Initiation of WiP for new Org Assurances.
git-svn-id: http://svn.cacert.org/CAcert/Policies@1167 14b1bab8-4ef6-0310-b690-991c95c89dfd
This commit is contained in:
parent
89ddbee1d1
commit
3680cdf481
1 changed files with 622 additions and 0 deletions
622
OrganisationAssurancePolicy/OrganisationAssurancePolicyNew.html
Normal file
622
OrganisationAssurancePolicy/OrganisationAssurancePolicyNew.html
Normal file
|
@ -0,0 +1,622 @@
|
||||||
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
||||||
|
<HTML>
|
||||||
|
<HEAD>
|
||||||
|
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">
|
||||||
|
<TITLE> Organisation Assurance Policy </TITLE>
|
||||||
|
<META NAME="CHANGEDBY" CONTENT="Teus Hagen">
|
||||||
|
<META NAME="CHANGED" CONTENT="20090210;14412600">
|
||||||
|
</HEAD>
|
||||||
|
|
||||||
|
<H1>Organisation Assurance Policy (new proposal) </H1>
|
||||||
|
<P ><A HREF="../PolicyOnPolicy.html"><IMG SRC="../cacert-wip.png" NAME="cacert-wip" ALT="CAcert WiP" ALIGN=BOTTOM WIDTH=90 HEIGHT=33 BORDER=0></A><BR>
|
||||||
|
Document:<BR>
|
||||||
|
Initial Author: Jens Paul<BR>
|
||||||
|
Edited by: Teus Hagen<BR>
|
||||||
|
Original creation date: 2007-09-18<BR>
|
||||||
|
Status: Changed for Feb 2009 OA WoT concept, sync with (individual) AP.<BR>
|
||||||
|
Next status: proposal will replace former Draft OA Policy of 2008</P>
|
||||||
|
<!-- $Id$ -->
|
||||||
|
|
||||||
|
<H2><A NAME="0"></A>0. Preliminaries </H2>
|
||||||
|
<P>This policy describes how Organisation Assurers ("OAs")
|
||||||
|
conduct Assurances on Organisations. It fits within the overall
|
||||||
|
web-of-trust or Assurance process of CAcert.
|
||||||
|
</P>
|
||||||
|
<H3>0.1. Definition of Terms</H3>
|
||||||
|
<DL>
|
||||||
|
<DT><I>(Organisation) Member</I>
|
||||||
|
</DT><DD>
|
||||||
|
A Member is an organisation who has agreed to the CAcert Community
|
||||||
|
Agreement (<A HREF="http://www.cacert.org/policy/CAcertCommunityAgreement.php" TARGET="_blank">CCA</A>)
|
||||||
|
and has created successfully a CAcert login account on the CAcert
|
||||||
|
web site.
|
||||||
|
</DD><DT>
|
||||||
|
<I>(Organisation) Assurance</I>
|
||||||
|
</DT><DD>
|
||||||
|
Assurance is the process by which a Member of CAcert Community
|
||||||
|
(Organisation Assurer) identifies an organisation (Assuree).
|
||||||
|
</DD><DT>
|
||||||
|
<I>Prospective (Organisation) Member</I>
|
||||||
|
</DT><DD>
|
||||||
|
An organisation who participates in the process of an Organisation
|
||||||
|
Assurance, but has not yet created a CAcert login account.
|
||||||
|
</DD><DT>
|
||||||
|
<I>(Organisation) Name</I>
|
||||||
|
</DT><DD>
|
||||||
|
An Organisation Name is the full name of the organisation.
|
||||||
|
</DD></DL>
|
||||||
|
|
||||||
|
<H3>0.2. The CAcert Web of Trust</H3>
|
||||||
|
<P>An Organisation Assurer allocates a number of Assurance Points to
|
||||||
|
the (Organisation) Member being Assured. CAcert combines the
|
||||||
|
Assurance Points into a global <I>Web-of-Trust</I> (or "WoT").
|
||||||
|
</P>
|
||||||
|
<P>CAcert explicitly chooses to meet its various goals by
|
||||||
|
construction of a Web-of-Trust of all Members.
|
||||||
|
</P>
|
||||||
|
|
||||||
|
<H3>0.3. Related Documentation</H3>
|
||||||
|
<P>Documentation on Organisation Assurance is split between this Organisation
|
||||||
|
Assurance Policy (OAP) and the (organisation) <A HREF="http://wiki.cacert.org/wiki/AssuranceHandbook2" TARGET="_blank">Assurance Handbook</A>.
