git-svn-id: http://svn.cacert.org/CAcert/Policies@1495 14b1bab8-4ef6-0310-b690-991c95c89dfd
parent
115d38ea9c
commit
85efb085d2
@ -1,240 +1,207 @@
|
|||||||
<html>
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
||||||
<head>
|
<HTML>
|
||||||
<title>Third Party Verification System Policy</title>
|
<HEAD>
|
||||||
</head>
|
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=windows-1252">
|
||||||
<body>
|
<TITLE>Third Party Verification System Policy</TITLE>
|
||||||
<h1>Third Party Verification System Policy</h1>
|
<META NAME="GENERATOR" CONTENT="OpenOffice.org 3.0 (Win32)">
|
||||||
|
<META NAME="CREATED" CONTENT="0;0">
|
||||||
<h2> Preamble </h2>
|
<META NAME="CHANGED" CONTENT="20090504;23580100">
|
||||||
|
</HEAD>
|
||||||
<p>
|
<BODY LANG="fr-FR" DIR="LTR">
|
||||||
This is a subsidiary policy under Assurance Policy (COD13).
|
<H1>Third Party Verification System Policy</H1>
|
||||||
It documents the acceptance of Thawte-issued certificates
|
<H2>Preamble
|
||||||
and disclosers as inputs into the assurance process.
|
</H2>
|
||||||
</p>
|
<P>This is a subsidiary policy under Assurance Policy (COD13). It
|
||||||
|
documents the acceptance of Thawte-issued certificates and disclosers
|
||||||
<h2> Third Party Certificate </h2>
|
as inputs into the assurance process.
|
||||||
|
</P>
|
||||||
|
<H2>Third Party Certificate
|
||||||
<p>
|
</H2>
|
||||||
The CAs listed in Appendix A are approved to "this system".
|
<P>The CAs listed in Appendix A are approved to "this system".
|
||||||
</p>
|
</P>
|
||||||
|
<P>If a certificate is examined by an Assurer (e.g., signed email)
|
||||||
<p>
|
|
||||||
If a certificate is examined by an Assurer (e.g., signed email)
|
|
||||||
and determined to provide evidence of a Name and email address that
|
and determined to provide evidence of a Name and email address that
|
||||||
matches the Name stored in the CAcert system,
|
matches the Name stored in the CAcert system, the Assurer may
|
||||||
the Assurer may allocate 25 (???) Assurance Points
|
allocate 25 (???) Assurance Points (or as determined in the Appendix
|
||||||
(or as determined in the Appendix A).
|
A).
|
||||||
</p>
|
</P>
|
||||||
|
<P>This is only available to Assurers who are:
|
||||||
<p>
|
</P>
|
||||||
This is only available to Assurers who are:
|
<OL>
|
||||||
</p>
|
<LI><P STYLE="margin-bottom: 0cm">Full Assurer with 50 Experience
|
||||||
|
Points
|
||||||
<ol><li>
|
</P>
|
||||||
Full Assurer with 50 Experience Points
|
<LI><P>Assigned the Tverify role by support.
|
||||||
</li><li>
|
</P>
|
||||||
Assigned the Tverify role by support.
|
</OL>
|
||||||
</li></ol>
|
<P>This may be only awarded once per Member.
|
||||||
|
</P>
|
||||||
<p>
|
<P>This may be done automatically by the existing Tverify system.
|
||||||
This may be only awarded once per Member.
|
</P>
|
||||||
</p>
|
<H2>Other Web of Trust
|
||||||
|
</H2>
|
||||||
<p>
|
<P>Webs of Trust listed in Appendix B are approved for this system.
|
||||||
This may be done automatically by the existing
|
</P>
|
||||||
Tverify system.
|
<P>If evidence of full "assurer status" in the other Web of
|
||||||
</p>
|
Trust is provided to an Assurer, then the Assurer may award 25
|
||||||
|
Assurance Points, in addition to the above 25 points from the
|
||||||
|
certificate.
|
||||||
<h2> Other Web of Trust </h2>
|
</P>
|
||||||
|
<P>The Assurer must go to the other system and verify the Name. And
|
||||||
<p>
|
DoB??? But the user has to enable each Assurer to check the DoB by
|
||||||
Webs of Trust listed in Appendix B are approved for this system.
|
means of the permitting an assurance in the other system.
|
||||||
</p>
|
</P>
|
||||||
|
<P>Assurers enabled for this system must be:
|
||||||
<p>
|
</P>
|
||||||
If evidence of full "assurer status" in the other Web of Trust
|
<OL>
|
||||||
is provided to an Assurer,
|
<LI><P STYLE="margin-bottom: 0cm">Full Assurer with 50 Experience
|
||||||
then the Assurer may award 25 Assurance Points,
|
Points
|
||||||
in addition to the above 25 points from the certificate.
|
</P>
|
||||||
<p>
|
<LI><P STYLE="margin-bottom: 0cm">Assigned the Tverify role by
|
||||||
|
support.
|
||||||
<p>
|
</P>
|
||||||
The Assurer must go to the other system and verify the
|
<LI><P>Full "assurer status" in the other system.
|
||||||
Name.
|
</P>
|
||||||
And DoB??? But the user has to enable each Assurer to
|
</OL>
|
||||||
check the DoB by means of the permitting an assurance in the
|
<P>This may be only awarded once per Member.
|
||||||
other system.
|
</P>
|
||||||
</p>
|
<P><I>What about voting system....</I>
|
||||||
|
</P>
|
||||||
<p>
|
<UL>
|
||||||
Assurers enabled for this system must be:
|
<LI><P>optional : the user provides the web link in the directory of
|
||||||
</p>
|
Thawte notaries. The user must display his name and CAcert account
|
||||||
|
email address in the directory assurer message. The user can get 40
|
||||||
<ol><li>
|
extra points after manual checking,
|
||||||
Full Assurer with 50 Experience Points
|
</P>
|
||||||
</li><li>
|
</UL>
|
||||||
Assigned the Tverify role by support.
|
<UL>
|
||||||
</li><li>
|
<LI><P STYLE="margin-bottom: 0cm"><I>This proves that the person is
|
||||||
Full "assurer status" in the other system.
|
a "Thawte Notary" </I>
|
||||||
</li></ol>
|
</P>
|
||||||
|
<LI><P STYLE="margin-bottom: 0cm"><I>A TN has "100 Thawte trust
|
||||||
<p>
|
points" which means that the Name, DoB, email address (by
|
||||||
This may be only awarded once per Member.
|
connecting into the system) have been checked by 3 people at least. </I>
|
||||||
</p>
|
</P>
|
||||||
|
<LI><P STYLE="margin-bottom: 0cm"><I>Thawte Notary: There is no
|
||||||
<p>
|
"test". </I>
|
||||||
<i>What about voting system....</i>
|
</P>
|
||||||
</p>
|
<LI><P STYLE="margin-bottom: 0cm"><I>Thawte Notary: There are some
|
||||||
|
rules, what needs to be done, what not. <U>Find the rules</U>. </I>
|
||||||
|
</P>
|
||||||
|
<UL>
|
||||||
|
<LI><P STYLE="margin-bottom: 0cm"><I>http://www.thawte.com/secure-email/web-of-trust-wot/wot_notary.html</I></P>
|
||||||
</li><li>
|
<LI><P STYLE="margin-bottom: 0cm"><I>http://www.thawte.com/secure-email/web-of-trust-wot/wot_rules.html</I></P>
|
||||||
|
<LI><P STYLE="margin-bottom: 0cm"><I><A HREF="http://www.thawte.com/secure-email/web-of-trust-wot/wot_validation.html">http://www.thawte.com/secure-email/web-of-trust-wot/wot_validation.html</A></I></P>
|
||||||
optional :
|
<LI><P STYLE="margin-bottom: 0cm"><I><A HREF="http://www.thawte.com/secure-email/web-of-trust-wot/wot_points.html">http://www.thawte.com/secure-email/web-of-trust-wot/wot_points.html</A></I></P>
|
||||||
the user provides the web link in the directory of Thawte
|
<LI><P STYLE="margin-bottom: 0cm"><I><A HREF="http://www.thawte.com/cps/">http://www.thawte.com/cps/</A>
|
||||||
notaries. The user must display his name and CAcert account email
|
=> section 3.1.9 Authentication of Individual Identity </I>
|
||||||
address in the directory assurer message. The user can get 40 extra
|
</P>
|
||||||
points after manual checking,
|
</UL>
|
||||||
|
<LI><P STYLE="margin-bottom: 0cm"><I>Thawte Notary: complaints are
|
||||||
<ul><li><i>
|
reported to Thawte support, and support then requests all forms and
|
||||||
This proves that the person is a "Thawte Notary"
|
documentation and copies of IDs, and support may do something ...
|
||||||
</i></li><li><i>
|
<U>but this was before the change of liability, they may not care
|
||||||
A TN has "100 Thawte trust points" which means that the Name, DoB, email address (by connecting into the system) have been checked by 3 people at least.
|
anymore</U> </I>
|
||||||
</i></li><li><i>
|
</P>
|
||||||
Thawte Notary: There is no "test".
|
<LI><P><I>Probably this should be 25 points? </I>
|
||||||
</i></li><li><i>
|
</P>
|
||||||
Thawte Notary: There are some rules, what needs to be done, what not.
|
</UL>
|
||||||
<u>Find the rules</u>.
|
<UL>
|
||||||
</i></li><li><i>
|
<LI><P>optional: The user provides a scan of a government photo id.
|
||||||
Thawte Notary: complaints are reported to Thawte support, and support then requests all forms and documentation and copies of IDs, and support may do something ... <u>but this was before the change of liability, they may not care anymore</u>
|
The user can get an extra 60 points after manual checking.
|
||||||
</i></li><li><i>
|
</P>
|
||||||
Probably this should be 25 points?
|
</UL>
|
||||||
</i></li></ul>
|
<UL>
|
||||||
|
<LI><P STYLE="margin-bottom: 0cm"><I>May need to make this mandatory
|
||||||
</li><li>
|
so we can check the DoB. </I>
|
||||||
optional:
|
</P>
|
||||||
The user provides a scan of a government photo id. The user
|
<LI><P><I>Probably this should be 40 points? </I>
|
||||||
can get an extra 60 points after manual checking.
|
</P>
|
||||||
<ul><li><i>
|
</UL>
|
||||||
May need to make this mandatory so we can check the DoB.
|
<P><I>Agreed that experience as TN is not useful for CAcert
|
||||||
</i></li><li><i>
|
Experience Points. So Maximum is 100.</I>
|
||||||
Probably this should be 40 points?
|
</P>
|
||||||
</i></li></ul>
|
<H2>Manual Points Allocation
|
||||||
</li></ol>
|
</H2>
|
||||||
|
<P>If the user completes only step 1, the users get 50 points if the
|
||||||
<p>
|
Thawte name matches the CAcert name : The process is fully automated
|
||||||
<i> Agreed that experience as TN is not useful for CAcert Experience Points.
|
and the user still can do later the optional steps.
|
||||||
So Maximum is 100.</i>
|
</P>
|
||||||
</p>
|
<P>In case the user completes steps 2 or 3, a Tverify-authorised
|
||||||
|
Assurer does the following manual checks :
|
||||||
<h2> Manual Points Allocation </h2>
|
</P>
|
||||||
|
<OL>
|
||||||
<p>
|
<LI><P STYLE="margin-bottom: 0cm">check if the link to the Thawte
|
||||||
If the user completes only step 1, the users get 50 points if the
|
WoT directory matches the name and email address of the CAcert
|
||||||
Thawte name matches the CAcert name : The process is fully automated and
|
account, and
|
||||||
the user still can do later the optional steps.
|
</P>
|
||||||
</p>
|
<LI><P>check if the photo id macthes the name and date of birth of
|
||||||
|
the CAcert account.
|
||||||
<p>
|
</P>
|
||||||
In case the user completes steps 2 or 3, a Tverify-authorised Assurer does the following manual checks :
|
</OL>
|
||||||
</p>
|
<P>the CAcert Tverify community member votes Aye or Nay on the
|
||||||
|
request (faithfullness) and optionally adds a comment on the reason
|
||||||
|
why they reject the request.
|
||||||
<ol><li>
|
</P>
|
||||||
check if the link to the Thawte WoT directory matches the name and
|
<P>If the requests gets 4 Naye, the requests is rejected, the user
|
||||||
email address of the CAcert account, and
|
has to restart the process.
|
||||||
</li><li>
|
</P>
|
||||||
|
<P>if the request gets 4 Aye, the requests is completed and the
|
||||||
check if the photo id macthes the name and date of birth of the CAcert
|
appropriate amount of Assurance points are added to the account,
|
||||||
account.
|
logged as an Tverify assurance. <I>BY WHOM?</I>
|
||||||
</li></ol>
|
</P>
|
||||||
|
<P>Each user step can granted points only once. The maximum is 150
|
||||||
<p>
|
points. <B>BLECH</B>
|
||||||
the CAcert Tverify community member votes Aye or Nay on the request
|
</P>
|
||||||
(faithfullness) and optionally adds a comment on the reason why they reject
|
<H2>Manual Points Allocation
|
||||||
the request.
|
</H2>
|
||||||
</p>
|
<P>To be a Tverify Assurer, an Assurer must have:
|
||||||
|
</P>
|
||||||
<p>
|
<UL>
|
||||||
If the requests gets 4 Naye, the requests is rejected, the user has to
|
<LI><P>full Thawte "Notary" status.
|
||||||
restart the process.
|
</P>
|
||||||
</p>
|
</UL>
|
||||||
|
<P>Authorisation is done by .... the Support Officer (and confirmed
|
||||||
<p>
|
by ??? Assurance Officer).
|
||||||
if the request gets 4 Aye, the requests is completed and the appropriate
|
</P>
|
||||||
amount of Assurance points are added to the account, logged as an Tverify
|
<P>Currently there are 7+ Assurers who are authorised to conduct the
|
||||||
assurance.
|
|
||||||
<i>BY WHOM?</i>
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
Each user step can granted points only once. The maximum is 150 points.
|
|
||||||
<b>BLECH</b>
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<h2> Manual Points Allocation </h2>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
To be a Tverify Assurer, an Assurer must have:
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<ul><li>
|
|
||||||
full Thawte "Notary" status.
|
|
||||||
</li></ul>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
Authorisation is done by ....
|
|
||||||
the Support Officer (and confirmed by ??? Assurance Officer).
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
Currently there are 7+ Assurers who are authorised to conduct the
|
|
||||||
Tverify additional procedure.
|
Tverify additional procedure.
|
||||||
</p>
|
</P>
|
||||||
|
<H2>System
|
||||||
<h2> System </h2>
|
</H2>
|
||||||
|
<P>An online system is run to accept the certificate. This is located
|
||||||
<p>
|
at https://tverify.cacert.org/ This is a critical / non-critical
|
||||||
An online system is run to accept the certificate.
|
system ????
|
||||||
This is located at https://tverify.cacert.org/
|
</P>
|
||||||
This is a critical / non-critical system ????
|
<H2>Legal
|
||||||
</p>
|
</H2>
|
||||||
|
<P>WHat do the Thawte docs say about reliance, etc. Is there a
|
||||||
<h2> Legal </h2>
|
possibility to do this? What is the liability position? <B>Chances
|
||||||
|
are, there is no liability and no reliance permitted.</B> Which means
|
||||||
<p>
|
... there is no reliance on the Name in the cert.
|
||||||
WHat do the Thawte docs say about reliance, etc.
|
</P>
|
||||||
Is there a possibility to do this?
|
<H2>OLD stuff
|
||||||
What is the liability position?
|
</H2>
|
||||||
<b>Chances are, there is no liability and no reliance permitted.</b>
|
<BLOCKQUOTE><B>OLD:</B>
|
||||||
Which means ... there is no reliance on the Name in the cert.
|
</BLOCKQUOTE>
|
||||||
</p>
|
<BLOCKQUOTE><B>mandatory </B>: the users provides a Thawte assured
|
||||||
|
certificate including the user name. If the name and email address in
|
||||||
|
the certificate matches the name and email address recorded by CAcert
|
||||||
|
exactly, the user is given 50 Assurance Points automatically by the
|
||||||
<h2> OLD stuff </h2>
|
online system.
|
||||||
<blockquote><b>OLD:</b>
|
</BLOCKQUOTE>
|
||||||
<p>
|
<UL>
|
||||||
<b> mandatory </b> : the users provides a
|
<LI><BLOCKQUOTE STYLE="margin-bottom: 0cm"><I>no checking of date of
|
||||||
Thawte assured certificate including the user name.
|
birth, </I>
|
||||||
If the name and email address in the certificate matches
|
</BLOCKQUOTE>
|
||||||
the name and email address recorded by CAcert exactly,
|
<LI><BLOCKQUOTE STYLE="margin-bottom: 0cm"><I>no alignment of these
|
||||||
the user is given 50 Assurance Points automatically
|
50 points with AP (statement, checking of date of birth, there may
|
||||||
by the online system.
|
be some rules about middle names and extracting the name fields out
|
||||||
</p>
|
of FirstName and LastName... this is in the system. <B>should check
|
||||||
<ul><li><i>
|
Thwarte doco to make a judgement call on what it is worth.</B> </I>
|
||||||
no checking of date of birth,
|
</BLOCKQUOTE>
|
||||||
</i></li><li><i>
|
<LI><BLOCKQUOTE><I>Probably this should be 25 points? </I>
|
||||||
no alignment of these 50 points with AP (statement, checking of date of birth,
|
</BLOCKQUOTE>
|
||||||
there may be some rules about middle names and extracting the name fields out of FirstName and LastName... this is in the system.
|
</UL>
|
||||||
<b>should check Thwarte doco to make a judgement call on what it is worth.</b>
|
</BODY>
|
||||||
</i></li><li><i>
|
</HTML>
|
||||||
Probably this should be 25 points?
|
|
||||||
</i></li></ul>
|
|
||||||
|
|
||||||
</blockquote>
|
|
||||||
</body></html>
|
|
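Review bot: In the new "Manual Points Allocation" text, "If the user completes only step 1" and "In case the user completes steps 2 or 3" no longer point at anything numbered. The old markup carried the two "optional" items as <li> entries closed by </ol>, while the new markup puts them in separate <UL> blocks. Put the mandatory and optional items back into one <OL>, or name the steps explicitly in those sentences. The new header also declares <BODY LANG="fr-FR" DIR="LTR"> and charset=windows-1252 for an English policy text, which looks like residue of the OpenOffice export named in the GENERATOR META tag and should be corrected by hand. Because the export rewrote every line (tag case, added STYLE="margin-bottom: 0cm", rewrapped paragraphs), any wording change cannot be told apart from reformatting in this hunk. Keeping the original hand-written markup and editing only the changed sentences would make the policy change reviewable. The second <H2>Manual Points Allocation above "To be a Tverify Assurer, an Assurer must have:" still duplicates the earlier heading. The open markers "25 (???)", "DoB???", "BY WHOM?" and "BLECH" and the typos "macthes" and "Thwarte" are carried over unchanged.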