Made definitions clear, well defined and consistant in use. Capitalized defines words. Deleted paragraphs about discussion stuff as those should be in wiki page on this topic.
git-svn-id: http://svn.cacert.org/CAcert/Policies@861 14b1bab8-4ef6-0310-b690-991c95c89dfd
This commit is contained in:
parent
aafee15734
commit
79333d0420
1 changed files with 183 additions and 190 deletions
|
@ -4,7 +4,7 @@
|
||||||
<html xmlns="http://www.w3.org/1999/xhtml">
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
||||||
<head>
|
<head>
|
||||||
<title>
|
<title>
|
||||||
Assurance Poilicy
|
Assurance Policy
|
||||||
</title>
|
</title>
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
|
@ -24,55 +24,72 @@
|
||||||
<h2 >0. Preamble</h2>
|
<h2 >0. Preamble</h2>
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
Assurance is the process by which a member of CAcert identifies another member.
|
Definitions of terms:
|
||||||
With sufficient assurances, a member may (a) issue certificates with their names included, (b) participate in assuring others, and (c) other related activities.
|
<dl>
|
||||||
|
<dt><em>Assurance</em></dt>
|
||||||
|
<dd>Assurance is the process by which a Member of CAcert Community (Assurer) identifies an individual (Assuree).
|
||||||
|
<br>
|
||||||
|
With sufficient assurances, a Member may (a) issue certificates with their Names included, (b) participate in assuring others, and (c) other related activities.
|
||||||
The strength of these activities is based on the strength of the assurance.
|
The strength of these activities is based on the strength of the assurance.
|
||||||
|
</dd>
|
||||||
|
<dt><em>Member</em></dt>
|
||||||
|
<dd>An individual who has agreed to the CAcert Community agreement and has created successfully a CAcert (web)account on http://www.cacert.org.
|
||||||
|
<dt><em>Name</em></dt>
|
||||||
|
<dd>A Name is the full name (first name(s), family name(s), name extensions,abreviation of name(s), etc.) of an individual. The Name is technically spoken a string exactly taken from a governemental issued photo ID. Transliteration of characters to a character table defined by CAcert is permitted.
|
||||||
|
</dd>
|
||||||
|
<dt><em>Secundary Distinguished Feature</em> (DoB)</dt>
|
||||||
|
<dd>A Name for an individual is discrimated from similar full names by a secondary distinguished feature, as recorded on the on-line CAcert (web) account.
|
||||||
|
Currently this is the date of birth (DoB) of the individual.
|
||||||
|
</dd>
|
||||||
|
</dl>
|
||||||
<p >
|
<p >
|
||||||
|
|
||||||
<h3 >The CAcert Web of Trust</h3>
|
<h3 >The CAcert Web of Trust</h3>
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
Each assurance claims a number of points, applied to the assured member.
|
Each assurance claims a number of Assurance Points, applied to the assured Member or Member prospect.
|
||||||
By combining the assurances, and the points, CAcert constructs a global <em>web of trust</em> ("WoT").
|
By combining the assurances, and the Assurance Points, CAcert constructs a global <em>Web of Trust</em> ("WoT").
|
||||||
<p >
|
<p >
|
||||||
CAcert explicitly chooses to meet its various goals by construction of a web of trust of all members.
|
CAcert explicitly chooses to meet its various goals by construction of a web-of-trust of all Members.
|
||||||
This is done by members meeting face-to-face, identifying and sharing claims in a network.
|
This is done by face-to-face meeting, identifying and sharing claims in a network.
|
||||||
Maintaining a sufficient strength for the web of trust is a high-level objective of the Assurance process.
|
Maintaining a sufficient strength for the web-of-trust is a high-level objective of the Assurance process.
|
||||||
<p >
|
<p >
|
||||||
|
|
||||||
|
|
||||||
<h3 >Related Documentation</h3>
|
<h3 >Related Documentation</h3>
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
Documentation on Assurance is split between this policy and the <a href="/wiki/AssuranceHandbook2">Assurance Handbook</a>.
|
Documentation on Assurance is split between this Assurance Policy (AP) and the <a href="/wiki/AssuranceHandbook2">Assurance Handbook</a>.
|
||||||
The policy is controlled by <a href="/wiki/PolicyDrafts/ConfigurationControlSpecification">CCS</a> under <a class="http" href="http://www.cacert.org/policy/PolicyOnPolicy.php">PoP</a>.
|
The policy is controlled by <a href="/wiki/PolicyDrafts/ConfigurationControlSpecification">Configuration Control Specification (CCS)</a> under <a class="http" href="http://www.cacert.org/policy/PolicyOnPolicy.php">Policy of Policy (PoP)</a> policy documents.
|
||||||
|
<br>
|
||||||
Because Assurance is an active area, much of the practice is handed over to the Assurance Handbook, which is not a controlled document, and can more easily respond to experience and circumstances.
|
Because Assurance is an active area, much of the practice is handed over to the Assurance Handbook, which is not a controlled document, and can more easily respond to experience and circumstances.
|
||||||
It is also more readable.
|
It is also more readable.
