2008-04-01 13:28:15 +00:00
|
|
|
<?xml version="1.0" encoding="utf-8"?>
|
|
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
|
|
|
|
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
|
|
|
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
|
|
<head>
|
|
|
|
<title>
|
|
|
|
Organisation Assurance Policy
|
|
|
|
</title>
|
|
|
|
</head>
|
|
|
|
<body>
|
2008-04-01 19:20:41 +00:00
|
|
|
<p>
|
|
|
|
<center>
|
|
|
|
<big>
|
|
|
|
<br><b>WARNING:</b><br>
|
|
|
|
The proper policy document is located<br>
|
|
|
|
<a href="http://www.cacert.org/policy/OrganisationAssurancePolicy.php">
|
|
|
|
on the CAcert website </a>.<br>
|
|
|
|
</big></b>
|
|
|
|
This document is a working draft to include<br>
|
|
|
|
future revisions only, and is currently<br>
|
|
|
|
only relevant for the [policy] group.<br>
|
|
|
|
</center>
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<h1>
|
|
|
|
Organisation Assurance Policy
|
|
|
|
</h1>
|
|
|
|
<p>
|
|
|
|
<a href="../PolicyOnPolicy.html"><img src="../cacert-draft.png" alt="CAcert Draft" height="31" width="88" style="border-style: none;" /> </a><br />
|
|
|
|
Document: OAP COD11<br />
|
|
|
|
Author: Jens Paul<br />
|
|
|
|
Creation date: 2007-09-18<br />
|
2008-04-02 13:58:36 +00:00
|
|
|
Status: POLICY/DRAFT 2007-09-18 <a href="http://wiki.cacert.org/wiki/TopMinutes-20070917">m20070918.x </a><br />
|
2008-04-01 19:20:41 +00:00
|
|
|
Changed: 2008-04-01 Teus Hagen policy list vote; add advisors and board<br />
|
2008-04-02 13:58:36 +00:00
|
|
|
Next status: POLICY 2008<br />
|
2008-04-01 19:20:41 +00:00
|
|
|
<!-- $Id$ -->
|
|
|
|
</p>
|
|
|
|
<h2> <a name="0">0. </a> Preliminaries </h2>
|
2007-10-22 10:26:50 +00:00
|
|
|
|
|
|
|
<p>
|
|
|
|
This policy describes how Organisation Assurers ("OAs")
|
|
|
|
conduct Assurances on Organisations.
|
|
|
|
It fits within the overall web-of-trust
|
2008-04-02 17:13:10 +00:00
|
|
|
or Assurance process of CAcert.
|
2007-10-22 10:26:50 +00:00
|
|
|
</p>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
This policy is not a Controlled document, for purposes of
|
|
|
|
Configuration Control Specification ("CCS").
|
|
|
|
</p>
|
|
|
|
|
2008-04-01 19:20:41 +00:00
|
|
|
<h2> <a name="1"> 1. </a> Purpose </h2>
|
2007-10-22 10:26:50 +00:00
|
|
|
|
|
|
|
<p>
|
|
|
|
Organisations with assured status can issue certificates
|
|
|
|
directly with their own domains within.
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
The purpose and statement of the certificate remains
|
|
|
|
the same as with ordinary users (natural persons)
|
|
|
|
and as described in the CPS.
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<ul><li>
|
|
|
|
The organisation named within is identified.
|
|
|
|
</li><li>
|
|
|
|
The organisation has been verified according
|
|
|
|
to this policy.
|
|
|
|
</li><li>
|
|
|
|
The organisation is within the jurisdiction
|
2008-04-02 17:13:10 +00:00
|
|
|
and can be taken to CAcert Arbitration.
|
2007-10-22 10:26:50 +00:00
|
|
|
</li></ul>
|
|
|
|
|
|
|
|
|
2008-04-01 19:20:41 +00:00
|
|
|
<h2> <a name="2"> 2. </a> Roles and Structure </h2>
|
2007-10-22 10:26:50 +00:00
|
|
|
|
2008-04-02 17:13:10 +00:00
|
|
|
<h3> <a name="2.1"> 2.1 </a> Assurance Officer </h3>
|
2007-10-22 10:26:50 +00:00
|
|
|
|
|
|
|
<p>
|
|
|
|
The Assurance Officer ("AO")
|
2008-04-02 17:13:10 +00:00
|
|
|
manages this policy and reports to the CAcert Inc. Committee ("Board").
