WARNING:
The proper policy document is located
on the CAcert website .
This document is a work-in-progress to include future revisions only,
and is currently only relevant for the [policy] group.
Additions in BLUE, strikes in ORANGE, now up for vote in the policy group.
This policy describes how Organisation Assurers ("OAs")
conduct Assurances on Organisations. It fits within the overall
web-of-trust or Assurance process of CAcert.
This policy is a Controlled document, for purposes of the Configuration Control Specification ("CCS").
An Organisation Assurer allocates a number of Assurance Points to the (Organisation) Member being Assured. The Organisation Assurer verifies that the Organisation exists and that the applicant for the Assurance has the power to sign the COAP form, so that the Organisation is brought into the Web-of-Trust (or "WoT").
CAcert explicitly chooses to meet its various goals by construction of a Web-of-Trust of all Members.
Documentation on Organisation Assurance is split between this Organisation Assurance Policy (OAP) and the Organisation Assurance Handbook. The policy is controlled by the Configuration Control Specification (CCS) under the Policy on Policy (PoP) regime. Because Organisation Assurance is an active area, much of the practice is handed over to the Assurance Handbook, which is not a controlled policy document and can more easily respond to experience and circumstances. It is also more readable.
See also the Assurance Policy (AP) and the Certification Practice Statement (CPS).
Not yet reviewed:
Organisations with Assured status can have their O-Admin issue certificates directly, with their own domains within.
The purpose and statement of the certificate remain the same as for ordinary users (natural persons), as described in the CPS.
The organisation named within is identified.
The organisation has been verified according to this policy.
The organisation is within the jurisdiction and can be taken to CAcert Arbitration.
The Assurance Statement makes the following claims about the organisation:
The organisation is a bona fide (Organisation) Member. In other words, the organisation is a member of the CAcert Community as defined by the CAcert Community Agreement (CCA);
The Member has a (login) account with CAcert's on-line registration and service system;
The Member can be determined from any CAcert certificate issued by the Account;
The Member is bound into CAcert's Arbitration as defined by the CAcert Community Agreement;
Some information on the Organisation Member is known and verified by CAcert: the Organisation Name(s), form of organisation, domain names, Individual Members for contact and liaison purposes, and a secondary distinguishing feature (e.g. corporate number).
The confidence level of the Assurance Statement is expressed by the (Organisation) Assurance Points.
Organisations can expect the normal privacy provisions provided to Individuals. However, any business arrangements that are not strictly provided for in this policy are likely outside normal privacy.
The primary goal of the Organisation Assurance Statement is to enable certificates to meet the needs of the Relying Party Statement, which is found in the Certification Practice Statement (CPS).
When a certificate is issued, some of the Organisation Assurance Statement may be incorporated, e.g. Organisation name. Other parts may be implied, e.g. Membership, exact account and status. They all are part of the Relying Party Statement. In short, this means that other Members of the Community may rely on the information verified by Assurance and found in the certificate.
In particular, certificates are sometimes considered to provide reliable indications of e.g. the Member's Organisation name, organisation domain names, and organisation email address. The nature of Assurance, the number of Assurance Points, and other policies and processes should be understood as limitations on any reliance.
An organisation Name is the name of the organisation as recorded in the Member's CAcert login account. The general standard of a name is:
The name should be recorded as written in a government-issued organisation registration extract e.g. extract from governmental trade office registrar.
The organisation name should be recorded as completely as possible. That is without abbreviations, and without transliteration of characters.
The organisation name is recorded as a string of characters, encoded in Unicode Transformation Format (UTF).
To handle tensions between the elements of the above general standard, a Member may record multiple names or multiple variations of a name in its CAcert online Account. Examples of variations include trade names, variations of trade names, abbreviations of a name, different language or country variations, and transliterations of characters in a name. All names should be defined within the organisation registration extract.
An organisation Name which has reached the level of 50 (Organisation) Assurance Points is defined as an Assured organisation Name. An Assured Name can be used as Organisation Name in a certificate issued by CAcert. A Member with at least one Assured Name has reached the Assured Member status. Additional capabilities are described in Table 1.
