<html>
<head>
<title>Third Party Verification System Policy</title>
</head>
<body>
<h1>Third Party Verification System Policy</h1>

<h2> Preamble </h2>

<p>
This is a subsidiary policy under Assurance Policy (COD13).
It documents the acceptance of Thawte-issued certificates
and disclosures as inputs into the assurance process.
</p>

<h2> Third Party Certificate </h2>

<p>
The CAs listed in Appendix A are approved for "this system".
</p>

<p>
If a certificate is examined by an Assurer (e.g., signed email)
and determined to provide evidence of a Name and email address that
matches the Name stored in the CAcert system,
the Assurer may allocate 25 (???) Assurance Points
(or as determined in Appendix A).
</p>

<p>
This is only available to Assurers who are:
</p>

<ol><li>
Full Assurer with 50 Experience Points
</li><li>
Assigned the Tverify role by support.
</li></ol>

<p>
This may be awarded only once per Member.
</p>

<p>
This may be done automatically by the existing
Tverify system.
</p>

<h2> Other Web of Trust </h2>

<p>
Webs of Trust listed in Appendix B are approved for this system.
</p>

<p>
If evidence of full "assurer status" in the other Web of Trust
is provided to an Assurer,
then the Assurer may award 25 Assurance Points,
in addition to the above 25 points from the certificate.
</p>

<p>
The Assurer must go to the other system and verify the
Name.
And DoB??? But the user has to enable each Assurer to
check the DoB by permitting an assurance in the
other system.
</p>

<p>
Assurers enabled for this system must be:
</p>

<ol><li>
Full Assurer with 50 Experience Points
</li><li>
Assigned the Tverify role by support.
</li><li>
Full "assurer status" in the other system.
</li></ol>

<p>
This may be awarded only once per Member.
</p>

<p>
<i>What about voting system....</i>
</p>

<ol start="2"><li>

optional:
The user provides the web link in the directory of Thawte
notaries. The user must display his name and CAcert account email
address in the directory assurer message. The user can get 40 extra
points after manual checking.

<ul><li><i>
This proves that the person is a "Thawte Notary"
</i></li><li><i>
A TN has "100 Thawte trust points" which means that the Name, DoB, email address (by connecting into the system) have been checked by 3 people at least.
</i></li><li><i>
Thawte Notary: There is no "test".
</i></li><li><i>
Thawte Notary: There are some rules, what needs to be done, what not.
<u>Find the rules</u>.
</i></li><li><i>
Thawte Notary: complaints are reported to Thawte support, and support then requests all forms and documentation and copies of IDs, and support may do something ... <u>but this was before the change of liability, they may not care anymore</u>
</i></li><li><i>
Probably this should be 25 points?
</i></li></ul>

</li><li>
optional:
The user provides a scan of a government photo ID. The user
can get an extra 60 points after manual checking.
<ul><li><i>
May need to make this mandatory so we can check the DoB.
</i></li><li><i>
Probably this should be 40 points?
</i></li></ul>
</li></ol>

<p>
<i> Agreed that experience as TN is not useful for CAcert Experience Points.
So Maximum is 100.</i>
</p>

<h2> Manual Points Allocation </h2>

<p>
If the user completes only step 1, the user gets 50 points if the
Thawte name matches the CAcert name. The process is fully automated, and
the user can still do the optional steps later.
</p>

<p>
In case the user completes steps 2 or 3, a Tverify-authorised Assurer does the following manual checks:
</p>

<ol><li>
check if the link to the Thawte WoT directory matches the name and
email address of the CAcert account, and
</li><li>

check if the photo ID matches the name and date of birth of the CAcert
account.
</li></ol>

<p>
The CAcert Tverify community member votes Aye or Nay on the request
(faithfulness) and optionally adds a comment on the reason why they reject
the request.
</p>

<p>
If the request gets 4 Nay, the request is rejected and the user has to
restart the process.
</p>

<p>
If the request gets 4 Aye, the request is completed and the appropriate
amount of Assurance Points is added to the account, logged as a Tverify
assurance.
<i>BY WHOM?</i>
</p>

<p>
Each user step can be granted points only once. The maximum is 150 points.
<b>BLECH</b>
</p>

<h2> Manual Points Allocation </h2>

<p>
To be a Tverify Assurer, an Assurer must have:
</p>

<ul><li>
full Thawte "Notary" status.
</li></ul>

<p>
Authorisation is done by ....
the Support Officer (and confirmed by ??? Assurance Officer).
</p>

<p>
Currently there are 7+ Assurers who are authorised to conduct the
Tverify additional procedure.
</p>

<h2> System </h2>

<p>
An online system is run to accept the certificate.
This is located at https://tverify.cacert.org/
This is a critical / non-critical system ????
</p>

<h2> Legal </h2>

<p>
What do the Thawte docs say about reliance, etc.?
Is there a possibility to do this?
What is the liability position?
<b>Chances are, there is no liability and no reliance permitted.</b>
Which means ... there is no reliance on the Name in the cert.
</p>

<h2> OLD stuff </h2>
<blockquote><b>OLD:</b>
<p>
<b> mandatory </b>: the user provides a
Thawte assured certificate including the user name.
If the name and email address in the certificate match
the name and email address recorded by CAcert exactly,
the user is given 50 Assurance Points automatically
by the online system.
</p>
<ul><li><i>
no checking of date of birth,
</i></li><li><i>
no alignment of these 50 points with AP (statement, checking of date of birth),
there may be some rules about middle names and extracting the name fields out of FirstName and LastName... this is in the system.
<b>should check Thawte doco to make a judgement call on what it is worth.</b>
</i></li><li><i>
Probably this should be 25 points?
</i></li></ul>

</blockquote>
</body></html>