|
||||||
|
The policy is controlled by Configuration Control Specification (<A HREF="http://wiki.cacert.org/wiki/PolicyDrafts/ConfigurationControlSpecification" TARGET="_blank">CCS</A>)
|
||||||
|
under Policy on Policy (<A HREF="http://www.cacert.org/policy/PolicyOnPolicy.php" TARGET="_blank">PoP</A>)
|
||||||
|
policy document regime. Because Organisation Assurance is an active
|
||||||
|
area, much of the practice is handed over to the Assurance Handbook,
|
||||||
|
which is not a controlled policy document, and can more easily
|
||||||
|
respond to experience and circumstances. It is also more readable.
|
||||||
|
</P>
|
||||||
|
<P>See also Assurance Policy (<A HREF="http://www.cacert.org/policy/AssurancePolicy.php" TARGET="_blank">AP</A>)
|
||||||
|
and CAcert Policy Statement (<A HREF="http://svn.cacert.org/CAcert/policy.htm" TARGET="_blank">CPS</A>).
|
||||||
|
</P>
|
||||||
|
|
||||||
|
<H2><A NAME="1"></A>1. Organisation Assurance Purpose </H2>
|
||||||
|
<P>Organisations with assured status can issue certificates via their
|
||||||
|
O-Admin directly with their own domains within.
|
||||||
|
</P>
|
||||||
|
<P>The purpose and statement of the certificate remains the same as
|
||||||
|
with ordinary users (natural persons) and as described in the CPS.
|
||||||
|
</P>
|
||||||
|
<UL>
|
||||||
|
<LI><P >The organisation named within is identified. </P>
|
||||||
|
<LI><P >The organisation has been verified according to this policy. </P>
|
||||||
|
<LI><P>The organisation is within the jurisdiction and can be taken to CAcert Arbitration. </P>
|
||||||
|
</UL>
|
||||||
|
|
||||||
|
<H3>1.1.The Organisation Assurance Statement</H3>
|
||||||
|
<P>The Assurance Statement makes the following claims about the organisation:
|
||||||
|
</P>
|
||||||
|
<OL>
|
||||||
|
<LI><P>The organisation is a bona fide (organisation) Member. In
|
||||||
|
other words, the organisation is a member of the CAcert Community as
|
||||||
|
defined by the CAcert Community Agreement (<A HREF="http://www.cacert.org/policy/CAcertCommunityAgreement.php" TARGET="_blank">CCA</A>);
|
||||||
|
</P>
|
||||||
|
<LI><P>The Member has a (login) account with CAcert's on-line registration and service system; </P>
|
||||||
|
<LI><P>The Member can be determined from any CAcert certificate issued by the Account; </P>
|
||||||
|
<LI><P>The Member is bound into CAcert's Arbitration as defined by the CAcert Community Agreement; </P>
|
||||||
|
<LI><P>Some information on the Organisation Member are known and
|
||||||
|
verified by CAcert: the Organisation Name(s), form of organisation,
|
||||||
|
domain names, Individual Members for contact and liaison purpose,
|
||||||
|
secondary distinguishing feature (e.g. corporate number).</P>
|
||||||
|
</OL>
|
||||||
|
<P>The confidence level of the Assurance Statement is expressed by the (Organisation) Assurance Points.
|
||||||
|
</P>
|
||||||
|
<P>Organisations can expect the normal privacy provisions provided to
|
||||||
|
Individuals. However, any business arrangements that are not
|
||||||
|
strictly provided for in this policy are likely outside normal
|
||||||
|
privacy. </P>
|
||||||
|
|
||||||
|
<H3><A NAME="1.2"></A>1.2. Relying Party Statement</H3>
|
||||||
|
<P>The primary goal of the Organisation Assurance Statement is for
|
||||||
|
the express purpose of certificates to meet the needs of the <I>Relying
|
||||||
|
Party Statement</I>, which latter is found in the Certification
|
||||||
|
Practice Statement (<A HREF="http://svn.cacert.org/CAcert/policy.htm" TARGET="_blank">CPS</A>).
|
||||||
|
</P>
|
||||||
|
<P>When a certificate is issued, some of the Organisation Assurance
|
||||||
|
Statement may be incorporated, e.g. Organisation name. Other parts
|
||||||
|
may be implied, e.g. Membership, exact account and status. They all
|
||||||
|
are part of the <I>Relying Party Statement</I>. In short, this means
|
||||||
|
that other Members of the Community may rely on the information
|
||||||
|
verified by Assurance and found in the certificate.</P>
|
||||||
|
<P>In particular, certificates are sometimes considered to provide
|
||||||
|
reliable indications of e.g. the Member's Organisation name,
|
||||||
|
organisation domain names, and organisation email address. The
|
||||||
|
nature of Assurance, the number of Assurance Points, and other
|
||||||
|
policies and processes should be understood as limitations on any
|
||||||
|
reliance.