|
2007-10-22 10:26:50 +00:00
|
|
|
</p>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
The AO manages all OAs and is responsible for process,
|
2008-04-02 17:13:10 +00:00
|
|
|
the CAcert Organisation Assurance Programme ("COAP") form,
|
2007-10-22 10:26:50 +00:00
|
|
|
OA training and testing, manuals, quality control.
|
|
|
|
In these responsibilities, other Officers will assist.
|
|
|
|
</p>
|
2008-04-01 13:28:15 +00:00
|
|
|
<p>
|
|
|
|
The OA is appointed by the Board.
|
|
|
|
Where the OA is failing the Board decides.
|
|
|
|
</p>
|
2007-10-22 10:26:50 +00:00
|
|
|
|
2008-04-01 19:20:41 +00:00
|
|
|
<h3> <a name="2.2"> 2.2 </a> Organisation Assurers </h3>
|
2007-10-22 10:26:50 +00:00
|
|
|
|
|
|
|
<p>
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<ol type="a"> <li>
|
|
|
|
An OA must be an experienced Assurer
|
|
|
|
<ol type="i">
|
|
|
|
<li>Have 150 assurance points.</li>
|
|
|
|
<li>Be fully trained and tested on all general Assurance processes.</li>
|
|
|
|
</ol>
|
|
|
|
|
|
|
|
</li><li>
|
|
|
|
Must be trained as Organisation Assurer.
|
|
|
|
<ol type="i">
|
|
|
|
<li> Global knowledge: This policy. </li>
|
|
|
|
<li> Global knowledge: A OA manual covers how to do the process.</li>
|
|
|
|
<li> Local knowledge: legal forms of organisations within jurisdiction.</li>
|
|
|
|
<li> Basic governance. </li>
|
|
|
|
<li> Training may be done a variety of ways,
|
|
|
|
such as on-the-job, etc. </li>
|
|
|
|
</ol>
|
|
|
|
|
|
|
|
</li><li>
|
|
|
|
Must be tested.
|
|
|
|
<ol type="i">
|
|
|
|
<li> Global test: Covers this policy and the process. </li>
|
|
|
|
<li> Local knowledge: Subsidiary Policy to specify.</li>
|
|
|
|
<li> Tests to be created, approved, run, verified
|
|
|
|
by CAcert only (not outsourced). </li>
|
|
|
|
<li> Tests are conducted manually, not online/automatic. </li>
|
|
|
|
<li> Documentation to be retained. </li>
|
|
|
|
<li> Tests may include on-the-job components. </li>
|
|
|
|
</ol>
|
|
|
|
|
|
|
|
</li><li>
|
|
|
|
Must be approved.
|
|
|
|
<ol type="i">
|
|
|
|
<li> Two supervising OAs must sign-off on new OA,
|
|
|
|
as trained, tested and passed.
|
|
|
|
</li>
|
|
|
|
<li> AO must sign-off on a new OA,
|
|
|
|
as supervised, trained and tested.
|
|
|
|
</li>
|
|
|
|
</ol>
|
2008-04-01 13:28:15 +00:00
|
|
|
</li>
|
|
|
|
<li>The OA can decide when a CAcert
|
|
|
|
(individual) Assurer
|
|
|
|
has done several OA Application Advises to appoint this
|
|
|
|
person to OA Assurer.
|
|
|
|
</li>
|
|
|
|
|
2007-10-22 10:26:50 +00:00
|
|
|
</ol>
|
|
|
|
|
2008-04-02 17:13:10 +00:00
|
|
|
<h3> <a name="2.3"> 2.3 </a> Organisation Assurance Advisor ("OAA") </h3>
|
2008-04-01 13:28:15 +00:00
|
|
|
<p>In countries/states/provinces where no OA Assurers are
|
|
|
|
operating for an OA Application (COAP) the OA
|
|
|
|
can be advised by an experienced local CAcert
|
|
|
|
(individual) Assurer to take the decision
|
|
|
|
to accept the OA Application (COAP) of the organisation.
|
|
|
|
</p>
|
|
|
|
<p>
|
|
|
|
The local Assurer must have at least 150 Points,
|
|
|
|
should know the language, and know
|
|
|
|
the organisation trade office registry culture and quality.
