6b4ef587b7
git-svn-id: http://svn.cacert.org/CAcert/Policies@2010 14b1bab8-4ef6-0310-b690-991c95c89dfd
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">
<TITLE> CAcert Remote Verification Policy (RVP) </TITLE>
<META NAME="CHANGEDBY" CONTENT="Teus Hagen">
<META NAME="CHANGED" CONTENT="20090211;15005300">
</HEAD>

<BODY LANG="en-US" DIR="LTR">
<P><BR><BR>
</P>

<H1>CAcert Remote Verification Policy (RVP) </H1>

<P><A HREF="PolicyOnPolicy.html"><IMG SRC="images/cacert-wip.png" NAME="graphics1" ALT="CAcert Policy Status" ALIGN=BOTTOM WIDTH=90 HEIGHT=33 BORDER=0></A><BR>Author:
Pete Stephenson<BR>Creation date: 2008-07-12<BR>
Status: WIP 2008-07-12 <BR>
Edited by: Teus Hagen, 2009-02-11<BR>
Next status: DRAFT 2009<BR>
<!-- $Id$ --></P>

<H2>0. Preliminaries </H2>

<P>This sub-policy extends the Assurance Policy ("AP")
and Organisation Assurance Policy ("OAP") by providing a
framework for Members to verify for individual Members their identity
and for organisation Members their organisation (trade) name via Trusted Third
Providers ("TTPs") including Government Authorities,
Certification Authorities and Commercial Identity Providers, under
the supervision of a CAcert (Organisation) Assurer.
</P>

<P>Successful completion of the verification of name process defined
in RVP sub-policies shall result in the allocation of 10 extra
Assurance Points added to the maximum of Assurance Points the Assurer,
supervising the assurance process for the Member, can allocate.
</P>

<H2>1. Scope </H2>

<P>This sub-policy is available to all individual and organisation
Community Members. </P>

<H2>2. Roles </H2>

<H3>2.1 CAcert (Organisation) Assurer</H3>

<P>The CAcert (Organisation) Assurer must check the CAcert
(Organisation) Assurance Programme form. The identity verification or
organisation name verification is remotely performed by the Trusted
Verification Provider (2.2).</P>

<P>The Trusted Verification Provider who is involved in the
verification process should be accepted by the Assurer.
</P>

<P>
<i>
iang: This clause above probably <b>will NOT meet</b> the criteria DRC C.9.a: "MUST be satisfied as to the identity and competency of the TTP in identification procedures, as though they were to be conducting the assurance themselves."
</i>
</P>

<P>The Assurer will keep the following signed documents:</P>
<OL>
<LI><P>Signed document (e.g. CAP or COAP form) for CAcert Community Agreement with the Member.</P></LI>
<LI><P>Signed report of the Trusted Verification Provider for the name verification.</P></LI>
</OL>

<P>
<i>
iang: This clause probably will meet the criteria DRC C.9.b: "RAs provide the CA with complete documentation on each verified applicant for a certificate."
Although, it is not clear how the Signed Report is delivered from TVP to CA.
</i>
</P>

<H3>2.2 Trusted Verification Provider ("TVP") </H3>

<P>Each TVP: </P>

<OL>
<LI><P>must be <STRONG><I>verifiably
practicing identification procedures</I></STRONG>, typically one of
the following:</P>
<OL>
<LI><P><STRONG>Government Authorities</STRONG>
responsible for issuing ID documents for individuals, trade office
extracts for organisations, or providing taxation functions
</P>
<LI><P><STRONG>Certification Authorities</STRONG>
issuing authentication tokens (including certificates) based on a
published identity and/or trade name verification process
</P>
<LI><P><STRONG>Commercial Identity
Providers</STRONG> providing identity verification as a commercial
service.</P>
<LI><P><B>Commercial Trade name
Registrars</B> providing trade name verification.</P>
</OL>
<LI><P>must provide a secure mechanism
for validating a member's identity and/or organisation name or trade
name, including:
</P>
<OL>
<LI><P><STRONG>Authentication Tokens</STRONG>
which are delivered to the user and verifiable in a
cryptographically strong fashion
</P>
<LI><P><STRONG>Online Verification</STRONG>
via a web interface, ideally one which is verified by SSL/TLS
</P>
<LI><P><STRONG>Out-of-Band</STRONG>
communication directly with CAcert, Inc. as to the outcome of the
verification
</P>
</OL>
<LI><P>should conduct identification of name procedures similar in
nature to CAcert's existing procedures (e.g. examining ID documents,
trade office extracts, obtaining 'assurances' from other trusted
members)
</P>
</OL>

<H3>2.3 Member </H3>

<P>A Member (the subject of a verification) using the Remote
Verification program: </P>

<OL>
<LI><P>must agree to be bound by the CAcert
Community Agreement (CCA).</P>
<LI><P>must disclose any conflicts of
interest (including but not limited to relationships with
(Organisation) Assurer)
</P>
<LI><P>must cover the costs of their assurance (if any), including
fees imposed by TVPs and Assurer.</P>
</OL>

<H2>3. Processes </H2>

<H3>3.1 Verification </H3>

<OL>
<LI><P>Member shall create a CAcert
account and agree to the CAcert Community Agreement (CCA)
</P>
<LI><P>Member shall complete the procedure specified by the
applicable sub-policy(s), including being verified by the TVP.</P>
</OL>

<H2>4. Documentation </H2>

<P>Where documentation is required by the verification process it
shall be subject to the prevailing records management policies which
may require that it be kept for a certain period or destroyed
immediately after processing.
</P>

</BODY>
</HTML>