From 115d38ea9c88f754b7265ccfdbb885c29fee8463 Mon Sep 17 00:00:00 2001
From: Greg Rose <ggr@cacert.org>
Date: Mon, 4 May 2009 21:18:20 +0000
Subject: [PATCH] added TVerifyAssurancePolicy.html proposal row draft

git-svn-id: http://svn.cacert.org/CAcert/Policies@1494 14b1bab8-4ef6-0310-b690-991c95c89dfd
---
 TVerifyAssurancePolicy.html | 240 ++++++++++++++++++++++++++++++++++++
 1 file changed, 240 insertions(+)
 create mode 100644 TVerifyAssurancePolicy.html

diff --git a/TVerifyAssurancePolicy.html b/TVerifyAssurancePolicy.html
new file mode 100644
index 0000000..f31b47b
--- /dev/null
+++ b/TVerifyAssurancePolicy.html
@@ -0,0 +1,240 @@
+<html>
+<head>
+<title>Third Party Verification System Policy</title>
+</head>
+<body>
+<h1>Third Party Verification System Policy</h1>
+
+<h2> Preamble </h2>
+
+<p>
+This is a subsidiary policy under Assurance Policy (COD13).
+It documents the acceptance of Thawte-issued certificates
+and disclosers as inputs into the assurance process.
+</p>
+
+<h2> Third Party Certificate  </h2>
+
+
+<p>
+The CAs listed in Appendix A are approved to "this system".
+</p>
+
+<p>
+If a certificate is examined by an Assurer (e.g., signed email)
+and determined to provide evidence of a Name and email address that
+matches the Name stored in the CAcert system,
+the Assurer may allocate 25 (???) Assurance Points
+(or as determined in the Appendix A).
+</p>
+
+<p>
+This is only available to Assurers who are:
+</p>
+
+<ol><li>
+    Full Assurer with 50 Experience Points
+  </li><li>
+    Assigned the Tverify role by support.
+</li></ol>
+
+<p>
+This may be only awarded once per Member.
+</p>
+
+<p>
+This may be done automatically by the existing
+Tverify system.
+</p>
+
+
+<h2> Other Web of Trust </h2>
+
+<p>
+Webs of Trust listed in Appendix B are approved for this system.
+</p>
+
+<p>
+If evidence of full "assurer status" in the other Web of Trust
+is provided to an Assurer,
+then the Assurer may award 25 Assurance Points,
+in addition to the above 25 points from the certificate.
+<p>
+
+<p>
+The Assurer must go to the other system and verify the
+Name.
+And DoB??? But the user has to enable each Assurer to
+check the DoB by means of the permitting an assurance in the
+other system.
+</p>
+
+<p>
+Assurers enabled for this system must be:
+</p>
+
+<ol><li>
+    Full Assurer with 50 Experience Points
+  </li><li>
+    Assigned the Tverify role by support.
+  </li><li>
+    Full "assurer status" in the other system.
+</li></ol>
+
+<p>
+This may be only awarded once per Member.
+</p>
+
+<p>
+<i>What about voting system....</i>
+</p>
+
+
+
+
+  </li><li>
+
+    optional :
+    the user provides the web link in the directory of Thawte
+    notaries. The user must display his name and CAcert account email
+    address in the directory assurer message. The user can get 40 extra
+    points after manual checking,
+
+<ul><li><i>
+This proves that the person is a "Thawte Notary"
+</i></li><li><i>
+A TN has "100 Thawte trust points" which means that the Name, DoB, email address (by connecting into the system) have been checked by 3 people at least.
+</i></li><li><i>
+Thawte Notary:  There is no "test".
+</i></li><li><i>
+Thawte Notary:  There are some rules, what needs to be done, what not.
+<u>Find the rules</u>.
+</i></li><li><i>
+Thawte Notary:  complaints are reported to Thawte support, and support then requests all forms and documentation and copies of IDs, and support may do something ... <u>but this was before the change of liability, they may not care anymore</u>
+</i></li><li><i>
+Probably this should be 25 points?
+</i></li></ul>
+
+  </li><li>
+    optional:
+    The user provides a scan of a government photo id. The user
+    can get an extra 60 points after manual checking.
+<ul><li><i>
+May need to make this mandatory so we can check the DoB.
+</i></li><li><i>
+Probably this should be 40 points?
+</i></li></ul>
+</li></ol>
+
+<p>
+<i> Agreed that experience as TN is not useful for CAcert Experience Points.
+So Maximum is 100.</i>
+</p>
+
+<h2> Manual Points Allocation </h2>
+
+<p>
+   If the user completes only step 1, the users get 50 points if the
+   Thawte name matches the CAcert name : The process is fully automated and
+   the user still can do later the optional steps.
+</p>
+
+<p>
+   In case the user completes steps 2 or 3, a Tverify-authorised Assurer does the following manual checks :
+</p>
+
+
+<ol><li>
+    check if the link to the Thawte WoT directory matches the name and
+    email address of the CAcert account, and
+  </li><li>
+
+    check if the photo id macthes the name and date of birth of the CAcert
+    account.
+</li></ol>
+
+<p>
+the CAcert Tverify community member votes Aye or Nay on the request
+(faithfullness) and optionally adds a comment on the reason why they reject
+the request.
+</p>
+
+<p>
+If the requests gets 4 Naye, the requests is rejected, the user has to
+restart the process.
+</p>
+
+<p>
+if the request gets 4 Aye, the requests is completed and the appropriate
+amount of Assurance points are added to the account, logged as an Tverify
+assurance.
+<i>BY WHOM?</i>
+</p>
+
+<p>
+Each user step can granted points only once. The maximum is 150 points.
+<b>BLECH</b>
+</p>
+
+<h2> Manual Points Allocation </h2>
+
+<p>
+To be a Tverify Assurer, an Assurer must have:
+</p>
+
+<ul><li>
+    full Thawte "Notary" status.
+</li></ul>
+
+<p>
+Authorisation is done by ....
+   the Support Officer (and confirmed by ??? Assurance Officer).
+</p>
+
+<p>
+Currently there are 7+ Assurers who are authorised to conduct the
+Tverify additional procedure.
+</p>
+
+<h2> System </h2>
+
+<p>
+An online system is run to accept the certificate.
+This is located at https://tverify.cacert.org/
+This is a critical / non-critical system ????
+</p>
+
+<h2> Legal </h2>
+
+<p>
+WHat do the Thawte docs say about reliance, etc.
+Is there a possibility to do this?
+What is the liability position?
+<b>Chances are, there is no liability and no reliance permitted.</b>
+Which means ... there is no reliance on the Name in the cert.
+</p>
+
+
+
+<h2> OLD stuff </h2>
+<blockquote><b>OLD:</b>
+<p>
+    <b> mandatory </b> : the users provides a
+    Thawte assured certificate including the user name.
+    If the name and email address in the certificate matches
+    the name and email address recorded by CAcert exactly,
+    the user is given 50 Assurance Points automatically
+    by the online system.
+</p>
+<ul><li><i>
+no checking of date of birth,
+</i></li><li><i>
+no alignment of these 50 points with AP (statement,  checking of date of birth,
+there may be some rules about middle names and extracting the name fields out of FirstName and LastName... this is in the system.
+<b>should check Thwarte doco to make a judgement call on what it is worth.</b>
+</i></li><li><i>
+Probably this should be 25 points?
+</i></li></ul>
+
+</blockquote>
+</body></html>