cacert-policies/OrganisationAssurancePolicy/OrganisationAssurancePolicyNew.html

737 lines
30 KiB
HTML
Raw Permalink Normal View History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">
<TITLE> Organisation Assurance Policy </TITLE>
<META NAME="CHANGEDBY" CONTENT="Teus Hagen">
<META NAME="CHANGED" CONTENT="20090210;14412600">
<style type="text/css">
<!--
H1 {
text-align: center;
}
.comment {
color : steelblue;
}
.first-does-not-work {
color : red;
}
.q {
color : green;
font-weight: bold;
text-align: center;
font-style:italic;
}
.change {
color : blue;
font-weight: bold;
}
.change2 {
color : steelblue;
}
.change3 {
color : purple;
}
.strike {
color : orange;
text-decoration:line-through;
}
-->
</style>
</HEAD>
<BODY>
<p style="text-align: center;">
<big>
<br /><b>WARNING:</b><br />
The proper policy document is located<br />
<a href="//www.cacert.org/policy/OrganisationAssurancePolicy.php">
on the CAcert website </a>.<br />
</big>This document is a <b>work-in-progress</b> to include future revisions only,<br />
and is currently <b>only relevant for the [policy] group</b>.<br />
<span class="change">Additions in BLUE</span> <span class="strike">strikes in ORANGE</span> now up for <a href="//wiki.cacert.org/PolicyDecisions#p20101009">vote in PG</a>,.<br />
</p>
<a href="http://validator.w3.org/check?uri=referer"><img style="float: right; border-width: 0" src="http://www.w3.org/Icons/valid-xhtml11" alt="Valid XHTML 1.1" height="31" width="88" /></a>
<ul>
<li>Ulrich Schroeter <span class="change">20110804</span>: marked all changes after <a href="//wiki.cacert.org/PolicyDecisions#p20080401.1">p20080401.1</a></li>
<li>Ulrich Schroeter <span class="change">20110804</span>: minimalistic link corrections incl. replaced all wiki.cacert.org/wiki/ by wiki.cacert.org/ links</li>
<li>Ulrich Schroeter <span class="change">20110804</span>: updated policy header with new style, add Licence info <a href="//wiki.cacert.org/PolicyDecisions#p20100722">p20100722 License our Policies under CC-BY-SA-3.0-AU</a></li>
<li>INOPIAE <span class="change">20110731</span>: Attempt to review the policy starting with the first part Preliminaries. </li>
<li>Teus Hagen : Next status: proposal will replace former Draft OA Policy of 2008</li>
<li>Teus Hagen : Status: Changed for Feb 2009 OA WoT concept, sync with (individual) AP.</li>
<li>Policy Group <span class="change">20080401</span>: <a href="//wiki.cacert.org/PolicyDecisions#p20080401.1">p20080401.1</a> Vote to DRAFT with changes</li>
<li>Policy Group <span class="change">20110804</span>: m20070918.x Vote to POLICY</li>
</ul>
</P>
<hr>
<!-- $Date: 2008-01-18 22:56:31 $ -->
<div class="comment">
<table width="100%">
<tr>
<td>
Name: OAP <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD11</a><br />
Status: POLICY <a style="color: steelblue" href="http://wiki.cacert.org/TopMinutes-20070917">m20070918.x</a> <br />
-------- with DRAFT <a style="color: steelblue" href="https://wiki.cacert.org/PolicyDecisions#p20080401.1">p20080401.1</a><br />
Editor: Jens Paul<br />
Licence: <a style="color: steelblue" href="//wiki.cacert.org/Policy#Licence" title="this document is Copyright &copy; CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy" > CC-by-sa+DRP </a><br />
</td>
<td align="right">
<a href="//www.cacert.org/policy/PolicyOnPolicy.php"><img src="/images/cacert-policy.png" alt="OAP Status - POLICY" height="31" width="88" style="border-style: none;" /></a>
<!-- XXXXXXXXXXXXXX delete this going to DRAFT -->
<br />
<a href="//www.cacert.org/policy/PolicyOnPolicy.php"><img src="/images/cacert-draft.png" alt="OAP Status - DRAFT" height="31" width="88" style="border-style: none;" /></a>
<br />
<a href="//www.cacert.org/policy/PolicyOnPolicy.php"><img src="/images/cacert-wip.png" alt="OAP Status - WIP" height="31" width="88" style="border-style: none;" /></a>
</td>
</tr>
</table>
</div>
<H1>Organisation&nbsp;Assurance&nbsp;Policy</H1>
<H2><A NAME="0"></A>0. Preliminaries </H2>
<P>This policy describes how Organisation Assurers (&quot;OAs&quot;)
conduct Assurances on Organisations. It fits within the overall
web-of-trust or Assurance process of CAcert.<br />
<br />
<span class="strike">This policy is not a Controlled document, for purposes of Configuration Control Specification ("CCS").</span>
</P>
<H3><span class="change">0.1. Definition of Terms</span></H3>
<DL>
<DT><I><span class="change">Organisation Member </span><span class="change">(Organisation)</span></I>