|
|
|
|
</p>
|
2007-10-22 10:26:50 +00:00
|
|
|
|
|
|
|
|
2008-04-01 19:20:41 +00:00
|
|
|
<h3> <a name="2.4"> 2.4 </a> Organisation Administrator </h3>
|
2007-10-22 10:26:50 +00:00
|
|
|
|
|
|
|
<p>
|
|
|
|
The Administrator within each Organisation ("O-Admin")
|
|
|
|
is the one who handles the assurance requests
|
|
|
|
and the issuing of certificates.
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<ol type="a"> <li>
|
|
|
|
O-Admin must be Assurer
|
|
|
|
<ol type="i">
|
|
|
|
<li>Have 100 assurance points.</li>
|
|
|
|
<li>Fully trained and tested as Assurer.</li>
|
|
|
|
</ol>
|
|
|
|
|
|
|
|
</li><li>
|
|
|
|
Organisation is required to appoint O-Admin,
|
|
|
|
and appoint ones as required.
|
|
|
|
<ol type="i">
|
|
|
|
<li> On COAP Request Form.</li>
|
|
|
|
</ol>
|
|
|
|
|
|
|
|
</li><li>
|
|
|
|
O-Admin must work with an assigned OA.
|
|
|
|
<ol type="i">
|
|
|
|
<li> Have contact details.</li>
|
|
|
|
</ol>
|
|
|
|
</ol>
|
|
|
|
|
|
|
|
|
2008-04-01 19:20:41 +00:00
|
|
|
<h2> <a name="3"> 3. </a> Policies </h2>
|
2007-10-22 10:26:50 +00:00
|
|
|
|
2008-04-01 19:20:41 +00:00
|
|
|
<h3> <a name="3.1"> 3.1 </a> Policy </h3>
|
2007-10-22 10:26:50 +00:00
|
|
|
|
|
|
|
<p>
|
|
|
|
There is one policy being this present document,
|
|
|
|
and several subsidiary policies.
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<ol type="a">
|
|
|
|
<li> This policy authorises the creation of subsidiary policies. </li>
|
|
|
|
<li> This policy is international. </li>
|
|
|
|
<li> Subsidiary policies are implementations of the policy. </li>
|
|
|
|
<li> Organisations are assured under an appropriate subsidiary policy. </li>
|
|
|
|
</ol>
|
|
|
|
|
2008-04-01 19:20:41 +00:00
|
|
|
<h3> <a name="3.2"> 3.2 </a> Subsidiary Policies </h3>
|
2007-10-22 10:26:50 +00:00
|
|
|
|
|
|
|
<p>
|
|
|
|
The nature of the Subsidiary Policies ("SubPols"):
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<ol type="a"><li>
|
|
|
|
SubPols are purposed to check the organisation
|
|
|
|
under the rules of the jurisdiction that creates the
|
|
|
|
organisation. This does not evidence an intention
|
|
|
|
by CAcert to
|
|
|
|
enter into the local jurisdiction, nor an intention
|
|
|
|
to impose the rules of that jurisdiction over any other
|
|
|
|
organisation.
|
|
|
|
CAcert assurances are conducted under the jurisdiction
|
|
|
|
of CAcert.
|
|
|
|
</li><li>
|
|
|
|
For OAs,
|
|
|
|
SubPol specifies the <i>tests of local knowledge</i>
|
2008-04-02 17:13:10 +00:00
|
|
|
including the local organisation assurance COAP forms.
|
2007-10-22 10:26:50 +00:00
|
|
|
</li><li>
|
|
|
|
For assurances,
|
|
|
|
SubPol specifies the <i>local documentation forms</i>
|
|
|
|
which are acceptable under this SubPol to meet the
|
|
|
|
standard.
|
|
|
|
</li><li>
|
|
|
|
SubPols are subjected to the normal
|
|
|
|
policy approval process.
|
|
|
|
</li></ol>
|
|
|
|
|
2008-04-01 19:20:41 +00:00
|
|
|
<h3> <a name="3.3"> 3.3 </a> Freedom to Assemble </h3>
|
2007-10-22 10:26:50 +00:00
|
|
|
|
|
|
|
<p>
|
|
|
|
Subsidiary Policies are open, accessible and free to enter.
