2009-02-11 14:21:36 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
< HTML >
< HEAD >
< META HTTP-EQUIV = "CONTENT-TYPE" CONTENT = "text/html; charset=utf-8" >
< TITLE > CACert Remote Verification Policy (RVP) < / TITLE >
< META NAME = "CHANGEDBY" CONTENT = "Teus Hagen" >
< META NAME = "CHANGED" CONTENT = "20090211;15005300" >
< / HEAD >
< BODY LANG = "en-US" DIR = "LTR" >
< P > < BR > < BR >
< / P >
< H1 > CAcert Remote Verification Policy (RVP) < / H1 >
< P > < A HREF = "PolicyOnPolicy.html" > < IMG SRC = "Images/cacert-wip.png" NAME = "graphics1" ALT = "CAcert Policy Status" ALIGN = BOTTOM WIDTH = 90 HEIGHT = 33 BORDER = 0 > < / A > < BR > Author:
Pete Stephenson< BR > Creation date: 2008-07-12< BR >
Status: WIP 2008-07-12 < BR >
Edited by: Teus Hagen, 2009-02-11< BR >
Next status: DRAFT 2009< BR >
<!-- $Id$ --> < / P >
< H2 > 0. Preliminaries < / H2 >
< P > This sub-policy extends the Assurance Policy (" AP" )
and Organisation Assurance Policy (“OAP”) by providing a
framework for Members to verify for individual Members their identity
and for organisation Members their organisation (trade) name via Trusted Third
Provider (" TTP" s) including Government Authorities,
Certification Authorities and Commercial Identity Providers, under
the supervision of a CAcert (Organisation) Assurer.
< / P >
< P > Successful completion of the verification of name process defined
in RVP sub-policies shall result in the allocation of 10 extra
Assurance Points added to the maximum of Assurance Points the Assurer,
supervising the assurance process for the Member, can allocate.
< / P >
< H2 > 1. Scope < / H2 >
< P > This sub-policy is available to all individual and organisation
Community Members. < / P >
< H2 > 2. Roles < / H2 >
< H3 > 2.1 CAcert (Organisation) Assurer< / H3 >
< P > The CAcert (Organisation) Assurer must check the CAcert
(Organisation) Assurance Programme form. The identity verification or
organisation name verification is remotely performed by the Trusted
Verification Provider (2.2).< / P >
< P > The Trusted Verification Provider who is involved in the
verification process should be accepted by the Assurer.
< / P >
2009-04-29 18:20:44 +00:00
< P >
< i >
iang: This clause above probably < b > will NOT meet< / b > the criteria DRC C.9.a: "MUST be satisfied as to the identity and competency of the TTP in identification procedures, as though they were to be conducting the assurance themselves."
< / P >
2009-02-11 14:21:36 +00:00
< P > The Assurer will keep the following signed documents:< / P >
< OL >
2009-04-16 21:57:53 +00:00
< LI > < P > Signed document (e.g. CAP or COAP form) for CAcert Community Agreement with the Member.< / P > < / LI >
< LI > < P > Signed report of the Trusted Verification Provider for the name verification.< / P > < / LI >
2009-02-11 14:21:36 +00:00
< / OL >
2009-04-29 18:20:44 +00:00
< P >
< i >
iang: This clause probably will meet the criteria DRC C.9.b: "RAs provide the CA with complete documentation on each verified applicant for a certificate."
Although, it is not clear how the Signed Report is delivered from TVP to CA.
< / P >
2009-02-11 14:21:36 +00:00
< H3 > 2.2 Trusted Verification Provider (" TVP" ) < / H3 >
< P > Each TVA:: < / P >
< OL >
< LI > < P > must be < STRONG > < I > verifiably
practicing identification procedures< / I > < / STRONG > , typically one of
the following:< / P >
< OL >
< LI > < P > < STRONG > Government Authorities< / STRONG >
responsible for issuing ID documents for individuals, trade office
extracts for organisations, or providing taxation functions
< / P >
< LI > < P > < STRONG > Certification Authorities< / STRONG >
issuing authentication tokens (including certificates) based on a
published identity and/or trade name verification process
< / P >
< LI > < P > < STRONG > Commercial Identity
Providers< / STRONG > providing identity verification as a commercial
service.< / P >
< LI > < P > < B > Commercial Trade name
Registrars< / B > providing trade name verification.< / P >
< / OL >
< LI > < P > must provide a secure mechanism
for validating a member's identity and/or organisation name or trade
2009-04-29 18:20:44 +00:00
name, including:
2009-02-11 14:21:36 +00:00
< / P >
< OL >
< LI > < P > < STRONG > Authentication Tokens< / STRONG >
which are delivered to the user and verifiable in a
cryptographically strong fashion
< / P >
< LI > < P > < STRONG > Online Verification< / STRONG >
via a web interface, ideally which is verified by SSL/TLS
< / P >
< LI > < P > < STRONG > Out-of-Band< / STRONG >
communication directly with CAcert, Inc. as to the outcome of the
verification
< / P >
< / OL >
< LI > < P > should conduct identification of name procedures similar in
nature to CAcert's existing procedures (eg examining ID documents,
trade office extracts, obtaining 'assurances' from other trusted
members)
< / P >
< / OL >
< H3 > 2.3 Member < / H3 >
< P > A Member (the subject of a verification) using the Remote
Verification program: < / P >
< OL >
< LI > < P > must agree to be bound the CAcert
Community Agreement (CCA).< / P >
< LI > < P > must disclose any conflicts of
interest (including but not limited to relationships with
(Organisation) Assurer)
< / P >
< LI > < P > must cover the costs of their assurance (if any), including
fees imposed by TVPs and Assurer.< / P >
< / OL >
< H2 > 3. Processes < / H2 >
< H3 > 3.1 Verification < / H3 >
< OL >
< LI > < P > Member shall create a CAcert
account and agree to the CAcert Community Agreement (CCA)
< / P >
< LI > < P > Member shall complete the procedure specified by the
applicable sub-policy(s), including being verified by the TVP .< / P >
< / OL >
< H2 > 4. Documentation < / H2 >
< P > Where documentation is required by the verification process it
shall be subject to the prevailing records management policies which
may require that it be kept for a certain period or destroyed
immediately after processing.
< / P >
< P > < A HREF = "http://validator.w3.org/check?uri=referer" > < IMG SRC = "Images/valid-xhtml11-blue" NAME = "graphics2" ALT = "Valid XHTML 1.1" ALIGN = BOTTOM WIDTH = 90 HEIGHT = 33 BORDER = 0 > < / A >
< / P >
< / BODY >
< / HTML >