|
||||||
|
</P>
|
||||||
|
|
||||||
|
<H2>2. The Organisation Member</H2>
|
||||||
|
|
||||||
|
<H3><A NAME="2.11"></A>2.1. The Organisation Member's name </H3>
|
||||||
|
<P>The name of the organisation as recorded in the Member's CAcert
|
||||||
|
login account. The general standard of a name is:
|
||||||
|
</P>
|
||||||
|
<UL>
|
||||||
|
<LI><P>The name should be recorded as written in a government-issued
|
||||||
|
organisation registration extract e.g. extract from governmental
|
||||||
|
trade office registrar.</P>
|
||||||
|
<LI><P>The organisation name should be recorded as completely as
|
||||||
|
possible. That is without abbreviations, and without transliteration
|
||||||
|
of characters.
|
||||||
|
</P>
|
||||||
|
<LI><P>The organisation name is recorded as a string of characters,
|
||||||
|
encoded in <SPAN LANG="en-US">unicode</SPAN> transformation format.</P>
|
||||||
|
</UL>
|
||||||
|
|
||||||
|
<H3><A NAME="2.21"></A>2.2. Multiple trade names and variations</H3>
|
||||||
|
<P>In order to handle the contradictions in the above general
|
||||||
|
standard, a Member may record multiple names or multiple variations
|
||||||
|
of a name in her CAcert online Account. Examples of variations
|
||||||
|
include trade names, variations of trade names, abbreviations of a
|
||||||
|
name, different language or country variations, and transliterations
|
||||||
|
of characters in a name. All names should be defined within the
|
||||||
|
organisation registration extract.</P>
|
||||||
|
|
||||||
|
<H3><A NAME="2.31"></A>2.3. Status and Capabilities</H3>
|
||||||
|
<P>An organisation Name which has reached the level of 50
|
||||||
|
(Organisation) Assurance Points is defined as an Assured organisation
|
||||||
|
Name. An Assured Name can be used as Organisation Name in a
|
||||||
|
certificate issued by CAcert. A Member with at least one Assured Name
|
||||||
|
has reached the Assured Member status. Additional capabilities are
|
||||||
|
described in Table 1.
|
||||||
|
</P>
|
||||||
|
|
||||||
|
<BLOCKQUOTE STYLE="text-align: left"><FONT SIZE=2><I>Table 1:
|
||||||
|
Assurance Capability</I></FONT></BLOCKQUOTE>
|
||||||
|
<DL>
|
||||||
|
<DD>
|
||||||
|
<TABLE WIDTH=470 BORDER=1 CELLPADDING=5 CELLSPACING=0>
|
||||||
|
<COL WIDTH=65>
|
||||||
|
<COL WIDTH=83>
|
||||||
|
<COL WIDTH=85>
|
||||||
|
<COL WIDTH=196>
|
||||||
|
<TR>
|
||||||
|
<TD WIDTH=65>
|
||||||
|
<P ALIGN=LEFT><I>Minimum Assurance Points</I></P>
|
||||||
|
</TD>
|
||||||
|
<TD WIDTH=83>
|
||||||
|
<P ALIGN=LEFT><I>Capability</I></P>
|
||||||
|
</TD>
|
||||||
|
<TD WIDTH=85>
|
||||||
|
<P ALIGN=LEFT><I>Status</I></P>
|
||||||
|
</TD>
|
||||||
|
<TD WIDTH=196>
|
||||||
|
<P ALIGN=LEFT><I>Comment</I></P>
|
||||||
|
</TD>
|
||||||
|
</TR>
|
||||||
|
<TR VALIGN=TOP>
|
||||||
|
<TD WIDTH=65>
|
||||||
|
<P ALIGN=CENTER>0</P>
|
||||||
|
</TD>
|
||||||
|
<TD WIDTH=83>
|
||||||
|
<P ALIGN=LEFT>Request Organisation Assurance</P>
|
||||||
|
</TD>
|
||||||
|
<TD WIDTH=85>
|
||||||
|
<P ALIGN=LEFT>Prospective Organisation Member</P>
|
||||||
|
</TD>
|
||||||
|
<TD WIDTH=196>
|
||||||
|
<P ALIGN=LEFT>Organisation taking part of an Organisation
|
||||||
|
Assurance, who does not have created a CAcert login account
|
||||||
|
(yet). The allocation of Assurance Points is awaiting login
|
