Policy-Discussion

[Ian G <iang AT iang.org>]

On 22/03/2010 15:01, Peter Williams wrote:
> I work in  audit, and this may colour my view, but the standard there is
> trust your tick sheet. There is correct and not correct, under the rules.

Indeed, the auditor's view would be, the forms should be completed. 
Later on there is plenty of ability to allocate zero points or to file a 
dispute.

> -----Original Message-----
> From: Barry Berg 
> [mailto:barry.berg AT charter.net]
> Sent: Sunday, March 21, 2010 7:19 PM
> To: 
> cacert-policy AT lists.cacert.org
> Subject: Re: stopping the Assurance
>
> My point is that the assurer is someone that we trust... So let's trust
> them.  I do some work in anti-terrorism, and that may color my view, but the
> standard there is trust your gut, if something seems off, than it probably
> is.


I think as far as personal safety is concerned, all bets are off.  We 
have rules that the Access Engineer must watch the Critical System 
Administrator as she types in the commands ... but if the building is 
crashing down around them, the Access Engineer is not expected to hang 
around just coz the sysadm has a death wish and an obsession with 
"command-completion."

The problem with this area is that we can't really provide good advice 
because these circumstances are too unpredictable.  So maybe the "trust 
your instincts" call is appropriate.


> As far as document forgery goes, to truly preserve the chain of
> evidence one should confiscate the document, and it should be done with a
> witness, the document should go in a sealed pouch, to guarantee that it
> remains in the state that it was obtained, and then to a secure storage
> medium.  Determining if a document is forged requires training as a forensic
> document specialist.


All these things are true, but I would argue their scope is out of 
place.  Because we aren't those people, we are not criminal 
investigators, we take more of a civil/privacy line (record what we 
need), we don't do those things.

But, that doesn't mean we can't modify our procedures to help where we 
can.  We are more on the "civil" side of law, and in that place, our 
evidence can help.  A signed & witnessed CAP form with names and DoB 
represents useful evidence for (our) civil cases, and it may still be 
useful in an external (criminal) Fraud case, because it is a claim or 
statement which is one of the elements of Fraud.  Indeed, a properly 
conducted Arbitration that declares that a CAP form was materially 
fraudulent would likely be accepted as useful evidence in a criminal case.

> Since we do not require any of those skills, we simply
> ask our assurers to trust their gut as to the authenticity of the documents.
> So it is the assurer (i.e. the document examiner's) sole determination as to
> the authenticity of the assurance.

We require *two* things:  collect some evidence, and make a judgement 
call.  Certainly, we rely on the document examiner's sole determination 
in allocating the points.  But, in any later dispute, we (wisely?) have 
a signed and witnessed CAP form to back up proceedings.


> Thus I maintain if the stop the
> assurance they have assured CA Cert that this was not a valid claim.

Hmmm... how do we know that?  If there is an absence of evidence, could 
the stop be caused by illness?  A phone call from the irate spouse?

> There
> should be a place for them to comment, and that should be extremely good
> evidence for the settlement of the dispute.

Right, I would say:  on their CAP form.  Elsewise, there is no other 
place for the evidence.

(Which does raise a question in my mind ... who owns the CAP form?  I 
would say that the Assurer must own it.  But a prepared CAP form starts 
out as under the ownership of the Assuree.  Hmmm... something for the AO 
to think about ;-)


> After all how many assurers do
> stop mid-assurance.  Again its all about trusting our staff, or not.

Indeed, rare that this happens.  (This is one of those edge cases that 
tells us we have the basics right, now let's clean up the details.)

However, it is not only about trusting our Assurers:  it is also about 
us giving them the guidance -- training -- in how to act.

To echo Nathan's comment ... if Assurer decides forged documents, the 
advice to stop the Assurance may actually be bad for them.  It may be 
better for them to carry on, and to claim their right to allocate any 
points later on.  Then seek safety.

On the other hand, when we are talking about serious crims with no 
difficulties of using false docs, we're on a one-way trip to Dubai.  It 
could be that no matter what we do, this ends badly.

iang