cacert-policies/RemoteVerificationPolicy.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
	<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">
	<TITLE> CACert Remote Verification Policy (RVP) </TITLE>
	<META NAME="CHANGEDBY" CONTENT="Teus Hagen">
	<META NAME="CHANGED" CONTENT="20090211;15005300">
</HEAD>

<BODY LANG="en-US" DIR="LTR">
<P><BR><BR>
</P>

<H1>CAcert Remote Verification Policy (RVP) </H1>

<P><A HREF="PolicyOnPolicy.html"><IMG SRC="Images/cacert-wip.png" NAME="graphics1" ALT="CAcert Policy Status" ALIGN=BOTTOM WIDTH=90 HEIGHT=33 BORDER=0></A><BR>Author:
Pete Stephenson<BR>Creation date: 2008-07-12<BR>
Status: WIP 2008-07-12 <BR>
Edited by: Teus Hagen, 2009-02-11<BR>
Next status: DRAFT 2009<BR>
<!-- $Id$ --></P>

<H2>0. Preliminaries </H2>

<P>This sub-policy extends the Assurance  Policy (&quot;AP&quot;) 
and Organisation Assurance Policy (“OAP”) by providing a
framework for Members to verify for individual Members their identity
and for organisation Members their organisation (trade) name via Trusted Third
Provider (&quot;TTP&quot;s) including Government Authorities,
Certification Authorities and Commercial Identity Providers, under
the supervision of a CAcert (Organisation) Assurer. 
</P>

<P>Successful completion of the verification of name process defined
in RVP sub-policies shall result in the allocation of 10 extra
Assurance  Points added to the maximum of Assurance Points the Assurer,
supervising the assurance process for the Member, can allocate.
</P>

<H2>1. Scope </H2>

<P>This sub-policy is available to all individual and organisation
Community Members.  </P>

<H2>2. Roles </H2>

<H3>2.1 CAcert (Organisation) Assurer</H3>

<P>The CAcert (Organisation) Assurer must check the CAcert
(Organisation) Assurance Programme form. The identity verification or
organisation name verification is remotely performed by the Trusted
Verification Provider (2.2).</P>

<P>The Trusted Verification Provider who is involved in the
verification process  should be accepted by the Assurer. 
</P>

<P>
<i>
iang: This clause above probably <b>will NOT meet</b> the criteria DRC C.9.a: "MUST be satisfied as to the identity and competency of the TTP in identification procedures, as though they were to be conducting the assurance themselves."
</i>
</P>

<P>The Assurer will keep the following signed documents:</P>
<OL>
	<LI><P>Signed document  (e.g. CAP or COAP form) for CAcert Community Agreement with the Member.</P></LI>
	<LI><P>Signed report of the Trusted Verification Provider for the name verification.</P></LI>
</OL>

<P>
<i>
iang: This clause probably will meet the criteria DRC C.9.b: "RAs provide the CA with complete documentation on each verified applicant for a certificate."
Although, it is not clear how the Signed Report is delivered from TVP to CA.
</i>
</P>


<H3>2.2 Trusted Verification Provider (&quot;TVP&quot;) </H3>

<P>Each TVA:: </P>

<OL>
	<LI><P>must be <STRONG><I>verifiably
	practicing identification procedures</I></STRONG>, typically one of
	the following:</P>
	<OL>
		<LI><P><STRONG>Government Authorities</STRONG>
		responsible for issuing ID documents for individuals, trade office
		extracts for organisations, or providing taxation functions 
		</P>
		<LI><P><STRONG>Certification Authorities</STRONG>
		issuing authentication tokens (including certificates) based on a
		published  identity and/or trade name verification process 
		</P>
		<LI><P><STRONG>Commercial  Identity
		Providers</STRONG> providing identity verification as a commercial
		service.</P>
		<LI><P><B>Commercial Trade  name
		Registrars</B> providing trade name verification.</P>
	</OL>
	<LI><P>must provide a secure mechanism
	for validating a member's identity and/or organisation name or trade
	name, including: 
	</P>
	<OL>
		<LI><P><STRONG>Authentication Tokens</STRONG>
		which are delivered to the user and verifiable in a
		cryptographically strong fashion 
		</P>
		<LI><P><STRONG>Online Verification</STRONG>
		via a web interface, ideally which is verified by SSL/TLS 
		</P>
		<LI><P><STRONG>Out-of-Band</STRONG>
		communication directly with CAcert, Inc. as to the outcome of the
		verification 
		</P>
	</OL>
	<LI><P>should conduct identification of name procedures similar in
	nature to CAcert's existing procedures (eg examining ID documents,
	trade office extracts, obtaining 'assurances' from other trusted
	members) 
	</P>
</OL>

<H3>2.3 Member </H3>

<P>A Member (the subject of a verification) using the Remote
Verification program: </P>

<OL>
	<LI><P>must agree to be bound the CAcert
	Community Agreement (CCA).</P>
	<LI><P>must disclose any conflicts of
	interest (including but not limited to relationships with
	(Organisation) Assurer) 
	</P>
	<LI><P>must cover the costs of their assurance (if any), including
	fees imposed by TVPs and Assurer.</P>
</OL>

<H2>3. Processes </H2>

<H3>3.1 Verification </H3>

<OL>
	<LI><P>Member shall create a CAcert
	account and agree to the CAcert Community Agreement (CCA) 
	</P>
	<LI><P>Member shall complete the procedure specified by the
	applicable sub-policy(s), including being verified by the TVP .</P>
</OL>

<H2>4. Documentation </H2>

<P>Where documentation is required by the verification process it
shall be subject to the prevailing records management policies which
may require that it be kept for a certain period or destroyed
immediately after processing. 
</P>

<P><A HREF="http://validator.w3.org/check?uri=referer"><IMG SRC="Images/valid-xhtml11-blue" NAME="graphics2" ALT="Valid XHTML 1.1" ALIGN=BOTTOM WIDTH=90 HEIGHT=33 BORDER=0></A>
</P>

</BODY>
</HTML>