||||||
|
account creation.</P>
|
||||||
|
</TD>
|
||||||
|
</TR>
|
||||||
|
<TR VALIGN=TOP>
|
||||||
|
<TD WIDTH=65>
|
||||||
|
<P ALIGN=CENTER>0</P>
|
||||||
|
</TD>
|
||||||
|
<TD WIDTH=83>
|
||||||
|
<P ALIGN=LEFT>Request unnamed certificates</P>
|
||||||
|
</TD>
|
||||||
|
<TD WIDTH=85>
|
||||||
|
<P ALIGN=LEFT>(Organisation) Member</P>
|
||||||
|
</TD>
|
||||||
|
<TD WIDTH=196>
|
||||||
|
<P ALIGN=LEFT>Although the Organisation Member's details are
|
||||||
|
recorded in the account, they are not highly assured.</P>
|
||||||
|
</TD>
|
||||||
|
</TR>
|
||||||
|
<TR VALIGN=TOP>
|
||||||
|
<TD WIDTH=65>
|
||||||
|
<P ALIGN=CENTER>50</P>
|
||||||
|
</TD>
|
||||||
|
<TD WIDTH=83>
|
||||||
|
<P ALIGN=LEFT>Request certificates with the name of the
|
||||||
|
organisation</P>
|
||||||
|
</TD>
|
||||||
|
<TD WIDTH=85>
|
||||||
|
<P ALIGN=LEFT>Assured Organisation Member</P>
|
||||||
|
</TD>
|
||||||
|
<TD WIDTH=196>
|
||||||
|
<P ALIGN=LEFT>Statements of Assurance: the organisation name is
|
||||||
|
assured to 50 Assurance Points or more</P>
|
||||||
|
</TD>
|
||||||
|
</TR>
|
||||||
|
</TABLE>
|
||||||
|
</DL>
|
||||||
|
<P>A Member may check the status of another Member, especially for an
|
||||||
|
assurance process. Status may be implied from information in a
|
||||||
|
certificate. The number of Assurance Points for each Member is not
|
||||||
|
published.
|
||||||
|
</P>
|
||||||
|
<UL>
|
||||||
|
<P>The CAcert Policy Statement (<A HREF="http://svn.cacert.org/CAcert/policy.htm" TARGET="_blank">CPS</A>)
|
||||||
|
and other policies may list other capabilities that rely on
|
||||||
|
Assurance Points.
|
||||||
|
</P>
|
||||||
|
<P>When an organisation is assured, it becomes in effect an Assurer
|
||||||
|
for its local names. These names are used in certificates
|
||||||
|
issued under the listed domains. When issued, the organisation
|
||||||
|
takes primary responsibility as Member. <BR><BR>Each name has to be
|
||||||
|
checked against the internal systems of the organisation. The
|
||||||
|
internal systems have to match some standard, as covered in SubPols
|
||||||
|
/ OA Manual. <BR><BR>If they internal systems do not support this
|
||||||
|
application, then the regular Assurance process can be used instead.</P>
|
||||||
|
</UL>
|
||||||
|
|
||||||
|
<H2>3. Roles and Structure </H2>
|
||||||
|
|
||||||
|
<H3>3.1 Organisation Assurance Officer </H3>
|
||||||
|
<P>The (Organisation) Assurance Officer ("AO") manages this
|
||||||
|
policy and reports to the CAcert Inc. Committee ("Board").
|
||||||
|
</P>
|
||||||
|
<P>The AO manages all OAs and is responsible for process, the CAcert
|
||||||
|
Organisation Assurance Programme ("COAP") form, OA training
|
||||||
|
and testing, manuals, quality control. In these responsibilities,
|
||||||
|
other Officers will assist.
|
||||||
|
</P>
|
||||||
|
<P>The OA is appointed by the Board. Where the OA is failing the
|
||||||
|
Board decides.
|
||||||
|
</P>
|
||||||
|
|
||||||
|
<H3>3.2 Organisation Assurers </H3>
|
||||||
|
<OL TYPE=a>
|
||||||
|
<LI><P >An OA must be an experienced
|
||||||
|
Assurer
|
||||||
|
</P>
|
||||||
|
<OL TYPE=i>
|
||||||
|
<LI><P >Have 150 assurance points.
|
||||||
|
</P>
|
||||||
|
<LI><P >Be fully trained and tested on
|
||||||
|
all general Assurance processes.