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<ol type="a"><li>
|
|
|
|
SubPols compete but are compatible.
|
|
|
|
</li><li>
|
|
|
|
No SubPol is a franchise.
|
|
|
|
</li><li>
|
|
|
|
Many will be on State or National lines,
|
|
|
|
reflecting the legal
|
|
|
|
tradition of organisations created
|
|
|
|
("incorporated") by states.
|
|
|
|
</li><li>
|
|
|
|
However, there is no need for strict national lines;
|
|
|
|
it is possible to have 2 SubPols in one country, or one
|
|
|
|
covering several countries with the same language
|
|
|
|
(e.g., Austria with Germany, England with Wales but not Scotland).
|
|
|
|
</li><li>
|
|
|
|
There could also be SubPols for special
|
|
|
|
organisations, one person organisations,
|
|
|
|
UN agencies, churches, etc.
|
|
|
|
</li><li>
|
|
|
|
Where it is appropriate to use the SubPol
|
|
|
|
in another situation (another country?), it
|
|
|
|
can be so approved.
|
|
|
|
(e.g., Austrian SubPol might be approved for Germany.)
|
|
|
|
The SubPol must record this approval.
|
|
|
|
</li></ol>
|
|
|
|
|
|
|
|
|
2008-04-01 19:20:41 +00:00
|
|
|
<h2> <a name="4"> 4. </a> Process </h2>
|
2007-10-22 10:26:50 +00:00
|
|
|
|
2008-04-01 19:20:41 +00:00
|
|
|
<h3> <a name="4.1"> 4.1 </a> Standard of Organisation Assurance </h3>
|
2007-10-22 10:26:50 +00:00
|
|
|
<p>
|
|
|
|
The essential standard of Organisation Assurance is:
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<ol type="a"><li>
|
|
|
|
the organisation exists
|
|
|
|
</li><li>
|
|
|
|
the organisation name is correct and consistent:
|
|
|
|
<ol type="i">
|
|
|
|
<li>in official documents specified in SubPol.</li>
|
|
|
|
<li>on COAP form.</li>
|
|
|
|
<li>in CAcert database.</li>
|
|
|
|
<li>form or type of legal entity is consistent</li>
|
|
|
|
</ol>
|
|
|
|
</li><li>
|
|
|
|
signing rights:
|
|
|
|
requestor can sign on behalf of the organisation.
|
|
|
|
</li><li>
|
|
|
|
the organisation has agreed to the terms of the
|
2008-04-01 19:20:41 +00:00
|
|
|
<b>
|
|
|
|
CAcert Community Agreement
|
|
|
|
</b>,
|
2007-10-22 10:26:50 +00:00
|
|
|
and is therefore subject to Arbitration.
|
|
|
|
</li></ol>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
Acceptable documents to meet above standard
|
|
|
|
are stated in the SubPol.
|
|
|
|
</p>
|
|
|
|
|
2008-04-02 17:13:10 +00:00
|
|
|
<h3> <a name="4.2"> 4.2 </a> COAP </h3>
|
2007-10-22 10:26:50 +00:00
|
|
|
<p>
|
|
|
|
The COAP form documents the checks and the resultant
|
|
|
|
assurance results to meet the standard.
|
|
|
|
Additional information to be provided on form:
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<ol type="a"><li>
|
|
|
|
CAcert account of O-Admin (email address?)
|
|
|
|
</li><li>
|
|
|
|
location:
|
|
|
|
<ol type="i">
|
|
|
|
<li>country (MUST).</li>
|
|
|
|
<li>city (MUST).</li>
|
|
|
|
<li>additional contact information (as required by SubPol).</li>
|
|
|
|
</ol>
|
|
|
|
</li><li>
|
2008-04-02 17:13:10 +00:00
|
|
|
administrator account name(s) (1 or more)
|
2007-10-22 10:26:50 +00:00
|
|
|
</li><li>
|
|
|
|
domain name(s)
|
|
|
|
</li><li>
|
2008-04-01 19:20:41 +00:00
|
|
|
Agreement with
|
2008-04-02 17:13:10 +00:00
|
|
|
<b>CAcert Community Agreement</b>.
