fixing images, the original seems to have gone into permanent conflict

git-svn-id: http://svn.cacert.org/CAcert/Policies@1938 14b1bab8-4ef6-0310-b690-991c95c89dfd

TTP-AssistedAssurancePolicy.html

@@ -0,0 +1,290 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
+ "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+  <title> CACert -- TTP-Assisted Assurance Policy </title>
+<style type="text/css">
+<!--
+.q {
+        color : green;
+        text-indent : 2em;
+        font-weight: bold;
+        font-style:italic;
+}
+.error {
+        color : red;
+        font-weight: bold;
+        text-align: center;
+        font-style:italic;
+}
+.change {
+        color : blue;
+        font-weight: bold;
+}
+-->
+</style>
+
+ </head>
+
+ <body>
+  <h1> TTP-Assisted Assurance Policy </h1>
+
+  <p>
+   <a href="PolicyOnPolicy.html"><img align="right" src="images/cacert-wip.png" alt="CAcert Policy Status" height="31" width="88" style="border-style: none;" /></a>
+   Editor: Iang<br />
+   Creation Date : <a href="https://svn.cacert.org/CAcert/Assurance/Minutes/20091215HamburgMiniTOP.html">20091215</a><br />
+   Status: WIP 20100202<br />
+  </p>
+
+  <h2> <a name="0"> 0. </a> Preliminaries </h2>
+  <p>
+   This sub-policy extends the
+   <a href="//www.cacert.org/policy/AssurancePolicy.php">
+   Assurance Policy</a> ("AP" => COD13)
+   by specifying how Assurers can be assisted by
+   outsourcing the identity documents verification
+   component of assurance to trusted third parties (TTPs).
+  </p>
+
+  <h2> <a name="1"> 1. </a> Scope </h2>
+  <p>
+   This sub-policy is restricted to members located
+   in areas not well-served with Assurers.
+  </p>
+
+  <h2> <a name="1"> 2. </a> Roles </h2>
+
+  <h3> <a name="1"> 2.1 </a> Trusted Third Party </h3>
+  <p>
+   A Trusted Third Party ("TTP") is a person who is traditionally respected
+   for making reliable statements to others, especially over identification
+   documents.  Typically, notaries public (anglo),
+   Notaries (European), bank managers, accountants
+   and lawyers.
+  </p>
+  <p>
+   The Board maintains a list of approved classes of TTP
+   and forms of documents.
+   The list is expected to vary according to the
+   different juridical traditions of different regions.
+  </p>
+
+  <h3> <a name="2.2"> 2.2 </a> The Assurer </h3>
+  <p>
+   To employ a TTP in an assurance,
+   the Assurer must have 50 experience points,
+   and pass other checks as imposed by the Board
+   from time to time.
+   The Assurer must be familiar with the local
+   language and customs.
+  </p>
+
+  <h3> <a name="2.3"> 2.3 </a> Member </h3>
+
+  <p>
+   A Member ("assuree") who is located in a place not well-served
+   by Assurers may use the TTP-assisted Assurance.
+  </p>
+
+  <h2> <a name="3"> 3. </a> The Assurance </h2>
+
+  <p>
+   These steps are taken.
+  </p>
+
+  <h3> <a name="3.1"> 3.1 </a> Preliminaries  </h3>
+  <ol> <li>
+    <p>
+    The Member creates her account
+    and attempts to be assured by the routine face-to-face process.
+    </p>
+   </li><li>
+    <p>
+    Once determining that none are conveniently located,
+    the Member contacts an Assurer who is enabled to
+    conduct TTP-assisted assurances in the region.
+    </p>
+   </li><li>
+    <p>
+    The Assurer confirms that the Member 
+    agrees to the CAcert Community Agreement (CCA),
+    including the Dispute Resolution Policy (DRP).
+    </p>
+   </li><li>
+    The Assurer confirms that standard Assurances do not meet
+    the needs of the Member.
+<span class="change">
+    This is only likely in areas not well-served with Assurers.
+</span>
+    </p>
+   </li><li>
+    <p>
+    The Member and Assurer must negotiate the selection of TTPs
+    and the provision of adequate identification documents to the TTP.
+    Each TTP can only be used once (within one assurance for this Member).
+    </p>
+
+    <p class="q">iang:  this may suggest a Patch required to the system that permits the Assurer to check other TTP Assurances of the member.</p>
+   </li><li>
+     Assurer agrees to conduct the TTP-assisted Assurance,
+     and gives the Member a Token.
+   </li></ol>
+
+  <h3> <a name="3.2"> 3.2 </a> Face-to-face meeting with the TTP  </h3>
+   <ol><li>
+   <p>
+    The TTP and the Member meet face-to-face.
+   </p>
+   </li><li>
+   <p>
+    The TTP shall confirm that:
+   </p>
+   <ol type="a"><li>
+     The Member agrees to the CCA.
+    </li><li>
+     The Name and Date of Birth details recorded on the form
+     are matched by those in the identity documents.
+    </li><li>
+     The method (document type and issuer, not numbers)
+     by which the Name and DoB details are matched
+     is stated on the form.
+    </li><li>
+     Location of the meeting.
+    </li><li>
+     Contact details for the TTP
+    </li><li>
+     Assurer's Name and Token.
+   </li></ol>
+
+   </li><li>
+   <p>
+    The TTP shall use either the local form of document
+    (on CAcert's approved list), or a CAcert-provided form.
