<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">
<TITLE> CACert Remote Verification Policy (RVP) </TITLE>
<META NAME="CHANGEDBY" CONTENT="Teus Hagen">
<META NAME="CHANGED" CONTENT="20090211;15005300">
</HEAD>
<BODY LANG="en-US" DIR="LTR">
<P><BR><BR>
</P>
<H1>CAcert Remote Verification Policy (RVP) </H1>
<P><A HREF="PolicyOnPolicy.html"><IMG SRC="images/cacert-wip.png" NAME="graphics1" ALT="CAcert Policy Status" ALIGN=BOTTOM WIDTH=90 HEIGHT=33 BORDER=0></A><BR>Author:
Pete Stephenson<BR>Creation date: 2008-07-12<BR>
Status: WIP 2008-07-12 <BR>
Edited by: Teus Hagen, 2009-02-11<BR>
Next status: DRAFT 2009<BR>
<!-- $Id$ --></P>
<H2>0. Preliminaries </H2>
<P>This sub-policy extends the Assurance Policy (&quot;AP&quot;)
and Organisation Assurance Policy (&quot;OAP&quot;) by providing a
framework under which individual Members may have their identity, and
organisation Members their organisation (trade) name, verified by
Trusted Third Parties (&quot;TTP&quot;s) including Government Authorities,
Certification Authorities and Commercial Identity Providers, under
the supervision of a CAcert (Organisation) Assurer.
</P>
<P>Successful completion of the name verification process defined
in the RVP sub-policies shall result in 10 extra Assurance Points being
added to the maximum number of Assurance Points that the Assurer
supervising the Member's assurance process may allocate.
</P>
<H2>1. Scope </H2>
<P>This sub-policy is available to all individual and organisation
Community Members. </P>
<H2>2. Roles </H2>
<H3>2.1 CAcert (Organisation) Assurer</H3>
<P>The CAcert (Organisation) Assurer must check the CAcert
(Organisation) Assurance Programme form. The identity verification or
organisation name verification is remotely performed by the Trusted
Verification Provider (2.2).</P>
<P>The Trusted Verification Provider who is involved in the
verification process should be accepted by the Assurer.
</P>
<P>
<i>
iang: This clause above probably <b>will NOT meet</b> the criteria DRC C.9.a: "MUST be satisfied as to the identity and competency of the TTP in identification procedures, as though they were to be conducting the assurance themselves."
</i>
</P>
<P>The Assurer will keep the following signed documents:</P>
<OL>
<LI><P>Signed document (e.g. CAP or COAP form) for CAcert Community Agreement with the Member.</P></LI>
<LI><P>Signed report of the Trusted Verification Provider for the name verification.</P></LI>
</OL>
<P>
<i>
iang: This clause probably will meet the criteria DRC C.9.b: "RAs provide the CA with complete documentation on each verified applicant for a certificate."
Although, it is not clear how the Signed Report is delivered from TVP to CA.
</i>
</P>
<H3>2.2 Trusted Verification Provider (&quot;TVP&quot;) </H3>
<P>Each TVP: </P>
<OL>
<LI><P>must be <STRONG><I>verifiably
practicing identification procedures</I></STRONG>, typically one of
the following:</P>
<OL>
<LI><P><STRONG>Government Authorities</STRONG>
responsible for issuing ID documents for individuals, trade office
extracts for organisations, or providing taxation functions
</P></LI>
<LI><P><STRONG>Certification Authorities</STRONG>
issuing authentication tokens (including certificates) based on a
published identity and/or trade name verification process
</P></LI>
<LI><P><STRONG>Commercial Identity
Providers</STRONG> providing identity verification as a commercial
service.</P></LI>
<LI><P><STRONG>Commercial Trade Name
Registrars</STRONG> providing trade name verification.</P></LI>
</OL>
</LI>
<LI><P>must provide a secure mechanism
for validating a member's identity and/or organisation name or trade
name, including:
</P>
<OL>
<LI><P><STRONG>Authentication Tokens</STRONG>
which are delivered to the user and verifiable in a
cryptographically strong fashion
</P></LI>
<LI><P><STRONG>Online Verification</STRONG>
via a web interface, ideally one secured by SSL/TLS
</P></LI>
<LI><P><STRONG>Out-of-Band</STRONG>
communication directly with CAcert, Inc. as to the outcome of the
verification
</P></LI>
</OL>
</LI>
<LI><P>should conduct name identification procedures similar in
nature to CAcert's existing procedures (e.g. examining ID documents,
trade office extracts, obtaining 'assurances' from other trusted
members)
</P></LI>
</OL>
<H3>2.3 Member </H3>
<P>A Member (the subject of a verification) using the Remote
Verification program: </P>
<OL>
<LI><P>must agree to be bound by the CAcert
Community Agreement (CCA).</P></LI>
<LI><P>must disclose any conflicts of
interest (including but not limited to relationships with the
(Organisation) Assurer)
</P></LI>
<LI><P>must cover the costs of their assurance (if any), including
fees imposed by TVPs and the Assurer.</P></LI>
</OL>
<H2>3. Processes </H2>
<H3>3.1 Verification </H3>
<OL>
<LI><P>The Member shall create a CAcert
account and agree to the CAcert Community Agreement (CCA)
</P></LI>
<LI><P>The Member shall complete the procedure specified by the
applicable sub-policy (or sub-policies), including being verified by the TVP.</P></LI>
</OL>
<H2>4. Documentation </H2>
<P>Where documentation is required by the verification process it
shall be subject to the prevailing records management policies which
may require that it be kept for a certain period or destroyed
immediately after processing.
</P>
</BODY>
</HTML>