CACert Remote Verification Policy (RVP)
Editor: Pete Stephenson
Creation date: 2008-07-12
Last change by: Pete
Last change date: 2008-07-14 21:42 MST
Status: WIP 2008-07-12
Next status: DRAFT 08-2008
0. Preamble
This sub-policy extends the Assurance Policy ("AP") by providing a framework for members to verify their identity via Trusted Verification Provider ("TVP"s) including Government Authorities, Certification Authorities and Commercial Identity Providers, under the supervision of the Assurance Officer ("AO").
Successful completion of the process defined in RVP sub-policies shall result in the allocation of up to 50 points depending on level of trust in the TVP and the verification process.
1. Scope
This sub-policy is available to all Members.
2. Roles
2.1 Trusted Verification Provider ("TVP")
Each TVP::
- MUST be verifiably practicing identification procedures, typically one of the following:
-
Government Authorities responsible for issuing ID documents or providing taxation functions
-
Certification Authorities issuing authentication tokens (including certificates) based on a published identity verification process
-
Commercial Identity Providers providing identity verification as a commercial service
- MUST provide a secure mechanism for validating a member's identity, including:
-
Authentication Tokens which are delivered to the user and verifiable in a cryptographically strong fashion;
-
Online Verification via a web interface, ideally which is verified by SSL/TLS;
-
Out-of-Band communication directly with CAcert as to the outcome of the verification;
- SHOULD conduct identification procedures similar in nature to CAcert's existing procedures (eg examining ID documents, obtaining "assurances" from other trusted members)
2.4 Member
A Member (the subject of a verification) using the Remote Verification program:
- MUST agree to be bound the CAcert Community Agreement (CCA), including the Disupute Resolution Policy (DRP)
- MUST disclose any conflicts of interest (including but not limited to relationships with Assurers)
- MUST cover the costs of their assurance (if any), including fees imposed by TTPs, TVPs, and Assurers
3. Processes
3.1 Verification
- Member SHALL create a CAcert account and agree to the CAcert Community Agreement (CCA)
- Member SHALL complete the procedure specified by the applicable sub-policy(s), including being verified by the TVP
4. Documentation
Where documentation is required by the verification process it shall be subject to the prevailing records management policies which may require that it be kept for a certain period or destroyed immediately after processing.