+   </p>
+
+   </li><li>
+   <p>
+    The TTP shall log the event by their customary means,
+    including the Assurer's Name and Verification Token.
+   </p>
+    <p class="q">Old: leaving a Remote Assurance Form and copies of identity documents with the TTP for at least 60 days</p>
+   </li><li>
+
+    <p>
+     The paperwork is sent to the Assurer by the TTP.
+    </p>
+     <span class="q">
+      <p>Old: sending a Remote Assurance Form and copies of identity documents to the Assurer by mutually agreed medium (eg post, web form or encrypted email).</p>
+      <p>iang:  this clause <B>is similar</B> to the requirement DRC C.9.b:</p>
+        <blockquote><u>"RAs provide the CA with complete documentation on each verified applicant for a certificate."</u></blockquote>
+      <p>What is different is that the criteria requires the TTP to send the form, not the Member.</p>
+     </span>
+  </li></ol>
+
+ <h3> <a name="3.3"> 3.3 </a> Completion of the Assurance  </h3>
+   <ol><li>
+    <p>
+     The Assurer must confirm the assurance using the paperwork,
+    </p><p>
+    The Assurer must
+    be satisfied as to the identity and competency of the TTP
+    in identification procedures,
+    as though they were to be conducting the assurance themselves
+   </p>
+     <span class="q">
+     <p>iang:  this clause would probably meet DRC C.9.a:
+       <blockquote><u>"When the CA uses an external registration authority (RA), each RA is positively identified by CA personnel before being authorized to verify identities of subscribers and authorizations of individuals to represent organizational subscribers (see §A.2.v)."</u></blockquote>
+       For that reason, the above clause should be considered strongly,
+       and either discussed further in the Handbook, or include these
+       other Older suggestions:
+       <p>RA MUST authenticate the TTP to their satisfaction by:
+       </p>
+         <ol style="list-style-type: lower-roman;">
+          <li>searching for their details in an appropriate, official public registry (eg government site, association registry, telephone book) </li>
+          <li>contacting the TTP using these details to verify their identity </li>
+          <li>verifying that the TTP is suitable in terms of meeting the requirements of this policy </li>
+          <li>verifying that the meeting did indeed take place and that the Assuree was adequately identified </li>
+         </ol>
+       </span><br />
+     </i></blockquote>
+
+   </li><li>
+     The Assurer may contact the TTP, quoting Name and Verification Token.
+   </li><li>
+     On completion of the assurance, the Assurer
+     allocates standard full Assurance Points
+     (35 at time of writing)
+     to the Member.
+     Given the work involved, the Assurer should
+     strive to ensure that full points are allocated
+     by for example requesting any rework required.
+
+     <p class="q">iang:  this clause might be better off in the Handbook.  Dominik+1</p>
+    </li><li>
+     The assurance must be entered into the system
+     using the TTP flag/method.
+    </li><li>
+     The paperwork is held by the Assurer
+     according to the normal Assurance Policy rules
+     (at time of writing, for 7 years,
+     and available to Arbitrators only).
+
+   </li> </ol>
+
+  <h2> <a name="4"> 4. </a> Assurance Officer ("AO") </h2>
+  <p>
+   The Board routinely delegates its responsibilities to the
+   Assurance Officer (and this section assumes that, but does
+   not require it).
+  </p>
+
+  <p>
+   A report is requested annually from the Assurance Officer
+   on performance of this policy for the association's
+   annual report.
+  </p>
+  <p>
+   Assurance Officer should prepare documentation
+   to support the TTP-assisted Assurance, including:
+  </p>
+  <ul><li>
+     Form for TTPs
+    </li><li>
+     Guide for TTPs.
+    </li><li>
+     Form for TTP-assisted assurance (used by Assurer)
+    </li><li>
+     Guide for Assurers.
+    </li><li>
+     Mechanisms for contacting Assurers available for
+     TTP-assisted Assurances.
+  </li></ul>
+  <p>
+    The Assurance Officer maintains
+    a list of classes of TTPs, divided into regions.
+    Changes to the regional lists are prepared by
+    either an Organisation Assurer for that region
+    (as described by OAP)
+    or by two Assurers familiar with the traditions
+    in that region.
+    Changes are then submitted to the Board for approval.
+  </p>
+  <p>
+   Use of a TTP not on the list must be approved by Board.
+<span class="change">
+   It is an explicit goal to reduce the usage of
+   TTP-assisted Assurances in favour of face-to-face Assurance.
+</span>
+  <p>
+
+  <p>
+    In coordination with internal and external auditors,
+    the Assurance Officer shall design and implement a
+    suitable programme to meet the needs of audit.
+    Where approved by auditors or Board, the Assurance
+    Officer may document and implement minor variations to this policy.
+  </p>
+
+ </body>
+</html>