</DT><DD>
<span class="change">A<span class="change">n Organisation</span> Member is an organisation who has agreed to the CAcert Community
Agreement (<span class="change"><A HREF="//www.cacert.org/policy/CAcertCommunityAgreement.php" TARGET="_blank">CCA</A></span>)
and has created successfully a CAcert login account on the CAcert
web site.</span>
</DD><DT>
<I><span class="change">Organisation Assurance <span class="change">(OrgA)</span></span></I>
</DT><DD>
<span class="change">A<span class="change">n Organisation</span> Assurance is the process by which a Member of CAcert Community
(Organisation Assurer) identifies an organisation (Assuree).</span>
</DD><DT>
<I><span class="change">Prospective Organisation Member</span></I>
</DT><DD><span class="change">
An organisation who participates in the process of an Organisation
Assurance, but has not yet created a CAcert login account.</span>
</DD><DT>
<I><span class="change">Organisation Name</span></I>
</DT><DD><span class="change">
An Organisation Name is the full name of the organisation.</span>
</DD><DT>
<span class="change"><I>Organisation Assurer (OA)</I></span>
</DT><DD>
<span class="change">A Member of CAcert Community who identifies an organisation.</span>
</DD><DT>
<span class="change"><I>Organisation Administrator (OrgAdmin)</I></span>
</DT><DD><span class="change">
An Assurer that is appointed by the organisation to administer the
certificates in behalf of the organisation.</span>
</DD><DT>
<span class="change"><I>Organisation Assurance Officer (OAO)</I></span>
</DT><DD><span class="change">
The Organisation Assurance Officer manages this policy and reports to the
CAcert Inc. Committee ("Board").</span>
</DD><DT>
<span class="change"><I>Prospective Organisation Assurer (pOA)</I></span>
</DT><DD><span class="change">
An Assurer who is being trained to become an Organisation Assurer and is
supervised by Organisation Assurers.</span>
</DD></DL>
<H3><span class="change">0.2. The CAcert Web of Trust</span></H3>
<P><span class="change">An Organisation Assurer <span class="strike">allocates a number of Assurance
Points to the (Organisation) Member being Assured. CAcert combines the
Assurance Points into a global</span><span class="change"> verifies that the
Organisation exists and that the applicant for the assurance is in the power to
sign the COAP form to make sure that the process is included in the</span></span>
<span class="change"><I>Web-of-Trust</I> (or &quot;WoT&quot;).</span>
</P>
<P><span class="change">CAcert explicitly chooses to meet its various goals by
construction of a Web-of-Trust of all Members.</span>
</P>
<H3><span class="change">0.3. Related Documentation</span></H3>
<P><span class="change">Documentation on Organisation Assurance is split between this Organisation
Assurance Policy (OAP) and the <span class="strike">(organisation)</span> <span class="change"><A HREF="//wiki.cacert.org/AssuranceHandbook2" TARGET="_blank"></span><span class="change">Organisation </span> Assurance Handbook</A>.
The policy is controlled by Configuration Control Specification (<span class="change"><A HREF="//svn.cacert.org/CAcert/Policies/ConfigurationControlSpecification.html" TARGET="_blank">CCS</A></span>)
under Policy on Policy (<span class="change"><A HREF="//www.cacert.org/policy/PolicyOnPolicy.php" TARGET="_blank">PoP</A></span>)
policy document regime. Because Organisation Assurance is an active
area, much of the practice is handed over to the Assurance Handbook,
which is not a controlled policy document, and can more easily
respond to experience and circumstances. It is also more readable.</span>
</P>
<P><span class="change">See also Assurance Policy (<span class="change"><A HREF="//www.cacert.org/policy/AssurancePolicy.php" TARGET="_blank">AP</A></span>)
and <span class="strike">CAcert Policy Statement (<A HREF="http://svn.cacert.org/CAcert/policy.htm" TARGET="_blank">CPS</A>)</span>
<span class="change">Certification Practice Statement (<A HREF="//www.cacert.org/policy/CertificationPracticeStatement.php" TARGET="_blank">CPS</a>)</span>.</span>
</P>
<p><span class="q">Not yet reviewed:</span></p>
<H2><A NAME="1"></A>1. <span class="change">Organisation Assurance</span> Purpose </H2>
<P>Organisations with assured status can issue certificates <span class="change">via their
O-Admin</span> directly with their own domains within.
