<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" lang="en">
<title> CAcert -- TTP-Assisted Assurance Policy </title>
<style type="text/css">
<!--
.comment {
color : steelblue;
}
-->
</style>
</head>
<body>

<div class="comment">
<table width="100%">
<tbody>
<tr>
<td rowspan="2">
Name: TTP-Assist <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD13.2</a>
<br>
Status: POLICY <a href="https://wiki.cacert.org/PolicyDecisions#p20140731">p20140731</a>
<br>
Editor: <a style="color: steelblue" href="https://wiki.cacert.org/UlrichSchroeter">Ulrich Schroeter</a>
<br>
Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright © CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy"> CC-by-sa+DRP </a>
<br>
</td>
<td align="right" valign="top">
<a href="https://www.cacert.org/policy/PolicyOnPolicy.php">
<img src="images/cacert-policy.png" alt="TTP-Assist Status - POLICY" style="border-style: none;" height="31" width="88">
</a>
</td>
</tr>
</tbody>
</table>
</div>

<h1> TTP-Assisted Assurance Policy </h1>

<h2 id="g0.1">0. Preliminaries </h2>

<p>
This sub-policy extends the
<a href="https://www.cacert.org/policy/AssurancePolicy.php">
Assurance Policy</a> ("AP" => COD13)
by specifying how Assurers can be assisted by
outsourcing the identity documents verification
component of assurance to trusted third parties (TTPs).
Other definitions and terms can be found in AP or in
<a href="https://wiki.cacert.org/AssuranceHandbook">Assurance Handbook</a>
("AH").
</p>

<h2 id="g0.2">1. Scope </h2>

<p>
This sub-policy is restricted to members located
in areas not well-served with Assurers.
It serves a goal of promoting both Assurers and Members in those areas.
</p>

<h2 id="g0.3">2. Roles </h2>

<h3 id="g0.3.1">2.1 Trusted Third Party </h3>

<p>
A Trusted Third Party ("TTP") is a person who is traditionally respected
for making reliable statements to others, especially over identification
documents. Typical examples are notaries public (Anglo),
Notaries (European), bank managers, accountants
and lawyers.
</p>

<h3 id="g0.3.2">2.2 The Assurer (aka TTP-admin) </h3>

<p>
To employ a TTP in an assurance,
the Assurer must be a <a href="https://wiki.cacert.org/SeniorAssurer">Senior Assurer</a>.
The Assurer must be familiar with the local
language and customs.
</p>

<h3 id="g0.3.3">2.3 Member </h3>

<p>
A Member ("assuree") who is located in a place not well-served
by Assurers may use the TTP-assisted assurance.
</p>

<h2 id="g0.4">3. The Assurance </h2>

<p>
Assurance assisted by TTP must meet these requirements:
</p>

<ol style="list-style-type: lower-alpha;">
<li id="s3.a">
The Assurer must positively confirm the identity and
suitability of the TTP.
</li>
<li id="s3.b">
The TTP and the Member must meet face-to-face.
</li>
<li id="s3.c">
The TTP confirms the details supporting the Assurance Statement.
</li>
<li id="s3.d">
The Assurer makes a reliable statement to confirm the
Assurance Statement.
</li>
<li id="s3.e">
Assurance must be marked as TTP-Assisted
(e.g., by use of TTPAdmin flag).
</li>
</ol>

<h2 id="g0.5">4. Assurance Officer ("AO") </h2>

<p>
The Board routinely delegates its responsibilities to the
Assurance Officer (and this section assumes that, but does
not require it).
</p>

<p>
A report is requested annually from the Assurance Officer
on performance of this policy for the association's
annual report.
</p>

<h3 id="g0.5.1">4.1 Practice </h3>

<p>
The Assurance Officer should prepare
<a href="https://wiki.cacert.org/TTP">detailed documentation</a>
under
<a href="https://wiki.cacert.org/AssuranceHandbook">AH</a>
that meets the needs of this policy, including:
</p>

<ul>
<li>
Form for TTPs.
</li>
<li>
Guide for TTPs.
</li>
<li>
Form for TTP-assisted assurance (used by Assurer).
</li>
<li>
Guide and protocol for Assurers.
</li>
<li>
Mechanisms for contacting Assurers available for
TTP-assisted assurances.
</li>
<li>
Definition of
<a href="https://wiki.cacert.org/SeniorAssurer">
Senior Assurer</a>.
</li>
</ul>

<h3 id="g0.5.2">4.2 Deserts </h3>

<p>
The Assurance Officer maintains a
<a href="https://wiki.cacert.org/deserts">list of regions</a>
that are designated as '<i>deserts,</i>' being areas that are so short
of Assurers as to render face-to-face Assurance impractical.
In each region, approved types of TTP are listed (e.g., Notary).
The list is expected to vary according to the
different juridical traditions of different regions.
Changes to the regional lists are prepared by
either an Organisation Assurer for that region
(as described by OAP)
or by two Assurers familiar with the traditions
in that region.
Changes are then submitted to the Board for approval.
</p>

<p>
Use of a type of TTP not on the list must be approved by
AO and notified to Board.
It is an explicit goal to reduce the usage of
TTP-assisted assurances in favour of face-to-face Assurance.
</p>

<p>
In coordination with internal and external auditors,
the Assurance Officer shall design and implement a
suitable programme to meet the needs of audit.
Where approved by auditors or Board, the Assurance
Officer may document and implement minor variations to this policy.
</p>

<h2 id="g0.6">5. Topup Assurance </h2>

<p>
AO is to operate a <cite>Topup Assurance Programme</cite>
to help seed deserts with Assurers.
A topup assurance will add additional Assurance Points
to those gained from two previously conducted TTP-assisted assurances,
in order for a Member to reach 100 Assurance Points
for the express purpose of becoming an Assurer.
</p>

<p>
A topup assurance is conducted by a third Senior Assurer
according to the following requirements:
</p>

<ol>
<li id="s5.1">
Assurer Challenge must be completed as passed by Member.
</li>
<li id="s5.2">
The topup must be requested by Member for
purpose of enabling the Member to reach Assurer level.
</li>
<li id="s5.3">
Topup Assurer must be a Senior Assurer,
and must be independent of the TTP-assist Assurers.
</li>
<li id="s5.4">
The Topup Assurer reviews the two TTP-assisted assurances,
and conducts other checks as set by the Assurance Officer.
The normal face-to-face meeting is not conducted.
</li>
<li id="s5.5">
Topup Assurer may award up to 35 points.
</li>
<li id="s5.6">
Assurance must be marked as Topup
(e.g., by use of new feature with TTPAdmin flag).
</li>
</ol>

<p>
Each topup is to be reported to AO.
Topup is only available in designated deserts.
</p>

</body>
</html>