cacert-policies/TVerifyAssurancePolicy.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
	<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=windows-1252">
	<TITLE>Third Party Verification System Policy</TITLE>
	<META NAME="GENERATOR" CONTENT="OpenOffice.org 3.0  (Win32)">
	<META NAME="CREATED" CONTENT="0;0">
	<META NAME="CHANGED" CONTENT="20090504;23580100">
</HEAD>
<BODY LANG="fr-FR" DIR="LTR">
<H1>Third Party Verification System Policy</H1>
<H2>Preamble 
</H2>
<P>This is a subsidiary policy under Assurance Policy (COD13). It
documents the acceptance of Thawte-issued certificates and disclosers
as inputs into the assurance process. 
</P>
<H2>Third Party Certificate 
</H2>
<P>The CAs listed in Appendix A are approved to &quot;this system&quot;.
</P>
<P>If a certificate is examined by an Assurer (e.g., signed email)
and determined to provide evidence of a Name and email address that
matches the Name stored in the CAcert system, the Assurer may
allocate 25 (???) Assurance Points (or as determined in the Appendix
A). 
</P>
<P>This is only available to Assurers who are: 
</P>
<OL>
	<LI><P STYLE="margin-bottom: 0cm">Full Assurer with 50 Experience
	Points 
	</P>
	<LI><P>Assigned the Tverify role by support. 
	</P>
</OL>
<P>This may be only awarded once per Member. 
</P>
<P>This may be done automatically by the existing Tverify system. 
</P>
<H2>Other Web of Trust 
</H2>
<P>Webs of Trust listed in Appendix B are approved for this system. 
</P>
<P>If evidence of full &quot;assurer status&quot; in the other Web of
Trust is provided to an Assurer, then the Assurer may award 25
Assurance Points, in addition to the above 25 points from the
certificate. 
</P>
<P>The Assurer must go to the other system and verify the Name. And
DoB??? But the user has to enable each Assurer to check the DoB by
means of the permitting an assurance in the other system. 
</P>
<P>Assurers enabled for this system must be: 
</P>
<OL>
	<LI><P STYLE="margin-bottom: 0cm">Full Assurer with 50 Experience
	Points 
	</P>
	<LI><P STYLE="margin-bottom: 0cm">Assigned the Tverify role by
	support. 
	</P>
	<LI><P>Full &quot;assurer status&quot; in the other system. 
	</P>
</OL>
<P>This may be only awarded once per Member. 
</P>
<P><I>What about voting system....</I> 
</P>
<UL>
	<LI><P>optional : the user provides the web link in the directory of
	Thawte notaries. The user must display his name and CAcert account
	email address in the directory assurer message. The user can get 40
	extra points after manual checking, 
	</P>
</UL>
<UL>
	<LI><P STYLE="margin-bottom: 0cm"><I>This proves that the person is
	a &quot;Thawte Notary&quot; </I>
	</P>
	<LI><P STYLE="margin-bottom: 0cm"><I>A TN has &quot;100 Thawte trust
	points&quot; which means that the Name, DoB, email address (by
	connecting into the system) have been checked by 3 people at least. </I>
	</P>
	<LI><P STYLE="margin-bottom: 0cm"><I>Thawte Notary: There is no
	&quot;test&quot;. </I>
	</P>
	<LI><P STYLE="margin-bottom: 0cm"><I>Thawte Notary: There are some
	rules, what needs to be done, what not. <U>Find the rules</U>. </I>
	</P>
	<UL>
		<LI><P STYLE="margin-bottom: 0cm"><I>http://www.thawte.com/secure-email/web-of-trust-wot/wot_notary.html</I></P>
		<LI><P STYLE="margin-bottom: 0cm"><I>http://www.thawte.com/secure-email/web-of-trust-wot/wot_rules.html</I></P>
		<LI><P STYLE="margin-bottom: 0cm"><I><A HREF="http://www.thawte.com/secure-email/web-of-trust-wot/wot_validation.html">http://www.thawte.com/secure-email/web-of-trust-wot/wot_validation.html</A></I></P>
		<LI><P STYLE="margin-bottom: 0cm"><I><A HREF="http://www.thawte.com/secure-email/web-of-trust-wot/wot_points.html">http://www.thawte.com/secure-email/web-of-trust-wot/wot_points.html</A></I></P>
		<LI><P STYLE="margin-bottom: 0cm"><I><A HREF="http://www.thawte.com/cps/">http://www.thawte.com/cps/</A>
		=&gt; section 3.1.9  Authentication of Individual Identity </I>
		</P>
	</UL>
	<LI><P STYLE="margin-bottom: 0cm"><I>Thawte Notary: complaints are
	reported to Thawte support, and support then requests all forms and
	documentation and copies of IDs, and support may do something ...
