+
+
+
WARNING:
+ The proper policy document is located
+
+ on the CAcert website .
+ This document is a work-in-progress to include future revisions only,
+
+ and is currently only relevant for the [policy] group.
+ Additions in BLUE strikes in ORANGE now up for vote in PG,.
+
-Document:
-Initial Author: Jens Paul
-Edited by: Teus Hagen
-Original creation date: 2007-09-18
-Status: Changed for Feb 2009 OA WoT concept, sync with (individual) AP.
-Next status: proposal will replace former Draft OA Policy of 2008
This policy describes how Organisation Assurers ("OAs")
conduct Assurances on Organisations. It fits within the overall
-web-of-trust or Assurance process of CAcert.
+web-of-trust or Assurance process of CAcert.
+
+This policy is not a Controlled document, for purposes of Configuration Control Specification ("CCS").
An Organisation Assurer allocates a number of Assurance Points to -the (Organisation) Member being Assured. CAcert combines the -Assurance Points into a global Web-of-Trust (or "WoT"). +
An Organisation Assurer allocates a number of Assurance +Points to the (Organisation) Member being Assured. CAcert combines the +Assurance Points into a global verifies that the +Organisation exists and that the applicant for the assurance is in the power to +sign the COAP form to make sure that the process is included in the +Web-of-Trust (or "WoT").
-CAcert explicitly chooses to meet its various goals by -construction of a Web-of-Trust of all Members. +
CAcert explicitly chooses to meet its various goals by +construction of a Web-of-Trust of all Members.
-Documentation on Organisation Assurance is split between this Organisation -Assurance Policy (OAP) and the (organisation) Assurance Handbook. -The policy is controlled by Configuration Control Specification (CCS) -under Policy on Policy (PoP) +
Documentation on Organisation Assurance is split between this Organisation +Assurance Policy (OAP) and the (organisation) Organisation Assurance Handbook. +The policy is controlled by Configuration Control Specification (CCS) +under Policy on Policy (PoP) policy document regime. Because Organisation Assurance is an active area, much of the practice is handed over to the Assurance Handbook, which is not a controlled policy document, and can more easily -respond to experience and circumstances. It is also more readable. +respond to experience and circumstances. It is also more readable.
-See also Assurance Policy (AP) -and CAcert Policy Statement (CPS). +
See also Assurance Policy (AP) +and CAcert Policy Statement (CPS) +Certification Practice Statement (CPS).
- -Organisations with assured status can issue certificates via their -O-Admin directly with their own domains within. +
Not yet reviewed:
+Organisations with assured status can issue certificates via their +O-Admin directly with their own domains within.
The purpose and statement of the certificate remains the same as with ordinary users (natural persons) and as described in the CPS. @@ -82,87 +196,87 @@ with ordinary users (natural persons) and as described in the CPS.
The organisation is within the jurisdiction and can be taken to CAcert Arbitration.
-The Assurance Statement makes the following claims about the organisation: +
The Assurance Statement makes the following claims about the organisation:
The organisation is a bona fide (organisation) Member. In +
The organisation is a bona fide (organisation) Member. In other words, the organisation is a member of the CAcert Community as - defined by the CAcert Community Agreement (CCA); + defined by the CAcert Community Agreement (CCA);
-The Member has a (login) account with CAcert's on-line registration and service system;
-The Member can be determined from any CAcert certificate issued by the Account;
-The Member is bound into CAcert's Arbitration as defined by the CAcert Community Agreement;
-Some information on the Organisation Member are known and +
The Member has a (login) account with CAcert's on-line registration and service system;
+The Member can be determined from any CAcert certificate issued by the Account;
+The Member is bound into CAcert's Arbitration as defined by the CAcert Community Agreement;
+Some information on the Organisation Member are known and verified by CAcert: the Organisation Name(s), form of organisation, domain names, Individual Members for contact and liaison purpose, - secondary distinguishing feature (e.g. corporate number).
+ secondary distinguishing feature (e.g. corporate number).The confidence level of the Assurance Statement is expressed by the (Organisation) Assurance Points. +
The confidence level of the Assurance Statement is expressed by the (Organisation) Assurance Points.
-Organisations can expect the normal privacy provisions provided to +
Organisations can expect the normal privacy provisions provided to Individuals. However, any business arrangements that are not strictly provided for in this policy are likely outside normal -privacy.