</P>
<P>The purpose and statement of the certificate remains the same as
with ordinary users (natural persons) and as described in the CPS.
</P>
<UL>
<LI><P >The organisation named within is identified. </P>
<LI><P >The organisation has been verified according to this policy. </P>
<LI><P>The organisation is within the jurisdiction and can be taken to CAcert Arbitration. </P>
</UL>
<H3><span class="change">1.1.The Organisation Assurance Statement</span></H3>
<P><span class="change">The Assurance Statement makes the following claims about the organisation:</span>
</P>
<OL>
<LI><P><span class="change">The organisation is a bona fide (organisation) Member. In
other words, the organisation is a member of the CAcert Community as
defined by the CAcert Community Agreement (<span class="change"><A HREF="//www.cacert.org/policy/CAcertCommunityAgreement.php" TARGET="_blank">CCA</A></span>);</span>
</P>
<LI><P><span class="change">The Member has a (login) account with CAcert's on-line registration and service system; </span></P>
<LI><P><span class="change">The Member can be determined from any CAcert certificate issued by the Account; </span></P>
<LI><P><span class="change">The Member is bound into CAcert's Arbitration as defined by the CAcert Community Agreement; </span></P>
<LI><P><span class="change">Some information on the Organisation Member are known and
verified by CAcert: the Organisation Name(s), form of organisation,
domain names, Individual Members for contact and liaison purpose,
secondary distinguishing feature (e.g. corporate number).</span></P>
</OL>
<P><span class="change">The confidence level of the Assurance Statement is expressed by the (Organisation) Assurance Points. </span>
</P>
<P><span class="change">Organisations can expect the normal privacy provisions provided to
Individuals.&nbsp; However, any business arrangements that are not
strictly provided for in this policy are likely outside normal
privacy.&nbsp;</span></P>
<H3><A NAME="1.2"></A><span class="change">1.2. Relying Party Statement</span></H3>
<P><span class="change">The primary goal of the Organisation Assurance Statement is for
the express purpose of certificates to meet the needs of the <I>Relying
Party Statement</I>, which latter is found in the Certification
Practice Statement (<span class="change"><A HREF="//www.cacert.org/policy/CertificationPracticeStatement.php" TARGET="_blank">CPS</A></span>).</span>
</P>
<P><span class="change">When a certificate is issued, some of the Organisation Assurance
Statement may be incorporated, e.g. Organisation name. Other parts
may be implied, e.g. Membership, exact account and status. They all
are part of the <I>Relying Party Statement</I>. In short, this means
that other Members of the Community may rely on the information
verified by Assurance and found in the certificate.</span></P>
<P><span class="change">In particular, certificates are sometimes considered to provide
reliable indications of e.g. the Member's Organisation name,
organisation domain names, and organisation email address. The
nature of Assurance, the number of Assurance Points, and other
policies and processes should be understood as limitations on any
reliance. </span>
</P>
<H2><span class="change">2. The Organisation Member</span></H2>
<H3><A NAME="2.11"></A><span class="change">2.1. The Organisation Member's name </span></H3>
<P><span class="change">The name of the organisation as recorded in the Member's CAcert
login account. The general standard of a name is:</span>
</P>
<UL>
<LI><P><span class="change">The name should be recorded as written in a government-issued
organisation registration extract e.g. extract from governmental
trade office registrar.</span></P>
<LI><P><span class="change">The organisation name should be recorded as completely as
possible. That is without abbreviations, and without transliteration
of characters. </span>
</P>
<LI><P><span class="change">The organisation name is recorded as a string of characters,
encoded in <SPAN LANG="en-US">unicode</SPAN> transformation format.</span></P>
</UL>
<H3><A NAME="2.21"></A><span class="change">2.2. Multiple trade names and variations</span></H3>
<P><span class="change">In order to handle the contradictions in the above general
standard, a Member may record multiple names or multiple variations
