Policy-Discussion

[Barry Berg <barry.berg AT charter.net>]

My point is that the assurer is someone that we trust... So let's trust
them.  I do some work in anti-terrorism, and that may color my view, but the
standard there is trust your gut, if something seems off, than it probably
is.  As far as document forgery goes, to truly preserve the chain of
evidence one should confiscate the document, and it should be done with a
witness, the document should go in a sealed pouch, to guarantee that it
remains in the state that it was obtained, and then to a secure storage
medium.  Determining if a document is forged requires training as a forensic
document specialist.  Since we do not require any of those skills, we simply
ask our assurers to trust their gut as to the authenticity of the documents.
So it is the assurer (i.e. the document examiner's) sole determination as to
the authenticity of the assurance.  Thus I maintain if the stop the
assurance they have assured CA Cert that this was not a valid claim.  There
should be a place for them to comment, and that should be extremely good
evidence for the settlement of the dispute.  After all how many assurers do
stop mid-assurance.  Again its all about trusting our staff, or not.

Barry


On 3/21/10 11:14 AM, "Nathan Edward Tuggy" 
<nathantuggy AT sti.net>
 wrote:

> You raise some good points, but I have to wonder (as a non-assurer, mind
> you) how often an assurance is broken off because of personal safety,
> and how often because of documents that look suspicious.
>  From iang's description, it does not sound like there was any physical
> danger, and it does sound like the documents appeared to be forged. In
> such a case, I do consider it sub-optimal to stop the assurance -- as
> much evidence should be collected as possible, and a dispute filed to
> indicate negative confidence.
> 
> On the other hand, it's obviously foolish to put our Assurers into
> harm's way, and if they feel threatened and can escape by stopping the
> assurance, then by all means let them do so! Perhaps even include a
> special disclaimer after iang's recommendation note -- something like
> "Once started, always complete the process (except in cases where life
> or property is in immediate danger)." (this is just a strawman, but
> captures most of what I'm thinking of).
> 
> On the first hand again, is it not possible that breaking off an
> assurance could be more dangerous than continuing it smoothly and
> reassuringly, mentioning at the end how you'll have to go home and
> finish the assurance there, then filing a dispute as soon as possible?
> If you're in physical danger, I'd expect that danger to become a great
> deal more up close and personal if you said you were stopping the assurance.
> If this type of situation is considered a significant possibility,
> perhaps the training should add a short section on what to do to avoid
> confrontations over documents you believe to be forged or tampered with.
> 
>> By requiring the assurance to continue, you are siding with the person
>> seeking assurance, rather than the assurer.
> 
> I would agree, and what is more say (as someone intending to become an
> assurer as soon as possible) "Amen! Let's do more of that!" Assurers
> should try, IMHO, to do as much as possible for assurances, and minimize
> the upfront demands on assurees. This is logical; assurers are
> experienced, trained, dedicated; assurees may be random men off the
> street who know relatively little about CAcert, cryptography, or even
> security. So assurers should try to serve the assurees as far as possible.
> Obviously, this does not extend to putting themselves in danger. But I
> suspect this to be something of a corner case -- important, and
> receiving extra attention because of the drama involved, but rare.
> 
> 
> On 2010-03-21 08:35, Barry Berg wrote:
>> I heartily disagree.  Since an assurer is a volunteer (unless I am 
>> mistaken)
>> since when does that require that they continue the assurance.  I can think
>> of many reasons, why an assurer would choose to break off the assurance,
>> most of them decidedly dealing with the assurer's own feelings of safety.
>> While the assurer does have the option of selecting the place of assurance
>> they do not have the choice of who will attend, and don't forget you are
>> meeting someone who you do not know for the purpose of identifying them.
>> 
>> I think that the focus is on the wrong side.  By requiring the assurance to
>> continue, you are siding with the person seeking assurance, rather than the
>> assurer.  Any reason that an assurer wants to break the process is
>> important, and their right.  It should be noted, and that tells subsequent
>> assurers to perhaps be wary.  Since when is it a right to be assured, if
>> that were the case then there should only be positive assurances for all
>> people.  We have a duty to protect and backup our assurers not the whims of
>> the assured.  In fact there may be a legal liability to the organization if
>> the assurer is harmed.
>> 
>> The hole point of an assurance is using a trusted party, some one we know,
>> to verify someone we do not know.  We have to trust the instincts of the
>> person we trust.  If they feel uneasy, and want to stop the process, what
>> does that tell you.  Instead of saying go through with the process, and 
>> give
>> them 0 points, change the system to allow them to say that they aborted the
>> process, and state the reason why.
>> 
>> Assurance is about trust, and who would we trust, some one we know, and 
>> have
>> verified them to be a person of integrity and trust -- i.e. It is only 
>> their
>> word on the assurance after all, or someone we do not know, who has
>> something to gain (i.e. An assurance) from us.
>> 
>> Trust your people!
>> 
>> barry
>> On 3/21/10 4:12 AM, "Ian 
>> G"<iang AT cacert.org>
>>   wrote:
>> 
>>    
>>> I was engaged in a recent assurance in which the Assurer decided to stop
>>> the assurance.  This was annoying.  There are several reasons for my
>>> annoyance.
>>> 
>>> 1.  It blew my process of co-auditing away ... ok, I can accept that as
>>> merely annoying, but,
>>> 
>>> 2.  As the Assurance was STOPPED, the evidence gathered was incomplete.
>>>    In this case, the person freaked because he assumed the documents to
>>> be forged.  Now, it would seem to me that in the case of real fraudulent
>>> documents, we want the *maximum* evidence possible to deal with this.
>>> Not to stop things, and tear up the evidence...
>>> 
>>> 3.  Assurance Policy states quite clearly that if there is zero
>>> confidence, then zero points should *allocated*.  Not that the Assurance
>>> should be stopped.
>>> 
>>> 4.  Also, if there is negative confidence ... like, this dude is on a
>>> fast plane to dubai ... the Assurance Policy says "consider filing a
>>> dispute."  OK, it doesn't then say it in plain words, but that would
>>> seem to imply that we want all the evidence possible...
>>> 
>>> Against that, there is only one reason I can think of for "stopping" an
>>> Assurance:
>>> 
>>> 5.  The Assurance is at the Assurer's option.
>>> 
>>> 
>>> 
>>> OK, so open question:  is there any good reason to stop an assurance
>>> during a meeting?
>>> 
>>> Or, more precisely, is there any good reason to recommend a stopped
>>> Assurance?
>>> 
>>> And, can we put in the training doco a recommendation [1]:
>>> 
>>>       "Once started, always complete the process."
>>> 
>>> (Where completion includes full, partial, zero points or a dispute.)
>>> 
>>> 
>>> 
>>> iang
>>> 
>>> [1] reviewing the ATE dox, hence the question.......
>>> 
>>>

Attachment: smime.p7s
Description: S/MIME cryptographic signature