|
||||||
<p >
|
<p >
|
||||||
See also <a class="http" href="http://www.cacert.org/policy/OrganisationAssurancePolicy.php">Organisation Assurance Policy</a> and <a class="http" href="http://svn.cacert.org/CAcert/policy.htm">CPS</a>.
|
See also <a class="http" href="http://www.cacert.org/policy/OrganisationAssurancePolicy.php">Organisation Assurance Policy (OAP)</a> and <a class="http" href="http://svn.cacert.org/CAcert/policy.htm">CAcert Policy Statement (CPS)</a>.
|
||||||
<p >
|
<p >
|
||||||
|
|
||||||
|
|
||||||
<h2 >1. Purpose</h2>
|
<h2 >1. Purpose</h2>
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
The purpose of Assurance is to add confidence in the Assurance Statement made of a Member by the Community.
|
The purpose of Assurance is to add confidence in the Assurance Statement made of a Member by the CAcert Community.
|
||||||
<p >
|
<p >
|
||||||
|
|
||||||
<h3 >The Assurance Statement</h3>
|
<h3 >The Assurance Statement</h3>
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
The following claims can be made about a person who is assured: <ol type="1">
|
The following claims can be made about a person who is assured:
|
||||||
<li> The person is a bona fide CAcert Member.
|
<ol type="1">
|
||||||
In other words, the person is a member of the CAcert Community, as defined by the CAcert Community Agreement.
|
<li> The person is a bona fide Member.
|
||||||
|
In other words, the person is a member of the CAcert community, as defined by the CAcert Community Agreement (CCA).
|
||||||
</li>
|
</li>
|
||||||
<li> The Member has a login account with CAcert's online registration and service system.
|
<li> The Member has a (login) (web)Account with CAcert's on-line registration and service system.
|
||||||
</li>
|
</li>
|
||||||
<li> The Member account can be determined from any certificate issued by the account.
|
<li> The Member (Name) can be determined from any certificate issued by the Account.
|
||||||
</li>
|
</li>
|
||||||
<li> The Member is bound into CAcert's Arbitration.
|
<li> The Member is bound into CAcert's Arbitration (as defined by the CCA).
|
||||||
</li>
|
</li>
|
||||||
<li> Some personal details of the Member (names, emails, Date of Birth) are known to CAcert.
|
<li> Some personal details of the Member (Name(s), primary and other listed email address(es), secundary distinguished feature (eg DoB)) are known to CAcert.
|
||||||
</li></ol>
|
</li></ol>
|
||||||
<p >
|
<p >
|
||||||
The confidence level of the Assurance Statement is expressed by the Assurance Points.
|
The confidence level of the Assurance Statement is expressed by the Assurance Points.
|
||||||
|
@ -84,10 +101,10 @@ The confidence level of the Assurance Statement is expressed by the Assurance Po
|
||||||
<p >
|
<p >
|
||||||
The primary goal of the Assurance Statement is to meet the needs of the <em>Relying Party Statement</em>, which latter is found in the Certification Practice Statement (<a class="http" href="http://svn.cacert.org/CAcert/policy.htm">CPS</a>) for the express purpose of certificates.
|
The primary goal of the Assurance Statement is to meet the needs of the <em>Relying Party Statement</em>, which latter is found in the Certification Practice Statement (<a class="http" href="http://svn.cacert.org/CAcert/policy.htm">CPS</a>) for the express purpose of certificates.
|
||||||
<p >
|
<p >
|
||||||
When a certificate is issued, some or all of the Assurance Statement may be incorporated (e.g., name) or implied (e.g., membership or status) into the certificate and be part of the <em>Relying Party Statement</em>.
|
When a certificate is issued, some or all of the Assurance Statement may be incorporated (e.g., name) or implied (e.g., Membership or status) into the certificate and be part of the <em>Relying Party Statement</em>.
|
||||||
In short, this means that other Members of the Community may rely on the information verified by Assurance and found in the certificate.
|
In short, this means that other Members of the Community may rely on the information verified by Assurance and found in the certificate.
|
||||||
<p >
|
<p >
|
||||||
In particular, certificates are sometimes considered to provide reliable indications of the member's Name.
|
In particular, certificates are sometimes considered to provide reliable indications of the Member's Name.
|
||||||
The nature of Assurance, the number of Assurance Points, and other policies and processes should be understood as limitations on any reliance.
|
The nature of Assurance, the number of Assurance Points, and other policies and processes should be understood as limitations on any reliance.
|
||||||
<p >
|
<p >
|
||||||
|
|
||||||
|
@ -95,21 +112,23 @@ The nature of Assurance, the number of Assurance Points, and other policies and
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
|
|
||||||
<h3 >Names</h3>
|
<h3 >Name(s)</h3>
|
||||||
|
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
The general standard is that the name of the Member is as written on a government-issued Identity document.
|
The general standard is that the individual name of the Member is as written on a government-issued Identity (photo) document.
|
||||||
<p >
|
<p >
|
||||||
<em>For more details see the <a href="/wiki/PolicyDrafts/PolicyOnNames">PolicyDrafts/PolicyOnNames</a>, where the discussion is carried on.
|
<em>For more details see the <a href="/wiki/PolicyDrafts/PolicyOnNames">PolicyDrafts/PolicyOnNames</a>, where the discussion is carried on.