of a name in her CAcert online Account. Examples of variations
include trade names, variations of trade names, abbreviations of a
name, different language or country variations, and transliterations
of characters in a name. All names should be defined within the
organisation registration extract.</span></P>
<H3><A NAME="2.31"></A><span class="change">2.3. Status and Capabilities</span></H3>
<P><span class="change">An organisation Name which has reached the level of 50
(Organisation) Assurance Points is defined as an Assured organisation
Name. An Assured Name can be used as Organisation Name in a
certificate issued by CAcert. A Member with at least one Assured Name
has reached the Assured Member status. Additional capabilities are
described in Table 1. </span>
</P>
<BLOCKQUOTE STYLE="text-align: left"><FONT SIZE=2><span class="change"><I>Table 1:
Assurance Capability</I></span></FONT></BLOCKQUOTE>
<DL>
<DD>
<TABLE WIDTH=470 BORDER=1 CELLPADDING=5 CELLSPACING=0>
<COL WIDTH=65>
<COL WIDTH=83>
<COL WIDTH=85>
<COL WIDTH=196>
<TR>
<TD WIDTH=65>
<P ALIGN=LEFT><span class="change"><I>Minimum Assurance Points</I></span></P>
</TD>
<TD WIDTH=83>
<P ALIGN=LEFT><span class="change"><I>Capability</I></span></P>
</TD>
<TD WIDTH=85>
<P ALIGN=LEFT><span class="change"><I>Status</I></span></P>
</TD>
<TD WIDTH=196>
<P ALIGN=LEFT><span class="change"><I>Comment</I></span></P>
</TD>
</TR>
<TR VALIGN=TOP>
<TD WIDTH=65>
<P ALIGN=CENTER><span class="change">0</span></P>
</TD>
<TD WIDTH=83>
<P ALIGN=LEFT><span class="change">Request Organisation Assurance</span></P>
</TD>
<TD WIDTH=85>
<P ALIGN=LEFT><span class="change">Prospective Organisation Member</span></P>
</TD>
<TD WIDTH=196>
<P ALIGN=LEFT><span class="change">Organisation taking part of an Organisation
Assurance, who does not have created a CAcert login account
(yet). The allocation of Assurance Points is awaiting login
account creation.</span></P>
</TD>
</TR>
<TR VALIGN=TOP>
<TD WIDTH=65>
<P ALIGN=CENTER><span class="change">0</span></P>
</TD>
<TD WIDTH=83>
<P ALIGN=LEFT><span class="change">Request unnamed certificates</span></P>
</TD>
<TD WIDTH=85>
<P ALIGN=LEFT><span class="change">(Organisation) Member</span></P>
</TD>
<TD WIDTH=196>
<P ALIGN=LEFT><span class="change">Although the Organisation Member's details are
recorded in the account, they are not highly assured.</span></P>
</TD>
</TR>
<TR VALIGN=TOP>
<TD WIDTH=65>
<P ALIGN=CENTER><span class="change">50</span></P>
</TD>
<TD WIDTH=83>
<P ALIGN=LEFT><span class="change">Request certificates with the name of the
organisation</span></P>
</TD>
<TD WIDTH=85>
<P ALIGN=LEFT><span class="change">Assured Organisation Member</span></P>
</TD>
<TD WIDTH=196>
<P ALIGN=LEFT><span class="change">Statements of Assurance: the organisation name is
assured to 50 Assurance Points or more</span></P>
</TD>
</TR>
</TABLE>
</DL>
<P><span class="change">A Member may check the status of another Member, especially for an
assurance process. Status may be implied from information in a
certificate. The number of Assurance Points for each Member is not
published. </span>
</P>
<UL>
<P><span class="change">The <span class="strike">CAcert Policy Statement (<A HREF="http://svn.cacert.org/CAcert/policy.htm" TARGET="_blank">CPS</A>)</span><span class="q"><br>Document no longer exist<br>What was referenced here?<br>PoP? or CPS?<br></span>
and other policies may list other capabilities that rely on
Assurance Points. </span>
</P>
<P><span class="change">When an organisation is assured, it becomes in effect an Assurer
for its local names.&nbsp; These names are used in certificates
issued under the listed domains.&nbsp; When issued, the organisation
takes primary responsibility as Member. <BR><BR>Each name has to be
checked against the internal systems of the organisation.&nbsp; The
internal systems have to match some standard, as covered in SubPols
/ OA Manual. <BR><BR>If they internal systems do not support this
application, then the regular Assurance process can be used instead.</span></P>
</UL>
<H2>3. Roles and Structure </H2>
<H3>3.1 <span class="change">Organisation</span> Assurance Officer </H3>
<P>The <span class="change">(Organisation)</span> Assurance Officer (&quot;AO&quot;) manages this
policy and reports to the CAcert Inc. Committee (&quot;Board&quot;).