Table 1: Assurance Capability

| Minimum Assurance Points | Capability | Status | Comment |
| 0 | Request Organisation Assurance | Prospective Organisation Member | Organisation taking part in an Organisation Assurance that has not (yet) created a CAcert login account. The allocation of Assurance Points awaits creation of the login account. |
| 0 | Request unnamed certificates | (Organisation) Member | Although the Organisation Member's details are recorded in the account, they are not highly assured. |
| 50 | Request certificates with the name of the organisation | Assured Organisation Member | Statement of Assurance: the organisation name is assured to 50 Assurance Points or more. |
A Member may check the status of another Member, especially for an assurance process. Status may be implied from information in a certificate. The number of Assurance Points for each Member is not published.
The Certification Practice Statement (CPS) and other policies may list other capabilities that rely on Assurance Points.
When an organisation is assured, it becomes in effect an Assurer for its local names. These names are used in certificates issued under the listed domains. When a certificate is issued, the organisation takes primary responsibility as Member.
Each name has to be checked against the internal systems of the organisation. The internal systems have to match a standard, as covered in the SubPols and the OA Manual. If the internal systems do not support this application, then the regular Assurance process can be used instead.
The (Organisation) Assurance Officer ("AO") manages this policy and reports to the CAcert Inc. Committee ("Board").
The AO manages all OAs and is responsible for process, the CAcert Organisation Assurance Programme ("COAP") form, OA training and testing, manuals, quality control. In these responsibilities, other Officers will assist.
The AO is appointed by the Board. Where the AO is failing, the Board decides.
An OA must be an experienced Assurer:
Have 150 Assurance Points.
Be fully trained and tested on all general Assurance processes.
Must be trained as Organisation Assurer:
Global knowledge: this policy.
Global knowledge: an OA manual covers how to do the process.
Local knowledge: legal forms of organisations within the jurisdiction.
Basic governance.
Training may be done in a variety of ways, such as on-the-job.
Must be tested:
Global test: covers this policy and the process.
Local knowledge: the Subsidiary Policy specifies the test.
Tests are to be created, approved, run and verified by CAcert only (not outsourced).
Testing includes both online/automated and manual tests, with the manual tests confirming the online tests.
Documentation is to be retained.
Tests may include on-the-job components.
Must be approved:
Two supervising OAs must sign off on a new OA as trained, tested and passed.
The AO must sign off on a new OA as supervised, trained and tested.
Once a CAcert (individual) Assurer has advised on several OA Applications (COAPs), the AO can decide to appoint this person as an OA.
In countries, states or provinces where no OAs are operating for an OA Application (COAP), the OA can be advised by an experienced local CAcert (individual) Assurer in taking the decision to accept the organisation's OA Application (COAP).
The local Assurer must have at least 150 Points, should know the language, and should know the culture and quality of the local organisation trade office registry.
The Administrator within each Organisation ("O-Admin") is the one who handles the assurance requests and the issuing of certificates.
An O-Admin must be an individual Assurer:
Have 100 Assurance Points.
Be fully trained and tested as Assurer.
The organisation is required to appoint the O-Admin(s), and additional ones as required:
On the COAP Request Form.
On the organisation Member account.
An O-Admin must work with an assigned OA:
Have contact details.
Be named on the organisation Member account.
There is one policy being this present document, and several subsidiary policies.
This policy authorises the creation of subsidiary policies.
This policy is international.
Subsidiary policies are implementations of the policy.
Organisations are assured under an appropriate subsidiary policy.
The nature of the Subsidiary Policies ("SubPols"):
SubPols are purposed to check the organisation under the rules of the jurisdiction that creates the organisation. This does not evidence an intention by CAcert to enter into the local jurisdiction, nor an intention to impose the rules of that jurisdiction over any other organisation. CAcert assurances are conducted under the jurisdiction of CAcert.
For OAs, SubPol specifies the tests of local knowledge including the local organisation assurance COAP forms.
For assurances, SubPol specifies the local documentation forms which are acceptable under this SubPol to meet the standard.
SubPols are subjected to the normal policy approval process.
Subsidiary Policies are open, accessible and free to enter.
SubPols compete but are compatible.
No SubPol is a franchise.
Many will be on State or National lines, reflecting the legal tradition of organisations created ("incorporated") by states.
However, there is no need for strict national lines; it is possible to have 2 SubPols in one country, or one covering several countries with the same language (e.g., Austria with Germany, England with Wales but not Scotland).
There could also be SubPols for special organisations, one person organisations, UN agencies, churches, etc.
