<?xml version="1.0" encoding="utf-8"?>
< !DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
< html xmlns = "http://www.w3.org/1999/xhtml" >
< head >
< title >
CAcert Remote Assurance Policy (RAP)
< / title >
< / head >
< body >
< h1 >
CAcert Remote Assurance Policy (RAP)
< / h1 >
< p >
< a href = "PolicyOnPolicy.html" > < img src = "Images/cacert-wip.png" alt = "CAcert Policy Status" height = "31" width = "88" style = "border-style: none;" / > < / a > < br / >
Author: Sam Johnston< br / >
Creation date: 2008-04-22< br / >
Status: WIP 2008-04-22< br / >
Next status: DRAFT 05-2008< br / >
<!-- $Id$ -->
< / p >
< h2 >
0. Preliminaries
< / h2 >
< p >
This sub-policy extends the Assurance Policy ("AP") by specifying how assurances are to be remotely conducted for members where insufficient assurer(s) are available. A Remote Assurer ("RA") shall be assigned by a board-appointed Remote Assurance Officer ("RAO") to conduct the assurance to their satisfaction using TWO Trusted Third Parties ("TTP"s).
< / p >
< p >
Successful completion of the process shall result in the Assuree achieving the status of Assurer (e.g. the allocation of sufficient points to reach 100). However, this status should not be considered permanent, and the Assuree must seek assurance by the usual means as soon as practicable.
< / p >
< h2 >
1. Scope
< / h2 >
< p >
This sub-policy is restricted to members where insufficient local assurer(s) are available to reach Assurer status by the usual means within a 30 day period.
< / p >
< h2 >
2. Roles
< / h2 >
< h3 >
2.1 Trusted Third Party ("TTP")
< / h3 >
< p >
Each of the TWO TTPs:
< / p >
< ol style = "list-style-type: lower-alpha;" >
< li > MUST be < i > < strong > verifiably practicing identification procedures< / strong > < / i > , typically one of the following:< br / >
< ol style = "list-style-type: lower-roman;" >
< li >
< strong > Accountant< / strong > licensed and/or certified by the local authority (eg CPA)
< / li >
< li >
< strong > Bank Manager< / strong > of a branch of a banking institution
< / li >
< li >
< strong > Justice of the Peace< / strong > duly and verifiably elected or appointed
< / li >
< li >
< strong > Lawyer< / strong > currently practicing and registered with the bar association or equivalent
< / li >
< li >
< strong > Notary Public< / strong > authorised to authenticate documents in their jurisdiction
< / li >
< li >
< strong > Other< / strong > trusted local public figure as approved by AO (limited to ONE of the TWO TTPs)
< / li >
< / ol >
< / li >
< li > MUST retain the Remote Assurance Form and copies of the identity documents for at least 60 days and respond to enquiries in a timely fashion
< / li >
< li > SHOULD have experience with the Remote Assurance Program, unless no experienced local TTPs are available within a 30 day period
< / li >
< li > SHOULD be recommended to the Assuree by the RA where possible so as to improve security
< / li >
< / ol >
< h3 >
2.2 Remote Assurance Officer ("RAO")
< / h3 >
< p >
Officer(s) managing the Remote Assurance Program:
< / p >
< ol style = "list-style-type: lower-alpha;" >
< li > MUST be appointed by the board.
< / li >
< li > MUST report regularly to the board on program status.