</P>
<P>The AO manages all OAs and is responsible for process, the CAcert
Organisation Assurance Programme (&quot;COAP&quot;) form, OA training
and testing, manuals, quality control. In these responsibilities,
other Officers will assist.
</P>
<P>The OA is appointed by the Board. Where the OA is failing the
Board decides.
</P>
<H3>3.2 Organisation Assurers </H3>
<OL TYPE=a>
<LI><P >An OA must be an experienced
Assurer
</P>
<OL TYPE=i>
<LI><P >Have 150 assurance points.
</P>
<LI><P >Be fully trained and tested on
all general Assurance processes.
</P>
</OL>
<LI><P >Must be trained as Organisation
Assurer.
</P>
<OL TYPE=i>
<LI><P >Global knowledge: This policy.
</P>
<LI><P >Global knowledge: A OA manual
covers how to do the process.
</P>
<LI><P >Local knowledge: legal forms of
organisations within jurisdiction.
</P>
<LI><P >Basic governance.
</P>
<LI><P >Training may be done a variety of
ways, such as on-the-job, etc.
</P>
</OL>
<LI><P >Must be tested.
</P>
<OL TYPE=i>
<LI><P >Global test: Covers this policy
and the process.
</P>
<LI><P >Local knowledge: Subsidiary
Policy to specify.
</P>
<LI><P >Tests to be created, approved,
run, verified by CAcert only (not outsourced).
</P>
<LI><P ><span class="strike">Tests are conducted manually, not online/automatic. </span><span class="change">Testing includes both online /
automated and manual tests with the manual tests confirming the on
line tests.</span>
</P>
<LI><P >Documentation to be retained.
</P>
<LI><P >Tests may include on-the-job
components.
</P>
</OL>
<LI><P >Must be approved.
</P>
<OL TYPE=i>
<LI><P >Two supervising OAs must sign-off
on new OA, as trained, tested and passed.
</P>
<LI><P >AO must sign-off on a new OA, as
supervised, trained and tested.
</P>
</OL>
<LI><P>The OA can decide when a CAcert (individual) Assurer has done
several OA Application Advises to appoint this person to OA Assurer.
</P>
</OL>
<H3>3.3 Organisation Assurance Advisor (&quot;OAA&quot;) </H3>
<P>In countries/states/provinces where no OA Assurers are operating
for an OA Application (COAP) the OA can be advised by an experienced
local CAcert (individual) Assurer to take the decision to accept the
OA Application (COAP) of the organisation.
</P>
<P>The local Assurer must have at least 150 Points, should know the
language, and know the organisation trade office registry culture and
quality.
</P>
<H3>3.4 Organisation Administrator </H3>
<P>The Administrator within each Organisation (&quot;O-Admin&quot;)
is the one who handles the assurance requests and the issuing of
certificates.
</P>
<OL TYPE=a>
<LI><P >O-Admin must be <span class="change">an individual</span>
Assurer
</P>
<OL TYPE=i>
<LI><P >Have 100 assurance points.
</P>
<LI><P >Fully trained and tested as
Assurer.
</P>
</OL>
<LI><P >Organisation is required to
appoint the O-Admin<span class="change">(s)</span>, and appoint ones as required.
</P>
<OL TYPE=i>
<LI><P >On COAP Request Form.
</P>
<LI><P ><span class="change">On the organisation Member
account.</span></P>
</OL>
<LI><P >O-Admin must work with an assigned
OA.
</P>
<OL TYPE=i>
<LI><P >Have contact details.
</P>
<LI><P><span class="change">Is named on the organisation Member account.</span></P>
</OL>
</OL>
<H2>4. Policies </H2>
<H3>4.1 Policy </H3>
<P>There is one policy being this present document, and several
subsidiary policies.
