ve issued certificate paragraph a bit clearer and ref to CIP policy.

git-svn-id: http://svn.cacert.org/CAcert/Policies@874 14b1bab8-4ef6-0310-b690-991c95c89dfd
Teus Hagen 2008-07-02 10:45:40 +00:00
parent d16b89fa71
commit 194401885b


@ -1,20 +1,19 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML> <HTML>
<HEAD> <HEAD>
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=windows-1252"> <META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">
<TITLE>Assurance Policy</TITLE> <TITLE>Assurance Policy</TITLE>
<meta name="CREATEDBY" content="Ian Grigg"> <META NAME="CREATED" CONTENT="20080530;0">
<meta name="CREATED" content="20080530;0"> <META NAME="CHANGEDBY" CONTENT="Teus Hagen">
<meta name="CHANGEDBY" content="Teus Hagen"> <META NAME="CHANGED" CONTENT="20080702;12375400">
<meta name="CHANGED" content="20080701;0"> <META NAME="CREATEDBY" CONTENT="Ian Grigg">
<meta name="CHANGEDBY" content="Robert Cruikshank"> <META NAME="CHANGEDBY" CONTENT="Teus Hagen">
<meta name="CHANGED" content="20080702;0"> <META NAME="CHANGEDBY" CONTENT="Robert Cruikshank">
<STYLE TYPE="text/css"> <STYLE TYPE="text/css">
<!-- <!--
P { color: #000000 }
TD P { color: #000000 } TD P { color: #000000 }
H1 { color: #000000 } H1 { color: #000000 }
P { color: #000000 }
H2 { color: #000000 } H2 { color: #000000 }
DT { color: #000000 } DT { color: #000000 }
DD { color: #000000 } DD { color: #000000 }
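Review bot: The new META block lists CHANGEDBY "Teus Hagen" twice and carries a single CHANGED value (20080702;12375400), so the per-editor CHANGEDBY/CHANGED pairs of the old head are lost. Drop the duplicate CHANGEDBY line, or keep one CHANGEDBY/CHANGED pair per editor as before. The uppercase rewrite of the tags and the moved P rule in the STYLE block are unrelated to the stated purpose of the commit and would be easier to review on their own.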
@ -26,12 +25,8 @@
<BODY LANG="en-GB" TEXT="#000000" DIR="LTR"> <BODY LANG="en-GB" TEXT="#000000" DIR="LTR">
<H1>Assurance Policy for CAcert Community Members</H1> <H1>Assurance Policy for CAcert Community Members</H1>
<P><A HREF="PolicyOnPolicy.html"><IMG SRC="Images/cacert-wip.png" NAME="graphics1" ALT="CAcert Policy Status" ALIGN=BOTTOM WIDTH=90 HEIGHT=33 BORDER=0></A> <P><A HREF="PolicyOnPolicy.html"><IMG SRC="Images/cacert-wip.png" NAME="graphics1" ALT="CAcert Policy Status" ALIGN=BOTTOM WIDTH=90 HEIGHT=33 BORDER=0></A>
<BR> <BR>Author: Ian Grigg<BR>Creation date: 2008-05-30<BR>Status: WIP
Author: Ian Grigg<BR> 2008-05-30<BR>Next status: DRAFT June 2008
Creation date: 2008-05-30<BR>
Status: WIP
2008-05-30<BR>
Next status: DRAFT June 2008
</P> </P>
<H2>0. Preamble</H2> <H2>0. Preamble</H2>
<P>Definitions of terms: <P>Definitions of terms:
@ -54,7 +49,7 @@ Next status: DRAFT June 2008
</DD><DT> </DD><DT>
<EM>Name</EM> <EM>Name</EM>
</DT><DD> </DT><DD>
A Name is the full name of an individual:&nbsp;first name(s), family A Name is the full name of an individual: first name(s), family
name(s), name extensions, abbreviation of name(s), etc. The Name is name(s), name extensions, abbreviation of name(s), etc. The Name is
technically spoken a string exactly taken from a governmental issued technically spoken a string exactly taken from a governmental issued
photo ID. photo ID.
@ -71,7 +66,7 @@ The CAcert Web of Trust</H3>
<P>Each Assurance claims a number of Assurance Points, applied to the <P>Each Assurance claims a number of Assurance Points, applied to the
assured Member or Member prospect. By combining the Assurances, and assured Member or Member prospect. By combining the Assurances, and
the Assurance Points, CAcert constructs a global <EM>Web-of-Trust</EM> the Assurance Points, CAcert constructs a global <EM>Web-of-Trust</EM>
&nbsp;or &quot;WoT&quot;. or &quot;WoT&quot;.
</P> </P>
<P>CAcert explicitly chooses to meet its various goals by <P>CAcert explicitly chooses to meet its various goals by
construction of a Web-of-Trust of all Members. This is done by construction of a Web-of-Trust of all Members. This is done by
@ -85,7 +80,7 @@ high-level objective of the Assurance process.
Handbook</A>. The policy is controlled by Configuration Control Handbook</A>. The policy is controlled by Configuration Control
Specification (<A HREF="http://wiki.cacert.org/wiki/PolicyDrafts/ConfigurationControlSpecification" TARGET="_blank">CCS</A>) Specification (<A HREF="http://wiki.cacert.org/wiki/PolicyDrafts/ConfigurationControlSpecification" TARGET="_blank">CCS</A>)
under Policy on Policy (<A HREF="http://www.cacert.org/policy/PolicyOnPolicy.php" TARGET="_blank">PoP</A>) under Policy on Policy (<A HREF="http://www.cacert.org/policy/PolicyOnPolicy.php" TARGET="_blank">PoP</A>)
policy document regime. <BR>Because Assurance is an active area, much policy document regime.<BR>Because Assurance is an active area, much
of the practice is handed over to the Assurance Handbook, which is of the practice is handed over to the Assurance Handbook, which is
not a controlled policy document, and can more easily respond to not a controlled policy document, and can more easily respond to
experience and circumstances. It is also more readable. experience and circumstances. It is also more readable.
@ -150,7 +145,7 @@ individual. Names in an ID can differ, so a CAcert account can have
more <FONT COLOR="#000000"><STRIKE>as</STRIKE></FONT><FONT COLOR="#000000"><SPAN STYLE="text-decoration: none"> more <FONT COLOR="#000000"><STRIKE>as</STRIKE></FONT><FONT COLOR="#000000"><SPAN STYLE="text-decoration: none">
than</SPAN></FONT> one Name.<BR>The technical form of a Name is a than</SPAN></FONT> one Name.<BR>The technical form of a Name is a
string of characters. Each Name should be exactly copied once from a string of characters. Each Name should be exactly copied once from a
governmental-issued photo ID.&nbsp;</P> governmental-issued photo ID.</P>
<H3>Multiple Names</H3> <H3>Multiple Names</H3>
<P>A Member can have multiple individual names. For example, married <P>A Member can have multiple individual names. For example, married
name, variations of initials of first or middle names, abbreviation name, variations of initials of first or middle names, abbreviation
@ -158,8 +153,8 @@ of a first name, different language or country variations and
transliterations of characters in a name. Each individual Name transliterations of characters in a name. Each individual Name
originating from a governmental ID must be assured to the applicable originating from a governmental ID must be assured to the applicable
level of 50 Assurance Points before the (comparable) name can be used level of 50 Assurance Points before the (comparable) name can be used
as Common Name in a certificate.&nbsp;</P> as Common Name in a certificate.</P>
<H3>Comparison of&nbsp;names</H3> <H3>Comparison of names</H3>
<P><A HREF="http://en.wikipedia.org/wiki/Transliteration" TARGET="_blank">Transliteration</A> <P><A HREF="http://en.wikipedia.org/wiki/Transliteration" TARGET="_blank">Transliteration</A>
of characters as defined in the transliteration character table (<A HREF="http://svn.cacert.org/CAcert/Policies/transtab.utf" TARGET="_blank">UTF of characters as defined in the transliteration character table (<A HREF="http://svn.cacert.org/CAcert/Policies/transtab.utf" TARGET="_blank">UTF
Transtab</A>) for names is permitted, but the result must be 7-bit Transtab</A>) for names is permitted, but the result must be 7-bit
@ -171,7 +166,7 @@ transliteration of a name makes the name less discriminative.</P>
name extensions in the name of an individual to one character and the name extensions in the name of an individual to one character and the
dot indicating the abbreviation, is permitted. If the first given dot indicating the abbreviation, is permitted. If the first given
name in the ID document is abbreviated, the first given name in the name in the ID document is abbreviated, the first given name in the
web account Name may be abbreviated. &nbsp;Abbreviation of a name web account Name may be abbreviated. Abbreviation of a name
makes the name less discriminative.</P> makes the name less discriminative.</P>
<P>Titles and name extensions in the name of an individual may be <P>Titles and name extensions in the name of an individual may be
omitted.</P> omitted.</P>
@ -180,24 +175,31 @@ for</STRIKE></FONT><FONT COLOR="#000000"> pursue</FONT> a highly
discriminative assured Name. The ambition is to have a Name in the discriminative assured Name. The ambition is to have a Name in the
account with no abbreviation(s), no transliteration and case account with no abbreviation(s), no transliteration and case
<FONT COLOR="#000000"><STRIKE>sensitive </STRIKE></FONT><FONT COLOR="#000000">sensitivity</FONT>.</P> <FONT COLOR="#000000"><STRIKE>sensitive </STRIKE></FONT><FONT COLOR="#000000">sensitivity</FONT>.</P>
<H3>Names on the certificate issued by CAcert</H3>
<P>The Certificate Implementation Policy (<A HREF="http://svn.cacert.org/CAcert/Policies/CertificateImplementationPolicy.html" TARGET="_blank">CIP</A>)
will define the fields added by CAcert on the issued certificate on
request of the Member.</P>
<P>The Common Name and related certificate fields in the issued <P>The Common Name and related certificate fields in the issued
certificate is dependent on the assurance of the Name in the web certificate is dependent on the assurance of the Name in the web
account. Abbreviation and transliteration handling in the CN is account. Abbreviation and transliteration handling in the CN is
defined in the Certificate Implementation Policy (<A HREF="http://svn.cacert.org/CAcert/Policies/CertificateImplementationPolicy.html" TARGET="_blank">CIP</A>) defined in the Certificate Implementation Policy and is similar to
and is similar to the name comparison as defined in this policy. the name comparison as defined in this policy. However the Common
However the Common Name may become less discriminative <FONT COLOR="#000000"><STRIKE>as</STRIKE></FONT><FONT COLOR="#000000"> Name may become less discriminative <FONT COLOR="#000000"><STRIKE>as</STRIKE></FONT><FONT COLOR="#000000">
than</FONT> the assured Name as the unique certificate serial number than</FONT> the assured Name as the unique certificate serial number
will lead to the account of the individual in a unique way, and in will lead to the account of the individual in a unique way, and in
this way to the Name and email address of the individual or this way to the Name and email address of the individual or
organisation. The first given name in the Common Name may be organisation. The first given name in the Common Name may be
abbreviated on request.</P> abbreviated on request.</P>
<P>The certificate issued by CAcert can have on request of the Member
the SubjAltName field. The name as defined by the Member is not
checked by CAcert.</P>
<TABLE BORDER=1 CELLPADDING=2 CELLSPACING=0> <TABLE BORDER=1 CELLPADDING=2 CELLSPACING=0>
<TR> <TR>
<TH WIDTH=25%> <TH WIDTH=25%>
<P><I>name on the ID</I></P> <P><I>name on the ID</I></P>
</TH> </TH>
<TH WIDTH=25%> <TH WIDTH=25%>
<P><I>Name in the account</I></P> <P><I>assured Name in the account</I></P>
</TH> </TH>
<TH WIDTH=25%> <TH WIDTH=25%>
<P><I>name in the certificate request</I></P> <P><I>name in the certificate request</I></P>
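Review bot: The added SubjAltName paragraph says the name defined by the Member is not checked by CAcert, but it does not say which SubjAltName entries are meant or how a relying party can tell this unchecked value apart from the assured Common Name described in the paragraph above it. Either refer to the CIP for the permitted entries, or add a sentence on how the unchecked field relates to the assured Name. Separately, the new first paragraph says the CIP "will define" the fields while the next paragraph says handling "is defined in the Certificate Implementation Policy"; use one tense so it is clear whether the CIP already governs this.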
@ -208,16 +210,16 @@ abbreviated on request.</P>
</TR> </TR>
<TR> <TR>
<TD> <TD>
<P>Maria Kate Marvel-Java sr</P> <P>Maria Kate M&auml;rvel-Java sr</P>
</TD> </TD>
<TD> <TD>
<P>Maria K. Marvel-Java</P> <P>Maria K. Maervel-Java</P>
</TD> </TD>
<TD> <TD>
<P>M. K. Marvel-Java</P> <P>M. K. M&auml;rvel-Java</P>
</TD> </TD>
<TD> <TD>
<P>Maria K. Marvel-Java</P> <P>Maria K. Maervel-Java</P>
</TD> </TD>
</TR> </TR>
<TR> <TR>
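Review bot: In the changed row the certificate request cell now reads "M. K. M&auml;rvel-Java" while the assured Name cell reads "Maria K. Maervel-Java", so one example exercises the abbreviation rule and the transliteration rule at the same time without saying so. A short caption, or one row per rule, would make it clear that a request using the ID spelling is compared against the transliterated assured Name.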
@ -239,7 +241,7 @@ abbreviated on request.</P>
<P>Moeria Koete v. Java</P> <P>Moeria Koete v. Java</P>
</TD> </TD>
<TD> <TD>
<P>M&ouml;ria K&oelig;t&eacute; von Java</P> <P>M&ouml;ria Kœt&eacute; von Java</P>
</TD> </TD>
<TD> <TD>
<P>M&ouml;ria K. v. Java</P> <P>M&ouml;ria K. v. Java</P>
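Review bot: The cell "M&ouml;ria Kœt&eacute; von Java" now mixes a raw "œ" with the entities &ouml; and &eacute; kept in the same string. The raw character only renders correctly if the file is actually saved in the utf-8 encoding that the first hunk declares; keep &oelig; as before, or convert every entity in the example table in one pass so the encoding dependency is consistent.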
@ -283,7 +285,7 @@ Examples of names in different contexts</FONT></P>
type (title, first given name, secondary given name(s), type (title, first given name, secondary given name(s),
middlename(s), family name, and/or name extensions) and the Name in middlename(s), family name, and/or name extensions) and the Name in
the web account provides the type of name field attribute, this will the web account provides the type of name field attribute, this will
be assured in the Name account administration. </STRIKE> be assured in the Name account administration.</STRIKE>
</P> </P>
<H3>Capabilities</H3> <H3>Capabilities</H3>
<P>A Member has the following capabilities derived from an Assurance: <P>A Member has the following capabilities derived from an Assurance:
@ -425,7 +427,7 @@ procedure and process, and is responsible for the results.
Assurer, and reduces any sense of power. It is also an important aid Assurer, and reduces any sense of power. It is also an important aid
to the assurance training for future Assurers. to the assurance training for future Assurers.
</P> </P>
<P><EM>Evidence of Assurer status</EM> <BR>On the question of <P><EM>Evidence of Assurer status</EM><BR>On the question of
providing evidence that one is an Assurer, CAcert Policy Statement providing evidence that one is an Assurer, CAcert Policy Statement
(<A HREF="http://svn.cacert.org/CAcert/policy.htm#p3.2" TARGET="_blank">CPS</A>) (<A HREF="http://svn.cacert.org/CAcert/policy.htm#p3.2" TARGET="_blank">CPS</A>)
says:<EM> &quot;The level at which each Member is Assured is public says:<EM> &quot;The level at which each Member is Assured is public
@ -440,7 +442,7 @@ Note that, even though they are sometimes referred to as <EM>Web-of-Trust</EM>
(Assurance) Points, or <EM>Trust</EM> Points, the meaning of the word (Assurance) Points, or <EM>Trust</EM> Points, the meaning of the word
'Trust' is not well defined. 'Trust' is not well defined.
</P> </P>
<P><EM>Assurance Points Allocation.</EM> <BR>An Assurer can allocate <P><EM>Assurance Points Allocation.</EM><BR>An Assurer can allocate
a number of Assurance Points to the Member according to the Assurer's a number of Assurance Points to the Member according to the Assurer's
experience (Experience Point system, see below). The allocation of experience (Experience Point system, see below). The allocation of
the maximum means that the Assurer is 100% confident in the the maximum means that the Assurer is 100% confident in the
@ -462,7 +464,7 @@ information presented:
<P>Any lesser confidence should result in less Assurance Points for a <P>Any lesser confidence should result in less Assurance Points for a
Name. If the Assurer has no confidence in the information presented, Name. If the Assurer has no confidence in the information presented,
then <EM>zero </EM>Assurance Points may be allocated by the then <EM>zero </EM>Assurance Points may be allocated by the
Assurer.&nbsp;For example, this may happen if the identity documents Assurer. For example, this may happen if the identity documents
are totally unfamiliar to the Assurer. The number of Assurance Points are totally unfamiliar to the Assurer. The number of Assurance Points
from <EM>zero</EM> to <EM>maximum </EM>is guided by the Assurance from <EM>zero</EM> to <EM>maximum </EM>is guided by the Assurance
Handbook and the judgement of the Assurer. Handbook and the judgement of the Assurer.
@ -487,7 +489,7 @@ times.
Points per Name. This means that to reach 50 Assurance Points Points per Name. This means that to reach 50 Assurance Points
(certificate with a Name), a Member must have been assured at least (certificate with a Name), a Member must have been assured at least
once. To reach 100 Assurance Points, at least one Name of the Member once. To reach 100 Assurance Points, at least one Name of the Member
must have been assured at least twice. </STRIKE> must have been assured at least twice.</STRIKE>
</P> </P>
<H3>Experience Points</H3> <H3>Experience Points</H3>
<P>The maximum number of Assurance Points that may be awarded by an <P>The maximum number of Assurance Points that may be awarded by an
@ -555,7 +557,7 @@ Assurer is determined by the Experience Points of the Assurer.
</TABLE> </TABLE>
</DL> </DL>
<P ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT SIZE=2><I>table <P ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT SIZE=2><I>table
Maximum of Assurance Points&nbsp;</I></FONT></P> Maximum of Assurance Points </I></FONT></P>
<P ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> <P ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
</P> </P>
<P>An Assurer is given a maximum of 2 Experience Points for every <P>An Assurer is given a maximum of 2 Experience Points for every
@ -680,7 +682,7 @@ areas of risk.
<P>In addition to the Assurance or Experience Points ratings set here <P>In addition to the Assurance or Experience Points ratings set here
in and in other policies, Assurance Officer or policies can designate in and in other policies, Assurance Officer or policies can designate
certain applications as high risk. If so, additional measures may be certain applications as high risk. If so, additional measures may be
added to the Assurance process that specifically address the risks.&nbsp;</P> added to the Assurance process that specifically address the risks.</P>
<P>Additional measures may include additional information. Additional <P>Additional measures may include additional information. Additional
information can be required in process of assurance: information can be required in process of assurance:
</P> </P>