|
||||||
This page will be copied into here when the discussion is complete.</em>
|
This page will be copied into here when the discussion is complete.</em>
|
||||||
<p >
|
<p >
|
||||||
<strong>Multiple Names.</strong> A Member may have multiple names.
|
<strong>Multiple Names</strong>
|
||||||
For example, married names, variations of initials of first or middle names, and different language or country variations.
|
<br>
|
||||||
An individual name must be assured to the applicable level.
|
A Member may have multiple individual Names.
|
||||||
That is, each name to 50 points to be used in a certificate, and one name at least to 100 points to be an Assurer.
|
For example, married name, variations of initials of first or middle names, abbreviation of a first name, different language or country variations and transliterations of characters in a name.
|
||||||
<p >
|
Each individual Name must be assured to the applicable level.
|
||||||
(<em>Note that the Account system has not yet been changed to implement the multiple name feature.</em>)
|
That is, each Name to 50 Assurance Points to be used in a certificate.
|
||||||
|
<br>
|
||||||
|
For an Assurer at least one Name must have at least to 100 Assurance Points.
|
||||||
<p >
|
<p >
|
||||||
|
|
||||||
<h3 >Capabilities</h3>
|
<h3 >Capabilities</h3>
|
||||||
|
@ -131,17 +150,17 @@ A Member has the following capabilities derived from Assurance:
|
||||||
<tr align=left valign=top>
|
<tr align=left valign=top>
|
||||||
<td align=center>50</td>
|
<td align=center>50</td>
|
||||||
<td>request named certificates</td>
|
<td>request named certificates</td>
|
||||||
<td>the name and Assurance Statement is assured to 50 points or more</td>
|
<td>the name and Assurance Statement is assured to 50 Assurance Points or more</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr align=left valign=top>
|
<tr align=left valign=top>
|
||||||
<td align=center>100</td>
|
<td align=center>100</td>
|
||||||
<td>become an Assurer</td>
|
<td>become an Assurer</td>
|
||||||
<td>assured to 100 points or more, and other requirements listed below</td>
|
<td>assured to 100 Assurance Points or more, and other requirements listed below</td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody></table></div>
|
</tbody></table></div>
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
The CPS and other policies may list other capabilities that rely on Assurance Points.
|
The CAcert Policy Statement (CPS) and other policies may list other capabilities that rely on Assurance Points.
|
||||||
<p >
|
<p >
|
||||||
|
|
||||||
<h2 >3. The Assurer</h2>
|
<h2 >3. The Assurer</h2>
|
||||||
|
@ -160,72 +179,65 @@ The Assurer Challenge is administered by the Education Team on behalf of the Ass
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
The Assurer is obliged to: <ul>
|
The Assurer is obliged to: <ul>
|
||||||
<li>follow this Assurance Policy,
|
<li>Follow this Assurance Policy;
|
||||||
</li>
|
</li>
|
||||||
<li>follow any additional rules of detail laid out by the Assurance Officer,
|
<li>Follow any additional rules of detail laid out by the Assurance Officer;
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<p >
|
<p >
|
||||||
be guided by the <a href="/wiki/AssuranceHandbook2">Assurance Handbook</a> in their judgement,
|
Be guided by the <a href="/wiki/AssuranceHandbook2">Assurance Handbook</a> in their judgement;
|
||||||
</li>
|
</li>
|
||||||
<li>make a good faith effort at identifying and verifying Members,
|
<li>Make a good faith effort at identifying and verifying Members;
|
||||||
</li>
|
</li>
|
||||||
<li>maintain the documentation on each Assurance,
|
<li>Maintain the documentation on each Assurance;
|
||||||
</li>
|
</li>
|
||||||
<li>deliver documentation to Arbitration, or as otherwise directed by the Arbitrator, and
|
<li>Deliver documentation to Arbitration, or as otherwise directed by the Arbitrator;
|
||||||
</li>
|
</li>
|
||||||
<li>keep up-to-date with developments within the CAcert Community.
|
<li>Keep up-to-date with developments within the CAcert Community.
|
||||||
</li></ul>
|
</li></ul>
|
||||||
<p >
|
<p >
|
||||||
<em>Comment: <strong>New.</strong> derived from earlier section, and other conventions.
|
|
||||||
Should be discussed, agreed.</em>
|
|
||||||
<p >
|
|
||||||
|
|
||||||
|
|
||||||
<h2 >4. The Assurance</h2>
|
<h2 >4. The Assurance</h2>
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
|
|
||||||
<h3 >The process</h3>
|
<h3 >The Assurance Process</h3>
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
The Assurer conducts the process of Assurance with each Member.
|
The Assurer conducts the process of Assurance with each Member.
|
||||||
<p >
|
<p >
|
||||||
The process consists of <ol type="1">
|
The process consists of:
|
||||||
<li>voluntary agreement by both Assurer and Member to conduct the Assurance.
|
<ol type="1">
|
||||||
|
<li>Voluntary agreement by both Assurer and Member or prospect Member to conduct the Assurance;
|
||||||
</li>
|
</li>
|
||||||
<li>personal meeting of Assurer and Member
|
<li>Personal meeting of Assurer and Member or prospect Member;
|
||||||
</li>
|
</li>
|
||||||
<li>recording of essential details on CAP form (below).