+privacy. -The primary goal of the Organisation Assurance Statement is for +
The primary goal of the Organisation Assurance Statement is for the express purpose of certificates to meet the needs of the Relying Party Statement, which latter is found in the Certification -Practice Statement (CPS). +Practice Statement (CPS).
-When a certificate is issued, some of the Organisation Assurance +
When a certificate is issued, some of the Organisation Assurance Statement may be incorporated, e.g. Organisation name. Other parts may be implied, e.g. Membership, exact account and status. They all are part of the Relying Party Statement. In short, this means that other Members of the Community may rely on the information -verified by Assurance and found in the certificate.
-In particular, certificates are sometimes considered to provide +verified by Assurance and found in the certificate.
+In particular, certificates are sometimes considered to provide reliable indications of e.g. the Member's Organisation name, organisation domain names, and organisation email address. The nature of Assurance, the number of Assurance Points, and other policies and processes should be understood as limitations on any -reliance. +reliance.
-The name of the organisation as recorded in the Member's CAcert -login account. The general standard of a name is: +
The name of the organisation as recorded in the Member's CAcert +login account. The general standard of a name is:
The name should be recorded as written in a government-issued +
The name should be recorded as written in a government-issued organisation registration extract e.g. extract from governmental - trade office registrar.
-The organisation name should be recorded as completely as + trade office registrar.
+The organisation name should be recorded as completely as possible. That is without abbreviations, and without transliteration - of characters. + of characters.
-The organisation name is recorded as a string of characters, - encoded in unicode transformation format.
+The organisation name is recorded as a string of characters, + encoded in unicode transformation format.
In order to handle the contradictions in the above general +
In order to handle the contradictions in the above general standard, a Member may record multiple names or multiple variations of a name in her CAcert online Account. Examples of variations include trade names, variations of trade names, abbreviations of a name, different language or country variations, and transliterations of characters in a name. All names should be defined within the -organisation registration extract.
+organisation registration extract. -An organisation Name which has reached the level of 50 +
An organisation Name which has reached the level of 50 (Organisation) Assurance Points is defined as an Assured organisation Name. An Assured Name can be used as Organisation Name in a certificate issued by CAcert. A Member with at least one Assured Name has reached the Assured Member status. Additional capabilities are -described in Table 1. +described in Table 1.
-Table 1: -Assurance Capability+
Table 1: +Assurance Capability
|
- Minimum Assurance Points +Minimum Assurance Points |
- Capability +Capability |
- Status +Status |
- Comment +Comment |
|
- 0 +0 |
- Request Organisation Assurance +Request Organisation Assurance |
- Prospective Organisation Member +Prospective Organisation Member |
- Organisation taking part of an Organisation + Organisation taking part of an Organisation Assurance, who does not have created a CAcert login account (yet). The allocation of Assurance Points is awaiting login - account creation. + account creation. |
|
- 0 +0 |
- Request unnamed certificates +Request unnamed certificates |
- (Organisation) Member +(Organisation) Member |
- Although the Organisation Member's details are - recorded in the account, they are not highly assured. +Although the Organisation Member's details are + recorded in the account, they are not highly assured. |
|
- 50 +50 |
- Request certificates with the name of the - organisation +Request certificates with the name of the + organisation |
- Assured Organisation Member +Assured Organisation Member |
- Statements of Assurance: the organisation name is - assured to 50 Assurance Points or more +Statements of Assurance: the organisation name is + assured to 50 Assurance Points or more |
A Member may check the status of another Member, especially for an +
A Member may check the status of another Member, especially for an assurance process. Status may be implied from information in a certificate. The number of Assurance Points for each Member is not -published. +published.
The CAcert Policy Statement (CPS) +
The CAcert Policy Statement (CPS)
Document no longer exist
What was referenced here?
PoP? or CPS?
and other policies may list other capabilities that rely on
- Assurance Points.
+ Assurance Points.
When an organisation is assured, it becomes in effect an Assurer +
When an organisation is assured, it becomes in effect an Assurer
for its local names. These names are used in certificates
issued under the listed domains. When issued, the organisation
takes primary responsibility as Member.
Each name has to be
checked against the internal systems of the organisation. The
internal systems have to match some standard, as covered in SubPols
/ OA Manual.
If they internal systems do not support this
- application, then the regular Assurance process can be used instead.
The (Organisation) Assurance Officer ("AO") manages this +
The (Organisation) Assurance Officer ("AO") manages this policy and reports to the CAcert Inc. Committee ("Board").
