Initiation of WiP for new Org Assurances.

git-svn-id: http://svn.cacert.org/CAcert/Policies@1167 14b1bab8-4ef6-0310-b690-991c95c89dfd
Teus Hagen 2009-02-10 14:11:36 +00:00
parent 89ddbee1d1
commit 3680cdf481


@ -0,0 +1,622 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">
<TITLE> Organisation Assurance Policy </TITLE>
<META NAME="CHANGEDBY" CONTENT="Teus Hagen">
<META NAME="CHANGED" CONTENT="20090210;14412600">
</HEAD>
<H1>Organisation&nbsp;Assurance&nbsp;Policy (new proposal) </H1>
<P ><A HREF="../PolicyOnPolicy.html"><IMG SRC="../cacert-wip.png" NAME="cacert-wip" ALT="CAcert WiP" ALIGN=BOTTOM WIDTH=90 HEIGHT=33 BORDER=0></A><BR>
Document:<BR>
Initial Author: Jens Paul<BR>
Edited by: Teus Hagen<BR>
Original creation date: 2007-09-18<BR>
Status: Changed for Feb 2009 OA WoT concept, sync with (individual) AP.<BR>
Next status: proposal will replace former Draft OA Policy of 2008</P>
<!-- $Id$ -->
<H2><A NAME="0"></A>0. Preliminaries </H2>
<P>This policy describes how Organisation Assurers (&quot;OAs&quot;)
conduct Assurances on Organisations. It fits within the overall
web-of-trust or Assurance process of CAcert.
</P>
<H3>0.1. Definition of Terms</H3>
<DL>
<DT><I>(Organisation) Member</I>
</DT><DD>
A Member is an organisation who has agreed to the CAcert Community
Agreement (<A HREF="http://www.cacert.org/policy/CAcertCommunityAgreement.php" TARGET="_blank">CCA</A>)
and has created successfully a CAcert login account on the CAcert
web site.
</DD><DT>
<I>(Organisation) Assurance</I>
</DT><DD>
Assurance is the process by which a Member of CAcert Community
(Organisation Assurer) identifies an organisation (Assuree).
</DD><DT>
<I>Prospective (Organisation) Member</I>
</DT><DD>
An organisation who participates in the process of an Organisation
Assurance, but has not yet created a CAcert login account.
</DD><DT>
<I>(Organisation) Name</I>
</DT><DD>
An Organisation Name is the full name of the organisation.
</DD></DL>
<H3>0.2. The CAcert Web of Trust</H3>
<P>An Organisation Assurer allocates a number of Assurance Points to
the (Organisation) Member being Assured. CAcert combines the
Assurance Points into a global <I>Web-of-Trust</I> (or &quot;WoT&quot;).
</P>
<P>CAcert explicitly chooses to meet its various goals by
construction of a Web-of-Trust of all Members.
</P>
<H3>0.3. Related Documentation</H3>
<P>Documentation on Organisation Assurance is split between this Organisation
Assurance Policy (OAP) and the (organisation) <A HREF="http://wiki.cacert.org/wiki/AssuranceHandbook2" TARGET="_blank">Assurance Handbook</A>.
The policy is controlled by Configuration Control Specification (<A HREF="http://wiki.cacert.org/wiki/PolicyDrafts/ConfigurationControlSpecification" TARGET="_blank">CCS</A>)
under Policy on Policy (<A HREF="http://www.cacert.org/policy/PolicyOnPolicy.php" TARGET="_blank">PoP</A>)
policy document regime. Because Organisation Assurance is an active
area, much of the practice is handed over to the Assurance Handbook,
which is not a controlled policy document, and can more easily
respond to experience and circumstances. It is also more readable.
</P>
<P>See also Assurance Policy (<A HREF="http://www.cacert.org/policy/AssurancePolicy.php" TARGET="_blank">AP</A>)
and CAcert Policy Statement (<A HREF="http://svn.cacert.org/CAcert/policy.htm" TARGET="_blank">CPS</A>).
</P>
<H2><A NAME="1"></A>1. Organisation Assurance Purpose </H2>
<P>Organisations with assured status can issue certificates via their
O-Admin directly with their own domains within.
</P>
<P>The purpose and statement of the certificate remains the same as
with ordinary users (natural persons) and as described in the CPS.
</P>
<UL>
<LI><P >The organisation named within is identified. </P>
<LI><P >The organisation has been verified according to this policy. </P>
<LI><P>The organisation is within the jurisdiction and can be taken to CAcert Arbitration. </P>
</UL>
<H3>1.1.The Organisation Assurance Statement</H3>
<P>The Assurance Statement makes the following claims about the organisation:
</P>
<OL>
<LI><P>The organisation is a bona fide (organisation) Member. In
other words, the organisation is a member of the CAcert Community as
defined by the CAcert Community Agreement (<A HREF="http://www.cacert.org/policy/CAcertCommunityAgreement.php" TARGET="_blank">CCA</A>);
</P>
<LI><P>The Member has a (login) account with CAcert's on-line registration and service system; </P>
<LI><P>The Member can be determined from any CAcert certificate issued by the Account; </P>
<LI><P>The Member is bound into CAcert's Arbitration as defined by the CAcert Community Agreement; </P>
<LI><P>Some information on the Organisation Member are known and
verified by CAcert: the Organisation Name(s), form of organisation,
domain names, Individual Members for contact and liaison purpose,
secondary distinguishing feature (e.g. corporate number).</P>
</OL>
<P>The confidence level of the Assurance Statement is expressed by the (Organisation) Assurance Points.
</P>
<P>Organisations can expect the normal privacy provisions provided to
Individuals.&nbsp; However, any business arrangements that are not
strictly provided for in this policy are likely outside normal
privacy.&nbsp;</P>
<H3><A NAME="1.2"></A>1.2. Relying Party Statement</H3>
<P>The primary goal of the Organisation Assurance Statement is for
the express purpose of certificates to meet the needs of the <I>Relying
Party Statement</I>, which latter is found in the Certification
Practice Statement (<A HREF="http://svn.cacert.org/CAcert/policy.htm" TARGET="_blank">CPS</A>).
</P>
<P>When a certificate is issued, some of the Organisation Assurance
Statement may be incorporated, e.g. Organisation name. Other parts
may be implied, e.g. Membership, exact account and status. They all
are part of the <I>Relying Party Statement</I>. In short, this means
that other Members of the Community may rely on the information
verified by Assurance and found in the certificate.</P>
<P>In particular, certificates are sometimes considered to provide
reliable indications of e.g. the Member's Organisation name,
organisation domain names, and organisation email address. The
nature of Assurance, the number of Assurance Points, and other
policies and processes should be understood as limitations on any
reliance.
</P>
<H2>2. The Organisation Member</H2>
<H3><A NAME="2.11"></A>2.1. The Organisation Member's name </H3>
<P>The name of the organisation as recorded in the Member's CAcert
login account. The general standard of a name is:
</P>
<UL>
<LI><P>The name should be recorded as written in a government-issued
organisation registration extract e.g. extract from governmental
trade office registrar.</P>
<LI><P>The organisation name should be recorded as completely as
possible. That is without abbreviations, and without transliteration
of characters.
</P>
<LI><P>The organisation name is recorded as a string of characters,
encoded in <SPAN LANG="en-US">unicode</SPAN> transformation format.</P>
</UL>
<H3><A NAME="2.21"></A>2.2. Multiple trade names and variations</H3>
<P>In order to handle the contradictions in the above general
standard, a Member may record multiple names or multiple variations
of a name in her CAcert online Account. Examples of variations
include trade names, variations of trade names, abbreviations of a
name, different language or country variations, and transliterations
of characters in a name. All names should be defined within the
organisation registration extract.</P>
<H3><A NAME="2.31"></A>2.3. Status and Capabilities</H3>
<P>An organisation Name which has reached the level of 50
(Organisation) Assurance Points is defined as an Assured organisation
Name. An Assured Name can be used as Organisation Name in a
certificate issued by CAcert. A Member with at least one Assured Name
has reached the Assured Member status. Additional capabilities are
described in Table 1.
</P>
<BLOCKQUOTE STYLE="text-align: left"><FONT SIZE=2><I>Table 1:
Assurance Capability</I></FONT></BLOCKQUOTE>
<DL>
<DD>
<TABLE WIDTH=470 BORDER=1 CELLPADDING=5 CELLSPACING=0>
<COL WIDTH=65>
<COL WIDTH=83>
<COL WIDTH=85>
<COL WIDTH=196>
<TR>
<TD WIDTH=65>
<P ALIGN=LEFT><I>Minimum Assurance Points</I></P>
</TD>
<TD WIDTH=83>
<P ALIGN=LEFT><I>Capability</I></P>
</TD>
<TD WIDTH=85>
<P ALIGN=LEFT><I>Status</I></P>
</TD>
<TD WIDTH=196>
<P ALIGN=LEFT><I>Comment</I></P>
</TD>
</TR>
<TR VALIGN=TOP>
<TD WIDTH=65>
<P ALIGN=CENTER>0</P>
</TD>
<TD WIDTH=83>
<P ALIGN=LEFT>Request Organisation Assurance</P>
</TD>
<TD WIDTH=85>
<P ALIGN=LEFT>Prospective Organisation Member</P>
</TD>
<TD WIDTH=196>
<P ALIGN=LEFT>Organisation taking part of an Organisation
Assurance, who does not have created a CAcert login account
(yet). The allocation of Assurance Points is awaiting login
account creation.</P>
</TD>
</TR>
<TR VALIGN=TOP>
<TD WIDTH=65>
<P ALIGN=CENTER>0</P>
</TD>
<TD WIDTH=83>
<P ALIGN=LEFT>Request unnamed certificates</P>
</TD>
<TD WIDTH=85>
<P ALIGN=LEFT>(Organisation) Member</P>
</TD>
<TD WIDTH=196>
<P ALIGN=LEFT>Although the Organisation Member's details are
recorded in the account, they are not highly assured.</P>
</TD>
</TR>
<TR VALIGN=TOP>
<TD WIDTH=65>
<P ALIGN=CENTER>50</P>
</TD>
<TD WIDTH=83>
<P ALIGN=LEFT>Request certificates with the name of the
organisation</P>
</TD>
<TD WIDTH=85>
<P ALIGN=LEFT>Assured Organisation Member</P>
</TD>
<TD WIDTH=196>
<P ALIGN=LEFT>Statements of Assurance: the organisation name is
assured to 50 Assurance Points or more</P>
</TD>
</TR>
</TABLE>
</DL>
<P>A Member may check the status of another Member, especially for an
assurance process. Status may be implied from information in a
certificate. The number of Assurance Points for each Member is not
published.
</P>
<UL>
<P>The CAcert Policy Statement (<A HREF="http://svn.cacert.org/CAcert/policy.htm" TARGET="_blank">CPS</A>)
and other policies may list other capabilities that rely on
Assurance Points.
</P>
<P>When an organisation is assured, it becomes in effect an Assurer
for its local names.&nbsp; These names are used in certificates
issued under the listed domains.&nbsp; When issued, the organisation
takes primary responsibility as Member. <BR><BR>Each name has to be
checked against the internal systems of the organisation.&nbsp; The
internal systems have to match some standard, as covered in SubPols
/ OA Manual. <BR><BR>If they internal systems do not support this
application, then the regular Assurance process can be used instead.</P>
</UL>
<H2>3. Roles and Structure </H2>
<H3>3.1 Organisation Assurance Officer </H3>
<P>The (Organisation) Assurance Officer (&quot;AO&quot;) manages this
policy and reports to the CAcert Inc. Committee (&quot;Board&quot;).
</P>
<P>The AO manages all OAs and is responsible for process, the CAcert
Organisation Assurance Programme (&quot;COAP&quot;) form, OA training
and testing, manuals, quality control. In these responsibilities,
other Officers will assist.
</P>
<P>The OA is appointed by the Board. Where the OA is failing the
Board decides.
</P>
<H3>3.2 Organisation Assurers </H3>
<OL TYPE=a>
<LI><P >An OA must be an experienced
Assurer
</P>
<OL TYPE=i>
<LI><P >Have 150 assurance points.
</P>
<LI><P >Be fully trained and tested on
all general Assurance processes.
</P>
</OL>
<LI><P >Must be trained as Organisation
Assurer.
</P>
<OL TYPE=i>
<LI><P >Global knowledge: This policy.
</P>
<LI><P >Global knowledge: A OA manual
covers how to do the process.
</P>
<LI><P >Local knowledge: legal forms of
organisations within jurisdiction.
</P>
<LI><P >Basic governance.
</P>
<LI><P >Training may be done a variety of
ways, such as on-the-job, etc.
</P>
</OL>
<LI><P >Must be tested.
</P>
<OL TYPE=i>
<LI><P >Global test: Covers this policy
and the process.
</P>
<LI><P >Local knowledge: Subsidiary
Policy to specify.
</P>
<LI><P >Tests to be created, approved,
run, verified by CAcert only (not outsourced).
</P>
<LI><P >Testing includes both online /
automated and manual tests with the manual tests confirming the on
line tests.
</P>
<LI><P >Documentation to be retained.
</P>
<LI><P >Tests may include on-the-job
components.
</P>
</OL>
<LI><P >Must be approved.
</P>
<OL TYPE=i>
<LI><P >Two supervising OAs must sign-off
on new OA, as trained, tested and passed.
</P>
<LI><P >AO must sign-off on a new OA, as
supervised, trained and tested.
</P>
</OL>
<LI><P>The OA can decide when a CAcert (individual) Assurer has done
several OA Application Advises to appoint this person to OA Assurer.
</P>
</OL>
<H3>3.3 Organisation Assurance Advisor (&quot;OAA&quot;) </H3>
<P>In countries/states/provinces where no OA Assurers are operating
for an OA Application (COAP) the OA can be advised by an experienced
local CAcert (individual) Assurer to take the decision to accept the
OA Application (COAP) of the organisation.
</P>
<P>The local Assurer must have at least 150 Points, should know the
language, and know the organisation trade office registry culture and
quality.
</P>
<H3>3.4 Organisation Administrator </H3>
<P>The Administrator within each Organisation (&quot;O-Admin&quot;)
is the one who handles the assurance requests and the issuing of
certificates.
</P>
<OL TYPE=a>
<LI><P >O-Admin must be an individual
Assurer
</P>
<OL TYPE=i>
<LI><P >Have 100 assurance points.
</P>
<LI><P >Fully trained and tested as
Assurer.
</P>
</OL>
<LI><P >Organisation is required to
appoint the O-Admin(s), and appoint ones as required.
</P>
<OL TYPE=i>
<LI><P >On COAP Request Form.
</P>
<LI><P >On the organisation Member
account.</P>
</OL>
<LI><P >O-Admin must work with an assigned
OA.
</P>
<OL TYPE=i>
<LI><P >Have contact details.
</P>
<LI><P>Is named on the organisation Member account.</P>
</OL>
</OL>
<H2>4. Policies </H2>
<H3>4.1 Policy </H3>
<P>There is one policy being this present document, and several
subsidiary policies.
</P>
<OL TYPE=a>
<LI><P >This policy authorises the
creation of subsidiary policies.
</P>
<LI><P >This policy is international.
</P>
<LI><P >Subsidiary policies are
implementations of the policy.
</P>
<LI><P>Organisations are assured under an appropriate subsidiary
policy.
</P>
</OL>
<H3>4.2 Subsidiary Policies </H3>
<P>The nature of the Subsidiary Policies (&quot;SubPols&quot;):
</P>
<OL TYPE=a>
<LI><P >SubPols are purposed to check the
organisation under the rules of the jurisdiction that creates the
organisation. This does not evidence an intention by CAcert to enter
into the local jurisdiction, nor an intention to impose the rules of
that jurisdiction over any other organisation. CAcert assurances are
conducted under the jurisdiction of CAcert.
</P>
<LI><P >For OAs, SubPol specifies the
<I>tests of local knowledge</I> including the local organisation
assurance COAP forms.
</P>
<LI><P >For assurances, SubPol specifies
the <I>local documentation forms</I> which are acceptable under this
SubPol to meet the standard.
</P>
<LI><P>SubPols are subjected to the normal policy approval process.
</P>
</OL>
<H3>4.3 Freedom to Assemble </H3>
<P>Subsidiary Policies are open, accessible and free to enter.
</P>
<OL TYPE=a>
<LI><P >SubPols compete but are compatible. </P>
<LI><P >No SubPol is a franchise. </P>
<LI><P >Many will be on State or National
lines, reflecting the legal tradition of organisations created
(&quot;incorporated&quot;) by states.
</P>
<LI><P >However, there is no need for
strict national lines; it is possible to have 2 SubPols in one
country, or one covering several countries with the same language
(e.g., Austria with Germany, England with Wales but not Scotland).
</P>
<LI><P >There could also be SubPols for
special organisations, one person organisations, UN agencies,
churches, etc.
</P>
<LI><P>Where it is appropriate to use the SubPol in another
situation (another country?), it can be so approved. (e.g., Austrian
SubPol might be approved for Germany.) The SubPol must record this
approval.
</P>
</OL>
<H2>5. Process </H2>
<H3>5.1 Standard of Organisation Assurance </H3>
<P>The essential standard of Organisation Assurance (see also 1.1
Organisation Assurance Statement) is:
</P>
<OL TYPE=a>
<LI><P >the organisation exists
</P>
<LI><P >the organisation name is correct
and consistent:
</P>
<OL TYPE=i>
<LI><P >in official documents specified
in SubPol.
</P>
<LI><P >on COAP form.
</P>
<LI><P >in CAcert database.
</P>
<LI><P >form or type of legal entity is
consistent
</P>
</OL>
<LI><P >signing rights: requester can sign
on behalf of the organisation.
</P>
<LI><P >the organisation has agreed to the
terms of the <B>CAcert Community Agreement </B>, and is therefore
subject to Arbitration.
</P>
<LI><P>Organisation Domain names must have been checked accordingly
the CPS.</P>
</OL>
<P>Acceptable documents to meet above standard are stated in the SubPol.
</P>
<H3>5.2 (Organisation) Assurance Points</H3>
<P>The Organisation Assurance applies Assurance Points to each
organisation Member which measure the increase of confidence in the
Statement (above). Assurance Points should not be interpreted for any
other purpose. Note that, even though they are sometimes referred to
as <I>Web-of-Trust</I> (Assurance) Points, or <I>Trust</I> Points,
the meaning of the word 'Trust' is not well defined.
</P>
<P><I>Assurance Points Allocation</I><BR>An Assurer can allocate a
number of Assurance Points to the organisation Member. The allocation
of the maximum means that the Assurer is 100% confident in the
information presented:
</P>
<UL>
<LI><P >Detail on form, system, documents,
organisation and O-Admin(s) in accordance;
</P>
<LI><P >Sufficient quality organisation
registration extract documents and organisation by-laws related to
signature control of the organisation director have been checked;
</P>
<LI><P >Assurer's familiarity with extract
and by-laws documents;
</P>
<LI><P>The Organisation Assurance Statement is confirmed.
</P>
</UL>
<P>Any lesser confidence should result in less Assurance Points for
an organisation name. If the Organisation Assurer has no confidence
in the information presented, then <I>zero</I> Assurance Points may
be allocated by the Organisation Assurer. For example, this may
happen if the identity documents are totally unfamiliar to the
Organisation Assurer. The Organisation Assurer maybe assisted by a
second (individual) Assurer as such gaining confidence and/or assist
in allocating a second Organisation Assurance. The number of
Assurance Points from <I>zero</I> to <I>maximum</I> is guided by the
Assurance Handbook and the judgment of the Assurer. If there is
negative confidence the Assurer should consider filing a dispute.
</P>
<P>Multiple (trade) organisation names should be allocated Assurance
Points independently within a single Assurance.
</P>
<P>In general, for an organisation Member to reach 50 Assurance
Points, the Member must have participated in at least two assurances,
and at least one organisation name will have been assured to that
level.
</P>
<P>The maximum number of Assurance Points which can be allocated for
an Assurance under this policy and under any act under any Subsidiary
Policy (below) is 50 Assurance Points.
</P>
<H3>5.2 CAcert Organisation Assurance Programme (COAP)
</H3>
<P>The COAP form documents the checks and the resultant assurance
results to meet the standard. Additional information to be provided
on form:
</P>
<OL TYPE=a>
<LI><P >CAcert account of O-Admin(S)
(email address of O-Admin individual Assurer Membership account)
</P>
<LI><P >Location:
</P>
<OL TYPE=i>
<LI><P >country (MUST). </P>
<LI><P >city (MUST). </P>
<LI><P >additional contact information (as required by SubPol). </P>
</OL>
<LI><P >Administrator account name(s) (1 or more) </P>
<LI><P >Domain name(s) </P>
<LI><P >Agreement with <B>CAcert Community
Agreement</B>. Statement and initials box for organisation and also
for OA.
</P>
<LI><P>Date of completion of Assurance. Records should be maintained
for 7 years from this date.
</P>
</OL>
<P>The COAP should be in English. Where translations are provided,
they should be matched to the English, and indication provided that
the English is the ruling language (due to Arbitration requirements).
</P>
<H3>5.3 Jurisdiction </H3>
<P>Organisation Assurances are carried out by CAcert Inc. under its
Arbitration jurisdiction. Actions carried out by OAs are under this
regime.
</P>
<OL TYPE=a>
<LI><P >The organisation has agreed to the
terms of the <B>CAcert Community Agreement</B>.
</P>
<LI><P >The organisation, the Organisation
Assurers, CAcert and other related parties are bound into CAcert's
jurisdiction and dispute resolution.
</P>
<LI><P>The OA is responsible for ensuring that the organisation
reads, understands, intends and agrees to the <B>CAcert Community
Agreement</B>. This OA responsibility should be recorded on COAP
(statement and initials box).
</P>
</OL>
<H2>6. Exceptions </H2>
<OL TYPE=a>
<LI><P ><B>Conflicts of Interest.</B> An
OA must not assure an organisation in which there is a close or
direct relationship by, e.g., employment, family, financial
interests. Other conflicts of interest must be disclosed.
</P>
<LI><P ><B>Trusted Third Parties.</B> TTPs
are not generally approved to be part of organisation assurance, but
may be approved by subsidiary policies according to local needs.
</P>
<LI><P ><B>Exceptional Organisations.</B>
(e.g., Vatican, International Space Station, United Nations) can be
dealt with as a single-organisation SubPol. The OA creates the
checks, documents them, and subjects them to to normal policy
approval.
</P>
<LI><P><B>DBA.</B> Alternative names for organisations (DBA, &quot;doing
business as&quot;) can be added as long as they are proven
independently. E.g., registration as DBA or holding of registered
trade mark. This means that the anglo law tradition of unregistered
DBAs is not accepted without further proof.
</P>
</OL>
<P><A HREF="http://validator.w3.org/check?uri=referer"><IMG SRC="http://www.w3.org/Icons/valid-xhtml11-blue" NAME="graphics2" ALT="Valid XHTML 1.1" ALIGN=BOTTOM WIDTH=90 HEIGHT=33 BORDER=0></A></P>
</BODY>
</HTML>
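Review bot: the new file never opens a `<BODY>` element: `</HEAD>` is followed directly by `<H1>Organisation&nbsp;Assurance&nbsp;Policy (new proposal) </H1>`, yet the file ends with `</BODY>`; add `<BODY>` after `</HEAD>`. Related, the DOCTYPE declares `HTML 4.0 Transitional` while the footer badge claims "Valid XHTML 1.1" over uppercase, unclosed `<LI>`, `<P>` and `<META>` tags, so either drop the badge or make the markup match it. Section numbering is inconsistent: both "(Organisation) Assurance Points" and "CAcert Organisation Assurance Programme (COAP)" are headed 5.2, and the anchors `<A NAME="2.11">`, `"2.21"`, `"2.31"` do not match headings 2.1, 2.2 and 2.3, so links into those sections will miss. In 2.3 the `<UL>` after the status table contains bare `<P>` paragraphs with no `<LI>`, which is invalid; use list items or drop the `<UL>`. In 3.1, "The OA is appointed by the Board. Where the OA is failing the Board decides." appears to refer to the Assurance Officer ("AO") defined in the preceding paragraphs rather than an OA; please confirm and correct. Minor text fixes: "1.1.The Organisation" (missing space), "If they internal systems" (should be "the"), "checked accordingly the CPS" (should be "according to the CPS"), and "subjects them to to normal policy approval" (doubled "to").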