|
||||||
|
</P>
|
||||||
|
</OL>
|
||||||
|
<LI><P >Must be trained as Organisation
|
||||||
|
Assurer.
|
||||||
|
</P>
|
||||||
|
<OL TYPE=i>
|
||||||
|
<LI><P >Global knowledge: This policy.
|
||||||
|
</P>
|
||||||
|
<LI><P >Global knowledge: A OA manual
|
||||||
|
covers how to do the process.
|
||||||
|
</P>
|
||||||
|
<LI><P >Local knowledge: legal forms of
|
||||||
|
organisations within jurisdiction.
|
||||||
|
</P>
|
||||||
|
<LI><P >Basic governance.
|
||||||
|
</P>
|
||||||
|
<LI><P >Training may be done a variety of
|
||||||
|
ways, such as on-the-job, etc.
|
||||||
|
</P>
|
||||||
|
</OL>
|
||||||
|
<LI><P >Must be tested.
|
||||||
|
</P>
|
||||||
|
<OL TYPE=i>
|
||||||
|
<LI><P >Global test: Covers this policy
|
||||||
|
and the process.
|
||||||
|
</P>
|
||||||
|
<LI><P >Local knowledge: Subsidiary
|
||||||
|
Policy to specify.
|
||||||
|
</P>
|
||||||
|
<LI><P >Tests to be created, approved,
|
||||||
|
run, verified by CAcert only (not outsourced).
|
||||||
|
</P>
|
||||||
|
<LI><P >Testing includes both online /
|
||||||
|
automated and manual tests with the manual tests confirming the on
|
||||||
|
line tests.
|
||||||
|
</P>
|
||||||
|
<LI><P >Documentation to be retained.
|
||||||
|
</P>
|
||||||
|
<LI><P >Tests may include on-the-job
|
||||||
|
components.
|
||||||
|
</P>
|
||||||
|
</OL>
|
||||||
|
<LI><P >Must be approved.
|
||||||
|
</P>
|
||||||
|
<OL TYPE=i>
|
||||||
|
<LI><P >Two supervising OAs must sign-off
|
||||||
|
on new OA, as trained, tested and passed.
|
||||||
|
</P>
|
||||||
|
<LI><P >AO must sign-off on a new OA, as
|
||||||
|
supervised, trained and tested.
|
||||||
|
</P>
|
||||||
|
</OL>
|
||||||
|
<LI><P>The OA can decide when a CAcert (individual) Assurer has done
|
||||||
|
several OA Application Advises to appoint this person to OA Assurer.
|
||||||
|
</P>
|
||||||
|
</OL>
|
||||||
|
|
||||||
|
<H3>3.3 Organisation Assurance Advisor ("OAA") </H3>
|
||||||
|
<P>In countries/states/provinces where no OA Assurers are operating
|
||||||
|
for an OA Application (COAP) the OA can be advised by an experienced
|
||||||
|
local CAcert (individual) Assurer to take the decision to accept the
|
||||||
|
OA Application (COAP) of the organisation.
|
||||||
|
</P>
|
||||||
|
<P>The local Assurer must have at least 150 Points, should know the
|
||||||
|
language, and know the organisation trade office registry culture and
|
||||||
|
quality.
|
||||||
|
</P>
|
||||||
|
|
||||||
|
<H3>3.4 Organisation Administrator </H3>
|
||||||
|
<P>The Administrator within each Organisation ("O-Admin")
|
||||||
|
is the one who handles the assurance requests and the issuing of
|
||||||
|
certificates.
|
||||||
|
</P>
|
||||||
|
<OL TYPE=a>
|
||||||
|
<LI><P >O-Admin must be an individual
|
||||||
|
Assurer
|
||||||
|
</P>
|
||||||
|
<OL TYPE=i>
|
||||||
|
<LI><P >Have 100 assurance points.
|
||||||
|
</P>
|
||||||
|
<LI><P >Fully trained and tested as
|
||||||
|
Assurer.
|
||||||
|
</P>
|
||||||
|
</OL>
|
||||||
|
<LI><P >Organisation is required to
|
||||||
|
appoint the O-Admin(s), and appoint ones as required.
|
||||||
|
</P>
|
||||||
|
<OL TYPE=i>
|
||||||
|
<LI><P >On COAP Request Form.
|
||||||
|
</P>
|
||||||
|
<LI><P >On the organisation Member
|
||||||
|
account.</P>
|
||||||
|
</OL>
|
||||||
|
<LI><P >O-Admin must work with an assigned
|
||||||
|
OA.
