From 3680cdf481b5d9f5874d6b74c547755d023d8d18 Mon Sep 17 00:00:00 2001 From: Teus Hagen Date: Tue, 10 Feb 2009 14:11:36 +0000 Subject: [PATCH] Initiation of WiP for new Org Assurances. git-svn-id: http://svn.cacert.org/CAcert/Policies@1167 14b1bab8-4ef6-0310-b690-991c95c89dfd --- .../OrganisationAssurancePolicyNew.html | 622 ++++++++++++++++++ 1 file changed, 622 insertions(+) create mode 100644 OrganisationAssurancePolicy/OrganisationAssurancePolicyNew.html diff --git a/OrganisationAssurancePolicy/OrganisationAssurancePolicyNew.html b/OrganisationAssurancePolicy/OrganisationAssurancePolicyNew.html new file mode 100644 index 0000000..eb45201 --- /dev/null +++ b/OrganisationAssurancePolicy/OrganisationAssurancePolicyNew.html @@ -0,0 +1,622 @@ + + + + + Organisation Assurance Policy + + + + +

Organisation Assurance Policy (new proposal)

+

CAcert WiP
+Document:
+Initial Author: Jens Paul
+Edited by: Teus Hagen
+Original creation date: 2007-09-18
+Status: Changed for Feb 2009 OA WoT concept, sync with (individual) AP.
+Next status: proposal will replace former Draft OA Policy of 2008

+ + +

0. Preliminaries

+

This policy describes how Organisation Assurers ("OAs") +conduct Assurances on Organisations. It fits within the overall +web-of-trust or Assurance process of CAcert. +

+

0.1. Definition of Terms

+
+
(Organisation) Member +
+ A Member is an organisation who has agreed to the CAcert Community + Agreement (CCA) + and has created successfully a CAcert login account on the CAcert + web site. +
+ (Organisation) Assurance +
+ Assurance is the process by which a Member of CAcert Community + (Organisation Assurer) identifies an organisation (Assuree). +
+ Prospective (Organisation) Member +
+ An organisation who participates in the process of an Organisation + Assurance, but has not yet created a CAcert login account. +
+ (Organisation) Name +
+ An Organisation Name is the full name of the organisation. +
+ +

0.2. The CAcert Web of Trust

+

An Organisation Assurer allocates a number of Assurance Points to +the (Organisation) Member being Assured. CAcert combines the +Assurance Points into a global Web-of-Trust (or "WoT"). +

+

CAcert explicitly chooses to meet its various goals by +construction of a Web-of-Trust of all Members. +

+ +

0.3. Related Documentation

+

Documentation on Organisation Assurance is split between this Organisation +Assurance Policy (OAP) and the (organisation) Assurance Handbook. +The policy is controlled by Configuration Control Specification (CCS) +under Policy on Policy (PoP) +policy document regime. Because Organisation Assurance is an active +area, much of the practice is handed over to the Assurance Handbook, +which is not a controlled policy document, and can more easily +respond to experience and circumstances. It is also more readable. +

+

See also Assurance Policy (AP) +and CAcert Policy Statement (CPS). +

+ +

1. Organisation Assurance Purpose

+

Organisations with assured status can issue certificates via their +O-Admin directly with their own domains within. +

+

The purpose and statement of the certificate remains the same as +with ordinary users (natural persons) and as described in the CPS. +

+ + +

1.1.The Organisation Assurance Statement

+

The Assurance Statement makes the following claims about the organisation: +

+
    +
  1. The organisation is a bona fide (organisation) Member. In + other words, the organisation is a member of the CAcert Community as + defined by the CAcert Community Agreement (CCA); +

    +
  2. The Member has a (login) account with CAcert's on-line registration and service system;

    +
  3. The Member can be determined from any CAcert certificate issued by the Account;

    +
  4. The Member is bound into CAcert's Arbitration as defined by the CAcert Community Agreement;

    +
  5. Some information on the Organisation Member are known and + verified by CAcert: the Organisation Name(s), form of organisation, + domain names, Individual Members for contact and liaison purpose, + secondary distinguishing feature (e.g. corporate number).

    +
+

The confidence level of the Assurance Statement is expressed by the (Organisation) Assurance Points. +

+

Organisations can expect the normal privacy provisions provided to +Individuals.  However, any business arrangements that are not +strictly provided for in this policy are likely outside normal +privacy. 

+ +

1.2. Relying Party Statement

+

The primary goal of the Organisation Assurance Statement is for +the express purpose of certificates to meet the needs of the Relying +Party Statement, which latter is found in the Certification +Practice Statement (CPS). +

+

When a certificate is issued, some of the Organisation Assurance +Statement may be incorporated, e.g. Organisation name. Other parts +may be implied, e.g. Membership, exact account and status. They all +are part of the Relying Party Statement. In short, this means +that other Members of the Community may rely on the information +verified by Assurance and found in the certificate.

+

In particular, certificates are sometimes considered to provide +reliable indications of e.g. the Member's Organisation name, +organisation domain names, and organisation email address. The +nature of Assurance, the number of Assurance Points, and other +policies and processes should be understood as limitations on any +reliance. +

+ +

2. The Organisation Member

+ +

2.1. The Organisation Member's name

+

The name of the organisation as recorded in the Member's CAcert +login account. The general standard of a name is: +

+ + +

2.2. Multiple trade names and variations

+

In order to handle the contradictions in the above general +standard, a Member may record multiple names or multiple variations +of a name in her CAcert online Account. Examples of variations +include trade names, variations of trade names, abbreviations of a +name, different language or country variations, and transliterations +of characters in a name. All names should be defined within the +organisation registration extract.

+ +

2.3. Status and Capabilities

+

An organisation Name which has reached the level of 50 +(Organisation) Assurance Points is defined as an Assured organisation +Name. An Assured Name can be used as Organisation Name in a +certificate issued by CAcert. A Member with at least one Assured Name +has reached the Assured Member status. Additional capabilities are +described in Table 1. +

+ +
Table 1: +Assurance Capability
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

Minimum Assurance Points

+
+

Capability

+
+

Status

+
+

Comment

+
+

0

+
+

Request Organisation Assurance

+
+

Prospective Organisation Member

+
+

Organisation taking part of an Organisation + Assurance, who does not have created a CAcert login account + (yet). The allocation of Assurance Points is awaiting login + account creation.

+
+

0

+
+

Request unnamed certificates

+
+

(Organisation) Member

+
+

Although the Organisation Member's details are + recorded in the account, they are not highly assured.

+
+

50

+
+

Request certificates with the name of the + organisation

+
+

Assured Organisation Member

+
+

Statements of Assurance: the organisation name is + assured to 50 Assurance Points or more

+
+
+

A Member may check the status of another Member, especially for an +assurance process. Status may be implied from information in a +certificate. The number of Assurance Points for each Member is not +published. +

+ + +

3. Roles and Structure

+ +

3.1 Organisation Assurance Officer

+

The (Organisation) Assurance Officer ("AO") manages this +policy and reports to the CAcert Inc. Committee ("Board"). +

+

The AO manages all OAs and is responsible for process, the CAcert +Organisation Assurance Programme ("COAP") form, OA training +and testing, manuals, quality control. In these responsibilities, +other Officers will assist. +

+

The OA is appointed by the Board. Where the OA is failing the +Board decides. +

+ +

3.2 Organisation Assurers

+
    +
  1. An OA must be an experienced + Assurer +

    +
      +
    1. Have 150 assurance points. +

      +
    2. Be fully trained and tested on + all general Assurance processes. +

      +
    +
  2. Must be trained as Organisation + Assurer. +

    +
      +
    1. Global knowledge: This policy. +

      +
    2. Global knowledge: A OA manual + covers how to do the process. +

      +
    3. Local knowledge: legal forms of + organisations within jurisdiction. +

      +
    4. Basic governance. +

      +
    5. Training may be done a variety of + ways, such as on-the-job, etc. +

      +
    +
  3. Must be tested. +

    +
      +
    1. Global test: Covers this policy + and the process. +

      +
    2. Local knowledge: Subsidiary + Policy to specify. +

      +
    3. Tests to be created, approved, + run, verified by CAcert only (not outsourced). +

      +
    4. Testing includes both online / + automated and manual tests with the manual tests confirming the on + line tests. +

      +
    5. Documentation to be retained. +

      +
    6. Tests may include on-the-job + components. +

      +
    +
  4. Must be approved. +

    +
      +
    1. Two supervising OAs must sign-off + on new OA, as trained, tested and passed. +

      +
    2. AO must sign-off on a new OA, as + supervised, trained and tested. +

      +
    +
  5. The OA can decide when a CAcert (individual) Assurer has done + several OA Application Advises to appoint this person to OA Assurer. +

    +
+ +

3.3 Organisation Assurance Advisor ("OAA")

+

In countries/states/provinces where no OA Assurers are operating +for an OA Application (COAP) the OA can be advised by an experienced +local CAcert (individual) Assurer to take the decision to accept the +OA Application (COAP) of the organisation. +

+

The local Assurer must have at least 150 Points, should know the +language, and know the organisation trade office registry culture and +quality. +

+ +

3.4 Organisation Administrator

+

The Administrator within each Organisation ("O-Admin") +is the one who handles the assurance requests and the issuing of +certificates. +

+
    +
  1. O-Admin must be an individual + Assurer +

    +
      +
    1. Have 100 assurance points. +

      +
    2. Fully trained and tested as + Assurer. +

      +
    +
  2. Organisation is required to + appoint the O-Admin(s), and appoint ones as required. +

    +
      +
    1. On COAP Request Form. +

      +
    2. On the organisation Member + account.

      +
    +
  3. O-Admin must work with an assigned + OA. +

    +
      +
    1. Have contact details. +

      +
    2. Is named on the organisation Member account.

      +
    +
+ +

4. Policies

+ +

4.1 Policy

+

There is one policy being this present document, and several +subsidiary policies. +

+
    +
  1. This policy authorises the + creation of subsidiary policies. +

    +
  2. This policy is international. +

    +
  3. Subsidiary policies are + implementations of the policy. +

    +
  4. Organisations are assured under an appropriate subsidiary + policy. +

    +
+ +

4.2 Subsidiary Policies

+

The nature of the Subsidiary Policies ("SubPols"): +

+
    +
  1. SubPols are purposed to check the + organisation under the rules of the jurisdiction that creates the + organisation. This does not evidence an intention by CAcert to enter + into the local jurisdiction, nor an intention to impose the rules of + that jurisdiction over any other organisation. CAcert assurances are + conducted under the jurisdiction of CAcert. +

    +
  2. For OAs, SubPol specifies the + tests of local knowledge including the local organisation + assurance COAP forms. +

    +
  3. For assurances, SubPol specifies + the local documentation forms which are acceptable under this + SubPol to meet the standard. +

    +
  4. SubPols are subjected to the normal policy approval process. +

    +
+ +

4.3 Freedom to Assemble

+

Subsidiary Policies are open, accessible and free to enter. +

+
    +
  1. SubPols compete but are compatible.

    +
  2. No SubPol is a franchise.

    +
  3. Many will be on State or National + lines, reflecting the legal tradition of organisations created + ("incorporated") by states. +

    +
  4. However, there is no need for + strict national lines; it is possible to have 2 SubPols in one + country, or one covering several countries with the same language + (e.g., Austria with Germany, England with Wales but not Scotland). +

    +
  5. There could also be SubPols for + special organisations, one person organisations, UN agencies, + churches, etc. +

    +
  6. Where it is appropriate to use the SubPol in another + situation (another country?), it can be so approved. (e.g., Austrian + SubPol might be approved for Germany.) The SubPol must record this + approval. +

    +
+ +

5. Process

+ +

5.1 Standard of Organisation Assurance

+

The essential standard of Organisation Assurance (see also 1.1 +Organisation Assurance Statement) is: +

+
    +
  1. the organisation exists +

    +
  2. the organisation name is correct + and consistent: +

    +
      +
    1. in official documents specified + in SubPol. +

      +
    2. on COAP form. +

      +
    3. in CAcert database. +

      +
    4. form or type of legal entity is + consistent +

      +
    +
  3. signing rights: requester can sign + on behalf of the organisation. +

    +
  4. the organisation has agreed to the + terms of the CAcert Community Agreement , and is therefore + subject to Arbitration. +

    +
  5. Organisation Domain names must have been checked accordingly + the CPS.

    +
+

Acceptable documents to meet above standard are stated in the SubPol. +

+ +

5.2 (Organisation) Assurance Points

+

The Organisation Assurance applies Assurance Points to each +organisation Member which measure the increase of confidence in the +Statement (above). Assurance Points should not be interpreted for any +other purpose. Note that, even though they are sometimes referred to +as Web-of-Trust (Assurance) Points, or Trust Points, +the meaning of the word 'Trust' is not well defined. +

+

Assurance Points Allocation
An Assurer can allocate a +number of Assurance Points to the organisation Member. The allocation +of the maximum means that the Assurer is 100% confident in the +information presented: +

+ +

Any lesser confidence should result in less Assurance Points for +an organisation name. If the Organisation Assurer has no confidence +in the information presented, then zero Assurance Points may +be allocated by the Organisation Assurer. For example, this may +happen if the identity documents are totally unfamiliar to the +Organisation Assurer. The Organisation Assurer maybe assisted by a +second (individual) Assurer as such gaining confidence and/or assist +in allocating a second Organisation Assurance. The number of +Assurance Points from zero to maximum is guided by the +Assurance Handbook and the judgment of the Assurer. If there is +negative confidence the Assurer should consider filing a dispute. +

+

Multiple (trade) organisation names should be allocated Assurance +Points independently within a single Assurance. +

+

In general, for an organisation Member to reach 50 Assurance +Points, the Member must have participated in at least two assurances, +and at least one organisation name will have been assured to that +level. +

+

The maximum number of Assurance Points which can be allocated for +an Assurance under this policy and under any act under any Subsidiary +Policy (below) is 50 Assurance Points. +

+

5.2 CAcert Organisation Assurance Programme (COAP) +

+

The COAP form documents the checks and the resultant assurance +results to meet the standard. Additional information to be provided +on form: +

+
    +
  1. CAcert account of O-Admin(S) + (email address of O-Admin individual Assurer Membership account) +

    +
  2. Location: +

    +
      +
    1. country (MUST).

      +
    2. city (MUST).

      +
    3. additional contact information (as required by SubPol).

      +
    +
  3. Administrator account name(s) (1 or more)

    +
  4. Domain name(s)

    +
  5. Agreement with CAcert Community + Agreement. Statement and initials box for organisation and also + for OA. +

    +
  6. Date of completion of Assurance. Records should be maintained + for 7 years from this date. +

    +
+

The COAP should be in English. Where translations are provided, +they should be matched to the English, and indication provided that +the English is the ruling language (due to Arbitration requirements). +

+ +

5.3 Jurisdiction

+

Organisation Assurances are carried out by CAcert Inc. under its +Arbitration jurisdiction. Actions carried out by OAs are under this +regime. +

+
    +
  1. The organisation has agreed to the + terms of the CAcert Community Agreement. +

    +
  2. The organisation, the Organisation + Assurers, CAcert and other related parties are bound into CAcert's + jurisdiction and dispute resolution. +

    +
  3. The OA is responsible for ensuring that the organisation + reads, understands, intends and agrees to the CAcert Community + Agreement. This OA responsibility should be recorded on COAP + (statement and initials box). +

    +
+ +

6. Exceptions

+
    +
  1. Conflicts of Interest. An + OA must not assure an organisation in which there is a close or + direct relationship by, e.g., employment, family, financial + interests. Other conflicts of interest must be disclosed. +

    +
  2. Trusted Third Parties. TTPs + are not generally approved to be part of organisation assurance, but + may be approved by subsidiary policies according to local needs. +

    +
  3. Exceptional Organisations. + (e.g., Vatican, International Space Station, United Nations) can be + dealt with as a single-organisation SubPol. The OA creates the + checks, documents them, and subjects them to to normal policy + approval. +

    +
  4. DBA. Alternative names for organisations (DBA, "doing + business as") can be added as long as they are proven + independently. E.g., registration as DBA or holding of registered + trade mark. This means that the anglo law tradition of unregistered + DBAs is not accepted without further proof. +

    +
+ +

Valid XHTML 1.1

+ + +
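Review bot: section numbering in this hunk is inconsistent: "5.2 CAcert Organisation Assurance Programme (COAP)" reuses the number already taken by "5.2 (Organisation) Assurance Points", so the COAP section should become 5.3 and "5.3 Jurisdiction" should become 5.4. The role abbreviations are also swapped in places: 3.1 defines the Officer as "AO" but then says "The OA is appointed by the Board. Where the OA is failing the Board decides.", which by context refers to the Officer (AO), and 3.2 item 5 ("The OA can decide when a CAcert (individual) Assurer has done several OA Application Advises to appoint this person to OA Assurer") grants appointment authority to an OA although 3.2 item 4 requires two supervising OAs plus AO sign-off; both lines should read "AO" (and "Advises" should be "Advices"). Section 2.1 ends with "The general standard of a name is:" and no standard follows, yet 2.2 refers to "the contradictions in the above general standard"; either the name standard (or a reference to the Assurance Policy's one) needs to be added or 2.2 needs rewording. Smaller wording fixes: the "Document:" header field is empty; in Table 1 "who does not have created a CAcert login account (yet)" should be "who has not (yet) created a CAcert login account"; in 1.1 item 5 "Some information on the Organisation Member are known" should be "is known"; in 5.1 item 5 "checked accordingly the CPS" should be "checked according to the CPS"; and in 3.3 "where no OA Assurers are operating ... the OA can be advised" is ambiguous about which OA takes the decision when none operates locally, so it should name the deciding role explicitly.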