CAcert Remote Verification Policy (RVP)

CAcert Policy Status
Author: Pete Stephenson
Creation date: 2008-07-12
Status: WIP 2008-07-12
Edited by: Teus Hagen, 2009-02-11
Next status: DRAFT 2009

0. Preliminaries

This sub-policy extends the Assurance Policy ("AP") and Organisation Assurance Policy ("OAP") by providing a framework for verifying the identity of individual Members and the organisation (trade) name of organisation Members via Trusted Third Providers ("TTPs"), including Government Authorities, Certification Authorities and Commercial Identity Providers, under the supervision of a CAcert (Organisation) Assurer.

Successful completion of the name verification process defined in RVP sub-policies shall result in 10 extra Assurance Points being added to the maximum number of Assurance Points that the Assurer supervising the Member's assurance process can allocate.

1. Scope

This sub-policy is available to all individual and organisation Community Members.

2. Roles

2.1 CAcert (Organisation) Assurer

The CAcert (Organisation) Assurer must check the CAcert (Organisation) Assurance Programme form. The identity verification or organisation name verification is remotely performed by the Trusted Verification Provider (2.2).

The Trusted Verification Provider who is involved in the verification process should be accepted by the Assurer.

iang: This clause above probably will NOT meet the criteria DRC C.9.a: "MUST be satisfied as to the identity and competency of the TTP in identification procedures, as though they were to be conducting the assurance themselves."

The Assurer will keep the following signed documents:

  1. Signed document (e.g. CAP or COAP form) for CAcert Community Agreement with the Member.

  2. Signed report of the Trusted Verification Provider for the name verification.

iang: This clause probably will meet the criteria DRC C.9.b: "RAs provide the CA with complete documentation on each verified applicant for a certificate." Although, it is not clear how the Signed Report is delivered from TVP to CA.

2.2 Trusted Verification Provider ("TVP")

Each TVP:

  1. must be verifiably practicing identification procedures, typically one of the following:

    1. Government Authorities responsible for issuing ID documents for individuals, trade office extracts for organisations, or providing taxation functions

    2. Certification Authorities issuing authentication tokens (including certificates) based on a published identity and/or trade name verification process

    3. Commercial Identity Providers providing identity verification as a commercial service.

    4. Commercial Trade name Registrars providing trade name verification.

  2. must provide a secure mechanism for validating a member's identity and/or organisation name or trade name, including:

    1. Authentication Tokens which are delivered to the user and verifiable in a cryptographically strong fashion

    2. Online Verification via a web interface, ideally one that is verified by SSL/TLS

    3. Out-of-Band communication directly with CAcert, Inc. as to the outcome of the verification

  3. should conduct name identification procedures similar in nature to CAcert's existing procedures (e.g. examining ID documents, trade office extracts, obtaining 'assurances' from other trusted members)

2.3 Member

A Member (the subject of a verification) using the Remote Verification program:

  1. must agree to be bound by the CAcert Community Agreement (CCA).

  2. must disclose any conflicts of interest (including but not limited to relationships with the (Organisation) Assurer).

  3. must cover the costs of their assurance (if any), including fees imposed by TVPs and the Assurer.

3. Processes

3.1 Verification

  1. Member shall create a CAcert account and agree to the CAcert Community Agreement (CCA).

  2. Member shall complete the procedure specified by the applicable sub-policy(s), including being verified by the TVP.

4. Documentation

Where documentation is required by the verification process it shall be subject to the prevailing records management policies which may require that it be kept for a certain period or destroyed immediately after processing.