</P>
<OL TYPE=a>
<LI><P >This policy authorises the
creation of subsidiary policies.
</P>
<LI><P >This policy is international.
</P>
<LI><P >Subsidiary policies are
implementations of the policy.
</P>
<LI><P>Organisations are assured under an appropriate subsidiary
policy.
</P>
</OL>
<H3>4.2 Subsidiary Policies </H3>
<P>The nature of the Subsidiary Policies (&quot;SubPols&quot;):
</P>
<OL TYPE=a>
<LI><P >SubPols are purposed to check the
organisation under the rules of the jurisdiction that creates the
organisation. This does not evidence an intention by CAcert to enter
into the local jurisdiction, nor an intention to impose the rules of
that jurisdiction over any other organisation. CAcert assurances are
conducted under the jurisdiction of CAcert.
</P>
<LI><P >For OAs, SubPol specifies the
<I>tests of local knowledge</I> including the local organisation
assurance COAP forms.
</P>
<LI><P >For assurances, SubPol specifies
the <I>local documentation forms</I> which are acceptable under this
SubPol to meet the standard.
</P>
<LI><P>SubPols are subjected to the normal policy approval process.
</P>
</OL>
<H3>4.3 Freedom to Assemble </H3>
<P>Subsidiary Policies are open, accessible and free to enter.
</P>
<OL TYPE=a>
<LI><P >SubPols compete but are compatible. </P>
<LI><P >No SubPol is a franchise. </P>
<LI><P >Many will be on State or National
lines, reflecting the legal tradition of organisations created
(&quot;incorporated&quot;) by states.
</P>
<LI><P >However, there is no need for
strict national lines; it is possible to have 2 SubPols in one
country, or one covering several countries with the same language
(e.g., Austria with Germany, England with Wales but not Scotland).
</P>
<LI><P >There could also be SubPols for
special organisations, one person organisations, UN agencies,
churches, etc.
</P>
<LI><P>Where it is appropriate to use the SubPol in another
situation (another country?), it can be so approved. (e.g., Austrian
SubPol might be approved for Germany.) The SubPol must record this
approval.
</P>
</OL>
<H2>5. Process </H2>
<H3>5.1 Standard of Organisation Assurance </H3>
<P>The essential standard of Organisation Assurance <span class="change">(see also 1.1
Organisation Assurance Statement)</span> is:
</P>
<OL TYPE=a>
<LI><P >the organisation exists
</P>
<LI><P >the organisation name is correct
and consistent:
</P>
<OL TYPE=i>
<LI><P >in official documents specified
in SubPol.
</P>
<LI><P >on COAP form.
</P>
<LI><P >in CAcert database.
</P>
<LI><P >form or type of legal entity is
consistent
</P>
</OL>
<LI><P >signing rights: requester can sign
on behalf of the organisation.
</P>
<LI><P >the organisation has agreed to the
terms of the <B>CAcert Community Agreement </B>, and is therefore
subject to Arbitration.
</P>
<LI><P><span class="change">Organisation Domain names must have been checked accordingly
the CPS.</span></P>
</OL>
<P>Acceptable documents to meet above standard are stated in the SubPol.