|
||||||
|
</P>
|
||||||
|
<OL TYPE=i>
|
||||||
|
<LI><P >Have contact details.
|
||||||
|
</P>
|
||||||
|
<LI><P>Is named on the organisation Member account.</P>
|
||||||
|
</OL>
|
||||||
|
</OL>
|
||||||
|
|
||||||
|
<H2>4. Policies </H2>
|
||||||
|
|
||||||
|
<H3>4.1 Policy </H3>
|
||||||
|
<P>There is one policy being this present document, and several
|
||||||
|
subsidiary policies.
|
||||||
|
</P>
|
||||||
|
<OL TYPE=a>
|
||||||
|
<LI><P >This policy authorises the
|
||||||
|
creation of subsidiary policies.
|
||||||
|
</P>
|
||||||
|
<LI><P >This policy is international.
|
||||||
|
</P>
|
||||||
|
<LI><P >Subsidiary policies are
|
||||||
|
implementations of the policy.
|
||||||
|
</P>
|
||||||
|
<LI><P>Organisations are assured under an appropriate subsidiary
|
||||||
|
policy.
|
||||||
|
</P>
|
||||||
|
</OL>
|
||||||
|
|
||||||
|
<H3>4.2 Subsidiary Policies </H3>
|
||||||
|
<P>The nature of the Subsidiary Policies ("SubPols"):
|
||||||
|
</P>
|
||||||
|
<OL TYPE=a>
|
||||||
|
<LI><P >SubPols are purposed to check the
|
||||||
|
organisation under the rules of the jurisdiction that creates the
|
||||||
|
organisation. This does not evidence an intention by CAcert to enter
|
||||||
|
into the local jurisdiction, nor an intention to impose the rules of
|
||||||
|
that jurisdiction over any other organisation. CAcert assurances are
|
||||||
|
conducted under the jurisdiction of CAcert.
|
||||||
|
</P>
|
||||||
|
<LI><P >For OAs, SubPol specifies the
|
||||||
|
<I>tests of local knowledge</I> including the local organisation
|
||||||
|
assurance COAP forms.
|
||||||
|
</P>
|
||||||
|
<LI><P >For assurances, SubPol specifies
|
||||||
|
the <I>local documentation forms</I> which are acceptable under this
|
||||||
|
SubPol to meet the standard.
|
||||||
|
</P>
|
||||||
|
<LI><P>SubPols are subjected to the normal policy approval process.
|
||||||
|
</P>
|
||||||
|
</OL>
|
||||||
|
|
||||||
|
<H3>4.3 Freedom to Assemble </H3>
|
||||||
|
<P>Subsidiary Policies are open, accessible and free to enter.
|
||||||
|
</P>
|
||||||
|
<OL TYPE=a>
|
||||||
|
<LI><P >SubPols compete but are compatible. </P>
|
||||||
|
<LI><P >No SubPol is a franchise. </P>
|
||||||
|
<LI><P >Many will be on State or National
|
||||||
|
lines, reflecting the legal tradition of organisations created
|
||||||
|
("incorporated") by states.
|
||||||
|
</P>
|
||||||
|
<LI><P >However, there is no need for
|
||||||
|
strict national lines; it is possible to have 2 SubPols in one
|
||||||
|
country, or one covering several countries with the same language
|
||||||
|
(e.g., Austria with Germany, England with Wales but not Scotland).
|
||||||
|
</P>
|
||||||
|
<LI><P >There could also be SubPols for
|
||||||
|
special organisations, one person organisations, UN agencies,
|
||||||
|
churches, etc.
|
||||||
|
</P>
|
||||||
|
<LI><P>Where it is appropriate to use the SubPol in another
|
||||||
|
situation (another country?), it can be so approved. (e.g., Austrian
|
||||||
|
SubPol might be approved for Germany.) The SubPol must record this
|
||||||
|
approval.
|
||||||
|
</P>
|
||||||
|
</OL>
|
||||||
|
|
||||||
|
<H2>5. Process </H2>
|
||||||
|
|
||||||
|
<H3>5.1 Standard of Organisation Assurance </H3>
|
||||||
|
<P>The essential standard of Organisation Assurance (see also 1.1
|
||||||
|
Organisation Assurance Statement) is:
|
||||||
|
</P>
|
||||||
|
<OL TYPE=a>
|
||||||
|
<LI><P >the organisation exists
|
||||||
|
</P>
|
||||||
|
<LI><P >the organisation name is correct
|
||||||
|
and consistent:
|
||||||
|
</P>
|
||||||
|
<OL TYPE=i>
|
||||||
|
<LI><P >in official documents specified
|
||||||
|
in SubPol.
