From 46fd411932365149ae5951d65031f7eaef8ece86 Mon Sep 17 00:00:00 2001 From: Teus Hagen Date: Wed, 11 Feb 2009 14:21:36 +0000 Subject: [PATCH] Added Org Assurance members and changed to 10 extra ass points of supervising assurer, added supervising assurer. git-svn-id: http://svn.cacert.org/CAcert/Policies@1171 14b1bab8-4ef6-0310-b690-991c95c89dfd --- RemoteVerificationPolicy.html | 265 +++++++++++++++++++--------------- 1 file changed, 151 insertions(+), 114 deletions(-) diff --git a/RemoteVerificationPolicy.html b/RemoteVerificationPolicy.html index ebc885f..2e40663 100644 --- a/RemoteVerificationPolicy.html +++ b/RemoteVerificationPolicy.html @@ -1,114 +1,151 @@ - - - - - - CACert Remote Verification Policy (RVP) - - - -

- CACert Remote Verification Policy (RVP) -

-

- CAcert Policy Status
- Editor: Pete Stephenson
- Creation date: 2008-07-12
- Last change by: Pete
- Last change date: 2008-07-14 21:42 MST
- Status: WIP 2008-07-12
- Next status: DRAFT 08-2008
- -

-

- 0. Preamble -

-

- This sub-policy extends the Assurance Policy ("AP") by providing a framework for members to verify their identity via Trusted Verification Provider ("TVP"s) including Government Authorities, Certification Authorities and Commercial Identity Providers, under the supervision of the Assurance Officer ("AO"). -

-

- Successful completion of the process defined in RVP sub-policies shall result in the allocation of up to 50 points depending on level of trust in the TVP and the verification process. -

-

- 1. Scope -

-

- This sub-policy is available to all Members. -

-

- 2. Roles -

-

- 2.1 Trusted Verification Provider ("TVP") -

-

- Each TVP:: -

-
    -
  1. MUST be verifiably practicing identification procedures, typically one of the following:
    -
      -
    1. - Government Authorities responsible for issuing ID documents or providing taxation functions -
    2. -
    3. - Certification Authorities issuing authentication tokens (including certificates) based on a published identity verification process -
    4. -
    5. - Commercial Identity Providers providing identity verification as a commercial service -
    6. -
    -
  2. -
  3. MUST provide a secure mechanism for validating a member's identity, including: -
      -
    1. - Authentication Tokens which are delivered to the user and verifiable in a cryptographically strong fashion; -
    2. -
    3. - Online Verification via a web interface, ideally which is verified by SSL/TLS; -
    4. -
    5. - Out-of-Band communication directly with CAcert as to the outcome of the verification; -
    6. -
    -
  4. -
  5. SHOULD conduct identification procedures similar in nature to CAcert's existing procedures (eg examining ID documents, obtaining "assurances" from other trusted members) -
  6. -
-

- 2.4 Member -

-

- A Member (the subject of a verification) using the Remote Verification program: -

-
    -
  1. MUST agree to be bound the CAcert Community Agreement (CCA), including the Disupute Resolution Policy (DRP) -
  2. -
  3. MUST disclose any conflicts of interest (including but not limited to relationships with Assurers) -
  4. -
  5. MUST cover the costs of their assurance (if any), including fees imposed by TTPs, TVPs, and Assurers -
  6. -
-

- 3. Processes -

-

- 3.1 Verification -

-
    -
  1. Member SHALL create a CAcert account and agree to the CAcert Community Agreement (CCA) -
  2. -
  3. Member SHALL complete the procedure specified by the applicable sub-policy(s), including being verified by the TVP -
  4. -
-

- 4. Documentation -

-

- Where documentation is required by the verification process it shall be subject to the prevailing records management policies which may require that it be kept for a certain period or destroyed immediately after processing. -

-

- Valid XHTML 1.1 -

- - + + + + + CACert Remote Verification Policy (RVP) + + + + + +



+

+ +

CAcert Remote Verification Policy (RVP)

+ +

CAcert Policy Status
Author: +Pete Stephenson
Creation date: 2008-07-12
+Status: WIP 2008-07-12
+Edited by: Teus Hagen, 2009-02-11
+Next status: DRAFT 2009
+

+ +

0. Preliminaries

+ +

This sub-policy extends the Assurance Policy ("AP") +and Organisation Assurance Policy (“OAP”) by providing a +framework for Members to verify for individual Members their identity +and for organisation Members their organisation (trade) name via Trusted Third +Provider ("TTP"s) including Government Authorities, +Certification Authorities and Commercial Identity Providers, under +the supervision of a CAcert (Organisation) Assurer. +

+ +

Successful completion of the verification of name process defined +in RVP sub-policies shall result in the allocation of 10 extra +Assurance Points added to the maximum of Assurance Points the Assurer, +supervising the assurance process for the Member, can allocate. +

+ +

1. Scope

+ +

This sub-policy is available to all individual and organisation +Community Members.

+ +

2. Roles

+ +

2.1 CAcert (Organisation) Assurer

+ +

The CAcert (Organisation) Assurer must check the CAcert +(Organisation) Assurance Programme form. The identity verification or +organisation name verification is remotely performed by the Trusted +Verification Provider (2.2).

+ +

The Trusted Verification Provider who is involved in the +verification process should be accepted by the Assurer. +

+ +

The Assurer will keep the following signed documents:

+
    +
  1. Signed document (e.g. CAP or COAP form) for CAcert Community Agreement with the Member.

    +
  2. Signed report of the Trusted Verification Provider for the name verification.

    +
+ +

2.2 Trusted Verification Provider ("TVP")

+ +

Each TVA::

+ +
    +
  1. must be verifiably + practicing identification procedures, typically one of + the following:

    +
      +
    1. Government Authorities + responsible for issuing ID documents for individuals, trade office + extracts for organisations, or providing taxation functions +

      +
    2. Certification Authorities + issuing authentication tokens (including certificates) based on a + published identity and/or trade name verification process +

      +
    3. Commercial Identity + Providers providing identity verification as a commercial + service.

      +
    4. Commercial Trade name + Registrars providing trade name verification.

      +
    +
  2. must provide a secure mechanism + for validating a member's identity and/or organisation name or trade + name , including: +

    +
      +
    1. Authentication Tokens + which are delivered to the user and verifiable in a + cryptographically strong fashion +

      +
    2. Online Verification + via a web interface, ideally which is verified by SSL/TLS +

      +
    3. Out-of-Band + communication directly with CAcert, Inc. as to the outcome of the + verification +

      +
    +
  3. should conduct identification of name procedures similar in + nature to CAcert's existing procedures (eg examining ID documents, + trade office extracts, obtaining 'assurances' from other trusted + members) +

    +
+ +

2.3 Member

+ +

A Member (the subject of a verification) using the Remote +Verification program:

+ +
    +
  1. must agree to be bound the CAcert + Community Agreement (CCA).

    +
  2. must disclose any conflicts of + interest (including but not limited to relationships with + (Organisation) Assurer) +

    +
  3. must cover the costs of their assurance (if any), including + fees imposed by TVPs and Assurer.

    +
+ +

3. Processes

+ +

3.1 Verification

+ +
    +
  1. Member shall create a CAcert + account and agree to the CAcert Community Agreement (CCA) +

    +
  2. Member shall complete the procedure specified by the + applicable sub-policy(s), including being verified by the TVP .

    +
+ +

4. Documentation

+ +

Where documentation is required by the verification process it +shall be subject to the prevailing records management policies which +may require that it be kept for a certain period or destroyed +immediately after processing. +

+ +

Valid XHTML 1.1 +

+ + +
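Review bot: The role name is inconsistent across the added text. The new preamble in section 0 speaks of a "Trusted Third Provider ("TTP"s)" and section 2.2 opens with "Each TVA::", while the 2.2 heading and sections 2.1, 2.3 and 3.1 use "Trusted Verification Provider" or "TVP". The must/should obligations in 2.2 attach to that role, so use one term and one abbreviation throughout (TVP, going by the heading) and drop the doubled colon. In 2.1, "should be accepted by the Assurer" gives no criterion for acceptance; referring to the 2.2 requirements would make it checkable. In 2.3 item 1, "must agree to be bound the CAcert Community Agreement (CCA)" is still missing "by", and the explicit reference to the Dispute Resolution Policy has been dropped from that item although the commit message does not mention it. The requirement keywords have also gone from MUST/SHALL/SHOULD to lower case; if they are meant as normative keywords, keep the capitals or state how they are marked.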