</P>
<H3><span class="change">5.2 (Organisation) Assurance Points</span></H3>
<P><span class="change">The Organisation Assurance applies Assurance Points to each
organisation Member which measure the increase of confidence in the
Statement (above). Assurance Points should not be interpreted for any
other purpose. Note that, even though they are sometimes referred to
as <I>Web-of-Trust</I> (Assurance) Points, or <I>Trust</I> Points,
the meaning of the word 'Trust' is not well defined.</span>
</P>
<P><span class="change"><I>Assurance Points Allocation</I><BR>An Assurer can allocate a
number of Assurance Points to the organisation Member. The allocation
of the maximum means that the Assurer is 100% confident in the
information presented:</span>
</P>
<UL>
<LI><P ><span class="change">Detail on form, system, documents,
organisation and O-Admin(s) in accordance;</span>
</P>
<LI><P ><span class="change">Sufficient quality organisation
registration extract documents and organisation by-laws related to
signature control of the organisation director have been checked;</span>
</P>
<LI><P><span class="change">Assurer's familiarity with extract
and by-laws documents; </span>
</P>
<LI><P><span class="change">The Organisation Assurance Statement is confirmed.</span>
</P>
</UL>
<P><span class="change">Any lesser confidence should result in less Assurance Points for
an organisation name. If the Organisation Assurer has no confidence
in the information presented, then <I>zero</I> Assurance Points may
be allocated by the Organisation Assurer. For example, this may
happen if the identity documents are totally unfamiliar to the
Organisation Assurer. The Organisation Assurer maybe assisted by a
second (individual) Assurer as such gaining confidence and/or assist
in allocating a second Organisation Assurance. The number of
Assurance Points from <I>zero</I> to <I>maximum</I> is guided by the
Assurance Handbook and the judgment of the Assurer. If there is
negative confidence the Assurer should consider filing a dispute.</span>
</P>
<P><span class="change">Multiple (trade) organisation names should be allocated Assurance
Points independently within a single Assurance.</span>
</P>
<P><span class="change">In general, for an organisation Member to reach 50 Assurance
Points, the Member must have participated in at least two assurances,
and at least one organisation name will have been assured to that
level. </span>
</P>
<P><span class="change">The maximum number of Assurance Points which can be allocated for
an Assurance under this policy and under any act under any Subsidiary
Policy (below) is 50 Assurance Points.</span>
</P>
<H3>5.2 <span class="change">CAcert Organisation Assurance Programme (</span>COAP<span class="change">)</span>
</H3>
<P>The COAP form documents the checks and the resultant assurance
results to meet the standard. Additional information to be provided
on form:
</P>
<OL TYPE=a>
<LI><P >CAcert account of O-Admin<span class="change">(S)</span>
(email address<span class="strike">?</span><span class="change"> of O-Admin individual Assurer Membership account</span>)
</P>
<LI><P >Location:
</P>
<OL TYPE=i>
<LI><P >country (MUST). </P>
<LI><P >city (MUST). </P>
<LI><P >additional contact information (as required by SubPol). </P>
</OL>
<LI><P >Administrator account name(s) (1 or more) </P>
<LI><P >Domain name(s) </P>
<LI><P >Agreement with <B>CAcert Community
Agreement</B>. Statement and initials box for organisation and also
for OA.
</P>
<LI><P>Date of completion of Assurance. Records should be maintained
for 7 years from this date.
</P>
</OL>
<P>The COAP should be in English. Where translations are provided,
they should be matched to the English, and indication provided that
the English is the ruling language (due to Arbitration requirements).
</P>
<H3>5.3 Jurisdiction </H3>
<P>Organisation Assurances are carried out by CAcert Inc. under its
Arbitration jurisdiction. Actions carried out by OAs are under this
regime.
</P>
<OL TYPE=a>
<LI><P >The organisation has agreed to the
terms of the <B>CAcert Community Agreement</B>.
</P>
<LI><P >The organisation, the Organisation
Assurers, CAcert and other related parties are bound into CAcert's
jurisdiction and dispute resolution.
</P>
<LI><P>The OA is responsible for ensuring that the organisation
reads, understands, intends and agrees to the <B>CAcert Community
Agreement</B>. This OA responsibility should be recorded on COAP
(statement and initials box).
</P>
</OL>
<H2>6. Exceptions </H2>
<OL TYPE=a>
<LI><P ><B>Conflicts of Interest.</B> An
OA must not assure an organisation in which there is a close or
direct relationship by, e.g., employment, family, financial
interests. Other conflicts of interest must be disclosed.
</P>
<LI><P ><B>Trusted Third Parties.</B> TTPs
are not generally approved to be part of organisation assurance, but
may be approved by subsidiary policies according to local needs.
</P>
<LI><P ><B>Exceptional Organisations.</B>
(e.g., Vatican, International Space Station, United Nations) can be
dealt with as a single-organisation SubPol. The OA creates the
checks, documents them, and subjects them to to normal policy
approval.
</P>
<LI><P><B>DBA.</B> Alternative names for organisations (DBA, &quot;doing
business as&quot;) can be added as long as they are proven
independently. E.g., registration as DBA or holding of registered
trade mark. This means that the anglo law tradition of unregistered
DBAs is not accepted without further proof.
</P>
</OL>
<P><A HREF="http://validator.w3.org/check?uri=referer"><IMG SRC="http://www.w3.org/Icons/valid-xhtml11-blue" NAME="graphics2" ALT="Valid XHTML 1.1" ALIGN=BOTTOM WIDTH=90 HEIGHT=33 BORDER=0></A></P>
</BODY>
</HTML>