e-mail addresses on
the forms and there don't have further material value. We therefore ask
anybody to contact us at references to the whereabouts of these forms
under 
support AT cacert.org.
 CAcert will contact the affected people within the 
next few days to inform them that they should make the Assurence up once 
again.
-----------------


Any other ideas, suggestions, ...?


Best regards,
Philipp Gühring