|
|
|
|
Statement and initials box for organisation
|
2007-10-22 10:26:50 +00:00
|
|
|
and also for OA.
|
|
|
|
</li><li>
|
|
|
|
Date of completion of Assurance.
|
|
|
|
Records should be maintained for 7 years from
|
|
|
|
this date.
|
|
|
|
</li></ol>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
The COAP should be in English. Where translations
|
|
|
|
are provided, they should be matched to the English,
|
|
|
|
and indication provided that the English is the
|
|
|
|
ruling language (due to Arbitration requirements).
|
|
|
|
</p>
|
|
|
|
|
2008-04-01 19:20:41 +00:00
|
|
|
<h3> <a name="4.3"> 4.3 </a> Jurisdiction </h3>
|
2007-10-22 10:26:50 +00:00
|
|
|
|
|
|
|
<p>
|
|
|
|
Organisation Assurances are carried out by
|
2008-04-01 13:28:15 +00:00
|
|
|
CAcert Inc. under its Arbitration jurisdiction.
|
2007-10-22 10:26:50 +00:00
|
|
|
Actions carried out by OAs are under this regime.
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<ol type="a"><li>
|
|
|
|
The organisation has agreed to the terms of the
|
2008-04-02 17:13:10 +00:00
|
|
|
<b>CAcert Community Agreement</b>.
|
2007-10-22 10:26:50 +00:00
|
|
|
</li><li>
|
|
|
|
The organisation, the Organisation Assurers, CAcert and
|
|
|
|
other related parties are bound into CAcert's jurisdiction
|
|
|
|
and dispute resolution.
|
|
|
|
</li><li>
|
|
|
|
The OA is responsible for ensuring that the
|
|
|
|
organisation reads, understands, intends and
|
2008-04-01 19:20:41 +00:00
|
|
|
agrees to the
|
2008-04-02 17:13:10 +00:00
|
|
|
<b>CAcert Community Agreement</b>.
|
2007-10-22 10:26:50 +00:00
|
|
|
This OA responsibility should be recorded on COAP
|
|
|
|
(statement and initials box).
|
|
|
|
</li></ol>
|
|
|
|
|
2008-04-01 19:20:41 +00:00
|
|
|
<h2> <a name="5"> 5. </a> Exceptions </h2>
|
2007-10-22 10:26:50 +00:00
|
|
|
|
|
|
|
|
|
|
|
<ol type="a"><li>
|
|
|
|
<b> Conflicts of Interest.</b>
|
|
|
|
An OA must not assure an organisation in which
|
|
|
|
there is a close or direct relationship by, e.g.,
|
|
|
|
employment, family, financial interests.
|
|
|
|
Other conflicts of interest must be disclosed.
|
|
|
|
</li><li>
|
|
|
|
<b> Trusted Third Parties.</b>
|
|
|
|
TTPs are not generally approved to be part of
|
|
|
|
organisation assurance,
|
|
|
|
but may be approved by subsidiary policies according
|
|
|
|
to local needs.
|
|
|
|
</li><li>
|
|
|
|
<b>Exceptional Organisations.</b>
|
|
|
|
(e.g., Vatican, International Space Station, United Nations)
|
|
|
|
can be dealt with as a single-organisation
|
|
|
|
SubPol.
|
|
|
|
The OA creates the checks, documents them,
|
|
|
|
and subjects them to to normal policy approval.
|
|
|
|
</li><li>
|
|
|
|
<b>DBA.</b>
|
|
|
|
Alternative names for organisations
|
|
|
|
(DBA, "doing business as")
|
|
|
|
can be added as long as they are proven independently.
|
|
|
|
E.g., registration as DBA or holding of registered trade mark.
|
|
|
|
This means that the anglo law tradition of unregistered DBAs
|
|
|
|
is not accepted without further proof.
|
2008-04-02 17:13:10 +00:00
|
|
|
</li></ol>
|
|
|
|
<p><a href="http://validator.w3.org/check?uri=referer"><img src="http://www.w3.org/Icons/valid-xhtml11-blue" alt="Valid XHTML 1.1" height="31" width="88" style="border-style: none;" /> </a>
|
|
|
|
</p>
|
2008-04-01 13:28:15 +00:00
|
|
|
</body>
|
|
|
|
</html>
|
2007-10-22 10:26:50 +00:00
|
|
|
|