	<U>but this was before the change of liability, they may not care
	anymore</U> </I>
	</P>
	<LI><P><I>Probably this should be 25 points? </I>
	</P>
</UL>
<UL>
	<LI><P>optional: The user provides a scan of a government photo id.
	The user can get an extra 60 points after manual checking. 
	</P>
</UL>
<UL>
	<LI><P STYLE="margin-bottom: 0cm"><I>May need to make this mandatory
	so we can check the DoB. </I>
	</P>
	<LI><P><I>Probably this should be 40 points? </I>
	</P>
</UL>
<P><I>Agreed that experience as TN is not useful for CAcert
Experience Points. So Maximum is 100.</I> 
</P>
<H2>Manual Points Allocation 
</H2>
<P>If the user completes only step 1, the users get 50 points if the
Thawte name matches the CAcert name : The process is fully automated
and the user still can do later the optional steps. 
</P>
<P>In case the user completes steps 2 or 3, a Tverify-authorised
Assurer does the following manual checks : 
</P>
<OL>
	<LI><P STYLE="margin-bottom: 0cm">check if the link to the Thawte
	WoT directory matches the name and email address of the CAcert
	account, and 
	</P>
	<LI><P>check if the photo id macthes the name and date of birth of
	the CAcert account. 
	</P>
</OL>
<P>the CAcert Tverify community member votes Aye or Nay on the
request (faithfullness) and optionally adds a comment on the reason
why they reject the request. 
</P>
<P>If the requests gets 4 Naye, the requests is rejected, the user
has to restart the process. 
</P>
<P>if the request gets 4 Aye, the requests is completed and the
appropriate amount of Assurance points are added to the account,
logged as an Tverify assurance. <I>BY WHOM?</I> 
</P>
<P>Each user step can granted points only once. The maximum is 150
points. <B>BLECH</B> 
</P>
<H2>Manual Points Allocation 
</H2>
<P>To be a Tverify Assurer, an Assurer must have: 
</P>
<UL>
	<LI><P>full Thawte &quot;Notary&quot; status. 
	</P>
</UL>
<P>Authorisation is done by .... the Support Officer (and confirmed
by ??? Assurance Officer). 
</P>
<P>Currently there are 7+ Assurers who are authorised to conduct the
Tverify additional procedure. 
</P>
<H2>System 
</H2>
<P>An online system is run to accept the certificate. This is located
at https://tverify.cacert.org/ This is a critical / non-critical
system ???? 
</P>
<H2>Legal 
</H2>
<P>WHat do the Thawte docs say about reliance, etc. Is there a
possibility to do this? What is the liability position? <B>Chances
are, there is no liability and no reliance permitted.</B> Which means
... there is no reliance on the Name in the cert. 
</P>
<H2>OLD stuff 
</H2>
<BLOCKQUOTE><B>OLD:</B> 
</BLOCKQUOTE>
<BLOCKQUOTE><B>mandatory </B>: the users provides a Thawte assured
certificate including the user name. If the name and email address in
the certificate matches the name and email address recorded by CAcert
exactly, the user is given 50 Assurance Points automatically by the
online system. 
</BLOCKQUOTE>
<UL>
	<LI><BLOCKQUOTE STYLE="margin-bottom: 0cm"><I>no checking of date of
	birth, </I>
	</BLOCKQUOTE>
	<LI><BLOCKQUOTE STYLE="margin-bottom: 0cm"><I>no alignment of these
	50 points with AP (statement, checking of date of birth, there may
	be some rules about middle names and extracting the name fields out
	of FirstName and LastName... this is in the system. <B>should check
	Thwarte doco to make a judgement call on what it is worth.</B> </I>
	</BLOCKQUOTE>
	<LI><BLOCKQUOTE><I>Probably this should be 25 points? </I>
	</BLOCKQUOTE>
</UL>
</BODY>
</HTML>