|
<li>Recording of essential details on CAP form (below);
|
||||||
</li>
|
</li>
|
||||||
<li>examination of Identity documents by Assurer and verification of recorded details.
|
<li>Examination of Identity documents by Assurer and verification of recorded details (Name(s) and secundary distinguishing feature, eg DoB);
|
||||||
</li>
|
</li>
|
||||||
<li>allocation of Assurance Points by Assurer.
|
<li>Allocation of Assurance Points by Assurer;
|
||||||
</li>
|
</li>
|
||||||
<li>safe keeping of the CAP forms by Assurer.
|
<li>Optional: supervision of reciprocal Assurance made by Assuree (Mutual Assurance);
|
||||||
|
</li>
|
||||||
|
<li>Safe keeping of the CAP forms by Assurer.
|
||||||
</li></ol>
|
</li></ol>
|
||||||
<p >
|
<p >
|
||||||
|
|
||||||
<h3 >Mutual Assurance</h3>
|
<h3 >Mutual Assurance</h3>
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
Assurance follows the principle of reciprocity.
|
Mutual Assurance follows the principle of reciprocity.
|
||||||
This means that it may be two-way, and that each member should be able to show evidence of their status to the other.
|
This means that the Assurance may be two-way, and that each member participating in the Assurance procedure should be able to show evidence of their identity to the other.
|
||||||
<p >
|
<p >
|
||||||
In the event that an Assurer is assured by a Member who is not certified as an Assurer, the Assurer supervises the process and is responsible for the results.
|
In the event that an Assurer is assured by a Member who is not certified as an Assurer, the Assurer supervises the Assurance procedure and process, and is responsible for the results.
|
||||||
<p >
|
<p >
|
||||||
Reciprocity maintains a balance between the new Member and the Assurer, and reduces any sense of power.
|
Reciprocity maintains a balance between the (new) Member and the Assurer, and reduces any sense of power.
|
||||||
It is also an important aid to training for future Assurers.
|
It is also an important aid to the assurance training for future Assurers.
|
||||||
<p >
|
<p >
|
||||||
<em>Non-policy Notes:</em> <ul>
|
<em>Evidence of Assurer status</em>
|
||||||
<li>
|
<br>
|
||||||
<p >
|
On the question of providing evidence that one is an Assurer, <a class="http" href="http://svn.cacert.org/CAcert/policy.htm#p3.2">CAcert Policy Statement (CPS) says</a>: <em>The level at which each Member is Assured is public data. The number of Assurance Points for each Member is not published.</em>.
|
||||||
<em>the Account system has not yet been changed to implement the non-Assurer reciprocity feature.</em>
|
|
||||||
</li>
|
|
||||||
<li>
|
|
||||||
<p >
|
|
||||||
<em>On the question of providing evidence that one is an Assurer, <a class="http" href="http://svn.cacert.org/CAcert/policy.htm#p3.2">CPS says</a>: <strong>The level at which each Member is Assured is public data. The number of points for each Member is not published.</strong> That would answer the need, implementation pending ...</em>
|
|
||||||
</li></ul>
|
|
||||||
<p >
|
<p >
|
||||||
|
|
||||||
|
|
||||||
|
@ -234,60 +246,40 @@ It is also an important aid to training for future Assurers.
|
||||||
<p >
|
<p >
|
||||||
The Assurance applies Assurance Points to each Member which measure the increase of confidence in the Statement (above).
|
The Assurance applies Assurance Points to each Member which measure the increase of confidence in the Statement (above).
|
||||||
Assurance Points should not be interpreted for any other purpose.
|
Assurance Points should not be interpreted for any other purpose.
|
||||||
Note that, even though they are sometimes referred to as <em>Web-of-Trust</em> points, or <em>Trust</em> points, the meaning of the word 'trust' is not well defined.
|
Note that, even though they are sometimes referred to as <em>Web-of-Trust</em> (Assurance) Points, or <em>Trust</em> Points, the meaning of the word 'trust' is not well defined.
|
||||||
<p >
|
<p >
|
||||||
<strong>Allocation.</strong> An Assurer can allocate a number of Assurance Points to the Member according to the Assurer's Experience, see below.
|
<em>Assurance Points Allocation.</em>
|
||||||
The allocation of the maximum means that the Assurer is 100% confident in the information presented: <ul>
|
<br>An Assurer can allocate a number of Assurance Points to the Member according to the Assurer's experience (Experience Point system, see below).
|
||||||
<li>detail on form, system, documents, person in accordance,
|
The allocation of the maximum means that the Assurer is 100% confident in the information presented:
|
||||||
|
<ul>
|
||||||
|
<li>Detail on form, system, documents, person in accordance;
|
||||||
</li>
|
</li>
|
||||||
<li>sufficient quality identity documents have been checked,
|
<li>Sufficient quality identity documents have been checked;
|
||||||
</li>
|
</li>
|
||||||
<li>the Assurance Statement is confirmed.
|
<li>Assurer's familiarity with identity documents;
|
||||||
|
</li>
|
||||||
|
<li>The Assurance Statement is confirmed.