|
||||||
|
</P>
|
||||||
|
<LI><P >on COAP form.
|
||||||
|
</P>
|
||||||
|
<LI><P >in CAcert database.
|
||||||
|
</P>
|
||||||
|
<LI><P >form or type of legal entity is
|
||||||
|
consistent
|
||||||
|
</P>
|
||||||
|
</OL>
|
||||||
|
<LI><P >signing rights: requester can sign
|
||||||
|
on behalf of the organisation.
|
||||||
|
</P>
|
||||||
|
<LI><P >the organisation has agreed to the
|
||||||
|
terms of the <B>CAcert Community Agreement </B>, and is therefore
|
||||||
|
subject to Arbitration.
|
||||||
|
</P>
|
||||||
|
<LI><P>Organisation Domain names must have been checked accordingly
|
||||||
|
the CPS.</P>
|
||||||
|
</OL>
|
||||||
|
<P>Acceptable documents to meet above standard are stated in the SubPol.
|
||||||
|
</P>
|
||||||
|
|
||||||
|
<H3>5.2 (Organisation) Assurance Points</H3>
|
||||||
|
<P>The Organisation Assurance applies Assurance Points to each
|
||||||
|
organisation Member which measure the increase of confidence in the
|
||||||
|
Statement (above). Assurance Points should not be interpreted for any
|
||||||
|
other purpose. Note that, even though they are sometimes referred to
|
||||||
|
as <I>Web-of-Trust</I> (Assurance) Points, or <I>Trust</I> Points,
|
||||||
|
the meaning of the word 'Trust' is not well defined.
|
||||||
|
</P>
|
||||||
|
<P><I>Assurance Points Allocation</I><BR>An Assurer can allocate a
|
||||||
|
number of Assurance Points to the organisation Member. The allocation
|
||||||
|
of the maximum means that the Assurer is 100% confident in the
|
||||||
|
information presented:
|
||||||
|
</P>
|
||||||
|
<UL>
|
||||||
|
<LI><P >Detail on form, system, documents,
|
||||||
|
organisation and O-Admin(s) in accordance;
|
||||||
|
</P>
|
||||||
|
<LI><P >Sufficient quality organisation
|
||||||
|
registration extract documents and organisation by-laws related to
|
||||||
|
signature control of the organisation director have been checked;
|
||||||
|
</P>
|
||||||
|
<LI><P >Assurer's familiarity with extract
|
||||||
|
and by-laws documents;
|
||||||
|
</P>
|
||||||
|
<LI><P>The Organisation Assurance Statement is confirmed.
|
||||||
|
</P>
|
||||||
|
</UL>
|
||||||
|
<P>Any lesser confidence should result in less Assurance Points for
|
||||||
|
an organisation name. If the Organisation Assurer has no confidence
|
||||||
|
in the information presented, then <I>zero</I> Assurance Points may
|
||||||
|
be allocated by the Organisation Assurer. For example, this may
|
||||||
|
happen if the identity documents are totally unfamiliar to the
|
||||||
|
Organisation Assurer. The Organisation Assurer maybe assisted by a
|
||||||
|
second (individual) Assurer as such gaining confidence and/or assist
|
||||||
|
in allocating a second Organisation Assurance. The number of
|
||||||
|
Assurance Points from <I>zero</I> to <I>maximum</I> is guided by the
|
||||||
|
Assurance Handbook and the judgment of the Assurer. If there is
|
||||||
|
negative confidence the Assurer should consider filing a dispute.
|
||||||
|
</P>
|
||||||
|
<P>Multiple (trade) organisation names should be allocated Assurance
|
||||||
|
Points independently within a single Assurance.
|
||||||
|
</P>
|
||||||
|
<P>In general, for an organisation Member to reach 50 Assurance
|
||||||
|
Points, the Member must have participated in at least two assurances,
|
||||||
|
and at least one organisation name will have been assured to that
|
||||||
|
level.
|
||||||
|
</P>
|
||||||
|
<P>The maximum number of Assurance Points which can be allocated for
|
||||||
|
an Assurance under this policy and under any act under any Subsidiary
|
||||||
|
Policy (below) is 50 Assurance Points.
