Licence: <ahref="//wiki.cacert.org/Policy#Licence"title="this document is Copyright CAcert, licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy"> CC-by-sa+DRP </a><br/>
The Name and Date of Birth details recorded on the form
are matched by those in the identity documents.
</li><li>
The method (document type and issuer, not numbers)
by which the Name and DoB details are matched
is stated on the form.
</li><li>
Location of the meeting.
</li><li>
Contact details for the TTP
</li><li>
Assurer's Name and Token.
</li></ol>
</li><li>
<p>
The TTP shall use either the local form of document
(on CAcert's approved list), or a CAcert-provided form.
</p>
</li><li>
<p>
The TTP shall log the event by their customary means,
including the Assurer's Name and Verification Token.
</p>
<pclass="q">Old: leaving a Remote Assurance Form and copies of identity documents with the TTP for at least 60 days</p>
</li><li>
<p>
The paperwork is sent to the Assurer by the TTP.
</p>
<spanclass="q">
<p>Old: sending a Remote Assurance Form and copies of identity documents to the Assurer by mutually agreed medium (eg post, web form or encrypted email).</p>
<p>iang: this clause <B>is similar</B> to the requirement DRC C.9.b:</p>
<blockquote><u>"RAs provide the CA with complete documentation on each verified applicant for a certificate."</u></blockquote>
<p>What is different is that the criteria requires the TTP to send the form, not the Member.</p>
The Assurer must confirm the assurance using the paperwork,
</p><p>
The Assurer must
be satisfied as to the identity and competency of the TTP
in identification procedures,
as though they were to be conducting the assurance themselves
</p>
<spanclass="q">
<p>iang: this clause would probably meet DRC C.9.a:
<blockquote><u>"When the CA uses an external registration authority (RA), each RA is positively identified by CA personnel before being authorized to verify identities of subscribers and authorizations of individuals to represent organizational subscribers (see §A.2.v)."</u></blockquote>
For that reason, the above clause should be considered strongly,
and either discussed further in the Handbook, or include these
other Older suggestions:
<p>RA MUST authenticate the TTP to their satisfaction by:
</p>
<olstyle="list-style-type: lower-roman;">
<li>searching for their details in an appropriate, official public registry (eg government site, association registry, telephone book) </li>
<li>contacting the TTP using these details to verify their identity </li>
<li>verifying that the TTP is suitable in terms of meeting the requirements of this policy </li>
<li>verifying that the meeting did indeed take place and that the Assuree was adequately identified </li>
</ol>
</span><br/>
</i></blockquote>
</li><li>
The Assurer may contact the TTP, quoting Name and Verification Token.
</li><li>
On completion of the assurance, the Assurer
allocates standard full Assurance Points
(35 at time of writing)
to the Member.
Given the work involved, the Assurer should
strive to ensure that full points are allocated
by for example requesting any rework required.
<pclass="q">iang: this clause might be better off in the Handbook. Dominik+1</p>