|
||||||
</li></ul>
|
</li></ul>
|
||||||
<p >
|
<p >
|
||||||
Any lesser confidence should give less points. If the Assurer has no confidence in the information presented, then zero points may be allocated.
|
Any lesser confidence should give less Assurance Points for a Name. If the Assurer has no confidence in the information presented, then <em>zero </em> Assurance Points may be allocated by the Assurer.
|
||||||
For example, this may happen if the identity documents are totally unfamiliar to the Assurer.
|
For example, this may happen if the identity documents are totally unfamiliar to the Assurer.
|
||||||
The number of points from zero to maximum is guided by the Assurance Handbook and the judgement of the Assurer.
|
The number of Assurance Points from <em>zero</em> to <em>maximum </em> is guided by the Assurance Handbook and the judgement of the Assurer.
|
||||||
<p >
|
<p >
|
||||||
Multiple names (fields for reliance in certs) should be allocated separately in a single Assurance.
|
Multiple Names (fields for reliance in certificates) should be allocated separately in a single Assurance.
|
||||||
That is, the Assurer may allocate the maximum to one name, half that amount to another name, and zero to a third name.
|
That is, the Assurer may allocate the maximum to one Name, half that amount to another Name, and zero to a third Name.
|
||||||
<p >
|
<p >
|
||||||
A Member who is not an Assurer may award an Assurer in a reciprocal process a maximum of 2 Assurance Points, according to Member's judgement.
|
A (new) Member who is not an Assurer may award an Assurer in a reciprocal process a maximum of 2 Assurance Points, according to his judgement.
|
||||||
The Assurer should strive to have the Member allocate according to the Member's judgement, and err on the cautious side; a Member new to the process should allocate zero points until they get some confidence in what is happening.
|
The Assurer should strive to have the Member allocate according to the Member's judgement, and stay on the cautious side; a (new) Member new to the assurance process should allocate <em>zero</em> Assurance Points until they get some confidence in what is happening.
|
||||||
<p >
|
<p >
|
||||||
No assurance process can give more than 50 points.
|
No Assurance process can give more than 50 Assurance Points per Name.
|
||||||
This means that to reach 50 points, a Member must have been assured at least once.
|
This means that to reach 50 Assurance Points (certificate with a Name), a Member must have been assured at least once.
|
||||||
To reach 100 points, a Member must have been assured at least twice.
|
To reach 100 Assurance Points, at least one Name of the Member must have been assured at least twice.
|
||||||
<p >
|
<p >
|
||||||
<em>Non-policy Notes:</em> <ul>
|
|
||||||
<li>
|
|
||||||
<p >
|
|
||||||
<em>what form of assurance would exceed 50 points?</em> <ul>
|
|
||||||
<li>
|
|
||||||
<p >
|
|
||||||
<em>In the past, TTPs gave 75 points each.
|
|
||||||
Designed to give 150 points for two TTPs which creates an Assurer.
|
|
||||||
This is now scaled back to 50 points, per TTP.</em>
|
|
||||||
</li>
|
|
||||||
<li>
|
|
||||||
<p >
|
|
||||||
<em>In the past, <a href="/wiki/SuperAssurers">SuperAssurers</a> gave up to 150 points, as an old idea to seed an area with (full) Assurers.
|
|
||||||
This is no longer applicable as the Assurer Challenge will stop any "easy" Assurer creation.
|
|
||||||
Therefore Super-Assurer would now only work to Assure people.</em>
|
|
||||||
</li>
|
|
||||||
<li>
|
|
||||||
<p >
|
|
||||||
<em> <a href="/wiki/SuperAssurers">SuperAssurers</a> being limited to 50 points means that they can still bring people up to Assured level without any additional change.
|
|
||||||
Pending writing of policy.</em>
|
|
||||||
</li></ul>
|
|
||||||
</li></ul>
|
|
||||||
<p >
|
|
||||||
|
|
||||||
|
|
||||||
<h3 >Experience Points</h3>
|
<h3 >Experience Points</h3>
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
The maximum number of Assurance Points that may be awarded by an Assurer is determined by the Assurer's Experience Points.
|
The maximum number of Assurance Points that may be awarded by an Assurer is determined by the Experience Points of the Assurer.
|
||||||
<div><table border=1 cellspacing=0 width=15%>
|
<div><table border=1 cellspacing=0 width=15%>
|
||||||
<caption align=bottom>Assurance Points table</caption>
|
<caption align=bottom>Assurance Points table</caption>
|
||||||
<tr>
|
<tr>
|
||||||
|
@ -314,8 +306,10 @@ The maximum number of Assurance Points that may be awarded by an Assurer is dete
|
||||||
</table></div>
|
</table></div>
|
||||||
<p >
|
<p >
|
||||||
An Assurer is given a maximum of 2 Experience Points for every completed Assurance.
|
An Assurer is given a maximum of 2 Experience Points for every completed Assurance.
|
||||||
On reaching Assurer status, the points start at zero.
|
On reaching Assurer status, the Experience Points start at zero.
|
||||||
Less points (1) may be given for mass Assurance events, where each Assurance is quicker.