< / li >
< / ol >
< h3 >
2.3 Remote Assurer ("RA")
< / h3 >
< p >
An RA conducting assurances remotely using TTPs:
< / p >
< ol style = "list-style-type: lower-alpha;" >
< li > MUST be approved by a board-appointed RAO
< / li >
< li > MUST be satisfied as to the identity and competency of the TTP in identification procedures, as though they were to be conducting the assurance themselves
< / li >
< li > SHOULD be the most senior Assurer available
< / li >
< li > SHOULD have experience with the TTP program, unless no experienced local Assurers are available within a 30 day period
< / li >
< li > MAY charge a reasonable fee for the service, provided that fee is disclosed in advance
< / li >
< / ol >
< h3 >
2.4 Assuree
< / h3 >
< p >
An Assuree (the subject of an assurance) using the Remote Assurance program:
< / p >
< ol style = "list-style-type: lower-alpha;" >
< li > MUST agree to be bound by the CAcert Community Agreement (CCA), including the Dispute Resolution Policy (DRP)
< / li >
< li > MUST justify to the Assurer why the standard processes are not appropriate
< / li >
< li > MUST provide adequate identification to satisfy the prevailing Assurance Policy and the TTP
< / li >
< li > MUST cover the costs of their assurance (if any), including fees imposed by TTPs and Assurers
< / li >
< / ol >
< h2 >
3. Processes
< / h2 >
< h3 >
3.1 Assurance
< / h3 >
< ol style = "list-style-type: lower-alpha;" >
< li > Assuree SHALL create a CAcert account and agree to the CAcert Community Agreement (CCA)
< / li >
< li > Assuree SHOULD first attempt to use the usual means for assurance
< / li >
< li > Assuree MUST request allocation of an RA from the RAO
< / li >
< li > RA SHOULD refer Assuree to the best known, most experienced and most appropriate TTPs in preference to:< br / >
< ol style = "list-style-type: lower-roman;" >
< li > unknown, inexperienced or inappropriate TTPs
< / li >
< li > TTPs proposed by the Assuree
< / li >
< / ol >
< / li >
< li > Assuree SHALL have their identity verified by the TTP by:< br / >
< ol style = "list-style-type: lower-roman;" >
< li > obtaining and printing two copies of the Remote Assurance Form
< / li >
< li > taking two copies of any identity documents to be presented to the TTP
< / li >
< li > meeting with the TTP in person and furnishing < strong > at least< / strong > sufficient identification to meet the requirements of the prevailing Assurance Policy
< / li >
< li > executing the Remote Assurance Form in duplicate, in the presence of the TTP (for paper forms)
< / li >
< li > leaving a Remote Assurance Form and copies of identity documents with the TTP for at least 60 days
< / li >
< li > sending a Remote Assurance Form and copies of identity documents to the Assurer by mutually agreed medium (eg post, web form or encrypted email)
< / li >
< / ol >
< / li >
< li > RA MUST authenticate the TTP to their satisfaction by:< br / >
< ol style = "list-style-type: lower-roman;" >
< li > searching for their details in an appropriate, official public registry (eg government site, association registry)
< / li >
< li > contacting the TTP using these details to verify their identity
< / li >
< li > verifying that the TTP is suitable in terms of meeting the requirements of this policy
< / li >
< li > verifying that the meeting did indeed take place and that the Assuree was adequately identified
< / li >
< / ol >
< / li >
< li > RA MUST submit their reports for BOTH TTPs to the AO within 30 days of the date of each TTP meeting
< / li >
< li > RA MUST securely destroy all copies held no less than 60 days and no more than 90 days from the date of the TTP meeting
< / li >
< li > Disputes requiring access to the Remote Assurance Form and copies of identity documents must be handled within 60 days of the TTP meeting (after which time the TTP MAY be revoked)
< / li >
< / ol >
< h2 >
4. Documentation
< / h2 >
< h3 >
4.1 Remote Assurance Form
< / h3 >
< p >
The Remote Assurance Form is to be completed (in duplicate for paper forms) and:
< / p >
< ol style = "list-style-type: lower-alpha;" >
< li > SHALL include all information required by the Assurance Policy
< / li >
< li > SHOULD include a concise guide for Assurees and TTPs
< / li >
< li > MUST be executed by the Assuree in the presence of the TTP (for paper forms)
< / li >
< / ol >
< h2 >
5. Exclusions
< / h2 >
< p >
The following exclusions (with reasoning) apply to the TTP program:
< / p >
< ol style = "list-style-type: lower-alpha;" >
< li >
< strong > Countries:< / strong > < br / >
< ol style = "list-style-type: lower-roman;" >
< li > None
< / li >
< / ol >
< / li >
< li >
< strong > Trusted Third Parties:< / strong > < br / >
< ol style = "list-style-type: lower-roman;" >
< li > Unqualified TTPs (due to insufficient verifiable knowledge)
< / li >
< li > Inexperienced TTPs (due to insufficient verifiable competency)
< / li >
< / ol >
< / li >
< li >
< strong > Remote Assurers:< / strong > < br / >
< ol style = "list-style-type: lower-roman;" >
< li > Assurers under the age of majority (due to inadequate experience/liability)
< / li >
< / ol >
< / li >
< li >
< strong > Assurees:< / strong > < br / >
< ol style = "list-style-type: lower-roman;" >
< li > Existing Assurers (due to lack of demonstrable need)
< / li >
< / ol >
< / li >
< / ol >
< / body >
< / html >