Where it is appropriate to use the SubPol in another situation (another country?), it can be so approved. (e.g., Austrian SubPol might be approved for Germany.) The SubPol must record this approval.
The essential standard of Organisation Assurance (see also 1.1 Organisation Assurance Statement) is:
the organisation exists
the organisation name is correct and consistent:
in official documents specified in SubPol.
on COAP form.
in CAcert database.
form or type of legal entity is consistent
signing rights: requester can sign on behalf of the organisation.
the organisation has agreed to the terms of the CAcert Community Agreement , and is therefore subject to Arbitration.
Organisation Domain names must have been checked according to the CPS.
Acceptable documents to meet above standard are stated in the SubPol.
The Organisation Assurance applies Assurance Points to each organisation Member which measure the increase of confidence in the Statement (above). Assurance Points should not be interpreted for any other purpose. Note that, even though they are sometimes referred to as Web-of-Trust (Assurance) Points, or Trust Points, the meaning of the word 'Trust' is not well defined.
Assurance Points Allocation
An Assurer can allocate a number of Assurance Points to the organisation Member. Allocation of the maximum means that the Assurer is 100% confident in the information presented:
Detail on form, system, documents, organisation and O-Admin(s) in accordance;
Sufficient quality organisation registration extract documents and organisation by-laws related to signature control of the organisation director have been checked;
Assurer's familiarity with extract and by-laws documents;
The Organisation Assurance Statement is confirmed.
Any lesser confidence should result in fewer Assurance Points for an organisation name. If the Organisation Assurer has no confidence in the information presented, then zero Assurance Points may be allocated by the Organisation Assurer. For example, this may happen if the identity documents are totally unfamiliar to the Organisation Assurer. The Organisation Assurer may be assisted by a second (individual) Assurer, in order to gain confidence and/or to assist in allocating a second Organisation Assurance. The number of Assurance Points, from zero to the maximum, is guided by the Assurance Handbook and the judgment of the Assurer. If there is negative confidence, the Assurer should consider filing a dispute.
Multiple (trade) organisation names should be allocated Assurance Points independently within a single Assurance.
In general, for an organisation Member to reach 50 Assurance Points, the Member must have participated in at least two assurances, and at least one organisation name will have been assured to that level.
The maximum number of Assurance Points which can be allocated for an Assurance under this policy and under any act under any Subsidiary Policy (below) is 50 Assurance Points.
The COAP form documents the checks and the resultant assurance results to meet the standard. Additional information to be provided on form:
CAcert account of the O-Admin(s) (the email address of the O-Admin's individual Assurer Membership account).
Location:
country (MUST).
city (MUST).
additional contact information (as required by SubPol).
Administrator account name(s) (1 or more)
Domain name(s)
Agreement with CAcert Community Agreement. Statement and initials box for organisation and also for OA.
Date of completion of Assurance. Records should be maintained for 7 years from this date.
The COAP should be in English. Where translations are provided, they should be matched to the English, and indication provided that the English is the ruling language (due to Arbitration requirements).
Organisation Assurances are carried out by CAcert Inc. under its Arbitration jurisdiction. Actions carried out by OAs are under this regime.
The organisation has agreed to the terms of the CAcert Community Agreement.
The organisation, the Organisation Assurers, CAcert and other related parties are bound into CAcert's jurisdiction and dispute resolution.
The OA is responsible for ensuring that the organisation reads, understands, intends and agrees to the CAcert Community Agreement. This OA responsibility should be recorded on COAP (statement and initials box).
Conflicts of Interest. An OA must not assure an organisation in which there is a close or direct relationship by, e.g., employment, family, financial interests. Other conflicts of interest must be disclosed.
Trusted Third Parties. TTPs are not generally approved to be part of organisation assurance, but may be approved by subsidiary policies according to local needs.
Exceptional Organisations (e.g., Vatican, International Space Station, United Nations) can be dealt with as a single-organisation SubPol. The OA creates the checks, documents them, and subjects them to the normal policy approval process.
DBA. Alternative names for organisations (DBA, "doing business as") can be added as long as they are proven independently, e.g. by registration as a DBA or by holding a registered trade mark. This means that the Anglo common-law tradition of unregistered DBAs is not accepted without further proof.
Status: POLICY m20070918.x
-------- with DRAFT p20080401.1
Editor: Jens Paul
Licence: CC-by-sa+DRP