diff --git a/RemoteVerificationPolicy.html b/RemoteVerificationPolicy.html index ebc885f..2e40663 100644 --- a/RemoteVerificationPolicy.html +++ b/RemoteVerificationPolicy.html @@ -1,114 +1,151 @@ - - - -
-
-
- Editor: Pete Stephenson
- Creation date: 2008-07-12
- Last change by: Pete
- Last change date: 2008-07-14 21:42 MST
- Status: WIP 2008-07-12
- Next status: DRAFT 08-2008
-
-
- This sub-policy extends the Assurance Policy ("AP") by providing a framework for members to verify their identity via Trusted Verification Provider ("TVP"s) including Government Authorities, Certification Authorities and Commercial Identity Providers, under the supervision of the Assurance Officer ("AO"). -
-- Successful completion of the process defined in RVP sub-policies shall result in the allocation of up to 50 points depending on level of trust in the TVP and the verification process. -
-- This sub-policy is available to all Members. -
-- Each TVP:: -
-- A Member (the subject of a verification) using the Remote Verification program: -
-- Where documentation is required by the verification process it shall be subject to the prevailing records management policies which may require that it be kept for a certain period or destroyed immediately after processing. -
- - - + + + + +
+
Author:
+Pete Stephenson
Creation date: 2008-07-12
+Status: WIP 2008-07-12
+Edited by: Teus Hagen, 2009-02-11
+Next status: DRAFT 2009
+
This sub-policy extends the Assurance Policy ("AP") +and Organisation Assurance Policy (“OAP”) by providing a +framework for Members to verify for individual Members their identity +and for organisation Members their organisation (trade) name via Trusted Third +Provider ("TTP"s) including Government Authorities, +Certification Authorities and Commercial Identity Providers, under +the supervision of a CAcert (Organisation) Assurer. +
+ +Successful completion of the verification of name process defined +in RVP sub-policies shall result in the allocation of 10 extra +Assurance Points added to the maximum of Assurance Points the Assurer, +supervising the assurance process for the Member, can allocate. +
+ +This sub-policy is available to all individual and organisation +Community Members.
+ +The CAcert (Organisation) Assurer must check the CAcert +(Organisation) Assurance Programme form. The identity verification or +organisation name verification is remotely performed by the Trusted +Verification Provider (2.2).
+ +The Trusted Verification Provider who is involved in the +verification process should be accepted by the Assurer. +
+ +The Assurer will keep the following signed documents:
+Signed document (e.g. CAP or COAP form) for CAcert Community Agreement with the Member.
+Signed report of the Trusted Verification Provider for the name verification.
+Each TVA::
+ +must be verifiably + practicing identification procedures, typically one of + the following:
+Government Authorities + responsible for issuing ID documents for individuals, trade office + extracts for organisations, or providing taxation functions +
+Certification Authorities + issuing authentication tokens (including certificates) based on a + published identity and/or trade name verification process +
+Commercial Identity + Providers providing identity verification as a commercial + service.
+Commercial Trade name + Registrars providing trade name verification.
+must provide a secure mechanism + for validating a member's identity and/or organisation name or trade + name , including: +
+Authentication Tokens + which are delivered to the user and verifiable in a + cryptographically strong fashion +
+Online Verification + via a web interface, ideally which is verified by SSL/TLS +
+Out-of-Band + communication directly with CAcert, Inc. as to the outcome of the + verification +
+should conduct identification of name procedures similar in + nature to CAcert's existing procedures (eg examining ID documents, + trade office extracts, obtaining 'assurances' from other trusted + members) +
+A Member (the subject of a verification) using the Remote +Verification program:
+ +must agree to be bound the CAcert + Community Agreement (CCA).
+must disclose any conflicts of + interest (including but not limited to relationships with + (Organisation) Assurer) +
+must cover the costs of their assurance (if any), including + fees imposed by TVPs and Assurer.
+Member shall create a CAcert + account and agree to the CAcert Community Agreement (CCA) +
+Member shall complete the procedure specified by the + applicable sub-policy(s), including being verified by the TVP .
+Where documentation is required by the verification process it +shall be subject to the prevailing records management policies which +may require that it be kept for a certain period or destroyed +immediately after processing. +
+ + + + +