|
<p>
|
||||||
|
Less Experience Points (1) may be given for mass Assurance events, where each Assurance is quicker.
|
||||||
|
<p>
|
||||||
Additional Experience Points may be granted temporarily or permanently to an Assurer by CAcert Inc's Board, on recommendation from the Assurance Officer.
|
Additional Experience Points may be granted temporarily or permanently to an Assurer by CAcert Inc's Board, on recommendation from the Assurance Officer.
|
||||||
<p >
|
<p >
|
||||||
Experience Points are not to be confused with Assurance Points.
|
Experience Points are not to be confused with Assurance Points.
|
||||||
|
@ -323,88 +317,91 @@ Experience Points are not to be confused with Assurance Points.
|
||||||
<em>Comment: this part still needs to be agreed.</em>
|
<em>Comment: this part still needs to be agreed.</em>
|
||||||
<p >
|
<p >
|
||||||
|
|
||||||
<h3 >CAP Form</h3>
|
<h3 >CAcert Assurance Programme (CAP) form</h3>
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
The CAcert Assurance Programme Form requests the following details of each Member: <ul>
|
The CAcert Assurance Programme (CAP) form requests the following details of each Member or prospect Member:
|
||||||
<li>Name(s), as recorded in the online account,
|
<ul>
|
||||||
|
<li>Name(s), as recorded in the on-line account;
|
||||||
</li>
|
</li>
|
||||||
<li>primary email address, as recorded in the online account,
|
<li>Primary email address, as recorded in the on-line account;
|
||||||
</li>
|
</li>
|
||||||
<li>secondary distinguishing feature, as recorded in the online account (normally, date-of-birth),
|
<li>Secondary distinguishing feature, as recorded in the on-line account (normally, date of birth);
|
||||||
</li>
|
</li>
|
||||||
<li>Statement of agreement with the CAcert Community Agreement,
|
<li>Statement of agreement with the CAcert Community Agreement (CCA);
|
||||||
</li>
|
</li>
|
||||||
<li>Permission to the Assurer to conduct the Assurance (required for privacy reasons).
|
<li>Permission to the Assurer to conduct the Assurance (required for privacy reasons);
|
||||||
</li>
|
</li>
|
||||||
<li>Date and signature
|
<li>Date and signature of the Assuree.
|
||||||
|
</li></ul>
|
||||||
|
The CAP form requests the following details of the Assurer:
|
||||||
|
<ul>
|
||||||
|
<li>At least one Name as recorded in the on-line account of the Assurer;
|
||||||
|
</li>
|
||||||
|
<li>Assurance Points for each Name in the identity document(s);
|
||||||
|
</li>
|
||||||
|
<li>Statement of Assurance;
|
||||||
|
</li>
|
||||||
|
<li>
|
||||||
|
Optional: If the Assurance is reciprocal, then the Assurer's email address and secondary distinguishing feature are required as well.
|
||||||
|
</li>
|
||||||
|
<li>Date, location of Assurance and signature of Assurer.
|
||||||
</li></ul>
|
</li></ul>
|
||||||
<p >
|
<p >
|
||||||
If the assurance is not mutual, then the Assurer's email address and secondary distinguishing feature may be omitted.
|
The CAP forms are to be kept at least for 7 years by the Assurer.
|
||||||
<p >
|
|
||||||
The CAP forms are to be kept for 7 years by the Assurer.
|
|
||||||
<p >
|
<p >
|
||||||
|
|
||||||
|
|
||||||
<h2 >5. The Assurance Officer</h2>
|
<h2 >5. The Assurance Officer</h2>
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
The Board of CAcert Inc appoints an Assurance Officer with the following responsibilities: <ul>
|
The Commitee (Board) of CAcert Inc. appoints an Assurance Officer with the following responsibilities:
|
||||||
<li>reporting to the Board and advising on all matters to do with Assurance,
|
<ul>
|
||||||
|
<li>Reporting to the Board and advising on all matters to do with Assurance;
|
||||||
</li>
|
</li>
|
||||||
<li>training and testing of Assurers, in association with the Education Team,
|
<li>Training and testing of Assurers, in association with the Education Team;
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<p >
|
Updating this Assurance Policy, under the process established by <a class="https" href="https://www.cacert.org/policy/PolicyOnPolicy.php">Policy on Policy</a>;
|
||||||
updating this Assurance Policy, under the process established by <a class="https" href="https://www.cacert.org/policy/PolicyOnPolicy.php">Policy on Policy</a>,
|
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<p >
|
Management of all Subsidiary Policies (see below) for Assurances, under <a class="https" href="https://www.cacert.org/policy/PolicyOnPolicy.php">Policy on Policy</a>;
|
||||||
management of all Subsidiary Policies, under <a class="https" href="https://www.cacert.org/policy/PolicyOnPolicy.php">Policy on Policy</a>,
|
|
||||||
</li>
|
</li>
|
||||||
<li>managing and creating rules of detail or procedure where inappropriate for policies,
|
<li>Managing and creating rules of detail or procedure where inappropriate for policies;
|
||||||
</li>
|
</li>
|
||||||
<li>incorporating rulings from Arbitration into policies, procedures or guidelines,
|
<li>Incorporating rulings from Arbitration into policies, procedures or guidelines;
|
||||||
</li>
|
</li>
|
||||||
<li>assisting the Arbitrator in any requests,
|
<li>Assisting the Arbitrator in any requests;
|
||||||
</li>
|
</li>
|
||||||
<li>managing the Assurer Handbook,
|
<li>Managing the Assurer Handbook;
|
||||||
</li>
|
</li>
|
||||||
<li>maintaining a sufficient strength in the Assurance process (web of trust) to meet the agreed needs of the Community.