The AO manages all OAs and is responsible for process, the CAcert @@ -311,9 +425,9 @@ Board decides.
Tests to be created, approved, run, verified by CAcert only (not outsourced).
-Testing includes both online / +
Tests are conducted manually, not online/automatic. Testing includes both online / automated and manual tests with the manual tests confirming the on - line tests. + line tests.
Documentation to be retained.
@@ -353,7 +467,7 @@ is the one who handles the assurance requests and the issuing of certificates.O-Admin must be an individual +
O-Admin must be an individual Assurer
Organisation is required to - appoint the O-Admin(s), and appoint ones as required. + appoint the O-Admin(s), and appoint ones as required.
On COAP Request Form.
-On the organisation Member - account.
+On the organisation Member + account.
O-Admin must work with an assigned OA. @@ -378,7 +492,7 @@ certificates.
Have contact details.
-Is named on the organisation Member account.
+Is named on the organisation Member account.
The essential standard of Organisation Assurance (see also 1.1 -Organisation Assurance Statement) is: +
The essential standard of Organisation Assurance (see also 1.1 +Organisation Assurance Statement) is:
the organisation exists @@ -482,40 +596,40 @@ Organisation Assurance Statement) is: terms of the CAcert Community Agreement , and is therefore subject to Arbitration.
-Organisation Domain names must have been checked accordingly - the CPS.
+Organisation Domain names must have been checked accordingly + the CPS.
Acceptable documents to meet above standard are stated in the SubPol.
-The Organisation Assurance applies Assurance Points to each +
The Organisation Assurance applies Assurance Points to each organisation Member which measure the increase of confidence in the Statement (above). Assurance Points should not be interpreted for any other purpose. Note that, even though they are sometimes referred to as Web-of-Trust (Assurance) Points, or Trust Points, -the meaning of the word 'Trust' is not well defined. +the meaning of the word 'Trust' is not well defined.
-Assurance Points Allocation
An Assurer can allocate a
+
Assurance Points Allocation
An Assurer can allocate a
number of Assurance Points to the organisation Member. The allocation
of the maximum means that the Assurer is 100% confident in the
-information presented:
+information presented:
Detail on form, system, documents, - organisation and O-Admin(s) in accordance; +
Detail on form, system, documents, + organisation and O-Admin(s) in accordance;
-Sufficient quality organisation +
Sufficient quality organisation registration extract documents and organisation by-laws related to - signature control of the organisation director have been checked; + signature control of the organisation director have been checked;
-Assurer's familiarity with extract - and by-laws documents; +
Assurer's familiarity with extract + and by-laws documents;
-The Organisation Assurance Statement is confirmed. +
The Organisation Assurance Statement is confirmed.
Any lesser confidence should result in less Assurance Points for +
Any lesser confidence should result in less Assurance Points for an organisation name. If the Organisation Assurer has no confidence in the information presented, then zero Assurance Points may be allocated by the Organisation Assurer. For example, this may @@ -525,29 +639,29 @@ second (individual) Assurer as such gaining confidence and/or assist in allocating a second Organisation Assurance. The number of Assurance Points from zero to maximum is guided by the Assurance Handbook and the judgment of the Assurer. If there is -negative confidence the Assurer should consider filing a dispute. +negative confidence the Assurer should consider filing a dispute.
-Multiple (trade) organisation names should be allocated Assurance -Points independently within a single Assurance. +
Multiple (trade) organisation names should be allocated Assurance +Points independently within a single Assurance.
-In general, for an organisation Member to reach 50 Assurance +
In general, for an organisation Member to reach 50 Assurance Points, the Member must have participated in at least two assurances, and at least one organisation name will have been assured to that -level. +level.
-The maximum number of Assurance Points which can be allocated for +
The maximum number of Assurance Points which can be allocated for an Assurance under this policy and under any act under any Subsidiary -Policy (below) is 50 Assurance Points. +Policy (below) is 50 Assurance Points.
-The COAP form documents the checks and the resultant assurance results to meet the standard. Additional information to be provided on form:
CAcert account of O-Admin(S) - (email address of O-Admin individual Assurer Membership account) +
CAcert account of O-Admin(S) + (email address? of O-Admin individual Assurer Membership account)
Location:
+ Status: POLICY m20070918.x
+ -------- with DRAFT p20080401.1
+ Editor: Jens Paul
+ Licence: CC-by-sa+DRP
+ +
+
+