committed the blue into black, from Ulrich.

git-svn-id: http://svn.cacert.org/CAcert/Policies@2017 14b1bab8-4ef6-0310-b690-991c95c89dfd
Ian Grigg 2010-09-01 09:56:50 +00:00
parent f77a7e6661
commit 9fbb6d5ba7

@ -38,11 +38,11 @@
<a href="PolicyOnPolicy.html"><img align="right" src="images/cacert-wip.png" alt="CAcert Policy Status" height="31" width="88" style="border-style: none;" /></a> <a href="PolicyOnPolicy.html"><img align="right" src="images/cacert-wip.png" alt="CAcert Policy Status" height="31" width="88" style="border-style: none;" /></a>
Editor: Iang<br /> Editor: Iang<br />
Creation Date : <a href="//svn.cacert.org/CAcert/Assurance/Minutes/20091215HamburgMiniTOP.html">20091215</a><br /> Creation Date : <a href="//svn.cacert.org/CAcert/Assurance/Minutes/20091215HamburgMiniTOP.html">20091215</a><br />
Status: WIP 20100705<br /> Status: WIP 2010901<br />
Licence: <a href="//wiki.cacert.org/Policy#Licence" title="this document is Copyright CAcert, licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy" > CC-by-sa/DRP </a><br /> Licence: <a href="//wiki.cacert.org/Policy#Licence" title="this document is Copyright CAcert, licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy" > CC-by-sa+DRP </a><br />
</p> </p>
<h2> <a name="0"> 0. </a> Preliminaries </h2> <h2 id="s0"> 0. Preliminaries </h2>
<p> <p>
This sub-policy extends the This sub-policy extends the
<a href="//www.cacert.org/policy/AssurancePolicy.php"> <a href="//www.cacert.org/policy/AssurancePolicy.php">
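Review bot: The new Status value `WIP 2010901` has seven digits, so it no longer matches the eight-digit date form of the old value `WIP 20100705` and of the Creation Date; given the commit date of 2010-09-01 it presumably should read `WIP 20100901`. Replacing `<a name="0">` with `id="s0"` on the Preliminaries heading also changes the fragment identifier, so any existing link to `#0` stops resolving; keep the old anchor alongside the id or check inbound links.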
@ -50,25 +50,21 @@
by specifying how Assurers can be assisted by by specifying how Assurers can be assisted by
outsourcing the identity documents verification outsourcing the identity documents verification
component of assurance to trusted third parties (TTPs). component of assurance to trusted third parties (TTPs).
<span class="change">
Definitions can be found in AP or in Definitions can be found in AP or in
<a href="//wiki.cacert.org/AssuranceHandbook">Assurance Handbook</a> <a href="//wiki.cacert.org/AssuranceHandbook">Assurance Handbook</a>
("AH"). ("AH").
</span>
</p> </p>
<h2> <a name="1"> 1. </a> Scope </h2> <h2 id="s1"> 1. Scope </h2>
<p> <p>
This sub-policy is restricted to members located This sub-policy is restricted to members located
in areas not well-served with Assurers. in areas not well-served with Assurers.
<span class="change">
It serves a goal of promoting both Assurers and Members is those areas. It serves a goal of promoting both Assurers and Members is those areas.
</span>
</p> </p>
<h2> <a name="1"> 2. </a> Roles </h2> <h2 id="s2"> 2. Roles </h2>
<h3> <a name="1"> 2.1 </a> Trusted Third Party </h3> <h3 id="s2.1"> 2.1 Trusted Third Party </h3>
<p> <p>
A Trusted Third Party ("TTP") is a person who is traditionally respected A Trusted Third Party ("TTP") is a person who is traditionally respected
for making reliable statements to others, especially over identification for making reliable statements to others, especially over identification
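Review bot: The Scope sentence kept on the new side still reads "both Assurers and Members is those areas"; since the `<span class="change">` wrapper is dropped here and the wording accepted, correct "is" to "in" in the same pass. The new ids `s1`, `s2` and `s2.1` do resolve the old side's reuse of `name="1"` on three different headings.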
@ -76,24 +72,12 @@
Notaries (European), bank managers, accountants Notaries (European), bank managers, accountants
and lawyers. and lawyers.
</p> </p>
<p class="strike">
The Board maintains a list of approved classes of TTP
and forms of documents.
The list is expected to vary according to the
different juridical traditions of different regions.
</p>
<h3> <a name="2.2"> 2.2 </a> The Assurer <span class="change">(aka TTP-admin)</a> </h3> <h3 id="s2.2"> 2.2 The Assurer (aka TTP-admin) </h3>
<p class="q">uli: (Synonyms: TTP-Assurer, TTP-Admin)</p> <p class="q">uli: (Synonyms: TTP-Assurer, TTP-Admin)</p>
<p> <p>
To employ a TTP in an assurance, To employ a TTP in an assurance,
the Assurer must the Assurer must be a Senior Assurer.
<span class="change">
be a Senior Assurer.
</span>
<span class="strike">
have 50 experience points, and pass other checks as imposed by the Board from time to time.
</span>
The Assurer must be familiar with the local The Assurer must be familiar with the local
language and customs. language and customs.
</p> </p>
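Review bot: The line `<p class="q">uli: (Synonyms: TTP-Assurer, TTP-Admin)</p>` stays under 2.2 on both sides while the change and strike markup around it is resolved, so an open editorial comment remains inside text that is otherwise being accepted; fold the synonyms into the heading or drop the comment. The eligibility rule also changes from "have 50 experience points, and pass other checks as imposed by the Board from time to time" to "be a Senior Assurer", which makes the requirement depend on a term this section does not define; a reference at this point to where Senior Assurer is defined would make 2.2 readable on its own.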
@ -104,20 +88,19 @@
</ul> </ul>
<h3> <a name="2.3"> 2.3 </a> Member </h3> <h3 id="s2.3"> 2.3 Member </h3>
<p> <p>
A Member ("assuree") who is located in a place not well-served A Member ("assuree") who is located in a place not well-served
by Assurers may use the TTP-assisted Assurance. by Assurers may use the TTP-assisted Assurance.
</p> </p>
<h2> <a name="3"> 3. </a> The Assurance </h2> <h2 id="s3"> 3. The Assurance </h2>
<p class="q">Iang: I suggest this be section 3:</p> <p>
<p class="change">
Assurance assisted by TTP must meet these requirements: Assurance assisted by TTP must meet these requirements:
</p> </p>
<ol class="change" type="a"><li> <ol type="a"><li>
The Assurer must positively confirm the identity and The Assurer must positively confirm the identity and
suitability of the TTP. suitability of the TTP.
</li><li> </li><li>
@ -128,21 +111,129 @@
The Assurer makes a reliable statement to confirm the The Assurer makes a reliable statement to confirm the
Assurance Statement. Assurance Statement.
</li><li> </li><li>
<i>
Assurance must be marked as TTP-Assisted Assurance must be marked as TTP-Assisted
(e.g., by use of TTPAdmin flag). (e.g., by use of TTPAdmin flag).
</i>
</li></ol> </li></ol>
<p class="q"> And all the rest in pink box be pushed into the HANDBOOK. This way, the policy sets requirements and standards, and AO is responsible for meeting them as a PRACTICE. </p>
<p class="q"> See Appendix A for example text for Handbook text.</p>
<h2 id="s4"> 4. Assurance Officer ("AO") </h2>
<p>
The Board routinely delegates its responsibilities to the
Assurance Officer (and this section assumes that, but does
not require it).
</p>
<p>
A report is requested annually from the Assurance Officer
on performance of this policy for the association's
annual report.
</p>
<h3 id="s4.1"> 4.1 Practice </h3>
<p>
Assurance Officer should prepare
a detailed documentation under
<a href="//wiki.cacert.org/AssuranceHandbook">AH</a>
that meets the needs of this policy, including:
</p>
<ul><li>
Form for TTPs
</li><li>
Guide for TTPs.
</li><li>
Form for TTP-assisted assurance (used by Assurer)
</li><li>
Guide and protocol
<span class="q"> (Appendix A below)</span>
for Assurers.
</li><li>
Mechanisms for contacting Assurers available for
TTP-assisted Assurances.
</li><li>
Definition of
<a href="https://wiki.cacert.org/AssuranceHandbook2#What_is_a_Senior_Assurer.3F">
Senior Assurer</a>.
</li></ul>
<h3 id="s4.2"> 4.2 Deserts </h3>
<p>
The Assurance Officer maintains a list of regions
that are designated as '<i>deserts,</i>' being areas that are so short
of Assurers as to render face-to-face Assurance impractical.
In each region, approved types of TTP are listed (e.g., Notary).
The list is expected to vary according to the
different juridical traditions of different regions.
Changes to the regional lists are prepared by
either an Organisation Assurer for that region
(as described by OAP)
or by two Assurers familiar with the traditions
in that region.
Changes are then submitted to the Board for approval.
</p>
<p>
Use of a type of TTP not on the list must be approved by
AO and notified to Board.
It is an explicit goal to reduce the usage of
TTP-assisted Assurances in favour of face-to-face Assurance.
<p>
<p>
In coordination with internal and external auditors,
the Assurance Officer shall design and implement a
suitable programme to meet the needs of audit.
Where approved by auditors or Board, the Assurance
Officer may document and implement minor variations to this policy.
</p>
<h2 id="s5"> 5. Topup Assurance Points </h2>
<p>
AO is to operate a topup Assurance programme
to help seed desert areas with Assurers.
</p>
<p>
A topup Assurance is conducted by a third Senior Assurer
according to the following requirements:
</p>
<ol><li>
Assurer must be a Senior Assurer.
</li><li>
Assurer Challenge must be completed as passed by Member.
</li><li>
The topup must be requested by Member for purpose of enabling the Member to reach Assurer level.
</li><li>
The two TTP-Assisted Assurances already conducted are to be reviewed.
</li><li>
Topup may award up to 35 points.
</li><li>
Assurance must be marked as Topup
(e.g., by use of new feature with TTPAdmin flag).
</ol></li>
<p>
Each topup is to be reported to AO.
Topup is only available in designated deserts.
</p>
<hr>
<h2 id="A"> Appendix A - Handbook text, not for policy </h2>
<blockquote><table border="1" bgcolor="lightpink"><tr><td> <blockquote><table border="1" bgcolor="lightpink"><tr><td>
<center><p class="q">
This pink part into the HANDBOOK when it goes to DRAFT, not part of policy!<br />
This way, the policy sets requirements and standards,<br />
and AO is responsible for meeting them as a PRACTICE.
</p></center>
<p> <p>
These steps are taken. These steps are taken.
</p> </p>
<h3> <a name="3.1"> 3.1 </a> Preliminaries </h3> <h3> 3.1 Preliminaries </h3>
<ol> <li> <ol> <li>
<p> <p>
The Member creates her account The Member creates her account
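Review bot: Two markup errors are carried into the relocated sections unchanged: the second paragraph of 4.2 ends with `<p>` instead of `</p>` (just before the "In coordination with internal and external auditors" paragraph), and the list in section 5 closes with `</ol></li>` where `</li></ol>` is needed. Both leave unbalanced elements in the new text and should be fixed while the sections are being moved. In the same hunk the appendix heading 3.1 Preliminaries loses its `<a name="3.1">` without gaining an id, unlike the other headings, and `<hr>` is not self-closed although the file writes `<br />`.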
@ -163,9 +254,7 @@
</li><li> </li><li>
The Assurer confirms that standard Assurances do not meet The Assurer confirms that standard Assurances do not meet
the needs of the Member. the needs of the Member.
<span class="change">
This is only likely in areas not well-served with Assurers. This is only likely in areas not well-served with Assurers.
</span>
</p> </p>
</li><li> </li><li>
<p> <p>
@ -180,7 +269,7 @@
and gives the Member a Token. and gives the Member a Token.
</li></ol> </li></ol>
<h3> <a name="3.2"> 3.2 </a> Face-to-face meeting with the TTP </h3> <h3 id="s3.2"> 3.2 Face-to-face meeting with the TTP </h3>
<ol><li> <ol><li>
<p> <p>
The TTP and the Member meet face-to-face. The TTP and the Member meet face-to-face.
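Review bot: `id="s3.2"` places this Appendix A heading in the same namespace as the new policy section `id="s3"` (3. The Assurance), although the appendix is headed "Handbook text, not for policy". An appendix-specific number and id (for example A.2) would keep references to policy section 3 unambiguous; the same applies to the 3.1 and 3.3 headings in the appendix.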
@ -231,7 +320,7 @@
</span> </span>
</li></ol> </li></ol>
<h3> <a name="3.3"> 3.3 </a> Completion of the Assurance </h3> <h3 id="s3.3"> 3.3 Completion of the Assurance </h3>
<ol><li> <ol><li>
<p> <p>
The Assurer must confirm the assurance using the paperwork, The Assurer must confirm the assurance using the paperwork,
@ -283,133 +372,5 @@
</td></tr></table></blockquote> </td></tr></table></blockquote>
<h2> <a name="4"> 4. </a> Assurance Officer ("AO") </h2>
<p>
The Board routinely delegates its responsibilities to the
Assurance Officer (and this section assumes that, but does
not require it).
</p>
<p>
A report is requested annually from the Assurance Officer
on performance of this policy for the association's
annual report.
</p>
<h3 id="s4.1"> 4.1 Practice </h3>
<p>
Assurance Officer should prepare
<span class="change">
a detailed documentation under
<a href="//wiki.cacert.org/AssuranceHandbook">AH</a>
that meets the needs of this policy, including:
</span>
<span class="strike">
documentation
to support the TTP-assisted Assurance, including:
</span>
</p>
<ul><li>
Form for TTPs
</li><li>
Guide for TTPs.
</li><li>
Form for TTP-assisted assurance (used by Assurer)
</li><li>
Guide <span class="change"> and protocol </span>
<span class="q"> (pink box above)</span>
for Assurers.
</li><li>
Mechanisms for contacting Assurers available for
TTP-assisted Assurances.
</li><li class="change">
Definition of
<a href="https://wiki.cacert.org/AssuranceHandbook2#What_is_a_Senior_Assurer.3F">
Senior Assurer</a>.
</li></ul>
<h3 id="s4.2"> 4.2 Deserts </h3>
<p>
<span class="change">
The Assurance Officer maintains a list of regions
that are designated as '<i>deserts,</i>' being areas that are so short
of Assurers as to render face-to-face Assurance impractical.
In each region, approved types of TTP are listed (e.g., Notary).
The list is expected to vary according to the
different juridical traditions of different regions.
</span>
Changes to the regional lists are prepared by
either an Organisation Assurer for that region
(as described by OAP)
or by two Assurers familiar with the traditions
in that region.
Changes are then submitted to the Board for approval.
</p>
<p>
Use of a type of TTP not on the list must be approved by
<span class="change">
AO and notified to
</span>
Board.
<span class="change">
It is an explicit goal to reduce the usage of
TTP-assisted Assurances in favour of face-to-face Assurance.
</span>
<p>
<p>
In coordination with internal and external auditors,
the Assurance Officer shall design and implement a
suitable programme to meet the needs of audit.
Where approved by auditors or Board, the Assurance
Officer may document and implement minor variations to this policy.
</p>
<h2 class="change"> <a name="5"> 5. </a> Topup Assurance Points </h2>
<ul class="q"><li>uli: did we discuss the points gained thru a TTP assurance?</li>
<li>From the calculation with the 35 pts, a TTP assuree never can reach the 100 pts level ...
2x 35 = 70 pts max. So he probably can never become an Assurer. One goal with the
TTP program is, to bring people upto 100 pts, so they can start to be a
regular Assurer. This goal cannot be reached neither by the Nucleus program
in conjunction to the TTP program. Is this as expected ?</li>
<li>Alternate plan: issue 50 pts (temporarly) with 2 TTP assurances. As enough people
are in an area, they can start Assure each other. With enough points received,
the temporarly 50 pts can be decreased to the default 35 pts level
(see also the Nucleus program). But issuing temporarly 50 pts, needs probably
also a software update to the system.</li>
<li>Iang: see below for one idea we discussed.</li>
</ul>
<p class="change">
AO is to operate a topup Assurance programme
to help seed desert areas with Assurers.
</p>
<p class="change">
A topup Assurance is conducted by a third Senior Assurer
according to the following requirements:
</p>
<ol class="change"><li>
Assurer must be a Senior Assurer.
</li><li>
Assurer Challenge must be completed as passed by Member.
</li><li>
The topup must be requested by Member for purpose of enabling the Member to reach Assurer level.
</li><li>
The two TTP-Assisted Assurances already conducted are to be reviewed.
</li><li>
Topup may award up to 35 points.
</li><li>
Assurance must be marked as Topup
(e.g., by use of new feature with TTPAdmin flag).
</ol></li>
<p class="change">
Each topup is to be reported to AO.
Topup is only available in designated deserts.
</p>
</body> </body>
</html> </html>
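Review bot: Dropping the `<ul class="q">` discussion under the old section 5 also drops the only statement of why the topup exists, namely that two TTP assurances give "2x 35 = 70 pts max" and so a TTP assuree cannot reach the 100 pts level needed to become an Assurer. The new section 5 says only that the programme is "to help seed desert areas with Assurers"; add a one-sentence rationale there or point to where the discussion is archived. The commit message should also mention that sections 4 and 5 move ahead of the appendix, since the diff shows them as a 129-line addition plus a 133-line removal.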