|
<li>Maintaining a sufficient strength in the Assurance process (web-of-trust) to meet the agreed needs of the Community.
|
||||||
</li></ul>
|
</li></ul>
|
||||||
<p >
|
<p >
|
||||||
<em>Comment: <strong>New.</strong> derived from OAP and other conventions.
|
|
||||||
Should be discussed, agreed.</em>
|
|
||||||
<p >
|
|
||||||
|
|
||||||
|
|
||||||
<h2 >6. Subsidiary Policies</h2>
|
<h2 >6. Subsidiary Policies</h2>
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
The Assurance Officer manages various exceptions and additional processes.
|
The Assurance Officer manages various exceptions and additional processes.
|
||||||
Each must be covered by an approved subsidiary policy (Policy on Policy => COD1).
|
Each must be covered by an approved Subsidiary Policy (refer to Policy on Policy => COD1).
|
||||||
Subsidiary policies specify any additional tests of knowledge required and variations to process and documentation, within the general standard stated here.
|
Subsidiary Policies specify any additional tests of knowledge required and variations to process and documentation, within the general standard stated here.
|
||||||
<p >
|
<p >
|
||||||
<em>Note: expected subsidiary policies are these:</em> <ul>
|
Examples of expected subsidiary policies are these:
|
||||||
|
<ul>
|
||||||
<li>
|
<li>
|
||||||
<p >
|
<em>Remote Assurer Check;</em>
|
||||||
<em> PolicyDrafts/TTPAssurerCheck (wip) </em>
|
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<p >
|
<em>Super Assurer Policy;</em>
|
||||||
<em> PolicyDrafts/SuperAPolicy (wip) </em>
|
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<p >
|
<em> Junior Assurer Policy;</em>
|
||||||
<em> Junior Assurer Policy (none started at least in <a href="/wiki/PolicyDrafts">PolicyDrafts</a>) </em>
|
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<p >
|
<em> Code Signing Policy;</em>
|
||||||
<em> <a href="/wiki/PolicyDrafts/CodesigningAssurancePolicy">PolicyDrafts/CodesigningAssurancePolicy</a> (wip) </em>
|
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<p >
|
<em>Organisation Assurance Policy and sub-policies per country or region.</em>
|
||||||
<em> <a class="http" href="http://www.cacert.org/policy/OrganisationAssurancePolicy.php">Organisation Assurance Policy</a> (POLICY) and its <a class="http" href="http://svn.cacert.org/CAcert/Policies/OrganisationAssurancePolicy/">many SubPols</a> (wip/DRAFT) </em>
|
|
||||||
</li></ul>
|
</li></ul>
|
||||||
<p >
|
<p >
|
||||||
|
|
||||||
|
@ -412,32 +409,37 @@ Subsidiary policies specify any additional tests of knowledge required and varia
|
||||||
<h3 >Standard</h3>
|
<h3 >Standard</h3>
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
Each subsidiary policy must augment and improve the general standards in this Assurance Policy.
|
Each Subsidiary Policy must augment and improve the general standards in this Assurance Policy.
|
||||||
It is the responsibility of each subsidiary policy to describe how it maintains and improves the specific and overall goals.
|
It is the responsibility of each Subsidiary Policy to describe how it maintains and improves the specific and overall goals.
|
||||||
It must describe exceptions and potential areas of risk.
|
It must describe exceptions and potential areas of risk.
|
||||||
<p >
|
<p >
|
||||||
|
|
||||||
<h3 >High Risk Applications</h3>
|
<h3 >High Risk Applications</h3>
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
In addition to the points ratings set here in and in other policies, Assurance Officer or policies can designate certain applications as high risk.
|
In addition to the Assurance or Experience Points ratings set here in and in other policies, Assurance Officer or policies can designate certain applications as high risk.
|
||||||
If so, additional measures may be added to the Assurance process that specifically address the risks.
|
If so, additional measures may be added to the Assurance process that specifically address the risks.
|
||||||
These may include: <ul>
|
These may include:
|
||||||
<li>Additional information can be required in process of assurance. <ul>
|
<dl>
|
||||||
<li>unique numbers of identity documents
|
<dt>Additional information</dt>
|
||||||
|
<dd>Additional information can be required in process of assurance:
|
||||||
|
<ul>
|
||||||
|
<li>Unique numbers of identity documents;
|
||||||
</li>
|
</li>
|
||||||
<li>photocopy of identity documents
|
<li>Photocopy of identity documents;
|
||||||
</li>
|
</li>
|
||||||
<li>photo of User
|
<li>Photo of User;
|
||||||
</li>
|
</li>
|
||||||
<li>address of User
|
<li>Address of User.
