imported updated policy for Australia per discussion on -policy

git-svn-id: 14b1bab8-4ef6-0310-b690-991c95c89dfd
Sam Johnston 17 years ago
parent ade42f0a59
commit 678e78ca64

@ -1,123 +1,174 @@
""> "">
<html> <html xmlns="">
<head> <head>
<TITLE> Australian OA </TITLE> <title>
CACert Organisation Assurance Program sub-policy for Australia
</head> </head>
<body> <body>
<h1> <font color="blue">Organisation Assurance - sub-policy for Australian organisations</font></h1> <h1>
<br><br> <font color="blue">CAcert Organisation Assurance Program sub-policy for Australia</font>
Author: Robert Cruikshank </h1>
<br> <p>
Creation date: WIP 2008-02-23 V0.2 Author(s): Robert Cruikshank, Sam Johnston<br />
<br> Creation date: WIP 2008-03-18 V0.3<br />
Status: <font color="red">WIP DRAFT</font> 2008-03-012 Status: <font color="red">WIP DRAFT</font> 2008-03-XXX<br />
<br> Date next status: changes expected in April 2008.<br />
Date next status: changes expected in April 2008.
<!-- $Id$ --> <!-- $Id$ -->
<h2>0. Preliminaries</h2> <h2>
This sub-policy describes how Organisation Assurers ("OAs") conduct assurances on Australian organisations. 0. Preliminaries
It fits within the overall web-of-trust or assurance process and the Organisation Assurance Policy (OAP) of CAcert. </h2>
<br><br><br> <p>
This CAcert sub-policy extends the Organisation Assurance Policy ("OAP") by specifying how the CAcert Organisation Assurance Program ("COAP") is to be conducted by the assigned Organisation Assurer ("OA") under the supervision of the Assurance Officer ("AO") for entities within the defined scope.
<h2>1. Purpose</h2> </p>
This is a subsidiary policy to the OAP. <h2>
1. Scope
This sub-policy is applicable to:<br />
<ol type="a"> <ol type="a">
<li>This sub-policy is applicable for the assurance of Australian organisations only.</li> <li>Australian legal entities:<br />
<li>This sub-policy is an implementation of the OAP.</li> <ol type="i">
<li>Where the Assurance Officer (AO) is referred to below, this includes their local delegate.</li> <li>Sole Traders
</ol> </li>
<h2>2. Organisation Assurers</h2> </li>
<h2>2.1 Requirements for the Organisation Assurer</h2> </li>
In addition to the requirements defined in the OAP, an OA must meet the following requirements for assuring Australian organisations: <li>Trusts
2. Requirements
This section describes any scope specific requirements that are not otherwise defined in the OAP.
2.1 Organisation
<ol type="a"> <ol type="a">
<li>Knowledge of common legal forms of organisations in Australia.</li> <li>Sole traders operating under their own name are not required to obtain a business name registration.
<li>Must pass an additional test on local knowledge, even if he/she is already an OA.</li> </li>
<li>Should help the AO to define local requirements.</li> <li>Applicants MUST be a valid legal entity but CAN have an arbitrary number of registered trading names.
</ol> </li>
<h2>3. Process</h2> <h3>
2.2 Records
<h2>3.1 Organisations</h2> </h3>
Acceptable organisations under this sub-policy must be:
<ol type="a"> <ol type="a">
<li>Organisations created under the rules of the Australian jurisdiction.</li> <li>Digital Signatures CAN be accepted in Australia under the Electronic Transactions Act(s).
<li>Organisations must not be revoked by a competent authority with direct oversight over the organisation.</li> </li>
<li>Records SHOULD typically be retained for a statutory period of five years.
<li>Reports SHOULD be submitted electronically via digitally signed email (including any attachments) by the OA to the AO.
</ol> </ol>
<h2>3.2 Documents</h2> 2.3 Application Form
The organisation has to provide documentary and/or physical evidence for two purposes. The first is to prove that the organisation exists as a registered entity and the second is to prove that the applicant has appropriate authority over the domain name. This policy assumes that there is a link between the entity name and the domain name evident in a 'whois' search. This link should established an association between the registered entity and the applicant. (i.e. the organisation name, the domain name/s and the applicant's name can all be linked together through these mechanisms): </h3>
<ol type="a"> <ol type="a">
<li>The jurisdiction MUST be specified as 'Australia' (for companies and trusts) or an Australian State or Territory (for sole traders and partnerships).
<li>The primary mechanism to prove existence of the organisation is to provide the ABN or other government registration number of the business that can be used to search the appropriate online register. This can take the form of a photocopy of the certificate issued by the business registrar accompanied by a letter on business letterhead. If an online search cannot be performed for the specific registrar your business is registered with, then an official extract will be required.</li> </li>
<li>Any applicable organisation identifiers (ACN/ABN/ARBN) MUST be specified where applicable (not required for sole traders operating under their own name).
<li>The primary mechanism to prove authority over the domain name/s in question is for the applicant to provide an official extract from the Australian business registrar containing the name and signature of the applicant as a current company officer, either via an online interface or via physical means (organisation is asked to carry the costs).</li> </li>
<ol> <h2>
3. Registration
<li>An example of this is: </h2>
<br>The applicant performs an <abbr title="Australian Securities and Investments Commission">ASIC</abbr> or <abbr title="Dune and Bradstreet">D&B</abbr> document search for a lodged document that contains the name and signature of the applicant and proves the rights of the applicant over the company name.</li> <h3>
3.1 Registries
<ol type="a">
<li>Australian Securities and Investments Commission ("ASIC") [<a title="Australian Securities and Investments Commission" href=""></a>]<br />
<ol type="i"> <ol type="i">
<li>National Names Index [<a title="National Names Index" href=""></a>]<br />
<li>Such a document could be a "Company Check" or "Business Check" (see <ahref=""></a>).</li> </li>
<li>This document should be made available to the OA by hyperlink to the <abbr title="Australian Securities and Investments Commission">ASIC</abbr> or <abbr title="Dune and Bradstreet">D&B</abbr> web site ensuring its authenticity or be an official extract (organisation is asked to carry the costs).</li> </li>
<li>Australian Taxation Office ("ATO") [<a title="Australian Taxation Office" href=""></a>]<br />
</ol> <ol type="i">
</li> <li>Australian Business Register ("ABR") [<a title="Australian Business Register" href=""></a>]<br />
<li>Where not available, an official document will be required from the company, subject to such checks as defined by the AO.</li> </ol>
<li>An acceptable alternative may be to place a randomly generated canonical name or text entry in the DNS zone file of the domain name in question. The randomly generated text is to be created by the OA and given to the the applicant with the COAP form. This process is to be approved by the AO for each organisation.</li> <li>AusRegistry [<a title="AusRegistry" href=""></a>]<br />
</ol> <li>.au ccTLD WHOIS [<a title="AusRegistry WHOIS" href=""></a>]<br />
<li>If copies of official extracts from the official register are provided, they must be officially certified.</li> </ol>
<li>The AO maintains a list of which specific documents and tests can be acceptable for certain types of organisations.</li> </li>
<li>The OA can ask for additional documents if needed to validate required information for the assurance process.</li> </ol>
</ol> <h3>
3.2 Agents
<h2>3.3 COAP</h2> </h3>
In addition to the checks defined in the policy, the COAP form for Australian organisations requires:
<ol type="a"> <ol type="a">
<li>Signatures from organisation officials meeting the following requirements</li> <li>ASIC
<br />
<ol type="i"> <ol type="i">
<li>as legally specified for the type of organisation</li> <li>ASIC Information Brokers [<a title="ASIC Information Brokers" href=""></a>]
<li>as specified in the official documents (i.e. the excerpt from the register)</li> </li>
<li>as delegated within the organisation (proof of delegation needed)</li> <li>ASIC Service Centers [<a title="ASIC Service Centers" href=""></a>]
<li>The organisation must agree to the terms of the <strong>CAcert Community Agreement</strong> by signing the COAP and will therefore be subject to Arbitration.</li> </li>
3.3 Identifiers
<ol type="a">
<li>Australian Company Number ("ACN") is a unique 9 digit identifying number assigned by ASIC when a body becomes registered as a company under corporations law.
<li>Australian Registered Body Number ("ARBN") is a unique 9 digit identifying number assigned by ASIC when a body is registered with them other than as a company, for example, foreign companies and registrable Australian bodies.<br />
<li>Australian Business Number ("ABN") is a unique 11 digit identifying number issued to all entities registered in the Australian Business Register (ABR).
</ol> </ol>
3.4 Documents
<ol type="a">
<li>ASIC Company Extract
</li><!--> <li>Certificate of Incorporation</li>
<li>Certificate of Registration of Business Name</li>-->
</ol> </ol>
<h2>3.4 Acceptable Search Process</h2> 4. Processes
An Australian Organisational Assurance must be preceded with the following searches, documents and agreements: <h3>
4.1 Assurance
<ol type="a"> <ol type="a">
<li>Each person listed in an application MUST be individually assured and referenced by a confirmed email.
<li>To prove the organisation in question exists an <abbr title="Australian Securities and Investments Commission">ASIC</abbr> search is to be performed using the given organisation number. This can be performed at this site <a </li>
href=""></a>. A printout of this search should be made and retained.</li> <li>Sole traders operating under their own name CAN be automatically approved without further checks.
<li>This search can be extended with a <abbr title="Dune and Bradstreet">D&B</abbr> search which should also give the contact phone number for this company. This search can be performed at this site <ahref=""></a>. A copy of this search should be printed and retained. The phone number can be compared with any phone numbers provided by the applicant if any.</li> <li>All other trading names (including companies) MUST be verified against the National Names Index and/or Australian Business Register, where the status MUST be 'Registered' or 'Active' respectively.
<li>To help establish a link between the domain name and the company name a whois search is to be conducted and the registered business name compared to the ASIC search result.</li> <li>Partnership applicants MUST additionally be verified in these registers as a current individual member.
<li>The organisation name and number should be consistent throughout:<br> <li>Company applications MUST be made by an individual who is duly authorised to sign on behalf of the company:
<ol type="i"> <ol type="i">
<li>in the search documents both ASIC and whois.</li> <li>Officeholder applicants (directors and secretaries) MUST be verified in an "ASIC Company Extract" which is to be obtained for a fee (reclaimable from the applicant) by the OA from an ASIC Service Center or ASIC Information Broker.
<li>on the COAP form.</li> </li>
<li>and in the CAcert database.</li> <li>Any other applicant MUST prove that they are duly authorised to sign on behalf of the entity (for example via delegation and/or under replacible rules) to the satisfaction of the OA, for approval by the AO.
</ol></li> </li>
4.2 Domain Names
<ol type="a">
<li>.au ccTLD WHOIS contains organisation information (including identifiers where applicable) which MUST exactly match the organisation's details.
<li>Any other domain names MUST exactly match the organisation's details for the registrant (or equivalent) or be subject to technical verification measures.
</ol> </ol>
</body> </body>
</html> </html>
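Review bot: Section 4.2 item b allows a non-.au domain to pass by being "subject to technical verification measures", but the new text never says what those measures are. The removed 3.2 text did define one: a randomly generated canonical name or text entry, created by the OA, placed in the DNS zone of the domain in question and approved by the AO for each organisation. Carry that definition over into 4.2, or reference the document that now holds it, so the fallback is not left to each OA's discretion. In 4.1 item b, "CAN be automatically approved without further checks" reads as conflicting with item a, which requires every listed person to be individually assured; state that the sole trader's name is checked against that individual assurance and that "further checks" means registry checks only. Also in 4.1, "replacible rules" should be "replaceable rules".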