|
||||||
|
</P>
|
||||||
|
<H3>5.2 CAcert Organisation Assurance Programme (COAP)
|
||||||
|
</H3>
|
||||||
|
<P>The COAP form documents the checks and the resultant assurance
|
||||||
|
results to meet the standard. Additional information to be provided
|
||||||
|
on form:
|
||||||
|
</P>
|
||||||
|
<OL TYPE=a>
|
||||||
|
<LI><P >CAcert account of O-Admin(S)
|
||||||
|
(email address of O-Admin individual Assurer Membership account)
|
||||||
|
</P>
|
||||||
|
<LI><P >Location:
|
||||||
|
</P>
|
||||||
|
<OL TYPE=i>
|
||||||
|
<LI><P >country (MUST). </P>
|
||||||
|
<LI><P >city (MUST). </P>
|
||||||
|
<LI><P >additional contact information (as required by SubPol). </P>
|
||||||
|
</OL>
|
||||||
|
<LI><P >Administrator account name(s) (1 or more) </P>
|
||||||
|
<LI><P >Domain name(s) </P>
|
||||||
|
<LI><P >Agreement with <B>CAcert Community
|
||||||
|
Agreement</B>. Statement and initials box for organisation and also
|
||||||
|
for OA.
|
||||||
|
</P>
|
||||||
|
<LI><P>Date of completion of Assurance. Records should be maintained
|
||||||
|
for 7 years from this date.
|
||||||
|
</P>
|
||||||
|
</OL>
|
||||||
|
<P>The COAP should be in English. Where translations are provided,
|
||||||
|
they should be matched to the English, and indication provided that
|
||||||
|
the English is the ruling language (due to Arbitration requirements).
|
||||||
|
</P>
|
||||||
|
|
||||||
|
<H3>5.3 Jurisdiction </H3>
|
||||||
|
<P>Organisation Assurances are carried out by CAcert Inc. under its
|
||||||
|
Arbitration jurisdiction. Actions carried out by OAs are under this
|
||||||
|
regime.
|
||||||
|
</P>
|
||||||
|
<OL TYPE=a>
|
||||||
|
<LI><P >The organisation has agreed to the
|
||||||
|
terms of the <B>CAcert Community Agreement</B>.
|
||||||
|
</P>
|
||||||
|
<LI><P >The organisation, the Organisation
|
||||||
|
Assurers, CAcert and other related parties are bound into CAcert's
|
||||||
|
jurisdiction and dispute resolution.
|
||||||
|
</P>
|
||||||
|
<LI><P>The OA is responsible for ensuring that the organisation
|
||||||
|
reads, understands, intends and agrees to the <B>CAcert Community
|
||||||
|
Agreement</B>. This OA responsibility should be recorded on COAP
|
||||||
|
(statement and initials box).
|
||||||
|
</P>
|
||||||
|
</OL>
|
||||||
|
|
||||||
|
<H2>6. Exceptions </H2>
|
||||||
|
<OL TYPE=a>
|
||||||
|
<LI><P ><B>Conflicts of Interest.</B> An
|
||||||
|
OA must not assure an organisation in which there is a close or
|
||||||
|
direct relationship by, e.g., employment, family, financial
|
||||||
|
interests. Other conflicts of interest must be disclosed.
|
||||||
|
</P>
|
||||||
|
<LI><P ><B>Trusted Third Parties.</B> TTPs
|
||||||
|
are not generally approved to be part of organisation assurance, but
|
||||||
|
may be approved by subsidiary policies according to local needs.
|
||||||
|
</P>
|
||||||
|
<LI><P ><B>Exceptional Organisations.</B>
|
||||||
|
(e.g., Vatican, International Space Station, United Nations) can be
|
||||||
|
dealt with as a single-organisation SubPol. The OA creates the
|
||||||
|
checks, documents them, and subjects them to to normal policy
|
||||||
|
approval.
|
||||||
|
</P>
|
||||||
|
<LI><P><B>DBA.</B> Alternative names for organisations (DBA, "doing
|
||||||
|
business as") can be added as long as they are proven
|
||||||
|
independently. E.g., registration as DBA or holding of registered
|
||||||
|
trade mark. This means that the anglo law tradition of unregistered
|
||||||
|
DBAs is not accepted without further proof.
|
||||||
|
</P>
|
||||||
|
</OL>
|
||||||
|
|
||||||
|
<P><A HREF="http://validator.w3.org/check?uri=referer"><IMG SRC="http://www.w3.org/Icons/valid-xhtml11-blue" NAME="graphics2" ALT="Valid XHTML 1.1" ALIGN=BOTTOM WIDTH=90 HEIGHT=33 BORDER=0></A></P>
|
||||||
|
|
||||||
|
</BODY>
|
||||||
|
</HTML>
|
Loading…
Reference in a new issue