|
||||||
</li></ul>
|
|
||||||
</li></ul>
|
</li></ul>
|
||||||
|
</dd></dl>
|
||||||
<p >
|
<p >
|
||||||
Additional Information is to be kept by Assurer, attached to CAP.
|
Additional Information is to be kept by Assurer, attached to CAP form.
|
||||||
Points allocation by this assurance is unchanged.
|
Assurance Points allocation by this assurance is unchanged.
|
||||||
User's account should be annotated to record type of additional information. <ul>
|
User's CAcert (web)account should be annotated to record type of additional information:
|
||||||
<li>Arbitration: <ul>
|
<ul>
|
||||||
|
<li>Arbitration:
|
||||||
|
<ul>
|
||||||
<li>Member to participate in Arbitration.
|
<li>Member to participate in Arbitration.
|
||||||
This confirms their acceptance of the forum as well as trains in the process and import.
|
This confirms their acceptance of the forum as well as trains in the process and import.
|
||||||
</li>
|
</li>
|
||||||
|
@ -445,46 +447,37 @@ This confirms their acceptance of the forum as well as trains in the process and
|
||||||
This allows Arbitrator as final authority.
|
This allows Arbitrator as final authority.
|
||||||
</li></ul>
|
</li></ul>
|
||||||
</li>
|
</li>
|
||||||
<li class="gap">additional training.
|
<li class="gap">Additional training;
|
||||||
</li>
|
</li>
|
||||||
<li class="gap">Member to be full Assurer
|
<li class="gap">Member to be Assurer (>= 100 Assurance Points and passed Assurer Challenge);
|
||||||
</li>
|
</li>
|
||||||
<li class="gap">Member agrees to additional specific agreement
|
<li class="gap">Member agrees to additional specific agreement(s);
|
||||||
</li>
|
</li>
|
||||||
<li class="gap">additional checking/auditing of systems data by support administrators
|
<li class="gap">Additional checking/auditing of systems data by CAcert support administrators;
|
||||||
</li></ul>
|
</li></ul>
|
||||||
<p >
|
<p >
|
||||||
Applications that might attract additonal measures include code-signing certificates and administration roles.
|
Applications that might attract additonal measures include code-signing certificates and administration roles.
|
||||||
<p >
|
<p >
|
||||||
|
|
||||||
|
|
||||||
<h2 >Privacy</h2>
|
<h2 >Privacy</h2>
|
||||||
|
|
||||||
<p >
|
<p >
|
||||||
CAcert is a privacy organisation, and takes the privacy of its members seriously.
|
CAcert is a "privacy" organisation, and takes the privacy of its Members seriously.
|
||||||
The process maintains the security and privacy of both parties.
|
The process maintains the security and privacy of both parties.
|
||||||
<p >
|
<p >
|
||||||
Information is collected primarily to make claims within the certificates requested by users and to contact the users.
|
Information is collected primarily to make claims within the certificates requested by users and to contact the Members.
|
||||||
|
<br>
|
||||||
It is used secondarily for training, testing, administration and other internal purposes.
|
It is used secondarily for training, testing, administration and other internal purposes.
|
||||||
<p >
|
<p >
|
||||||
The Member's information can be accessed under these circumstances: <ul>
|
The Member's information can be accessed under these circumstances: <ul>
|
||||||
<li>
|
<li>
|
||||||
<p >
|
Under Arbitrator ruling, in a duly filed dispute (<a class="http" href="http://www.cacert.org/policy/DisputeResolutionPolicy.html">Dispute Resolution Policy</a> => COD7)
|
||||||
under Arbitrator ruling, in a duly filed dispute (<a class="http" href="http://www.cacert.org/policy/DisputeResolutionPolicy.html">Dispute Resolution Policy</a> => COD7)
|
|
||||||
</li>
|
</li>
|
||||||
<li>an Assurer in the process of an assurance, as permitted on the CAP form.
|
<li>An Assurer in the process of an Assurance, as permitted on the CAP form.
|
||||||
</li>
|
</li>
|
||||||
<li>support administration and systems administration when operating under the authority of Arbitrator or under policy.
|
<li>CAcert support administration and CAcert systems administration when operating under the authority of Arbitrator or under CAcert policy.
|
||||||
</li></ul>
|
</li></ul>
|
||||||
<p >
|
<p >
|
||||||
<em>Comment: should carefully review Privacy and decide if any additional statement is needed.
|
|
||||||
It seems out of place, we have a Privacy statement elsewhere.
|
|
||||||
Maybe move it to the Obligations of the Assurer?</em>
|
|
||||||
|
|
||||||
<p >
|
|
||||||
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<a href="http://validator.w3.org/check?uri=referer"><img src="../Images/valid-xhtml11-blue" alt="Valid XHTML 1.1" height="31" width="88" style="border-style: none;" /></a>
|
<a href="http://validator.w3.org/check?uri=referer"><img src="../Images/valid-xhtml11-blue" alt="Valid XHTML 1.1" height="31" width="88" style="border-style: none;" /></a>
|
||||||
</p>
|
</p>
|
||||||
</body>
|
</body>
|
||||||
|
|
Loading…
Reference in a new issue