"Rename _all_ Policies from .php to .html and fix all links (was: Rename
PolicyOnPolicy.php to .html)"
Wytze van der Raay 2015-01-08 15:02:47 +00:00
parent ca85a98ce1
commit e2de6e8f7e
39 changed files with 11395 additions and 7171 deletions


@ -47,7 +47,7 @@ google_color_border = "FFFFFF";
<? if(array_key_exists('mconn',$_SESSION) && $_SESSION['mconn']) { ?>
<a href="https://<?=$_SESSION['_config']['normalhostname']?>/index.php?id=1"><?=_("Join")?></a>
<? } ?>
<a href="/policy/CAcertCommunityAgreement.php"><?=_("Community Agreement")?></a>
<a href="/policy/CAcertCommunityAgreement.html"><?=_("Community Agreement")?></a>
<a href="/index.php?id=3"><?=_("Root Certificate")?></a>
</div>
<? if(array_key_exists('mconn',$_SESSION) && $_SESSION['mconn']) { ?>


@ -23,7 +23,7 @@
<p><?=sprintf(_("If you want to have free certificates issued to you, %s join the CAcert Community %s."),'<a href="https://www.cacert.org/index.php?id=1">', '</a>')?></p>
<p><?=sprintf(_("If you want to use certificates issued by CAcert, read the CAcert %s Root Distribution License %s."),'<a href="/policy/RootDistributionLicense.php">',"</a>")?>
<p><?=sprintf(_("If you want to use certificates issued by CAcert, read the CAcert %s Root Distribution License %s."),'<a href="/policy/RootDistributionLicense.html">',"</a>")?>
<?=sprintf(_("This license applies to using the CAcert %s root keys %s."),'<a href="/index.php?id=3">','</a>')?></p>
@ -87,7 +87,7 @@
<p><?=sprintf(_("Have you passed the CAcert %s Assurer Challenge %s yet?"),'<a href="http://wiki.cacert.org/wiki/AssurerChallenge">','</a>')?></p>
<p><?=sprintf(_("Have you read the CAcert %sCommunity Agreement%s yet?"),'<a href="/policy/CAcertCommunityAgreement.php">','</a>')?></p>
<p><?=sprintf(_("Have you read the CAcert %sCommunity Agreement%s yet?"),'<a href="/policy/CAcertCommunityAgreement.html">','</a>')?></p>
<p><?=sprintf(_("For general documentation and help, please visit the CAcert %sWiki Documentation site %s."),'<a href="http://wiki.CAcert.org">','</a>')?>
<?=sprintf(_("For specific policies, see the CAcert %sApproved Policies page%s."),'<a href="/policy/">',"</a>")?></p>


@ -165,7 +165,7 @@
<td class="DataTD" colspan="3"><?=_("When you click on next, we will send a confirmation email to the email address you have entered above.")?></td>
</tr>
<tr>
<td class="DataTD" colspan="3"><input type="checkbox" name="cca_agree" value="1" <?=array_key_exists('cca_agree',$_SESSION['signup'])? ($_SESSION['signup']['cca_agree'] == "1" ?"checked=\"checked\"":""):"" ?> ><?=_("I agree to the terms and conditions of the CAcert Community Agreement")?>: <a href="/policy/CAcertCommunityAgreement.php">http://www.cacert.org/policy/CAcertCommunityAgreement.php</a></td>
<td class="DataTD" colspan="3"><input type="checkbox" name="cca_agree" value="1" <?=array_key_exists('cca_agree',$_SESSION['signup'])? ($_SESSION['signup']['cca_agree'] == "1" ?"checked=\"checked\"":""):"" ?> ><?=_("I agree to the terms and conditions of the CAcert Community Agreement")?>: <a href="/policy/CAcertCommunityAgreement.html">http://www.cacert.org/policy/CAcertCommunityAgreement.html</a></td>
</tr>
<tr>


@ -17,5 +17,5 @@
*/
header('HTTP/1.0 301 Moved Permanently');
header('Location: http://www.cacert.org/policy/CertificationPracticeStatement.php');
header('Location: http://www.cacert.org/policy/CertificationPracticeStatement.html');
exit();
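Review bot: The rewritten `Location` header still sends clients to `http://www.cacert.org/...`, while the policy pages added in this commit link to each other over `https://`. A permanent redirect to a plain-HTTP URL is cached by clients and leaves the hop to the Certification Practice Statement open to modification in transit. `header('Location: https://www.cacert.org/policy/CertificationPracticeStatement.html');` would avoid that, assuming the policy directory is served over HTTPS as the new documents' links suggest. The same scheme is kept on the `RedirectPermanent /cps.php` line in the htaccess section and in the Community Agreement links of the CAP and COAP form sections.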


@ -16,7 +16,7 @@
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/ ?>
<p><?=sprintf(_("You are bound by the %s Root Distribution Licence %s for any re-distributions of CAcert's roots."),"<a href='/policy/RootDistributionLicense.php'>","</a>")?></p>
<p><?=sprintf(_("You are bound by the %s Root Distribution Licence %s for any re-distributions of CAcert's roots."),"<a href='/policy/RootDistributionLicense.html'>","</a>")?></p>
<p>
Class 1 <?=_("PKI Key")?><br>


@ -16,7 +16,7 @@
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/ ?>
<p><?=sprintf(_("You are bound by the %s Root Distribution Licence %s for any re-distributions of CAcert's roots."),"<a href='/policy/RootDistributionLicense.php'>","</a>")?></p>
<p><?=sprintf(_("You are bound by the %s Root Distribution Licence %s for any re-distributions of CAcert's roots."),"<a href='/policy/RootDistributionLicense.html'>","</a>")?></p>
<h3><?=_("Windows Installer") ?></h3>
<ul class="no_indent">


@ -82,7 +82,7 @@
AssureTextLine("",_("Only tick the next box if the Assurance was face to face."));
AssureBoxLine("assertion",_("I believe that the assertion of identity I am making is correct, complete and verifiable. I have seen original documentation attesting to this identity. I accept that the CAcert Arbitrator may call upon me to provide evidence in any dispute, and I may be held responsible."),array_key_exists('assertion',$_POST) && $_POST['assertion'] == 1);
AssureBoxLine("rules",_("I have read and understood the CAcert Community Agreement (CCA), Assurance Policy and the Assurance Handbook. I am making this Assurance subject to and in compliance with the CCA, Assurance policy and handbook."),array_key_exists('rules',$_POST) && $_POST['rules'] == 1);
AssureTextLine(_("Policy"),"<a href=\"/policy/CAcertCommunityAgreement.php\" target=\"_blank\">"._("CAcert Community Agreement")."</a> -<a href=\"/policy/AssurancePolicy.php\" target=\"_blank\">"._("Assurance Policy")."</a> - <a href=\"http://wiki.cacert.org/AssuranceHandbook2\" target=\"_blank\">"._("Assurance Handbook")."</a>");
AssureTextLine(_("Policy"),"<a href=\"/policy/CAcertCommunityAgreement.html\" target=\"_blank\">"._("CAcert Community Agreement")."</a> - <a href=\"/policy/AssurancePolicy.html\" target=\"_blank\">"._("Assurance Policy")."</a> - <a href=\"http://wiki.cacert.org/AssuranceHandbook2\" target=\"_blank\">"._("Assurance Handbook")."</a>");
AssureInboxLine("points",_("Points"),"","<br />(Max. ".maxpoints().")");
AssureFoot($id,_("I confirm this Assurance"));
?>
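Review bot: The three anchors on the rewritten `AssureTextLine(_("Policy"), …)` line open with `target="_blank"` and carry no `rel` attribute, and the Assurance Handbook link points at `http://wiki.cacert.org/AssuranceHandbook2` over plain HTTP. In browsers that do not default to noopener, the opened page receives a `window.opener` handle back to this assurance form. Since the line is being edited anyway, adding `rel="noopener noreferrer"` to each anchor and switching the wiki link to `https://` (if the wiki serves it) would remove that exposure. The form-building code this line belongs to starts before the hunk.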


@ -4,4 +4,4 @@ errordocument 404 /error404.php
errordocument 403 /error403.php
errordocument 401 /error401.php
RedirectPermanent /cps.php http://www.cacert.org/policy/CertificationPracticeStatement.php
RedirectPermanent /cps.php http://www.cacert.org/policy/CertificationPracticeStatement.html


@ -16,7 +16,7 @@
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
loadem("index");
showheader(_("Identity Verification Form (CAP) form"));
Version: $Id: cap.html.php,v 1.2 2011/06/10 18:30:41 wytze Exp $
Version: $Id: cap.html.php,v 1.3 2015/01/08 15:02:40 wytze Exp $
*/
echo '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">', "\n";
echo '<html>', "\n";
@ -146,7 +146,7 @@
echo '<tbody>', "\n";
echo '<tr>', "\n";
echo ' <td colspan="3">'._("Make sure you have read and agreed with the CAcert Community Agreement");
echo '(<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">CCA</a>)<br>', "\n";
echo '(<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.html">CCA</a>)<br>', "\n";
echo '</td>', " \n", '</tr>', "\n";
/*
echo '</tbody>', "\n";
@ -158,7 +158,7 @@
echo '</td>', "\n".'</tr>', "\n";
echo '<tr>', "\n". ' <td colspan="3"><input type="checkbox" checked name="checked" value="2"> ';
echo _("I agree to the CAcert Community Agreement.").' (';
echo '<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">CCA</a>)</dd>', "\n";
echo '<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.html">CCA</a>)</dd>', "\n";
echo '</td>', "\n".'</tr>', "\n";
/*
echo '</tbody>', "\n";


@ -146,7 +146,7 @@
$this->SetFont("Arial", "", "9");
if($_SESSION['_config']['language'] == "ja")
$this->SetFont('SJIS','',9);
$this->MultiCell($this->w - 29, 3, recode($_SESSION['_config']['recode'], _("I agree to the CAcert Community Agreement.")." ( http://www.cacert.org/policy/CAcertCommunityAgreement.php )"));
$this->MultiCell($this->w - 29, 3, recode($_SESSION['_config']['recode'], _("I agree to the CAcert Community Agreement.")." ( http://www.cacert.org/policy/CAcertCommunityAgreement.html )"));
// new da end
$this->SetXY(13, $top + 55); //45->55
$this->Write(0, recode($_SESSION['_config']['recode'], _("Applicant's signature")).": __________________________________");


@ -17,8 +17,8 @@
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
// $Id: capnew.php,v 1.4 2012/01/24 14:26:05 root Exp $
define('REV', '$Revision: 1.4 $');
// $Id: capnew.php,v 1.5 2015/01/08 15:02:40 wytze Exp $
define('REV', '$Revision: 1.5 $');
/*
** Created from old cap.php 2003, which used the now obsoleted ftpdf package
@ -235,7 +235,7 @@ if( defined( 'TEST' ) ) {
//$_GET['orientation'] = 'portrait'; // default 2 pages, or portrait
}
$_GET['nocca'] = isset($_SERVER['CCA']) ? $_SERVER['CCA'] : '';
//$_GET['policy1'] = 'policy/PolicyOnPolicy.php';
//$_GET['policy1'] = 'policy/PolicyOnPolicy.html';
if( isset($_SERVER['FORM']) AND $_SERVER['FORM'] == 'noform' )
$_GET['noform'] = 'true';
@ -310,7 +310,7 @@ define('ARBIT', WIKI.'/ArbitrationForum');
// CAcert Community Agreement
define('CCA', 'CAcertCommunityAgreement'); // default policy to print
define('POLICY','policy/'); // default polciy doc directory
define('EXT','.php'); // default polciy doc extention, should be html
define('EXT','.html'); // default polciy doc extention, should be html
/* finger print CAcert Root Key */ // should obtain this automatically
define('CLASS1_SHA1','135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33');
define('CLASS3_SHA1','AD7C 3F64 FC44 39FE F4E9 0BE8 F47C 6CFA 8AAD FDCE');
@ -387,7 +387,7 @@ function utf8_is_ascii_ctrl($str) {
// extend TCPF with custom functions
class CAPPDF extends TCPDF {
// do cap form version numbering automatically '$Revision: 1.4 $'
// do cap form version numbering automatically '$Revision: 1.5 $'
/*public*/ function Version() {
strtok(REV, ' ');
return(strtok(' '));
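Review bot: The trailing comment on the changed `define('EXT','.html');` line still reads `should be html`, which is stale now that the value is `.html`, and it keeps the typos `polciy` and `extention`. Suggest `define('EXT','.html'); // default policy doc extension`. The identical line in the coapnew.php section has the same leftover comment.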


@ -14,7 +14,7 @@
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Version: $Id: coap.html.php,v 1.2 2011/06/10 18:30:41 wytze Exp $
Version: $Id: coap.html.php,v 1.3 2015/01/08 15:02:41 wytze Exp $
*/
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
@ -189,7 +189,7 @@ table#TAB1 td { border: 0 }
<?php
echo _("Make sure you have read and agreed with the CAcert Community Agreement");
?>
(<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">CCA</a>)</i><br></td>
(<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.html">CCA</a>)</i><br></td>
</tr>
<tr><td colspan=2><p></td></tr>
<tr>
@ -210,7 +210,7 @@ table#TAB1 td { border: 0 }
<?php
echo ' '. _("I agree to the CAcert Community Agreement.").' (';
?>
<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">CCA</a>)</dd></td>
<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.html">CCA</a>)</dd></td>
</tr>
<tr>
<td colspan="2"><input type="checkbox" checked name="checked" value="2">


@ -17,8 +17,8 @@
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
// $Id: coapnew.php,v 1.4 2012/01/24 14:26:05 root Exp $
define('REV', '$Revision: 1.4 $');
// $Id: coapnew.php,v 1.5 2015/01/08 15:02:41 wytze Exp $
define('REV', '$Revision: 1.5 $');
/*
** Created from old cap.php 2003, which used the now obsoleted ftpdf package
@ -345,7 +345,7 @@ define('ARBIT', WIKI."/ArbitrationForum");
// CAcert Community Agreement
define('CCA', "CAcertCommunityAgreement"); // default policy to print
define('POLICY','policy/'); // default polciy doc directory
define('EXT','.php'); // default polciy doc extention, should be html
define('EXT','.html'); // default polciy doc extention, should be html
/* finger print CAcert Root Key */ // should obtain this automatically
define('CLASS1_SHA1','135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33');
define('CLASS3_SHA1','AD7C 3F64 FC44 39FE F4E9 0BE8 F47C 6CFA 8AAD FDCE');
@ -422,7 +422,7 @@ function utf8_is_ascii_ctrl($str) {
// extend TCPF with custom functions
class COAPPDF extends TCPDF {
// do cap form version numbering automatically "$Revision: 1.4 $"
// do cap form version numbering automatically "$Revision: 1.5 $"
/*public*/ function Version() {
strtok(REV, " ");
return(strtok(" "));


@ -0,0 +1,750 @@
<!DOCTYPE html>
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Assurance Policy</title>
<!--meta name="CREATED" content="20080530;0" -->
<!--meta name="CHANGEDBY" content="Teus Hagen" -->
<!--meta name="CHANGED" content="20080709;12381800" -->
<!--meta name="CREATEDBY" content="Ian Grigg" -->
<!--meta name="CHANGEDBY" content="Teus Hagen" -->
<!--meta name="CHANGEDBY" content="Robert Cruikshank" -->
<!--meta name="CHANGEDBY" content="Teus Hagen" -->
<style type="text/css">
P { color: #000000 }
TD P { color: #000000 }
H1 { color: #000000 }
H2 { color: #000000 }
DT { color: #000000; font-style: italic; }
DD { color: #000000 }
H3 { color: #000000 }
TH P { color: #000000 }
.r{ text-align: right; }
.l{ text-align: left; }
.c{ text-align : center; }
.vTop{ vertical-align: top; }
.size075{font-size: .75em;}
.size1{font-size: 1.1em;}
.size2{font-size: 1.5em;}
.size3{font-size: 2em;}
.parentC {margin-left:auto; margin-right:auto;}
.padding5 td{padding: 5px;}
.padding2 td{padding: 2px;}
.margin0 {margin: 0px;}
</style></head>
<body style="direction: ltr; color: rgb(0, 0, 0);" lang="en-GB">
<div class="comment">
<table style="width: 100%;">
<tr>
<td>
Name: AP <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD13</a><br>
Status: POLICY <a style="color: steelblue" href="https://wiki.cacert.org/PolicyDecisions#p20090105.2">p20090105.2</a><br>
Editor: <a style="color: steelblue" href="https://wiki.cacert.org/TeusHagen">Teus Hagen</a><br>
Creation date: 2008-05-30<br>
Last change by: Iang<br>
Last change date: 2009-01-08<br>
Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright &copy; CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy" > CC-by-sa+DRP </a><br>
</td>
<td class="r vTop">
<a href="https://www.cacert.org/policy/PolicyOnPolicy.html"><img src="images/cacert-policy.png" alt="AP Status - POLICY" height="31" width="88" style="border-style: none;"></a>
</td>
</tr>
</table>
</div>
<h1>Assurance Policy for CAcert Community Members</h1>
<h2 id="s0">0. Preamble</h2>
<h3 id="s0.1">0.1. Definition of Terms</h3>
<dl>
<dt>Member</dt>
<dd> A Member is an individual who has agreed to the CAcert
Community Agreement
(<a href="https://www.cacert.org/policy/CAcertCommunityAgreement.html" target="_blank">CCA</a>)
and has created successfully
a CAcert login account on the CAcert web site. </dd>
<dt>Assurance</dt>
<dd> Assurance is the process by which a Member of CAcert
Community (Assurer) identifies an individual (<span lang="en-US">Assuree</span>).
</dd>
<dt>Prospective Member</dt>
<dd> An individual who participates in the process of Assurance,
but has not yet created a CAcert login account. </dd>
<dt>Name</dt>
<dd> A Name is the full name of an individual.
</dd>
<dt>Secondary Distinguishing Feature</dt>
<dd> An additional personal data item of the Member
that assists discrimination from Members with similar full names.
(Currently this is the Date of Birth (DoB).)
</dd>
</dl>
<h3 id="s0.2">0.2. The CAcert Web of Trust</h3>
<p>
In face-to-face meetings,
an Assurer allocates a number of Assurance Points
to the Member being Assured.
CAcert combines the Assurance Points
into a global <i>Web-of-Trust</i> (or "WoT").
</p>
<p>
CAcert explicitly chooses to meet its various goals by
construction of a Web-of-Trust of all Members.
</p>
<h3 id="s0.3">0.3. Related Documentation</h3>
<p>
Documentation on Assurance is split between this
Assurance Policy (AP) and the
<a href="https://wiki.cacert.org/AssuranceHandbook2" target="_blank">Assurance
Handbook</a>. The policy is controlled by Configuration Control
Specification
(<a href="https://svn.cacert.org/CAcert/Policies/ConfigurationControlSpecification.html" target="_blank">CCS</a>)
under Policy on Policy
(<a href="https://www.cacert.org/policy/PolicyOnPolicy.html" target="_blank">PoP</a>)
policy document regime. Because Assurance is an active area, much
of the practice is handed over to the Assurance Handbook, which is
not a controlled policy document, and can more easily respond to
experience and circumstances. It is also more readable.
</p>
<p>
See also Organisation Assurance Policy (<a href="https://www.cacert.org/policy/OrganisationAssurancePolicy.html" target="_blank">OAP</a>)
and CAcert Policy Statement (<a href="https://www.cacert.org/policy/CertificationPracticeStatement.html" target="_blank">CPS</a>).
</p>
<h2 id="s1">1. Assurance Purpose</h2>
<p>The purpose of Assurance is to add confidence
in the Assurance Statement made by the CAcert Community of a Member. </p>
<p>With sufficient assurances, a Member may: (a) issue certificates
with their assured Name included, (b) participate in assuring others,
and (c) other related activities. The strength of these activities is
based on the strength of the assurance. </p>
<h3 id="s1.1">1.1. The Assurance Statement</h3>
<p>
The Assurance Statement makes the following claims
about a person:
</p>
<ol>
<li>
<p>The person is a bona fide Member. In other words, the
person is a member of the CAcert Community as defined by the CAcert
Community Agreement (<a href="https://www.cacert.org/policy/CAcertCommunityAgreement.html" target="_blank">CCA</a>); </p>
</li>
<li>
<p>The Member has a (login) account with CAcert's on-line
registration and service system; </p>
</li>
<li>
<p>The Member can be determined from any CAcert certificate
issued by the Account; </p>
</li>
<li>
<p>The Member is bound into CAcert's Arbitration as defined
by the CAcert Community Agreement; </p>
</li>
<li>
<p>Some personal details of the Member are known to CAcert:
the individual Name(s), primary and other listed individual email
address(es), secondary distinguishing feature (e.g. DoB). </p>
</li>
</ol>
<p>The confidence level of the Assurance Statement is expressed by
the Assurance Points. </p>
<h3 id="s1.2">1.2. Relying Party Statement</h3>
<p>The primary goal of the Assurance Statement is for the express
purpose of certificates to meet the needs of the <em>Relying Party
Statement</em>, which latter is found in the Certification Practice
Statement (<a href="https://www.cacert.org/policy/CertificationPracticeStatement.html" target="_blank">CPS</a>).
</p>
<p>When a certificate is issued, some of the Assurance Statement may
be incorporated, e.g. Name. Other parts may be implied, e.g.
Membership, exact account and status. They all are part of the
<em>Relying Party Statement</em>. In short, this means that other
Members of the Community may rely on the information verified by
Assurance and found in the certificate.</p>
<p>In particular, certificates are sometimes considered to provide
reliable indications of e.g. the Member's Name and email address. The
nature of Assurance, the number of Assurance Points, and other
policies and processes should be understood as limitations on any
reliance. </p>
<h2 id="s2">2. The Member</h2>
<h3 id="s2.1">2.1. The Member's Name </h3>
<p>
At least one individual Name is recorded in the Member's
CAcert login account. The general standard of a Name is:
</p>
<ul>
<li>
<p>
The Name should be recorded as written in a
government-issued photo identity document (ID).
</p>
</li>
<li>
<p>
The Name should be recorded as completely as possible.
That is, including all middle names, any titles and extensions,
without abbreviations, and without transliteration of characters.
</p>
</li>
<li>
<p>The Name is recorded as a string of characters,
encoded in unicode
transformation format.</p>
</li>
</ul>
<h3 id="s2.2">2.2. Multiple Names and variations</h3>
<p>
In order to handle the contradictions in the above general standard,
a Member may record multiple Names or multiple variations of a Name
in her CAcert online Account.
Examples of variations include married names,
variations of initials of first or middle names,
abbreviations of a first name,
different language or country variations,
and transliterations of characters in a name.
</p>
<h3 id="s2.3">2.3. Status and Capabilities</h3>
<p>
A Name which has reached
the level of 50 Assurance Points is defined as an Assured
Name. An Assured Name can be used in a certificate issued by CAcert.
A Member with at least one Assured Name has reached the Assured
Member status.
Additional capabilities are described in Table 1.
</p>
<blockquote>
<p class="l size075"><em>Table 1:
Assurance Capability</em></p>
<table class="padding5 margin0" border="1">
<tbody>
<tr>
<td style="width: 10%;">
<p class="l"><em>Minimum Assurance Points</em></p>
</td>
<td style="width: 15%;">
<p class="l"><em>Capability</em></p>
</td>
<td style="width: 15%;">
<p class="l"><em>Status</em></p>
</td>
<td style="width: 60%;">
<p class="l"><em>Comment</em></p>
</td>
</tr>
<tr class="vTop">
<td>
<p class="c">0</p>
</td>
<td>
<p class="l">Request Assurance</p>
</td>
<td>
<p class="l">Prospective Member</p>
</td>
<td>
<p class="l">Individual taking part of an
Assurance, who does not have created a CAcert login account (yet). The
allocation of Assurance Points is awaiting login account creation.</p>
</td>
</tr>
<tr class="vTop">
<td>
<p class="c">0</p>
</td>
<td>
<p class="l">Request unnamed certificates</p>
</td>
<td>
<p class="l">Member</p>
</td>
<td>
<p class="l">Although the Member's details are
recorded in the account, they are not highly assured.</p>
</td>
</tr>
<tr class="vTop">
<td>
<p class="c">50</p>
</td>
<td>
<p class="l">Request named certificates</p>
</td>
<td>
<p class="l">Assured Member</p>
</td>
<td>
<p class="l">Statements of Assurance: the Name is
assured to 50 Assurance Points or more</p>
</td>
</tr>
<tr class="vTop">
<td>
<p class="c">100</p>
</td>
<td>
<p class="l">Become an Assurer</p>
</td>
<td>
<p class="l">Prospective Assurer</p>
</td>
<td>
<p class="l">Assured to 100 Assurance Points (or
more) on at least one Name, and passing the Assurer Challenge.</p>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p>
A Member may check the status of another Member, especially
for an assurance process.
Status may be implied from information in a certificate.
The number of Assurance Points for each Member is not published.
</p>
<p>
The CAcert Policy Statement
(<a href="https://www.cacert.org/policy/CertificationPracticeStatement.html" target="_blank">CPS</a>)
and other policies may list other capabilities that rely on Assurance
Points.
</p>
<h2 id="s3">3. The Assurer</h2>
<p>An Assurer is a Member with the following: </p>
<ul>
<li>
<p>Is assured to a minimum of 100 Assurance Points; </p>
</li>
<li>
<p>Has passed the CAcert Assurer Challenge. </p>
</li>
</ul>
<p>The Assurer Challenge is administered by the Education Team on
behalf of the Assurance Officer. </p>
<h3 id="s3.1">3.1. The Obligations of the Assurer</h3>
<p>The Assurer is obliged to: </p>
<ul>
<li>
<p>Follow this Assurance Policy; </p>
</li>
<li>
<p>Follow any additional rules of detail laid out by the
CAcert Assurance Officer; </p>
</li>
<li>
<p>Be guided by the CAcert <a href="https://wiki.cacert.org/AssuranceHandbook2" target="_blank">Assurance Handbook</a> in their
judgement; </p>
</li>
<li>
<p>Make a good faith effort at identifying and verifying
Members; </p>
</li>
<li>
<p>Maintain the documentation on each Assurance; </p>
</li>
<li>
<p>Deliver documentation to Arbitration, or as otherwise
directed by the Arbitrator; </p>
</li>
<li>
<p>Keep up-to-date with developments within the CAcert
Community. </p>
</li>
</ul>
<h2 id="s4">4. The Assurance</h2>
<h3 id="s4.1">4.1. The Assurance Process</h3>
<p>The Assurer conducts the process of Assurance with each
Member. </p>
<p>The process consists of: </p>
<ol>
<li>
<p>Voluntary agreement by both Assurer and Member or
Prospective Member to conduct the Assurance; </p>
</li>
<li>
<p>Personal meeting of Assurer and Member or Prospective
Member; </p>
</li>
<li>
<p>Recording of essential details on CAcert Assurance
Programme form; </p>
</li>
<li>
<p>Examination of Identity documents by Assurer and
verification of recorded details (the Name(s) and Secondary
Distinguishing Feature, e.g., DoB); </p>
</li>
<li>
<p>Allocation of Assurance Points by Assurer; </p>
</li>
<li>
<p>Optional: supervision of reciprocal Assurance made by
Assuree (Mutual Assurance); </p>
</li>
<li>
<p>Safekeeping of the CAcert Assurance Programme (<a href="https://www.cacert.org/cap.php" target="_blank">CAP</a>)
forms by Assurer. </p>
</li>
</ol>
<h3 id="s4.2">4.2. Mutual Assurance</h3>
<p>Mutual Assurance follows the principle of reciprocity. This
means
that the Assurance may be two-way, and that each member participating
in the Assurance procedure should be able to show evidence of their
identity to the other. </p>
<p>In the event that an Assurer is assured by a Member who is not
certified as an Assurer, the Assurer supervises the Assurance
procedure and process, and is responsible for the results. </p>
<p>Reciprocity maintains a balance between the (new) member and
the
Assurer, and reduces any sense of power. It is also an important aid
to the assurance training for future Assurers. </p>
<h3 id="s4.3">4.3. Assurance Points</h3>
<p>The Assurance applies Assurance Points to each Member which
measure the increase of confidence in the Statement (above).
Assurance Points should not be interpreted for any other purpose.
Note that, even though they are sometimes referred to as <em>Web-of-Trust</em>
(Assurance) Points, or <em>Trust</em> Points, the meaning
of the word
'Trust' is not well defined. </p>
<p><em>Assurance Points Allocation</em><br>
An Assurer can allocate a
number of Assurance Points to the Member according to the Assurer's
experience (Experience Point system, see below). The allocation of
the maximum means that the Assurer is 100% confident in the
information presented: </p>
<ul>
<li>
<p>Detail on form, system, documents, person in accordance; </p>
</li>
<li>
<p>Sufficient quality identity documents have been checked; </p>
</li>
<li>
<p>Assurer's familiarity with identity documents; </p>
</li>
<li>
<p>The Assurance Statement is confirmed. </p>
</li>
</ul>
<p>
Any lesser confidence should result in less Assurance Points for a
Name. If the Assurer has no confidence in the information presented,
then <em>zero</em> Assurance Points may be allocated by the Assurer.
For example, this may happen if the identity documents are totally
unfamiliar to the Assurer. The number of Assurance Points from <em>zero</em>
to <em>maximum</em> is guided by the Assurance Handbook
and the judgement of the Assurer.
If there is negative confidence the Assurer should consider
filing a dispute.
</p>
<p>Multiple Names should be allocated Assurance Points
independently within a single Assurance. </p>
<p>
A Member who is not an Assurer may award an Assurer in a
reciprocal process a maximum of 2 Assurance Points, according to
her judgement. The Assurer should strive to have the Member allocate
according to the Member's judgement, and stay on the cautious side;
the Member new to the assurance process
should allocate <em>zero</em> Assurance Points
until she gains some confidence in what is happening.
</p>
<p>
In general, for a Member to reach 50 Assurance Points, the Member must
have participated in at least two assurances, and
at least one Name will have been assured to that level.
</p>
<p>
To reach 100 Assurance
Points, at least one Name of the Assured Member must have been
assured at least three times.
</p>
<p>
The maximum number of Assurance
Points which can be allocated for an Assurance under this policy
and under any act under any
Subsidiary Policy (below) is 50 Assurance Points.
</p>
<h3 id="s4.4">4.4. Experience Points</h3>
<p>The maximum number of Assurance Points that may be awarded by
an
Assurer is determined by the Experience Points of the Assurer. </p>
<blockquote>
<p class="l size075" ><em>Table 2:
Maximum of Assurance Points </em>
</p>
<table class="padding margin0" border="1" style="width: 15%;">
<tbody>
<tr>
<td>
<p><em>Assurer's Experience Points</em></p>
</td>
<td>
<p><em>Allocatable Assurance Points</em></p>
</td>
</tr>
<tr>
<td>
<p class="c">0</p>
</td>
<td>
<p class="c">10</p>
</td>
</tr>
<tr>
<td>
<p class="c">10</p>
</td>
<td>
<p class="c">15</p>
</td>
</tr>
<tr>
<td>
<p class="c">20</p>
</td>
<td>
<p class="c">20</p>
</td>
</tr>
<tr>
<td>
<p class="c">30</p>
</td>
<td>
<p class="c">25</p>
</td>
</tr>
<tr>
<td>
<p class="c">40</p>
</td>
<td>
<p class="c">30</p>
</td>
</tr>
<tr>
<td>
<p class="c">&gt;=50</p>
</td>
<td>
<p class="c">35</p>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p>An Assurer is given a maximum of 2 Experience Points for every
completed Assurance. On reaching Assurer status, the Experience
Points start at 0 (zero). </p>
<p>Less Experience Points (1) may be given for mass Assurance
events,
where each Assurance is quicker. </p>
<p>Additional Experience Points may be granted temporarily or
permanently to an Assurer by CAcert Inc.'s Committee (board), on
recommendation from the Assurance Officer. </p>
<p>Experience Points are not to be confused with Assurance
Points. </p>
<h3 id="s4.5">4.5. CAcert Assurance Programme (CAP) form</h3>
<p>The CAcert Assurance Programme (<a href="https://www.cacert.org/cap.php" target="_blank">CAP</a>)
form requests the following details of each Member or Prospective
Member: </p>
<ul>
<li>
<p>Name(s), as recorded in the on-line account; </p>
</li>
<li>
<p>Primary email address, as recorded in the on-line account;
</p>
</li>
<li>
<p>Secondary Distinguishing Feature, as recorded in the
on-line account (normally, date of birth); </p>
</li>
<li>
<p>Statement of agreement with the CAcert Community
Agreement; </p>
</li>
<li>
<p>Permission to the Assurer to conduct the Assurance
(required for privacy reasons); </p>
</li>
<li>
<p>Date and signature of the Assuree. </p>
</li>
</ul>
<p>The CAP form requests the following details of the Assurer: </p>
<ul>
<li>
<p>At least one Name as recorded in the on-line account of
the Assurer; </p>
</li>
<li>
<p>Assurance Points for each Name in the identity
document(s); </p>
</li>
<li>
<p>Statement of Assurance; </p>
</li>
<li>
<p>Optional: If the Assurance is reciprocal, then the
Assurer's email address and Secondary Distinguishing Feature are
required as well; </p>
</li>
<li>
<p>Date, location of Assurance and signature of Assurer. </p>
</li>
</ul>
<p>The CAP forms are to be kept at least for 7 years by the
Assurer. </p>
<h2 id="s5">5. The Assurance Officer</h2>
<p>The Committee (board) of CAcert Inc. appoints an Assurance
Officer
with the following responsibilities: </p>
<ul>
<li>
<p>Reporting to the Committee and advising on all matters to
do with Assurance; </p>
</li>
<li>
<p>Training and testing of Assurers, in association with the
Education Team; </p>
</li>
<li>
<p>Updating this Assurance Policy, under the process
established by Policy on Policy (<a href="https://www.cacert.org/policy/PolicyOnPolicy.html" target="_blank">PoP</a>); </p>
</li>
<li>
<p>Management of all Subsidiary Policies (see below) for
Assurances, under Policy on Policy; </p>
</li>
<li>
<p>Managing and creating rules of detail or procedure where
inappropriate for policies; </p>
</li>
<li>
<p>Incorporating rulings from Arbitration into policies,
procedures or guidelines; </p>
</li>
<li>
<p>Assisting the Arbitrator in any requests; </p>
</li>
<li>
<p>Managing the Assurer Handbook; </p>
</li>
<li>
<p>Maintaining a sufficient strength in the Assurance process
(web-of-trust) to meet the agreed needs of the Community. </p>
</li>
</ul>
<h2 id="s6">6. Subsidiary Policies</h2>
<p>The Assurance Officer manages various exceptions and additional
processes. Each must be covered by an approved Subsidiary Policy
(refer to <a href="https://www.cacert.org/policy/PolicyOnPolicy.html" target="_blank">Policy on Policy</a> =&gt; CAcert Official Document COD1).
Subsidiary Policies specify any additional tests of knowledge
required and variations to process and documentation, within the
general standard stated here. </p>
<h3 id="s6.1">6.1. Standard</h3>
<p>Each Subsidiary Policy must augment and improve the general
standards in this Assurance Policy. It is the responsibility of each
Subsidiary Policy to describe how it maintains and improves the
specific and overall goals. It must describe exceptions and potential
areas of risk. </p>
<h3 id="s6.2">6.2. High Risk Applications</h3>
<p>In addition to the Assurance or Experience Points ratings set
here and in other subsidiary policies, the Assurance Officer or policies can
designate certain applications as high risk. If so, additional
measures may be added to the Assurance process that specifically
address the risks.</p>
<p>Additional measures may include:
</p>
<ul>
<li>
<p>Additional information can be required in process of assurance: </p>
<ul>
<li>unique numbers of identity documents,</li>
<li>photocopy of identity documents,</li>
<li>photo of User,</li>
<li>address of User.</li>
</ul>
<p>Additional Information is to be kept by Assurer, attached to
CAcert Assurance Programme (<a href="https://www.cacert.org/cap.php" target="_blank">CAP</a>)
form. Assurance Points allocation by this assurance is unchanged.
User's CAcert login account should be annotated to record type of
additional information;</p>
</li>
<li>
<p>Arbitration: </p>
<ul>
<li> Member to participate in Arbitration. This confirms
their acceptance of the forum as well as trains in the process and
import,
</li>
<li> Member to file Arbitration to present case. This
allows Arbitrator as final authority;
</li>
</ul>
</li>
<li>
<p>Additional training; </p>
</li>
<li>
<p>Member to be Assurer (at least 100 Assurance Points and
passed Assurer Challenge); </p>
</li>
<li>
<p>Member agrees to additional specific agreement(s); </p>
</li>
<li>
<p>Additional checking/auditing of systems data by CAcert
support administrators. </p>
</li>
</ul>
<p>Applications that might attract additional measures include
code-signing certificates and administration roles. </p>
<h2 id="s7">7. Privacy</h2>
<p>CAcert is a "privacy" organisation, and takes the
privacy of its Members seriously. The process maintains the security
and privacy of both parties. </p>
<p>Information is collected primarily to make claims within the
certificates requested by users and to contact the Members. It is
used secondarily for training, testing, administration and other
internal purposes. </p>
<p>The Member's information can be accessed under these
circumstances: </p>
<ul>
<li>
<p>Under Arbitrator ruling, in a duly filed dispute (<a href="https://www.cacert.org/policy/DisputeResolutionPolicy.html" target="_blank">Dispute Resolution Policy</a>
=&gt; COD7); </p>
</li>
<li>
<p>An Assurer in the process of an Assurance, as permitted on
the CAcert Assurance Programme (<a href="https://www.cacert.org/cap.php" target="_blank">CAP</a>)
form; </p>
</li>
<li>
<p>CAcert support administration and CAcert systems
administration when operating under the authority of Arbitrator or
under CAcert policy. </p>
</li>
</ul>
<p><a href="http://validator.w3.org/check?uri=referer"><img src="images/valid-html50-blue.png" alt="Valid HTML 5" height="31" width="88"></a></p>
</body></html>


@ -1,723 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><head>
<title>Assurance Policy</title>
<meta name="CREATED" content="20080530;0">
<meta name="CHANGEDBY" content="Teus Hagen">
<meta name="CHANGED" content="20080709;12381800">
<meta name="CREATEDBY" content="Ian Grigg">
<meta name="CHANGEDBY" content="Teus Hagen">
<meta name="CHANGEDBY" content="Robert Cruikshank">
<meta name="CHANGEDBY" content="Teus Hagen">
<style type="text/css">
<!--
P { color: #000000 }
TD P { color: #000000 }
H1 { color: #000000 }
H2 { color: #000000 }
DT { color: #000000 }
DD { color: #000000 }
H3 { color: #000000 }
TH P { color: #000000 }
-->
</style></head>
<body style="direction: ltr; color: rgb(0, 0, 0);" lang="en-GB">
<h1>Assurance Policy for CAcert Community Members</h1>
<p><a href="PolicyOnPolicy.php"><img src="/images/cacert-policy.png" id="graphics1" alt="CAcert Policy Status == POLICY" align="bottom" border="0" height="33" width="90"></a>
<br>
Editor: Teus Hagen<br>
Creation date: 2008-05-30<br>
Last change by: Iang<br>
Last change date: 2009-01-08<br>
Status: POLICY p20090105.2
</p>
<h2><a name="0">0.</a> Preamble</h2>
<h3><a name="0.1">0.1.</a> Definition of Terms</h3>
<dl>
<dt><i>Member</i> </dt>
<dd> A Member is an individual who has agreed to the CAcert
Community Agreement
(<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php" target="_blank">CCA</a>)
and has created successfully
a CAcert login account on the CAcert web site. </dd>
<dt> <i>Assurance</i> </dt>
<dd> Assurance is the process by which a Member of CAcert
Community (Assurer) identifies an individual (<span lang="en-US">Assuree</span>).
</dd>
<dt> <i>Prospective Member</i> </dt>
<dd> An individual who participates in the process of Assurance,
but has not yet created a CAcert login account. </dd>
<dt> <i>Name</i> </dt>
<dd> A Name is the full name of an individual.
</dd>
<dt> <i>Secondary Distinguishing Feature</i>
</dt>
<dd> An additional personal data item of the Member
that assists discrimination from Members with similar full names.
(Currently this is the Date of Birth (DoB).)
</dd>
</dl>
<h3><a name="0.2">0.2.</a> The CAcert Web of Trust</h3>
<p>
In face-to-face meetings,
an Assurer allocates a number of Assurance Points
to the Member being Assured.
CAcert combines the Assurance Points
into a global <i>Web-of-Trust</i> (or "WoT").
</p>
<p>
CAcert explicitly chooses to meet its various goals by
construction of a Web-of-Trust of all Members.
</p>
<h3><a name="0.3">0.3.</a> Related Documentation</h3>
<p>
Documentation on Assurance is split between this
Assurance Policy (AP) and the
<a href="http://wiki.cacert.org/wiki/AssuranceHandbook2" target="_blank">Assurance
Handbook</a>. The policy is controlled by Configuration Control
Specification
(<a href="http://wiki.cacert.org/wiki/PolicyDrafts/ConfigurationControlSpecification" target="_blank">CCS</a>)
under Policy on Policy
(<a href="http://www.cacert.org/policy/PolicyOnPolicy.php" target="_blank">PoP</a>)
policy document regime. Because Assurance is an active area, much
of the practice is handed over to the Assurance Handbook, which is
not a controlled policy document, and can more easily respond to
experience and circumstances. It is also more readable.
</p>
<p>
See also Organisation Assurance Policy (<a href="http://www.cacert.org/policy/OrganisationAssurancePolicy.php" target="_blank">OAP</a>)
and CAcert Policy Statement (<a href="http://www.cacert.org/policy/CertificationPracticeStatement.php" target="_blank">CPS</a>).
</p>
<h2><a name="1">1.</a> Assurance Purpose</h2>
<p>The purpose of Assurance is to add confidence
in the Assurance Statement made by the CAcert Community of a Member. </p>
<p>With sufficient assurances, a Member may: (a) issue certificates
with their assured Name included, (b) participate in assuring others,
and (c) other related activities. The strength of these activities is
based on the strength of the assurance. </p>
<h3><a name="1.1">1.1.</a>The Assurance Statement</h3>
<p>
The Assurance Statement makes the following claims
about a person:
</p>
<ol>
<li>
<p>The person is a bona fide Member. In other words, the
person is a member of the CAcert Community as defined by the CAcert
Community Agreement (<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php" target="_blank">CCA</a>); </p>
</li>
<li>
<p>The Member has a (login) account with CAcert's on-line
registration and service system; </p>
</li>
<li>
<p>The Member can be determined from any CAcert certificate
issued by the Account; </p>
</li>
<li>
<p>The Member is bound into CAcert's Arbitration as defined
by the CAcert Community Agreement; </p>
</li>
<li>
<p>Some personal details of the Member are known to CAcert:
the individual Name(s), primary and other listed individual email
address(es), secondary distinguishing feature (e.g. DoB). </p>
</li>
</ol>
<p>The confidence level of the Assurance Statement is expressed by
the Assurance Points. </p>
<h3><a name="1.2">1.2.</a>Relying Party Statement</h3>
<p>The primary goal of the Assurance Statement is for the express
purpose of certificates to meet the needs of the <i>Relying Party
Statement</i>, which latter is found in the Certification Practice
Statement (<a href="http://www.cacert.org/policy/CertificationPracticeStatement.php" target="_blank">CPS</a>).
</p>
<p>When a certificate is issued, some of the Assurance Statement may
be incorporated, e.g. Name. Other parts may be implied, e.g.
Membership, exact account and status. They all are part of the
<i>Relying Party Statement</i>. In short, this means that other
Members of the Community may rely on the information verified by
Assurance and found in the certificate.</p>
<p>In particular, certificates are sometimes considered to provide
reliable indications of e.g. the Member's Name and email address. The
nature of Assurance, the number of Assurance Points, and other
policies and processes should be understood as limitations on any
reliance. </p>
<h2><a name="2">2.</a> The Member</h2>
<h3><a name="2.1">2.1.</a> The Member's Name </h3>
<p>
At least one individual Name is recorded in the Member's
CAcert login account. The general standard of a Name is:
</p>
<ul>
<li>
<p>
The Name should be recorded as written in a
government-issued photo identity document (ID).
</p>
</li>
<li>
<p>
The Name should be recorded as completely as possible.
That is, including all middle names, any titles and extensions,
without abbreviations, and without transliteration of characters.
</p>
</li>
<li>
<p>The Name is recorded as a string of characters,
encoded in <span lang="en-US">unicode</span>
transformation format.</p>
</li>
</ul>
<h3><a name="2.2">2.2.</a> Multiple Names and variations</h3>
<p>
In order to handle the contradictions in the above general standard,
a Member may record multiple Names or multiple variations of a Name
in her CAcert online Account.
Examples of variations include married names,
variations of initials of first or middle names,
abbreviations of a first name,
different language or country variations,
and transliterations of characters in a name.
</p>
<h3><a name="2.3">2.3.</a> Status and Capabilities</h3>
<p>
A Name which has reached
the level of 50 Assurance Points is defined as an Assured
Name. An Assured Name can be used in a certificate issued by CAcert.
A Member with at least one Assured Name has reached the Assured
Member status.
Additional capabilities are described in Table 1.
</p>
<blockquote>
<p align="left"><font size="2"><i>Table 1:
Assurance Capability</i></font></p>
<table border="1" cellpadding="5" cellspacing="0">
<tbody>
<tr>
<td width="10%">
<p align="left"><i>Minimum Assurance Points</i></p>
</td>
<td width="15%">
<p align="left"><i>Capability</i></p>
</td>
<td width="15%">
<p align="left"><i>Status</i></p>
</td>
<td width="60%">
<p align="left"><i>Comment</i></p>
</td>
</tr>
<tr valign="top">
<td>
<p align="center">0</p>
</td>
<td>
<p align="left">Request Assurance</p>
</td>
<td>
<p align="left">Prospective Member</p>
</td>
<td>
<p align="left">Individual taking part of an
Assurance, who does not have created a CAcert login account (yet). The
allocation of Assurance Points is awaiting login account creation.</p>
</td>
</tr>
<tr valign="top">
<td>
<p align="center">0</p>
</td>
<td>
<p align="left">Request unnamed certificates</p>
</td>
<td>
<p align="left">Member</p>
</td>
<td>
<p align="left">Although the Member's details are
recorded in the account, they are not highly assured.</p>
</td>
</tr>
<tr valign="top">
<td>
<p align="center">50</p>
</td>
<td>
<p align="left">Request named certificates</p>
</td>
<td>
<p align="left">Assured Member</p>
</td>
<td>
<p align="left">Statements of Assurance: the Name is
assured to 50 Assurance Points or more</p>
</td>
</tr>
<tr valign="top">
<td>
<p align="center">100</p>
</td>
<td>
<p align="left">Become an Assurer</p>
</td>
<td>
<p align="left">Prospective Assurer</p>
</td>
<td>
<p align="left">Assured to 100 Assurance Points (or
more) on at least one Name, and passing the Assurer Challenge.</p>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p>
A Member may check the status of another Member, especially
for an assurance process.
Status may be implied from information in a certificate.
The number of Assurance Points for each Member is not published.
</p>
<p>
The CAcert Policy Statement
(<a href="http://www.cacert.org/policy/CertificationPracticeStatement.php" target="_blank">CPS</a>)
and other policies may list other capabilities that rely on Assurance
Points.
</p>
<h2><a name="3">3.</a> The Assurer</h2>
<p>An Assurer is a Member with the following: </p>
<ul>
<li>
<p>Is assured to a minimum of 100 Assurance Points; </p>
</li>
<li>
<p>Has passed the CAcert Assurer Challenge. </p>
</li>
</ul>
<p>The Assurer Challenge is administered by the Education Team on
behalf of the Assurance Officer. </p>
<h3><a name="3.1">3.1.</a> The Obligations of the Assurer</h3>
<p>The Assurer is obliged to: </p>
<ul>
<li>
<p>Follow this Assurance Policy; </p>
</li>
<li>
<p>Follow any additional rules of detail laid out by the
CAcert Assurance Officer; </p>
</li>
<li>
<p>Be guided by the CAcert <a href="http://wiki.cacert.org/wiki/AssuranceHandbook2" target="_blank">Assurance Handbook</a> in their
judgement; </p>
</li>
<li>
<p>Make a good faith effort at identifying and verifying
Members; </p>
</li>
<li>
<p>Maintain the documentation on each Assurance; </p>
</li>
<li>
<p>Deliver documentation to Arbitration, or as otherwise
directed by the Arbitrator; </p>
</li>
<li>
<p>Keep up-to-date with developments within the CAcert
Community. </p>
</li>
</ul>
<h2><a name="4">4.</a> The Assurance</h2>
<h3><a name="4.1">4.1.</a> The Assurance Process</h3>
<p>The Assurer conducts the process of Assurance with each
Member. </p>
<p>The process consists of: </p>
<ol>
<li>
<p>Voluntary agreement by both Assurer and Member or
Prospective Member to conduct the Assurance; </p>
</li>
<li>
<p>Personal meeting of Assurer and Member or Prospective
Member; </p>
</li>
<li>
<p>Recording of essential details on CAcert Assurance
Programme form; </p>
</li>
<li>
<p>Examination of Identity documents by Assurer and
verification of recorded details (the Name(s) and Secondary
Distinguishing Feature, e.g., DoB); </p>
</li>
<li>
<p>Allocation of Assurance Points by Assurer; </p>
</li>
<li>
<p>Optional: supervision of reciprocal Assurance made by
Assuree (Mutual Assurance); </p>
</li>
<li>
<p>Safekeeping of the CAcert Assurance Programme (<a href="http://www.cacert.org/cap.php" target="_blank">CAP</a>)
forms by Assurer. </p>
</li>
</ol>
<h3><a name="4.2">4.2.</a> Mutual Assurance</h3>
<p>Mutual Assurance follows the principle of reciprocity. This
means
that the Assurance may be two-way, and that each member participating
in the Assurance procedure should be able to show evidence of their
identity to the other. </p>
<p>In the event that an Assurer is assured by a Member who is not
certified as an Assurer, the Assurer supervises the Assurance
procedure and process, and is responsible for the results. </p>
<p>Reciprocity maintains a balance between the (new) member and
the
Assurer, and reduces any sense of power. It is also an important aid
to the assurance training for future Assurers. </p>
<h3><a name="4.3">4.3.</a> Assurance Points</h3>
<p>The Assurance applies Assurance Points to each Member which
measure the increase of confidence in the Statement (above).
Assurance Points should not be interpreted for any other purpose.
Note that, even though they are sometimes referred to as <i>Web-of-Trust</i>
(Assurance) Points, or <i>Trust</i> Points, the meaning
of the word
'Trust' is not well defined. </p>
<p><i>Assurance Points Allocation</i><br>
An Assurer can allocate a
number of Assurance Points to the Member according to the Assurer's
experience (Experience Point system, see below). The allocation of
the maximum means that the Assurer is 100% confident in the
information presented: </p>
<ul>
<li>
<p>Detail on form, system, documents, person in accordance; </p>
</li>
<li>
<p>Sufficient quality identity documents have been checked; </p>
</li>
<li>
<p>Assurer's familiarity with identity documents; </p>
</li>
<li>
<p>The Assurance Statement is confirmed. </p>
</li>
</ul>
<p>
Any lesser confidence should result in less Assurance Points for a
Name. If the Assurer has no confidence in the information presented,
then <i>zero</i> Assurance Points may be allocated by the Assurer.
For example, this may happen if the identity documents are totally
unfamiliar to the Assurer. The number of Assurance Points from <i>zero</i>
to <i>maximum</i> is guided by the Assurance Handbook
and the judgement of the Assurer.
If there is negative confidence the Assurer should consider
filing a dispute.
</p>
<p>Multiple Names should be allocated Assurance Points
independently within a single Assurance. </p>
<p>
A Member who is not an Assurer may award an Assurer in a
reciprocal process a maximum of 2 Assurance Points, according to
her judgement. The Assurer should strive to have the Member allocate
according to the Member's judgement, and stay on the cautious side;
the Member new to the assurance process
should allocate <i>zero</i> Assurance Points
until she gains some confidence in what is happening.
</p>
<p>
In general, for a Member to reach 50 Assurance Points, the Member must
have participated in at least two assurances, and
at least one Name will have been assured to that level.
</p>
<p>
To reach 100 Assurance
Points, at least one Name of the Assured Member must have been
assured at least three times.
</p>
<p>
The maximum number of Assurance
Points which can be allocated for an Assurance under this policy
and under any act under any
Subsidiary Policy (below) is 50 Assurance Points.
</p>
<h3><a name="4.4">4.4.</a> Experience Points</h3>
<p>The maximum number of Assurance Points that may be awarded by
an
Assurer is determined by the Experience Points of the Assurer. </p>
<blockquote>
<p align="left"><font size="2"><i>Table 2:
Maximum of Assurance Points </i></font>
</p>
<table border="1" cellpadding="2" cellspacing="0" width="15%">
<tbody>
<tr>
<td>
<p><i>Assurer's Experience Points</i></p>
</td>
<td>
<p><i>Allocatable Assurance Points</i></p>
</td>
</tr>
<tr>
<td>
<p align="center">0</p>
</td>
<td>
<p align="center">10</p>
</td>
</tr>
<tr>
<td>
<p align="center">10</p>
</td>
<td>
<p align="center">15</p>
</td>
</tr>
<tr>
<td>
<p align="center">20</p>
</td>
<td>
<p align="center">20</p>
</td>
</tr>
<tr>
<td>
<p align="center">30</p>
</td>
<td>
<p align="center">25</p>
</td>
</tr>
<tr>
<td>
<p align="center">40</p>
</td>
<td>
<p align="center">30</p>
</td>
</tr>
<tr>
<td>
<p align="center">&gt;=50</p>
</td>
<td>
<p align="center">35</p>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p>An Assurer is given a maximum of 2 Experience Points for every
completed Assurance. On reaching Assurer status, the Experience
Points start at 0 (zero). </p>
<p>Less Experience Points (1) may be given for mass Assurance
events,
where each Assurance is quicker. </p>
<p>Additional Experience Points may be granted temporarily or
permanently to an Assurer by CAcert Inc.'s Committee (board), on
recommendation from the Assurance Officer. </p>
<p>Experience Points are not to be confused with Assurance
Points. </p>
<h3><a name="4.5">4.5.</a> CAcert Assurance Programme (CAP) form</h3>
<p>The CAcert Assurance Programme (<a href="http://www.cacert.org/cap.php" target="_blank">CAP</a>)
form requests the following details of each Member or Prospective
Member: </p>
<ul>
<li>
<p>Name(s), as recorded in the on-line account; </p>
</li>
<li>
<p>Primary email address, as recorded in the on-line account;
</p>
</li>
<li>
<p>Secondary Distinguishing Feature, as recorded in the
on-line account (normally, date of birth); </p>
</li>
<li>
<p>Statement of agreement with the CAcert Community
Agreement; </p>
</li>
<li>
<p>Permission to the Assurer to conduct the Assurance
(required for privacy reasons); </p>
</li>
<li>
<p>Date and signature of the Assuree. </p>
</li>
</ul>
<p>The CAP form requests the following details of the Assurer: </p>
<ul>
<li>
<p>At least one Name as recorded in the on-line account of
the Assurer; </p>
</li>
<li>
<p>Assurance Points for each Name in the identity
document(s); </p>
</li>
<li>
<p>Statement of Assurance; </p>
</li>
<li>
<p>Optional: If the Assurance is reciprocal, then the
Assurer's email address and Secondary Distinguishing Feature are
required as well; </p>
</li>
<li>
<p>Date, location of Assurance and signature of Assurer. </p>
</li>
</ul>
<p>The CAP forms are to be kept at least for 7 years by the
Assurer. </p>
<h2><a name="5">5.</a> The Assurance Officer</h2>
<p>The Committee (board) of CAcert Inc. appoints an Assurance
Officer
with the following responsibilities: </p>
<ul>
<li>
<p>Reporting to the Committee and advising on all matters to
do with Assurance; </p>
</li>
<li>
<p>Training and testing of Assurers, in association with the
Education Team; </p>
</li>
<li>
<p>Updating this Assurance Policy, under the process
established by Policy on Policy (<a href="https://www.cacert.org/policy/PolicyOnPolicy.php" target="_blank">PoP</a>); </p>
</li>
<li>
<p>Management of all Subsidiary Policies (see below) for
Assurances, under Policy on Policy; </p>
</li>
<li>
<p>Managing and creating rules of detail or procedure where
inappropriate for policies; </p>
</li>
<li>
<p>Incorporating rulings from Arbitration into policies,
procedures or guidelines; </p>
</li>
<li>
<p>Assisting the Arbitrator in any requests; </p>
</li>
<li>
<p>Managing the Assurer Handbook; </p>
</li>
<li>
<p>Maintaining a sufficient strength in the Assurance process
(web-of-trust) to meet the agreed needs of the Community. </p>
</li>
</ul>
<h2><a name="6">6.</a> Subsidiary Policies</h2>
<p>The Assurance Officer manages various exceptions and additional
processes. Each must be covered by an approved Subsidiary Policy
(refer to Policy on Policy =&gt; CAcert Official Document COD1).
Subsidiary Policies specify any additional tests of knowledge
required and variations to process and documentation, within the
general standard stated here. </p>
<h3><a name="6.1">6.1.</a> Standard</h3>
<p>Each Subsidiary Policy must augment and improve the general
standards in this Assurance Policy. It is the responsibility of each
Subsidiary Policy to describe how it maintains and improves the
specific and overall goals. It must describe exceptions and potential
areas of risk. </p>
<h3><a name="6.2">6.2.</a> High Risk Applications</h3>
<p>In addition to the Assurance or Experience Points ratings set
here and in other subsidiary policies, the Assurance Officer or policies can
designate certain applications as high risk. If so, additional
measures may be added to the Assurance process that specifically
address the risks.</p>
<p>Additional measures may include:
</p>
<ul>
<li>
<p>Additional information can be required in process of assurance: </p>
<ul>
<li>unique numbers of identity documents,</li>
<li>photocopy of identity documents,</li>
<li>photo of User,</li>
<li>address of User.</li>
</ul>
<p>Additional Information is to be kept by Assurer, attached to
CAcert Assurance Programme (<a href="http://www.cacert.org/cap.php" target="_blank">CAP</a>)
form. Assurance Points allocation by this assurance is unchanged.
User's CAcert login account should be annotated to record type of
additional information;</p>
</li>
<li>
<p>Arbitration: </p>
<ul>
<li> Member to participate in Arbitration. This confirms
their acceptance of the forum as well as trains in the process and
import,
</li>
<li> Member to file Arbitration to present case. This
allows Arbitrator as final authority;
</li>
</ul>
</li>
<li>
<p>Additional training; </p>
</li>
<li>
<p>Member to be Assurer (at least 100 Assurance Points and
passed Assurer Challenge); </p>
</li>
<li>
<p>Member agrees to additional specific agreement(s); </p>
</li>
<li>
<p>Additional checking/auditing of systems data by CAcert
support administrators. </p>
</li>
</ul>
<p>Applications that might attract additional measures include
code-signing certificates and administration roles. </p>
<h2><a name="7">7.</a> Privacy</h2>
<p>CAcert is a "privacy" organisation, and takes the
privacy of its Members seriously. The process maintains the security
and privacy of both parties. </p>
<p>Information is collected primarily to make claims within the
certificates requested by users and to contact the Members. It is
used secondarily for training, testing, administration and other
internal purposes. </p>
<p>The Member's information can be accessed under these
circumstances: </p>
<ul>
<li>
<p>Under Arbitrator ruling, in a duly filed dispute (<a href="http://www.cacert.org/policy/DisputeResolutionPolicy.php" target="_blank">Dispute Resolution Policy</a>
=&gt; COD7); </p>
</li>
<li>
<p>An Assurer in the process of an Assurance, as permitted on
the CAcert Assurance Programme (<a href="http://www.cacert.org/cap.php" target="_blank">CAP</a>)
form; </p>
</li>
<li>
<p>CAcert support administration and CAcert systems
administration when operating under the authority of Arbitrator or
under CAcert policy. </p>
</li>
</ul>
<p><a href="http://validator.w3.org/check?uri=referer"><img src="/images/valid-xhtml11-blue" id="graphics2" alt="Valid XHTML 1.1" align="bottom" border="0" height="33" width="90"></a>
</p>
</body></html>
<?php
header('HTTP/1.0 301 Moved Permanently');
header('Location: AssurancePolicy.html');
exit();
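Review bot: The four-line stub that replaces the policy text hard-codes the protocol version in its status line (`header('HTTP/1.0 301 Moved Permanently');`). Passing the code to the Location call avoids that and lets PHP build the status line itself: `header('Location: AssurancePolicy.html', true, 301);`. The relative target also keeps whatever scheme the request arrived on, and the removed document linked its sibling policies over `http://`, so old inbound links would still be served the policy in cleartext unless HTTPS is enforced elsewhere (not visible here). For a document Members are bound by, an absolute `https://` target is worth considering. The removed page used numeric anchors (`<a name="7">`), while the replacement HTML shown just above this section appears to use `id="s7"`, so old deep links into sections will land at the top of the page after the redirect.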


@ -0,0 +1,531 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8" lang="en">
<title>CAcert Community Agreement</title>
<style>
.r{
text-align: right;
}
.vTop{
vertical-align: top;
}
dt{
font-style: italic;
}
</style>
</head>
<body>
<div class="comment">
<table style="width: 100%;">
<tr>
<td>
Name: CCA <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD9</a><br />
Status: POLICY <a style="color: steelblue" href="https://wiki.cacert.org/PolicyDecisions#p20080109">p20080109</a><br />
Editor: <a style="color: steelblue" href="https://wiki.cacert.org/Iang">Iang</a><br />
Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright &copy; CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy" > CC-by-sa+DRP </a><br />
</td>
<td class="vTop r">
<a href="https://www.cacert.org/policy/PolicyOnPolicy.html"><img src="images/cacert-policy.png" alt="CCA Status - POLICY" height="31" width="88" style="border-style: none;" /></a>
</td>
</tr>
</table>
</div>
<h2> CAcert Community Agreement </h2>
<h3 id="s0"> 0. Introduction </h3>
<p>
This agreement is between
you, being a registered member ("Member")
within CAcert's community at large ("Community")
and CAcert Incorporated ("CAcert"),
being an operator of services to the Community.
</p>
<h4 id="s0.1"> 0.1 Terms </h4>
<dl>
<dt>"CAcert"</dt><dd>
means CAcert Inc.,
a non-profit Association of Members incorporated in
New South Wales, Australia.
Note that Association Members are distinct from
the Members defined here.</dd>
<dt>"Member"</dt><dd>
means you, a registered participant within CAcert's Community,
with an account on the website and the
facility to request certificates.
Members may be individuals ("natural persons")
or organisations ("legal persons").</dd>
<dt>"Organisation"</dt><dd>
is defined under the Organisation Assurance programme,
and generally includes corporations and other entities
that become Members and become Assured.</dd>
<dt>"Community"</dt><dd>
means all of the Members
that are registered by this agreement
and other parties by other agreements,
all being under CAcert's Arbitration.</dd>
<dt>"Non-Related Person" ("NRP")</dt><dd>
being someone who is not a
Member, is not part of the Community,
and has not registered their agreement.
Such people are offered the NRP-DaL
another agreement allowing the USE of certificates.</dd>
<dt>"Non-Related Persons - Disclaimer and Licence" ("NRP-DaL")</dt><dd>
another agreement that is offered to persons outside the
Community.</dd>
<dt>"Arbitration"</dt><dd>
is the Community's forum for
resolving disputes, or jurisdiction.</dd>
<dt>"Dispute Resolution Policy" ("DRP" =&gt; COD7)</dt><dd>
is the policy and
rules for resolving disputes.</dd>
<dt>"USE"</dt><dd>
means the act by your software
to conduct its tasks, incorporating
the certificates according to software procedures.</dd>
<dt>"RELY"</dt><dd>
means your human act in taking on a
risk and liability on the basis of the claim(s)
bound within a certificate.</dd>
<dt>"OFFER"</dt><dd>
means the your act
of making available your certificate to another person.
Generally, you install and configure your software
to act as your agent and facilite this and other tasks.
OFFER does not imply suggestion of reliance.</dd>
<dt>"Issue"</dt><dd>
means creation of a certificate by CAcert.
To create a certificate,
CAcert affixes a digital signature from the root
onto a public key and other information.
This act would generally bind a statement or claim,
such as your name, to your key.</dd>
<dt>"Root"</dt><dd>
means CAcert's top level key,
used for signing certificates for Members.
In this document, the term includes any subroots.</dd>
<dt>"CAcert Official Document" ("COD" =&gt; COD3)</dt><dd>
in a standard format for describing the details of
operation and governance essential to a certificate authority.
Changes are managed and controlled.
CODs define more technical terms.
See 4.2 for listing of relevant CODs.</dd>
<dt>"Certification Practice Statement" ("CPS" =&gt; COD6)</dt><dd>
is the document that controls details
about operational matters within CAcert.</dd>
</dl>
<h3 id="s1"> 1. Agreement and Licence </h3>
<h4 id="s1.1"> 1.1 Agreement </h4>
<p>
You and CAcert both agree to the terms and conditions
in this agreement.
Your agreement is given by any of
</p>
<ul><li>
your signature on a form to request assurance of identity
("CAP" form),
</li><li>
your request on the website
to join the Community and create an account,
</li><li>
your request for Organisation Assurance,
</li><li>
your request for issuing of certificates, or
</li><li>
if you USE, RELY, or OFFER
any certificate issued to you.
</li></ul>
<p>
Your agreement
is effective from the date of the first event above
that makes this agreement known to you.
This Agreement
replaces and supercedes prior agreements,
including the NRP-DaL.
</p>
<h4 id="s1.2"> 1.2 Licence </h4>
<p>
As part of the Community, CAcert offers you these rights:
</p>
<ol><li>
You may USE any certificates issued by CAcert.
</li><li>
You may RELY on any certificate issued by CAcert,
as explained and limited by CPS (COD6).
</li><li>
You may OFFER certificates issued to you by CAcert
to Members for their RELIANCE.
</li><li>
You may OFFER certificates issued to you by CAcert
to NRPs for their USE, within the general principles
of the Community.
</li><li>
This Licence is free of cost,
non-exclusive, and non-transferrable.
</li></ol>
<h4 id="s1.3"> 1.3 Your Contributions </h4>
<p>
You agree to a non-exclusive non-restrictive non-revokable
transfer of Licence to CAcert for your contributions.
That is, if you post an idea or comment on a CAcert forum,
or email it to other Members,
your work can be used freely by the Community for
CAcert purposes, including placing under CAcert's licences
for wider publication.
</p>
<p>
You retain authorship rights, and the rights to also transfer
non-exclusive rights to other parties.
That is, you can still use your
ideas and contributions outside the Community.
</p>
<p>
Note that the following exceptions override this clause:
</p>
<ol><li>
Contributions to controlled documents are subject to
Policy on Policy ("PoP" =&gt; COD1)
</li><li>
Source code is subject to an open source licence regime.
</li></ol>
<h4 id="s1.4"> 1.4 Privacy </h4>
<p>
You give rights to CAcert to store, verify and process
and publish your data in accordance with policies in force.
These rights include shipping the data to foreign countries
for system administration, support and processing purposes.
Such shipping will only be done among
CAcert Community administrators and Assurers.
</p>
<p>
Privacy is further covered in the Privacy Policy ("PP" =&gt; COD5).
</p>
<h3 id="s2"> 2. Your Risks, Liabilities and Obligations </h3>
<p>
As a Member, you have risks, liabilities
and obligations within this agreement.
</p>
<h4 id="s2.1"> 2.1 Risks </h4>
<ol><li>
A certificate may prove unreliable.
</li><li>
Your account, keys or other security tools may be
lost or otherwise compromised.
</li><li>
You may find yourself subject to Arbitration
(DRP =&gt; COD7).
</li></ol>
<h4 id="s2.2"> 2.2 Liabilities </h4>
<ol><li>
You are liable for any penalties
as awarded against you by the Arbitrator.
</li><li>
Remedies are as defined in the DRP (COD7).
An Arbitrator's ruling may
include monetary amounts, awarded against you.
</li><li>
Your liability is limited to
a total maximum of
<b>1000 Euros</b>.
</li><li>
"Foreign Courts" may assert jurisdiction.
These include your local courts, and are outside our Arbitration.
Foreign Courts will generally refer to the Arbitration
Act of their country, which will generally refer
civil cases to Arbitration.
The Arbitration Act will not apply to criminal cases.
</li></ol>
<h4 id="s2.3"> 2.3 Obligations </h4>
<p>
You are obliged
</p>
<ol><li>
to provide accurate information
as part of Assurance.
You give permission for verification of the information
using CAcert-approved methods.
</li><li>
to make no false representations.
</li><li>
to submit all your disputes to Arbitration
(DRP =&gt; COD7).
</li></ol>
<h4 id="s2.4"> 2.4 Principles </h4>
<p>
As a Member of CAcert, you are a member of
the Community.
You are further obliged to
work within the spirit of the Principles
of the Community.
These are described in
<a href="https://svn.cacert.org/CAcert/principles.html">Principles of the Community</a>.
</p>
<h4 id="s2.5"> 2.5 Security </h4>
<p>
CAcert exists to help you to secure yourself.
You are primarily responsible for your own security.
Your security obligations include
</p>
<ol><li>
to secure yourself and your computing platform (e.g., PC),
</li><li>
to keep your email account in good working order,
</li><li>
to secure your CAcert account
(e.g., credentials such as username, password),
</li><li>
to secure your private keys,
</li><li>
to review certificates for accuracy,
and
</li><li>
when in doubt, notify CAcert,
</li><li>
when in doubt, take other reasonable actions, such as
revoking certificates,
changing account credentials,
and/or generating new keys.
</li></ol>
<p>
Where, above, 'secure' means to protect to a reasonable
degree, in proportion with your risks and the risks of
others.
</p>
<h3 id="s3"> 3. Law and Jurisdiction </h3>
<h4 id="s3.1"> 3.1 Governing Law </h4>
<p>
This agreement is governed under the law of
New South Wales, Australia,
being the home of the CAcert Inc. Association.
</p>
<h4 id="s3.2"> 3.2 Arbitration as Forum of Dispute Resolution </h4>
<p>
You agree, with CAcert and all of the Community,
that all disputes arising out
of or in connection to our use of CAcert services
shall be referred to and finally resolved
by Arbitration under the rules within the
Dispute Resolution Policy of CAcert
(DRP =&gt; COD7).
The rules select a single Arbitrator chosen by CAcert
from among senior Members in the Community.
The ruling of the Arbitrator is binding and
final on Members and CAcert alike.
</p>
<p>
In general, the jurisdiction for resolution of disputes
is within CAcert's own forum of Arbitration,
as defined and controlled by its own rules (DRP =&gt; COD7).
</p>
<p>
We use Arbitration for many purposes beyond the strict
nature of disputes, such as governance and oversight.
A systems administrator may
need authorisation to conduct a non-routine action,
and Arbitration may provide that authorisation.
Thus, you may find yourself party to Arbitration
that is simply support actions, and you may file disputes in
order to initiate support actions.
</p>
<h4 id="s3.3"> 3.3 Termination </h4>
<p>
You may terminate this agreement by resigning
from CAcert. You may do this at any time by
writing to CAcert's online support forum and
filing dispute to resign.
All services will be terminated, and your
certificates will be revoked.
However, some information will continue to
be held for certificate processing purposes.
</p>
<p>
The provisions on Arbitration survive any termination
by you by leaving CAcert.
That is, even if you resign from CAcert,
you are still bound by the DRP (COD7),
and the Arbitrator may reinstate any provision of this
agreement or bind you to a ruling.
</p>
<p>
Only the Arbitrator may terminate this agreement with you.
</p>
<h4 id="s3.4"> 3.4 Changes of Agreement </h4>
<p>
CAcert may from time to time vary the terms of this Agreement.
Changes will be done according to the documented CAcert policy
for changing policies, and is subject to scrutiny and feedback
by the Community.
Changes will be notified to you by email to your primary address.
</p>
<p>
If you do not agree to the changes, you may terminate as above.
Continued use of the service shall be deemed to be agreement
by you.
</p>
<h4 id="s3.5"> 3.5 Communication </h4>
<p>
Notifications to CAcert are to be sent by
email to the address
<b>support</b> <i>at</i> CAcert.org.
You should attach a digital signature,
but need not do so in the event of security
or similar urgency.
</p>
<p>
Notifications to you are sent
by CAcert to the primary email address
registered with your account.
You are responsible for keeping your email
account in good working order and able
to receive emails from CAcert.
</p>
<p>
Arbitration is generally conducted by email.
</p>
<h3 id="s4"> 4. Miscellaneous </h3>
<h4 id="s4.1"> 4.1 Other Parties Within the Community </h4>
<p>
As well as you and other Members in the Community,
CAcert forms agreements with third party
vendors and others.
Thus, such parties will also be in the Community.
Such agreements are also controlled by the same
policy process as this agreement, and they should
mirror and reinforce these terms.
</p>
<h4 id="s4.2"> 4.2 References and Other Binding Documents </h4>
<p>
This agreement is CAcert Official Document 9 (COD9)
and is a controlled document.
</p>
<p>
You are also bound by
</p>
<ol><li>
<a href="https://www.cacert.org/policy/CertificationPracticeStatement.html">
Certification Practice Statement</a> (CPS =&gt; COD6).
</li><li>
<a href="https://www.cacert.org/policy/DisputeResolutionPolicy.html">
Dispute Resolution Policy</a> (DRP =&gt; COD7).
</li><li>
<a href="https://www.cacert.org/policy/PrivacyPolicy.html">
Privacy Policy</a> (PP =&gt; COD5).
</li><li>
<a href="https://svn.cacert.org/CAcert/principles.html">
Principles of the Community</a>.
</li></ol>
<p>
Where documents are referred to as <i>=&gt; COD x</i>,
they are controlled documents
under the control of Policy on Policies (COD1).
</p>
<p>
This agreement and controlled documents above are primary,
and may not be replaced or waived except
by formal policy channels and by Arbitration.
</p>
<h4 id="s4.3"> 4.3 Informative References </h4>
<p>
The governing documents are in English.
Documents may be translated for convenience.
Because we cannot control the legal effect of translations,
the English documents are the ruling ones.
</p>
<p>
You are encouraged to be familiar with the
Assurer Handbook,
which provides a more readable introduction for much of
the information needed.
The Handbook is not however an agreement, and is overruled
by this agreement and others listed above.
</p>
<h4 id="s4.4"> 4.4 Not Covered in this Agreement </h4>
<p>
<b>Intellectual Property.</b>
This Licence does not transfer any intellectual
property rights ("IPR") to you. CAcert asserts and
maintains its IPR over its roots, issued certificates,
brands, logos and other assets.
Note that the certificates issued to you
are CAcert's intellectual property
and you do not have rights other than those stated.
</p>
<p><a href="http://validator.w3.org/check?uri=referer"><img src="images/valid-html50-blue.png" alt="Valid HTML 5" height="31" width="88"></a></p>
</body>
</html>


@ -1,593 +1,4 @@
<?='<?xml version="1.0" encoding="utf-8"?>'?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8" />
<title> CAcert Community Agreement </title>
<style type="text/css">
<!--
.comment {
color : steelblue;
}
.first-does-not-work {
color : red;
}
.q {
color : green;
font-weight: bold;
text-align: center;
font-style:italic;
}
.change {
color : blue;
font-weight: bold;
}
.change2 {
color : blue;
font-weight: bold;
}
.change3 {
color : blue;
font-weight: bold;
}
.change4 {
color : blue;
font-weight: bold;
}
.change5 {
color : blue;
font-weight: bold;
}
.change6 {
color : blue;
font-weight: bold;
}
.change7 {
color : blue ;
font-weight: bold;
}
.change8 {
color : blue;
font-weight: bold;
}
.change9 {
color : blue;
font-weight: bold;
}
.change10 {
color : blue;
font-weight: bold;
}
.change11 {
color : blue;
font-weight: bold;
}
.change12 {
color : blue;
font-weight: bold;
}
.change13 {
color : blue;
font-weight: bold;
}
.strike {
color : blue;
text-decoration:line-through;
}
.strike2 {
color : blue;
text-decoration:line-through;
}
.strike4 {
color : blue;
text-decoration:line-through;
}
.strike5 {
color : blue;
text-decoration:line-through;
}
.strike6 {
color : blue;
text-decoration:line-through;
}
.strike7 {
color : blue;
text-decoration:line-through;
}
.strike8 {
color : blue;
text-decoration:line-through;
}
.strike9 {
color : blue;
text-decoration:line-through;
}
.strike10 {
color : blue;
text-decoration:line-through;
}
.strike11 {
color : blue;
text-decoration:line-through;
}
.strike12 {
color : blue;
text-decoration:line-through;
}
.strike13 {
color : blue;
text-decoration:line-through;
}
-->
</style>
</head>
<body>
<div class="comment">
<table width="100%">
<tr>
<td rowspan="2">
Name: CCA <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD9</a><br />
Status: POLICY <a style="color: steelblue" href="https://wiki.cacert.org/PolicyDecisions#p20080109.1_CCA_to_POLICY_status">p20080109.1</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span class="draftadd">DRAFT <a style="color: steelblue" href="https://wiki.cacert.org/PolicyDecisions#p20140709_CCA_update_to_DRAFT">p20140709</a></span> <br />
Editor: <a style="color: steelblue" href="https://wiki.cacert.org/Community/HomePagesMembers/BenediktHeintel">Benedikt</a><br />
Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright &copy; CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy">CC-by-sa+DRP</a><br />
</td>
<td valign="top" align="right">
<a href="https://www.cacert.org/policy/PolicyOnPolicy.php"><img src="images/cacert-policy.png" alt="CCA Status - POLICY" height="31" width="88" style="border-style: none;" /></a>
<!-- XXXXXXXXXXXXXX delete this going to POLICY -->
<br />
<a href="https://www.cacert.org/policy/PolicyOnPolicy.php"><img src="images/cacert-draft.png" alt="CCA Status - DRAFT" height="31" width="88" style="border-style: none;" /></a>
</td>
</tr>
</table>
</div>
<h2>CAcert Community Agreement</h2>
<h3><a name="0">0.</a> Introduction</h3>
<p>This agreement is between you, being a registered member ("Member") within
CAcert's community at large ("Community") and CAcert Incorporated ("CAcert"),
being an operator of services to the Community.</p>
<h4><a name="0.1">0.1</a> Terms</h4>
<ol>
<li>"CAcert" means CAcert Inc., a non-profit Association of Members
incorporated in New South Wales, Australia. Note that Association Members
are distinct from the Members defined here.</li>
<li>"Member" means you, a registered participant within CAcert's Community,
with an account on the website and the facility to request certificates.
Members may be individuals ("natural persons") or organisations ("legal
persons").</li>
<li>"Organisation" is defined under the Organisation Assurance programme,
and generally includes corporations and other entities that become Members
and become Assured.</li>
<li>"Community" means all of the Members that are registered by this
agreement and other parties by other agreements, all being under CAcert's
Arbitration.</li>
<li>"Non-Related Person" ("NRP"), being someone who is not a Member, is not
part of the Community, and has not registered their agreement. <span class=
"strike7">Such people are offered the NRP-DaL another agreement allowing
the USE of certificates.</span></li>
<li><span class="strike7">"Non-Related Persons - Disclaimer and Licence"
("NRP-DaL"), another agreement that is offered to persons outside the
Community.</span><span class="change7">(withdrawn)</span></li>
<li>"Arbitration" is the Community's forum for resolving disputes, or
jurisdiction.</li>
<li>"Dispute Resolution Policy" ("DRP" =&gt; COD7) is the policy and rules
for resolving disputes.</li>
<li>"USE" means the act by your software to conduct its tasks,
incorporating the certificates according to software procedures.</li>
<li>"RELY" means your human act in taking on a risk and liability on the
basis of the claim(s) bound within a certificate.</li>
<li>"OFFER" means the your act of making available your certificate to
another person. Generally, you install and configure your software to act
as your agent and facilite this and other tasks. OFFER does not imply
suggestion of reliance.</li>
<li>"Issue" means creation of a certificate by CAcert. To create a
certificate, CAcert affixes a digital signature from the root onto a public
key and other information. This act would generally bind a statement or
claim, such as your name, to your key.</li>
<li>"Root" means CAcert's top level key, used for signing certificates for
Members. In this document, the term includes any subroots.</li>
<li>"CAcert Official Document" ("COD" <span class="strike4">=&gt;
COD3</span>) <span class="strike4">in a standard format for describing the
details of operation and governance essential to a certificate authority.
Changes are managed and controlled. CODs define more technical terms. See
4.2 for listing of relevant CODs.</span> <span class="change4">is an
official managed and controlled document (e. g. a Policy) of
CAcert.</span></li>
<li>"Certification Practice Statement" ("CPS" =&gt; COD6) is the document
that controls details about operational matters within CAcert.</li>
</ol>
<h3><a name="1">1.</a> Agreement and Licence</h3>
<h4><a name="1.1">1.1</a> Agreement</h4>
<p>You <span class="strike">and CAcert both</span> agree to the terms and
conditions in this agreement. Your agreement is given by <span class=
"change2">but not limited to</span> <span class="strike2">any of</span></p>
<ul>
<li>your signature on a form to request assurance of identity ("CAP"
form),</li>
<li>your request on the website to join the Community and create an
account,</li>
<li>your request for Organisation Assurance,</li>
<li>your request for issuing of certificates, or</li>
<li>if you USE, RELY, or OFFER any certificate issued to you.</li>
</ul>
<p>Your agreement is effective from the date of the first event above that
makes this agreement known to you. This Agreement replaces and <span class=
"strike2">supercedes prior agreements, including the NRP-DaL.</span>
<span class="change2">supersedes any prior agreements.</span></p>
<h4><a name="1.2">1.2</a> Licence</h4>
<p>As part of the Community, CAcert offers you these rights:</p>
<ol>
<li>You may USE any certificates issued by CAcert.</li>
<li>You may RELY on any certificate issued by CAcert, as explained and
limited by CPS (COD6).</li>
<li>You may OFFER certificates issued to you by CAcert to Members for their
RELIANCE.</li>
<li>You may OFFER certificates issued to you by CAcert to NRPs for their
USE, within the general principles of the Community.</li>
<li>This Licence is free of cost, non-exclusive, and
non-transferrable.</li>
</ol>
<h4><a name="1.3">1.3</a> Your Contributions</h4>
<p>You agree to a non-exclusive non-restrictive non-revokable transfer of
Licence to CAcert for your contributions. That is, if you post an idea or
comment on a CAcert forum, or email it to other Members, your work can be
used freely by the Community for CAcert purposes, including placing under
CAcert's licences for wider publication.</p>
<p>You retain authorship rights, and the rights to also transfer
non-exclusive rights to other parties. That is, you can still use your ideas
and contributions outside the Community.</p>
<p>Note that the following exceptions override this clause:</p>
<ol>
<li>Contributions to controlled documents are subject to Policy on Policy
("PoP" =&gt; COD1)</li>
<li>Source code is subject to an open source licence regime.</li>
<li><span class="change">Personal data</span></li>
<li><span class="change">Postings under competing licenses if clearly
stated when posted</span></li>
</ol>
<h4><a name="1.4">1.4</a> Privacy</h4>
<p>You give rights to CAcert to store, verify and
process and publish your data in accordance with policies in force. These
rights include shipping the data to foreign countries for system
administration, support and processing purposes. Such shipping will only be
done among CAcert Community administrators and Assurers.</p>
<p>Privacy is further covered in the Privacy Policy ("PP" =&gt; COD5).</p>
<h3><a name="2">2.</a> Your Risks, Liabilities and Obligations</h3>
<p>As a Member, you have risks, liabilities and obligations within this agreement.</p>
<h4><a name="2.1">2.1</a> Risks</h4>
<ol>
<li>A certificate may prove unreliable.</li>
<li>Your account, keys or other security tools may be
lost or otherwise compromised.</li>
<li>You may find yourself subject to Arbitration (DRP
=&gt; COD7).</li>
</ol>
<h4><a name="2.2">2.2</a> Liabilities</h4>
<ol>
<li>You are liable for any penalties as awarded
against you by the Arbitrator.</li>
<li>Remedies are as defined in the DRP (COD7). An
Arbitrator's ruling may include monetary amounts, awarded against
you.</li>
<li>Your liability is limited to a total maximum of
<b>1000 Euros</b>.</li>
<li>"Foreign Courts" may assert jurisdiction. These
include your local courts, and are outside our Arbitration. Foreign Courts
will generally refer to the Arbitration Act of their country, which will
generally refer civil cases to Arbitration. The Arbitration Act will not
apply to criminal cases.</li>
</ol>
<h4><a name="2.3">2.3</a> Obligations</h4>
<p>You are obliged</p>
<ol>
<li>to provide accurate information as part of
Assurance. You give permission for verification of the information using
CAcert-approved methods.</li>
<li>to make no false representations.</li>
<li>to submit all your disputes to Arbitration (DRP
=&gt; COD7).</li>
<li><span class="change">to assist the Arbitrator by truthfully providing
information, or with any other reasonable request.</span></li>
<li><span class="change7">to not share your CAcert account.</span></li>
</ol>
<h4><a name="2.4">2.4</a> Principles</h4>
<p>As a Member of CAcert, you are a member of the Community. You are further
obliged to work within the spirit of the Principles of the Community. These
are described in <a href=
"http://svn.cacert.org/CAcert/principles.html">Principles of the
Community</a>.</p>
<h4><a name="2.5">2.5</a> Security</h4>
<p>CAcert exists to help you to secure yourself. You are primarily
responsible for your own security. Your security obligations include</p>
<ol>
<li>to secure yourself and your computing platform (e. g. PC),</li>
<li>to keep your email account in good working order,</li>
<li>to secure your CAcert account (e. g., credentials such as username,
password),</li>
<li>to secure your private keys, <span class="change8">ensuring that they
are only used as indicated by the certificate, or by wider agreement with
others,</span></li>
<li>to review certificates for accuracy, and</li>
<li>when in doubt, notify CAcert,</li>
<li>when in doubt, take other reasonable actions, such as revoking
certificates, changing account credentials, and/or generating new
keys.</li>
</ol>
<p>Where, above, 'secure' means to protect to a reasonable degree, in
proportion with your risks and the risks of others.</p>
<h3><a name="3">3.</a> Law and Jurisdiction</h3>
<h4><a name="3.1">3.1</a> Governing Law</h4>
<p>This agreement is governed under the law of New South Wales, Australia,
being the home of the CAcert Inc. Association.</p>
<h4><a name="3.2">3.2</a> Arbitration as Forum of Dispute Resolution</h4>
<p>You agree, with CAcert and all of the Community, that all disputes arising
out of or in connection to our use of CAcert services shall be referred to
and finally resolved by Arbitration under the rules within the Dispute
Resolution Policy of CAcert (DRP =&gt; COD7). The rules select a single
Arbitrator chosen by CAcert from among senior Members in the Community. The
ruling of the Arbitrator is binding and final on Members and CAcert
alike.</p>
<p>In general, the jurisdiction for resolution of disputes is within CAcert's
own forum of Arbitration, as defined and controlled by its own rules (DRP
=&gt; COD7).</p>
<p>We use Arbitration for many purposes beyond the strict nature of disputes,
such as governance and oversight. A systems administrator may need
authorisation to conduct a non-routine action, and Arbitration may provide
that authorisation. Thus, you may find yourself party to Arbitration that is
simply support actions, and you may file disputes in order to initiate
support actions.</p>
<h4><a name="3.3">3.3</a> Termination</h4>
<p><span class="strike12">You may terminate this agreement by resigning from
CAcert. You may do this at any time by writing to CAcert's online support
forum and filing dispute to resign. All services will be terminated, and your
certificates will be revoked. However, some information will continue to be
held for certificate processing purposes.</span></p>
<p><span class="strike12">The provisions on Arbitration survive any
termination by you by leaving CAcert. That is, even if you resign from
CAcert, you are still bound by the DRP (COD7), and the Arbitrator may
reinstate any provision of this agreement or bind you to a ruling.</span></p>
<p><span class="strike12">Only the Arbitrator may terminate this agreement
with you.</span></p>
<p><span class="change12">The CAcert Community Agreement is
terminated</span></p>
<ol>
<li><span class="change12">based on a Policy Group decision following (PoP
=&gt; COD1). This terminates the Agreement with every member.</span></li>
<li><span class="change12">with a ruling of the Arbitrator or the
completion of a termination process defined by an Arbitrator ruling (DRP
=&gt; COD7).</span></li>
<li><span class="change12">by the end of existence of a member (i.e. death
in the case of individuals).</span></li>
</ol>
<p><span class="change12">A member may declare the wish to resign from CAcert
at any time by writing to <em>support AT cacert.org</em>. This triggers a
process for termination of this agreement with the member.</span></p>
<h4><span class="change12"><a name="3.3">3.3a</a> Consequences of
Termination</span></h4>
<p><span class="change12">The termination discontinues the right to USE,
OFFER and CREATE personal certificates in any account of the former member.
Those certificates will be revoked and all services to the former member will
be terminated as soon as possible. However, some information will continue to
be held for certificate processing purposes.</span></p>
<p><span class="change12">The provisions on Arbitration for the time of
membership survive any termination. Former members are still bound by the DRP
(COD7), and the Arbitrator may reinstate any provision of this agreement or
bind them to a ruling.</span></p>
<p><span class="change12">As far as Organisations are concerned details are
also defined in the Organisation Assurance Policy (OAP =&gt;
COD11).</span></p>
<p><span class="change12">Every member learning about the death of a member
or termination of existence of a member should notify <em>support AT
cacert.org</em>.</span></p>
<h4><a name="3.4">3.4</a> Changes of Agreement</h4>
<p>CAcert may from time to time vary the terms of this Agreement. Changes
will be done according to the documented CAcert policy for changing policies,
and is subject to scrutiny and feedback by the Community. Changes will be
notified to you by email to your primary address.</p>
<p>If you do not agree to the changes, you may terminate as above. Continued
use of the service shall be deemed to be agreement by you.</p>
<h4><a name="3.5">3.5</a> Communication</h4>
<p><span class="change6">You are responsible for keeping your primary email
account in good working order and able to receive emails from
CAcert.</span></p>
<p>Notifications to CAcert are to be sent by email to the address <em>support
AT cacert.org</em>. You should attach a digital signature<span class=
"strike6">, but need not do so in the event of security or similar
urgency</span>.</p>
<p><span class="strike6">Notifications to you are sent by CAcert to the
primary email address registered with your account. You are responsible for
keeping your email account in good working order and able to receive emails
from CAcert.</span></p>
<p><span class="strike6">Arbitration is generally conducted by
email.</span></p>
<h3><a name="4">4.</a> Miscellaneous</h3>
<h4><a name="4.1">4.1</a> <span class="strike10">Other Parties Within the
Community</span> <span class="change10">(withdrawn)</span></h4>
<p class="strike10">As well as you and other Members in the Community, CAcert
forms agreements with third party vendors and others. Thus, such parties will
also be in the Community. Such agreements are also controlled by the same
policy process as this agreement, and they should mirror and reinforce these
terms.</p>
<h4><a name="4.2">4.2</a> References and Other Binding Documents</h4>
<p class="strike11">This agreement is CAcert Official Document 9 (COD9) and
is a controlled document.</p>
<p>You are also bound by <span class="change11">the Policies of the Community
under the control of Policy on Policy ("PoP" =&gt; COD1) and listed in
<a href=
"https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">Controlled
Document List</a>.</span></p>
<ol>
<li><span class="strike11"><a href=
"http://www.cacert.org/policy/CertificationPracticeStatement.php">Certification
Practice Statement</a> (CPS =&gt; COD6).</span></li>
<li><span class="strike11"><a href=
"http://www.cacert.org/policy/DisputeResolutionPolicy.php">Dispute
Resolution Policy</a> (DRP =&gt; COD7).</span></li>
<li><span class="strike11"><a href="PrivacyPolicy.html">Privacy Policy</a>
(PP =&gt; COD5).</span></li>
<li><span class="strike11"><a href=
"http://svn.cacert.org/CAcert/principles.html">Principles of the
Community</a>.</span></li>
</ol>
<p class="strike11">Where documents are referred to as <i>=&gt; COD x</i>,
they are controlled documents under the control of Policy on Policies
(COD1).</p>
<p class="strike11">This agreement and controlled documents above are
primary, and may not be replaced or waived except by formal policy channels
and by Arbitration.</p>
<p class="change11">Controlled documents are primary, and may not be replaced
or waived except by formal policy channels and Arbitration.</p>
<p class="change11">This agreement is controlled document COD9.</p>
<h4><a name="4.3">4.3</a> Informative References</h4>
<p>The governing documents are in English. Documents may be translated for
convenience. Because we cannot control the legal effect of translations, the
English documents are the ruling ones.</p>
<p class="strike9">You are encouraged to be familiar with the Assurer
Handbook, which provides a more readable introduction for much of the
information needed. The Handbook is not however an agreement, and is
overruled by this agreement and others listed above.</p>
<p class="change9">Beside this Agreement and the Policies, there are other
documents, i. e. Policy Guides, Manuals and Handbooks, supporting and
explaining this Agreement and the Policies. These documents are not binding
and in doubt this Agreement and the Policies are valid.</p>
<h4><a name="4.4">4.4</a> <span class="strike9">Not Covered in this
Agreement</span> <span class="change9">(withdrawn)</span></h4>
<p class="strike9"><b>Intellectual Property.</b> This Licence does not
transfer any intellectual property rights ("IPR") to you. CAcert asserts and
maintains its IPR over its roots, issued certificates, brands, logos and
other assets. Note that the certificates issued to you are CAcert's
intellectual property and you do not have rights other than those stated.</p>
</body>
</html>
<?php
header('HTTP/1.0 301 Moved Permanently');
header('Location: CAcertCommunityAgreement.html');
exit();
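Review bot: The `Location` value in the new redirect stub is relative and the status line is hard-coded as `HTTP/1.0`, so the target is resolved against whatever URL the client actually requested. If the server passes trailing path info through to this script, the relative target would resolve back to the same script and the redirect would loop. Assuming the stub is served under `/policy/`, as the links changed elsewhere in this commit suggest, `header('Location: /policy/CAcertCommunityAgreement.html', true, 301);` sets the status code and a root-relative target in one call. Separately, the removed page used anchors such as `name="3.3"` while the replacement HTML uses `id="s3.3"`, so existing deep links to individual clauses will land at the top of the page after the redirect.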



@ -0,0 +1,277 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" lang="en">
<title>Configuration-Control Specification</title>
<style type="text/css">
<!--
body {
font-family : verdana, helvetica, arial, sans-serif;
}
th {
text-align : left;
}
.comment {
color : steelblue;
}
.q {
color : green;
font-weight: bold;
text-align: center;
font-style:italic;
}
a:hover {
color : gray;
}
-->
</style>
</head>
<body lang="en-GB">
<h1> Configuration-Control Specification </h1>
<!-- Absolute URL because the policies are located absolutely. -->
<div class="comment">
<table width="100%">
<tbody>
<tr>
<td rowspan="2">
Name: CCS <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD2</a>
<br>
Creation Date : 20091214
<br>
Editor: Iang
<br>
Status: POLICY <a href="https://wiki.cacert.org/PolicyDecisions#p20140731">p20140731</a>
<br>
Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright © CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy">CC-by-sa+DRP</a>
</td>
<td align="right" valign="top">
<a href="https://www.cacert.org/policy/PolicyOnPolicy.php">
<img src="images/cacert-policy.png" alt="CCA Status - POLICY" style="border-style: none;" height="31" width="88">
</a>
</td>
</tr>
</tbody>
</table>
</div>
<h3 id="g0.0.1">Introduction </h3>
<!-- This section from A.1.a through A.1.c -->
<p>
The Configuration-Control Specification (CCS COD2) controls and tracks
those documents, processes and assets which are critical to the
business, security and governance of the CAcert operations.
</p>
<p>
This document is the procedure for CCS.
This document itself is a component of the CCS,
see §2.
<!-- A.1.c The configuration-control specification controls its own revision process. -->
All other documentation and process specified within
is derivative and is ruled by the CCS.
</p>
<p>
CCS is formated, inspired and designed to meet the needs of
David Ross Criteria -
<a href="http://rossde.com/CA_review/">Certificate Authority Review Checklist</a>
- section A.1 (DRC-A.1)
CCS may be seen as the index to systems audit under DRC.
</p>
<h3 id="g0.0.2">Documents </h3>
<!-- A.1.c-h: The configuration-control specification controls the revision process for the CCS,CP,CPS,PP,SP,R/L/O -->
<h4 id="g0.0.2.1">Controlled Document List </h4>
<p>
This CCS creates a
Controlled Document List (CDL)
of Primary or "root" documents known as Policies.
Primary documents may authorise other secondary documents
into the CDL, or "practices" outside the list.
</p>
<p>
The Controlled Document List
contains numbers, locations and status
of all controlled documents.
The list is part of this CCS.
</p>
<!-- See A.1.k, logging of documents. -->
<h4 id="g0.0.2.2">Change </h4>
<p>
Change to the documents
is as specified by
Policy on Policy (PoP).
Policy Officer is to manage the
<a href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">CDL</a>.
</p>
<h4 id="g0.0.2.3">Control </h4>
<p>
CAcert policies are required to be owned / transferred to CAcert. See PoP 6.2.
</p>
<h3 id="g0.0.3">Hardware </h3>
<!-- This section from A.1.j -->
<h4 id="g0.0.3.1">Controlled Hardware List </h4>
<p>
Critical systems are defined by Security Policy.
</p>
<h4 id="g0.0.3.2">Change </h4>
<p> See Security Policy. </p>
<h4 id="g0.0.3.3">Control </h4>
<p>
Security Policy places executive responsibility for Hardware with the Board of CAcert Inc.
Access is delegated to Access Engineers (SP 2) and Systems Administrators (SP 3).
Legal ownership may be delegated by agreement to other organisations (SP 9.4).
</p>
<h3 id="g0.0.4">Software </h3>
<!-- A.1.i: The configuration-control specification controls changes to software involved in: certs; data; comms to public -->
<h4 id="g0.0.4.1">Controlled Software List </h4>
<p>
Critical software is defined by Security Policy.
</p>
<!--
<ul class="q">
<li> Following are questions for exec + audit, not policy.
<li>One thing that is not so well covered by CAcert is the last bullet point of A.1.i</li>
<li>"communicating with subscribers and with the general public."</li>
<li>website is under SP; maillists,blogs,etc are not.</li>
<li>as community has deliberately gone this direction, I suggest we argue it that way.</li>
<li> What is far more problematic is the failure to do CCA &amp; Challenge notification.</li>
<li> What about translingo and voting? </li>
<li> See <a href="https://lists.cacert.org/wws/arc/cacert-sysadm/2010-02/msg00008.html">thread</a> </li>
</ul>
-->
<h4 id="g0.0.4.2">Change </h4>
<p> See Security Policy. </p>
<h4 id="g0.0.4.3">Control </h4>
<p>
CAcert owns its code, or requires control over open source code in use
by means of an approved free and open licence.
Such code must be identified and managed by Software Assessment.
</p>
<p>
Developers transfer full rights to CAcert
(in a similar fashion to documents),
or organise their contributions under a
proper free and open source code regime,
as approved by Board.
Where code is published
(beyond scope of this document)
care must be taken not to infringe licence conditions.
For example, mingling issues with GPL.
</p>
<p>
The Software Assessment Team Leader
maintains a registry of assignments
of title or full licence,
and a registry of software under approved open source licences.
</p>
<h3 id="g0.0.5">Certificates </h3>
<!-- This section from A.1.b -->
<p> This section applies to Root and Sub-root certificates, not to End-entity (subscriber, member) certificates. </p>
<h4 id="g0.0.5.1">Certificates List </h4>
<p> Certificates (Root and sub-root) are to be listed in the CPS. </p>
<h4 id="g0.0.5.2">Changes </h4>
<p>
Creation and handling of Certificates
is controlled by Security Policy.
Usage of Certificates
is controlled by Certification Practice Statement.
</p>
<h4 id="g0.0.5.3">Archive </h4>
<p> See Security Policy. </p>
<h3 id="g0.0.6">Logs </h3>
<!-- This section from A.1.k -->
<h4 id="g0.0.6.1">Controlled Logs List </h4>
<p> Logs are defined by Security Policy. </p>
<h4 id="g0.0.6.2">Changes </h4>
<p> Changes to Hardware, Software and Root Certificates are logged according to Security Policy. </p>
<h4 id="g0.0.6.3">Archive </h4>
<p> See Security Policy. </p>
<h3 id="g0.0.7">Data </h3>
<!-- This section from A.1.i-j, bullets 2,3 -->
<h4 id="g0.0.7.1">Types of Data </h4>
<p>
Types of critical member data is defined by Assurance Policy.
</p>
<h4 id="g0.0.7.2">Changes </h4>
<p>
Changes and access to critical member data
is as defined under Assurance Policy,
CAcert Community Agreement and
Dispute Resolution Policy.
Implementation of
collection and storage of critical member data
(user interface software and databases)
is defined by Security Policy.
</p>
<h4 id="g0.0.7.3">Archive </h4>
<p>
Data retention is controlled by Security Policy and CAcert Community Agreement.
</p>
</body>
</html>
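Review bot: The status badge in the header table of this new file still links to `https://www.cacert.org/policy/PolicyOnPolicy.php`, although the commit's stated purpose is to move every policy link to `.html`; it should read `<a href="https://www.cacert.org/policy/PolicyOnPolicy.html">`. The same stale link appears in the header of the next new file (Dispute Resolution Policy), where the opening `<a>` tag is also duplicated, leaving a nested anchor that is never closed. The badge's `alt="CCA Status - POLICY"` looks copied from the Community Agreement and would be clearer as `alt="CCS Status - POLICY"`.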


@ -0,0 +1,780 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" lang="en">
<title>Dispute Resulution Policy</title>
<style type="text/css">
<!--
.comment {
color : steelblue;
}
-->
</style>
</head>
<body>
<div class="comment">
<table width="100%">
<tbody>
<tr>
<td rowspan="2">
Name: DRP <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD7</a>
<br>
Status: POLICY <a href="https://wiki.cacert.org/PolicyDecisions#p20140731">p20140731</a>
<br>
Created: m20070919.3
<br>
Changed: p20110108, p20121213, p20130116
<br>
Editor: <a style="color: steelblue" href="https://wiki.cacert.org/TeusHagen">Teus Hagen
</a>
<br>
Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright © CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy"> CC-by-sa+DRP </a>
</td>
<td align="right" valign="top">
<a href="https://www.cacert.org/policy/PolicyOnPolicy.php">
<a href="https://www.cacert.org/policy/PolicyOnPolicy.php">
<img src="images/cacert-policy.png" alt="DRP Status - POLICY" style="border-style: none;" height="31" width="88">
</a>
</td>
</tr>
</tbody>
</table>
</div>
<h1> Dispute&nbsp;Resolution&nbsp;Policy </h1>
<h2 id="g0.1">0. Introduction</h2>
<p>
This is the Dispute Resolution Policy
for the CAcert Community, consisting of CAcert Inc and Members who agree to the CAcert Community Agreement (CCA).
Disputes arising out of
operations by CAcert
Inc
and interactions between
Members
may be addressed through this policy.
This document also presents the rules for
resolution of disputes.
</p>
<h3 id="g0.1.1">0.1. Nature of Disputes </h3>
<p>
Disputes include:
</p>
<ul>
<li>
Requests for non-routine support actions.
CAcert support team has no authority to
act outside the normal support facilities made
available to
Members;
</li>
<li>
Classical disputes where a Member or another
assert claims and demand remedies;
</li>
<li>
Requests by external organisations, including
legal processes from foreign courts;
</li>
<li>
Events initiated for training purposes.
</li>
</ul>
<h2 id="g0.2">1. Filing</h2>
<h3 id="g0.2.1">1.1. Filing Party</h3>
<p>
Anyone may file a dispute.
In filing, they become <i>Claimants</i>.
</p>
<h3 id="g0.2.2">1.2. Channel for Filing</h3>
<p>
Disputes are filed by being sent to the normal
support channel of CAcert,
and a fee may be payable.
</p>
<p>
Such fees as are imposed on filing will be specified
on the dispute resolution page of the website.
</p>
<h3 id="g0.2.3">1.3. Case Manager</h3>
<p>
The Case Manager (CM) takes control of the filing.
</p>
<ol>
<li>
CM makes an initial determination as
to whether this filing is a dispute
for resolution, or it is a request
for routine support.
</li>
<li>
CM logs the case and establishes such
documentation and communications support as is customary.
</li>
<li>
If any party acts immediately on the filing
(such as an urgent security action),
the CM names these parties to the case.
</li>
<li>
CM selects the Arbitrator.
</li>
</ol>
<p>
The personnel within the CAcert support team
are Case Managers, by default, or as directed
by the Dispute Resolution Officer (DRO).
</p>
<h3 id="g0.2.4">1.4. Contents</h3>
<p>
The filing must specify:
</p>
<ul>
<li>
The filing party(s), being the <i>Claimant(s)</i>.
</li>
<li>
The party(s) to whom the complaint is addressed to,
being the <i>Respondent(s)</i>.
This will be CAcert in the
case of requests for support actions.
It may be a Member (possibly unidentified) in the
case where one Member has given rise to a complaint against another.
</li>
<li>
The <i>Complaint</i>.
For example, a trademark has been infringed,
privacy has been breached,
or a Member has defrauded using a certificate.
</li>
<li>
The action(s) requested by the filing party
(technically, called the <i>relief</i>).
For example, to delete an account,
to revoke a certificate, or to stop a
trademark infringement.
</li>
</ul>
<p>
If the filing is inadequate for lack of information
or for format, the Case Manager
may refile with the additional information,
attaching the original messages.
</p>
<h3 id="g0.2.5">1.5. The Arbitrator</h3>
<p>
The Case Manager selects the Arbitrator according
to the mechanism managed by the
DRO
and approved from time to time.
This mechanism is to maintain a list of Arbitrators available for
dispute resolution.
Each selected Arbitrator has the right to decline the dispute,
and should decline a dispute with which there exists a conflict
of interest.
The reason for declining should be stated.
If no Arbitrator accepts the dispute, the case is
closed with status "declined."
</p>
<p>
Arbitrators are experienced Assurers.
They should be independent and impartial, including
of CAcert Inc. itself where it becomes a party.
</p>
<h2 id="g0.3">2. The Arbitration</h2>
<h3 id="g0.3.1">2.1. Authority</h3>
<p>
The Board of CAcert Inc. and the
Members of the Community
vest in Arbitrators
full authority to hear disputes and deliver rulings
which are binding on CAcert Inc. and the
Members.
</p>
<h3 id="g0.3.2">2.2. Preliminaries</h3>
<p>
The Arbitrator conducts some preliminaries:
</p>
<ul>
<li>
The Arbitrator reviews the available documentation
and affirms the rules of dispute resolution.
Jurisdiction is established, see below.
</li>
<li>
The Arbitrator affirms the governing law (NSW, Australia).
The Arbitrator may select local law and local
procedures where Claimants and all Respondents
agree, are under such jurisdiction, and it is deemed
more appropriate.
However, this is strictly limited to those parties,
and especially, CAcert Inc. and other parties
remain under the governing law.
</li>
<li>
The Arbitrator reviews the Respondents and Claimants
with a view to dismissal or joining of additional parties.
E.g., support personnel may be joined if emergency action was
taken.
</li>
<li>
Any parties that are not
Members
and are not bound by the
CCA
are given the opportunity to enter into
CAcert and be bound by the
CCA
and these rules of arbitration.
If
these Non-Related Persons (NRPs)
remain outside,
their rights and remedies under CAcert's policies
and forum are strictly limited to
those
specified in the
Root Distribution License.
NRPs
may proceed with Arbitration subject to preliminary orders
of the Arbitrator.
</li>
<li>
Participating
Members
may not resign
from the Community
until the completion of the case.
</li>
<li>
The Arbitrator confirms that all parties accept
the forum of dispute resolution.
This is especially important where a
Member
might be
in a country with no Arbitration Act in law, or
where there is reason to believe that a party might
go to an external court.
</li>
<li>
The Arbitrator confirms that parties are representing
themselves. Parties are entitled to be legally
represented, but are not encouraged to do so,
bearing in mind the volunteer nature of the
organisation and the size of the dispute.
If they do so,
they must declare such, including any changes.
</li>
<li>
The Arbitrator may appoint experienced Assurers
to assist and represent parties, especially for NRPs.
The Case Manager must not provide such assistance.
</li>
<li>
The Arbitrator is bound to maintain the balance
of legal fairness.
</li>
<li>
The Arbitrator may make any preliminary orders,
including protection orders and orders referring
to emergency actions already taken.
</li>
<li>
The Arbitrator may request any written pleadings,
counterclaims, and/or statements of defence.
</li>
</ul>
<h3 id="g0.3.3">2.3. Jurisdiction </h3>
<p>
Jurisdiction - the right or power to hear and rule on
disputes - is initially established by clauses in the
CAcert Community Agreement.
The agreement must establish:
</p>
<ul>
<li>
That all Parties agree to binding Arbitration
in CAcert's forum of dispute resolution;
</li>
<li>
for all disputes relating to activities within
CAcert, issued certificates, roles and actions, etc;
</li>
<li>
as defined by these rules, including the selection
of a single Arbitrator;
</li>
<li>
under the Law of NSW, Australia; and
</li>
<li>
the Parties keep email accounts in good working order.
</li>
</ul>
<p>
An external court may have ("assert") jurisdiction to decide on
issues such as trademark, privacy, contract and fraud,
and may do so with legal remedies.
These are areas where jurisdiction may need
to be considered carefully:
</p>
<ul>
<li>
Where NRPs, being not Members of CAcert and not
bound by agreement, are parties to the dispute.
E.g., intellectual property disputes may involve
NRPs and their trademarks;
</li>
<li>
criminal actions or actions likely to result in criminal
proceedings,
e.g., fraud;
</li>
<li>
Contracts between
Members
that were formed without
a clause to seek arbitration in the forum;
</li>
<li>
Areas where laws fall outside the Arbitration Act,
such as privacy;
</li>
<li>
Legal process (subpoenas, etc) delivered by
an external court of "competent jurisdiction."
</li>
</ul>
<p>
The Arbitrator must consider jurisdiction and rule on a
case by case basis whether jurisdiction is asserted,
either wholly or partially, or declines to hear the case.
In the event of asserting
jurisdiction, and a NRP later decides to pursue rights in
another forum, the Arbitrator should seek the agreement
of the NRP to file the ruling as part of the new case.
</p>
<h3 id="g0.3.4">2.4. Basis in Law </h3>
<p>
Each country generally has an Arbitration Act
that elevates Arbitration as a strong dispute
resolution forum.
The Act generally defers to Arbitration
if the parties have so agreed.
That is, as
Members
,
you agree to resolve
all disputes before CAcert's forum.
This is sometimes called <i>private law</i>
or <i>alternative dispute resolution</i>.
</p>
<p>
As a matter of public policy, courts will generally
refer any case back to Arbitration.
Members
should understand that they will have
strictly limited rights to ask the courts to
seek to have a case heard or to override a Ruling.
</p>
<h3 id="g0.3.5">2.5. External Courts </h3>
<p>
When an external court claims and asserts its jurisdiction,
and issues a court order, subpoena or other service to CAcert,
the CM files the order as a dispute, with the external court
as <i>Claimant</i>.
The CM and other support staff are granted no authority to
act on the basis of any court order, and ordinarily
must await the order of the Arbitrator
(which might simply be a repeat of the external court order).
</p>
<p>
The Arbitrator establishes the bona fides of the
court, and rules.
The Arbitrator may rule to reject the order,
for jurisdiction or other reasons.
By way of example, if all Parties are
Members,
then jurisdiction more normally falls within the forum.
If the Arbitrator rules to reject,
he should do so only after consulting with CAcert Inc. counsel.
The Arbitrator's jurisidiction is ordinarily that of
dealing with the order, and
not that which the external court has claimed to.
</p>
<h3 id="g0.3.6">2.6. Process</h3>
<p>
The Arbitrator follows the procedure:
</p>
<ol>
<li>
Establish the facts.
The Arbitrator collects the evidence from the parties.
The Arbitrator may order CAcert Inc. or
Members
under jurisdiction to provide support or information.
The Arbitrator may use email, phone or face-to-face
meetings as proceedings.
</li>
<li>
Apply the Rules of Dispute Resolution,
the policies of CAcert and the governing law.
The Arbitrator may request that the parties
submit their views.
The Arbitrator also works to the mission of CAcert,
the benefit of all
Members
, and the community as a whole.
The Arbitrator may
seek
any assistance.
</li>
<li>
Makes a considered Ruling.
</li>
</ol>
<h2 id="g0.4">3. The Ruling</h2>
<h3 id="g0.4.1">3.1. The Contents </h3>
<p>
The Arbitrator records:
</p>
<ol>
<li>
The Identification of the Parties,
</li>
<li>
The Facts,
</li>
<li>
The logic of the rules and law,
</li>
<li>
The directions and actions to be taken by each party
(the ruling).
</li>
<li>
The date and place that the ruling is rendered.
</li>
</ol>
<h3 id="g0.4.2">3.2. Process </h3>
<p>
Once the Ruling is delivered, the case is closed.
The Case Manager is responsible for recording the
Ruling, publishing it, and advising Members.
</p>
<p>
Proceedings are ordinarily private.
The Ruling is ordinarily published,
within the bounds of the Privacy Policy.
The Ruling is written in English.
</p>
<p>
Only under exceptional circumstances can the
Arbitrator declare the Ruling private <i>under seal</i>.
Such a declaration must be reviewed in its entirety
by the Board,
and the Board must confirm or deny that declaration.
If it confirms, the existence of any Rulings under seal
must be published to the
Members
in a timely manner
(within days).
</p>
<h3 id="g0.4.3">3.3. Binding and Final </h3>
<p>
The Ruling is
ordinarily final and binding
on CAcert Inc.and all
Members
.
Ordinarily, all
Members
agree to be bound by this dispute
resolution policy.
Members
must declare in the Preliminaries
any default in agreement or binding.
</p>
<p>
If a person who is not a
Member
is a party to the dispute,
then the Ruling is not binding and final on that person,
but the Ruling must be presented in filing any dispute
in another forum such as the person's local courts.
</p>
<h3 id="g0.4.4">3.4. Review for Appeal</h3>
<p>
In the eventof clear injustices, egregious behaviour or
unconscionable Rulings,
a review may be requested by filing a dispute.
The new Arbitrator reviews the new dispute,
re-examines and reviews the entire case, then rules on
whether the case may be re-opened or not.
</p>
<p>
If the Review Arbitrator rules the case be re-opened,
then the Review Arbitrator refers the case to an Appeal Panel of 3.
The Appeal Panel is led by a Senior Arbitrator,
and is formed according to procedures established
by the DRO from time to time.
The Appeal Panel hears the case and delivers a final and binding Ruling.
</p>
<h3 id="g0.4.5">3.5. Liability </h3>
<p>
All liability of the Arbitrator for any act in
connection with deciding a dispute is excluded
by all parties, provided such act does not constitute
an intentional breach of duty.
All liability of the Arbitrators, CAcert Inc., its officers and its
employees (including Case Manager)
for any other act or omission in connection with
arbitration proceedings is excluded, provided such acts do not
constitute an intentional or grossly negligent breach of duty.
</p>
<p>
The above provisions may only be overridden by
appeal process
(by means of a new dispute causing referral to the Board).
</p>
<h3 id="g0.4.6">3.6. Remedies </h3>
<p>
The Arbitrator generally instructs using internal remedies,
that is ones that are within the general domain of
the Community,
but there are some external remedies at his disposal.
He may rule and instruct any of the parties on these issues.
</p>
<ul>
<li>
"community service" typically including
<ul>
<li>
attend and assure people at trade shows / open source gatherings,
</li>
<li>
writing documentation
</li>
<li>
serve in a role - support, dispute arbitration
</li>
</ul>
or others as decided.
</li>
<li>
Fined by loss of assurance points, which may result
in losing Assurer or Assured status.
</li>
<li>
Retraining in role.
</li>
<li>
Revoking of any certificates.
</li>
<li>
Monetary fine up to the liability cap established for
each party as described in the
CAcert Community Agreement.
</li>
<li>
Exclusion from community.
</li>
<li>
Reporting to applicable authorities.
</li>
<li>
Changes to policies and procedures.
</li>
</ul>
<p>
The Arbitrator is not limited within the general domain
of CAcert, and may instruct novel remedies as seen fit.
Novel remedies outside the domain may be routinely
confirmed by the Board by way of appeal process,
in order to establish precedent.
</p>
<h2 id="g0.5">4. Appendix</h2>
<h3 id="g0.5.1">4.1. The Advantages of this Forum </h3>
<p>
The advantage of this process for
Members
is:
</p>
<ul>
<li>
CAcert and Members operate across many jurisdictions.
Arbitration allows us to select a single set of
rules across all jurisdictions.
</li>
<li>
Arbitration allows CAcert to appropriately separate
out the routine support actions from difficult dispute
actions. Support personnel have no authority to
act, the appropriately selected Arbitrator has all
authority to act.
Good governance is thus maintained.
</li>
<li>
This forum allows CAcert Members to look after themselves
in a community, without exposing each other to potentially
disastrous results in strange courts from foreign lands.
</li>
<li>
By volunteering to resolve things "in-house" the costs
are reduced.
</li>
<li>
Even simple support issues such as password changing
can be improved by treating as a dispute. A clear
chain of request, analysis, ruling and action can be established.
</li>
<li>
CAcert Assurers can develop the understanding and the rules
for sorting out own problems far better than courts or
other external agencies.
</li>
</ul>
<h3 id="g0.5.2">4.2. The Disadvantages of this Forum </h3>
<p>
Some disadvantages exist.
</p>
<ul>
<li>
Membersmay have their rights trampled over.
In such a case, the community should strive to
re-open the case
and refer it to the board.
</li>
<li>
Members may feel overwhelmed by the formality
of the process.
It is kept formal so as to establish good and proper
authority to act; otherwise, support and other
people in power may act without thought and with
damaging consequences.
</li>
<li>
A country may not have an Arbitration Act.
In that case, the parties should enter into
spirit of the forum.
If they choose to break that spirit,
they should also depart the community.
</li>
</ul>
<h3 id="g0.5.3">4.3. Process and Flow </h3>
<p>
To the extent reasonable, the Arbitrator conducts
the arbitration as with any legal proceedings.
This means that the process and style should follow
legal tradition.
</p>
<p>
However, the Arbitrator is unlikely to be trained in
law. Hence, common sense must be applied, and the
Arbitrator has wide latitude to rule on any particular
motion, pleading, submission. The Arbitrator's ruling
is final within the arbitration.
</p>
<p>
Note also that many elements of legal proceedings are
deliberately left out of the rules.
</p>
</body>
</html>
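Review bot: The status badge in the header table of this new file still points at `https://www.cacert.org/policy/PolicyOnPolicy.php`, although the commit title says all policies are renamed to `.html` and all links fixed. The opening `<a>` tag is also written twice in a row with only one `</a>`, leaving a nested, unclosed anchor. Replace the two lines with a single `<a href="https://www.cacert.org/policy/PolicyOnPolicy.html">`. Whether the old `.php` URL is still redirected is not visible here; if it is not, the badge on this controlled policy document is a dead link. Two smaller points in the head of the same file: the `<title>` reads "Dispute Resulution Policy" (carried over from the removed `.php` version), and `lang="en"` sits on the `<meta>` element, where it presumably was meant for `<html>`.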


@ -1,794 +1,4 @@
<?='<?xml version="1.0" encoding="utf-8"?>'?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8" />
<title>Dispute Resulution Policy</title>
<style type="text/css">
<!--
.first-does-not-work {
color : red;
}
.comment {
color : steelblue;
}
.q {
color : green;
font-weight: bold;
text-align: center;
font-style:italic;
}
.change {
color : blue;
font-weight: bold;
}
.change2 {
color : steelblue;
}
.strike {
color : blue;
text-decoration:line-through;
}
.draftadd {
color : darkblue;
font-weight: bold;
font-style: italic;
}
.draftdrop {
color : darkblue;
text-decoration:line-through;
font-style: italic;
}
-->
</style>
</head>
<body>
<div class="comment">
<table width="100%">
<tr>
<td>
Name: DRP <a style="color: steelblue" href="//svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD7</a><br />
Status: POLICY <a style="color: steelblue" href="//wiki.cacert.org/wiki/TopMinutes-20070917">m20070919.3</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span class="draftadd">DRAFT p20110108 p20121213</span> <br />
Editor: <a style="color: steelblue" href="//wiki.cacert.org/TeusHagen">Teus Hagen
</a><br />
Licence: <a style="color: steelblue" href="//wiki.cacert.org/Policy#Licence" title="this document is Copyright &copy; CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy" > CC-by-sa+DRP </a><br /></td>
<td valign="top" align="right">
<a href="//www.cacert.org/policy/PolicyOnPolicy.php"><img src="/images/cacert-policy.png" alt="TTP-Assist Status - POLICY" height="31" width="88" style="border-style: none;" /></a><br />
<a href="//www.cacert.org/policy/PolicyOnPolicy.php"><img src="/images/cacert-draft.png" alt="TTP-Assist Status - DRAFT" height="31" width="88" style="border-style: none;" /></a>
</td>
</tr>
</table>
</div>
<h1> Dispute&nbsp;Resolution&nbsp;Policy </h1>
<h2 id="s0"> 0. Introduction</h2>
<p>
This is the Dispute Resolution Policy
<span class="draftdrop">for CAcert</span>
<span class="draftadd">for the CAcert Community, consisting of CAcert Inc and Members who agree to the CAcert Community Agreement (CCA)</span>.
Disputes arising out of
operations by CAcert
<span class="draftadd">Inc</span>
and interactions between
<span class="draftadd">
Members
</span>
may be addressed through this policy.
This document also presents the rules for
resolution of disputes.
</p>
<h3 id="s0.1"> 0.1 Nature of Disputes </h3>
<p>
Disputes include:
</p>
<ul><li>
Requests for non-routine support actions.
CAcert support team has no authority to
act outside the normal support facilities made
available to
<span class="draftadd">
Members;
</span>
</li><li>
Classical disputes where a <span class="draftadd">Member</span> or another
assert claims and demand remedies;
</li><li>
Requests by external organisations, including
legal processes from foreign courts;
</li><li>
Events initiated for training purposes.
</li></ul>
<h2 id="s1"> 1. Filing</h2>
<h3 id="s1.1"> 1.1 Filing Party</h3>
<p>
Anyone may file a dispute.
In filing, they become <i>Claimants</i>.
</p>
<h3 id="s1.2"> 1.2 Channel for Filing</h3>
<p>
Disputes are filed by being sent to the normal
support channel of CAcert,
and a fee may be payable.
</p>
<p>
Such fees as are imposed on filing will be specified
on the dispute resolution page of the website.
</p>
<h3 id="s1.3"> 1.3 Case Manager</h3>
<p>
The Case Manager (CM) takes control of the filing.
</p>
<ol><li>
CM makes an initial determination as
to whether this filing is a dispute
for resolution, or it is a request
for routine support.
</li><li>
CM logs the case and establishes such
documentation and communications support as is customary.
</li><li>
If any party acts immediately on the filing
(such as an urgent security action),
the CM names these parties to the case.
</li><li>
CM selects the Arbitrator.
</li></ol>
<p>
The personnel within the CAcert support team
are Case Managers, by default, or as directed
by the Dispute Resolution Officer <span class="change2">(DRO)</span>.
</p>
<h3 id="s1.4"> 1.4 Contents</h3>
<p>
The filing must specify:
</p>
<ul><li>
The filing party(s), being the <i>Claimant(s)</i>.
</li><li>
The party(s) to whom the complaint is addressed to,
being the <i>Respondent(s)</i>.
This will be CAcert in the
case of requests for support actions.
It may be a <span class="draftadd">Member</span> (possibly unidentified) in the
case where one <span class="draftadd">Member</span> has given rise to a complaint against another.
</li><li>
The <i>Complaint</i>.
For example, a trademark has been infringed,
privacy has been breached,
or a <span class="draftadd">Member</span> has defrauded using a certificate.
</li><li>
The action(s) requested by the filing party
(technically, called the <i>relief</i>).
For example, to delete an account,
to revoke a certificate, or to stop a
trademark infringement.
</li></ul>
<p>
If the filing is inadequate for lack of information
or for format, the Case Manager
may refile with the additional information,
attaching the original messages.
</p>
<h3 id="s1.5"> 1.5 The Arbitrator</h3>
<p>
The Case Manager selects the Arbitrator according
to the mechanism managed by the
<span class="change2">DRO</span> <!-- Dispute Resolution Officer -->
and approved from time to time.
This mechanism is to maintain a list of Arbitrators available for
dispute resolution.
Each selected Arbitrator has the right to decline the dispute,
and should decline a dispute with which there exists a conflict
of interest.
The reason for declining should be stated.
If no Arbitrator accepts the dispute, the case is
closed with status "declined."
</p>
<p>
Arbitrators are experienced Assurers <span class="draftdrop">of CAcert</span>.
They should be independent and impartial, including
of CAcert <span class="draftadd">Inc.</span> itself where it becomes a party.
</p>
<h2 id="s2"> 2. The Arbitration</h2>
<h3 id="s2.1"> 2.1 Authority</h3>
<p>
The Board of CAcert <span class="draftadd">Inc.</span> and the
<span class="draftadd">
Members of the Community
</span>
vest in Arbitrators
full authority to hear disputes and deliver rulings
which are binding on CAcert <span class="draftadd">Inc.</span> and the
<span class="draftadd">
Members.
</span>
</p>
<h3 id="s2.2"> 2.2 Preliminaries</h3>
<p>
The Arbitrator conducts some preliminaries:
</p>
<ul><li>
The Arbitrator reviews the available documentation
and affirms the rules of dispute resolution.
Jurisdiction is established, see below.
</li><li>
The Arbitrator affirms the governing law (NSW, Australia).
The Arbitrator may select local law and local
procedures where Claimants and all Respondents
agree, are under such jurisdiction, and it is deemed
more appropriate.
However, this is strictly limited to those parties,
and especially, CAcert <span class="draftadd">Inc.</span> and other parties
remain under the governing law.
</li><li>
The Arbitrator reviews the Respondents and Claimants
with a view to dismissal or joining of additional parties.
E.g., support personnel may be joined if emergency action was
taken.
</li><li>
Any parties that are not
<span class="draftadd">
Members
</span>
and are not bound by the
<span class="draftdrop">CPS</span> <span class="draftadd">CCA</span>
are given the opportunity to enter into
CAcert and be bound by the
<span class="draftdrop">CPS</span> <span class="draftadd">CCA</span>
and these rules of arbitration.
If
<!-- <span class="draftdrop">these Non-Related Persons (NRPs)</span> <span class="change">they</span> -->
these Non-Related Persons (NRPs)
remain outside,
their rights and remedies under CAcert's policies
and forum are strictly limited to
<span class="strike">that</span> <span class="change2">those</span>
specified in the
<span class="draftdrop">Non-Related Persons -- Disclaimer and Licence</span> <span class="draftadd">Root Distribution License</span>.
NRPs
may proceed with Arbitration subject to preliminary orders
of the Arbitrator.
</li><li>
Participating
<span class="draftadd">
Members
</span>
may not resign
<span class="change2">
from the Community
</span>
until the completion of the case.
</li><li>
The Arbitrator confirms that all parties accept
the forum of dispute resolution.
This is especially important where a
<span class="draftadd">
Member
</span>
might be
in a country with no Arbitration Act in law, or
where there is reason to believe that a party might
go to an external court.
</li><li>
The Arbitrator confirms that parties are representing
themselves. Parties are entitled to be legally
represented, but are not encouraged to do so,
bearing in mind the volunteer nature of the
organisation and the size of the dispute.
If they do so<span class="change2">,</span>
they must declare such, including any changes.
</li><li>
The Arbitrator may appoint experienced Assurers
to assist and represent parties, especially for NRPs.
The Case Manager must not provide such assistance.
</li><li>
The Arbitrator is bound to maintain the balance
of legal fairness.
</li><li>
The Arbitrator may make any preliminary orders,
including protection orders and orders referring
to emergency actions already taken.
</li><li>
The Arbitrator may request any written pleadings,
counterclaims, and/or statements of defence.
</li></ul>
<h3 id="s2.3"> 2.3 Jurisdiction </h3>
<p>
Jurisdiction - the right or power to hear and rule on
disputes - is initially established by clauses in the
<span class="draftadd">
CAcert Community Agreement.
</span>
The agreement must establish:
</p>
<ul><li>
That all Parties agree to binding Arbitration
in CAcert's forum of dispute resolution;
</li><li>
for all disputes relating to activities within
CAcert, issued certificates, roles and actions, etc;
</li><li>
as defined by these rules, including the selection
of a single Arbitrator;
</li><li>
under the Law of NSW, Australia; and
</li><li>
the Parties keep email accounts in good working order.
</li></ul>
<p>
An external court may have ("assert") jurisdiction to decide on
issues such as trademark, privacy, contract and fraud,
and may do so with legal remedies.
These are areas where jurisdiction may need
to be considered carefully:
</p>
<ul><li>
Where NRPs, being not Members of CAcert and not
bound by agreement, are parties to the dispute.
E.g., intellectual property disputes may involve
NRPs and their trademarks;
</li><li>
criminal actions or actions likely to result in criminal
proceedings,
e.g., fraud;
</li><li>
Contracts between
<span class="draftadd">
Members
</span>
that were formed without
a clause to seek arbitration in the forum;
</li><li>
Areas where laws fall outside the Arbitration Act,
such as privacy;
</li><li>
Legal process (subpoenas, etc) delivered by
an external court of "competent jurisdiction."
</li></ul>
<p>
The Arbitrator must consider jurisdiction and rule on a
case by case basis whether jurisdiction is asserted,
either wholly or partially, or declines to hear the case.
In the event of asserting
jurisdiction, and a NRP later decides to pursue rights in
another forum, the Arbitrator should seek the agreement
of the NRP to file the ruling as part of the new case.
</p>
<h3 id="s2.4"> 2.4 Basis in Law </h3>
<p>
Each country generally has an Arbitration Act
that elevates Arbitration as a strong dispute
resolution forum.
The Act generally defers to Arbitration
if the parties have so agreed.
That is, as
<span class="draftadd">
Members
</span>
<span class="draftdrop">users of CAcert</span>,
you agree to resolve
all disputes before CAcert's forum.
This is sometimes called <i>private law</i>
or <i>alternative dispute resolution</i>.
</p>
<p>
As a matter of public policy, courts will generally
refer any case back to Arbitration.
<span class="draftadd">
Members
</span>
should understand that they will have
strictly limited rights to ask the courts to
seek to have a case heard or to override a Ruling.
</p>
<h3 id="s2.5"> 2.5 External Courts </h3>
<p>
When an external court claims and asserts its jurisdiction,
and issues a court order, subpoena or other service to CAcert,
the CM files the order as a dispute, with the external court
as <i>Claimant</i>.
The CM and other support staff are granted no authority to
act on the basis of any court order, and ordinarily
must await the order of the Arbitrator
(which might simply be a repeat of the external court order).
</p>
<p>
The Arbitrator establishes the bona fides of the
court, and rules.
The Arbitrator may rule to reject the order,
for jurisdiction or other reasons.
By way of example, if all Parties are
<span class="draftadd">
Members,
</span>
then jurisdiction more normally falls within the forum.
If the Arbitrator rules to reject,
he should do so only after consulting with CAcert <span class="draftadd">Inc.</span> counsel.
The Arbitrator's jurisidiction is ordinarily that of
dealing with the order, and
not that which the external court has claimed to.
</p>
<h3 id="s2.6"> 2.6 Process</h3>
<p>
The Arbitrator follows the procedure:
</p>
<ol><li>
Establish the facts.
The Arbitrator collects the evidence from the parties.
The Arbitrator may order CAcert <span class="draftadd">Inc.</span> or
<span class="draftadd">
Members
</span>
under jurisdiction to provide support or information.
The Arbitrator may use email, phone or face-to-face
meetings as proceedings.
</li><li>
Apply the Rules of Dispute Resolution,
the policies of CAcert and the governing law.
The Arbitrator may request that the parties
submit their views.
The Arbitrator also works to the mission of CAcert,
the benefit of all
<span class="draftadd">
Members
</span>
, and the community as a whole.
The Arbitrator may
<span class="draftadd">
seek
</span>
any assistance.
</li><li>
Makes a considered Ruling.
</li></ol>
<h2 id="s3"> 3. The Ruling</h2>
<h3 id="s3.1"> 3.1 The Contents </h3>
<p>
The Arbitrator records:
</p>
<ol><li>
The Identification of the Parties,
</li><li>
The Facts,
</li><li>
The logic of the rules and law,
</li><li>
The directions and actions to be taken by each party
(the ruling).
</li><li>
The date and place that the ruling is rendered.
</li></ol>
<h3 id="s3.2"> 3.2 Process </h3>
<p>
Once the Ruling is delivered, the case is closed.
The Case Manager is responsible for recording the
Ruling, publishing it, and advising <span class="draftadd">Members</span>.
</p>
<p>
Proceedings are ordinarily private.
The Ruling is ordinarily published,
within the bounds of the Privacy Policy.
The Ruling is written in English.
</p>
<p>
Only under exceptional circumstances can the
Arbitrator declare the Ruling private <i>under seal</i>.
Such a declaration must be reviewed in its entirety
by the Board,
and the Board must confirm or deny that declaration.
If it confirms, the existence of any Rulings under seal
must be published to the
<span class="draftadd">
Members
</span>
in a timely manner
(within days).
</p>
<h3 id="s3.3"> 3.3 Binding and Final </h3>
<p>
The Ruling is
<!-- (DRAFT p20110108) -->
<span class="draftadd">ordinarily final and binding </span>
<span class="draftdrop">binding and final</span>
on CAcert <span class="draftadd">Inc.</span> and all
<span class="draftadd">
Members
</span>
.
Ordinarily, all
<span class="draftadd">
Members
</span>
agree to be bound by this dispute
resolution policy.
<span class="draftadd">
Members
</span>
must declare in the Preliminaries
any default in agreement or binding.
</p>
<p>
If a person who is not a
<span class="draftadd">
Member
</span>
is a party to the dispute,
then the Ruling is not binding and final on that person,
but the Ruling must be presented in filing any dispute
in another forum such as the person's local courts.
</p>
<h3 id="s3.4"> 3.4 <span class="draftadd">Review for Appeal (DRAFT p20110108)</span> &nbsp;&nbsp;&nbsp;&nbsp; <span class="draftdrop">Re-opening the Case or Appeal</span> </h3>
<p>
In the <span class="draftadd">event</span> <span class="draftdrop">case</span> of clear injustices, egregious behaviour or
unconscionable Rulings,
<span class="draftadd">
a review may be requested by filing a dispute (DRAFT p20110108).
</span>
<span class="draftdrop">
parties may seek to re-open the
case by filing a dispute.
</span>
The new Arbitrator reviews the new dispute,
re-examines and reviews the entire case, then rules on
whether the case may be re-opened or not.
</p>
<p>
<span class="draftadd">
If the Review Arbitrator rules the case be re-opened,
then the Review Arbitrator refers the case to an Appeal Panel of 3.
The Appeal Panel is led by a Senior Arbitrator,
and is formed according to procedures established
by the DRO from time to time.
The Appeal Panel hears the case and delivers a final and binding Ruling.
(DRAFT p20110108)
</span>
<span class="draftdrop">
If the new Arbitrator rules the case be re-opened,
then it is referred to the Board of CAcert Inc.
The Board hears the case and delivers a final
and binding Ruling.
</span>
</p>
<h3 id="s3.5"> 3.5 Liability </h3>
<p>
All liability of the Arbitrator for any act in
connection with deciding a dispute is excluded
by all parties, provided such act does not constitute
an intentional breach of duty.
All liability of the Arbitrators, CAcert <span class="draftadd">Inc.</span>, its officers and its
employees (including Case Manager)
for any other act or omission in connection with
arbitration proceedings is excluded, provided such acts do not
constitute an intentional or grossly negligent breach of duty.
</p>
<p>
The above provisions may only be overridden by
appeal process
(by means of a new dispute causing referral to the Board).
</p>
<h3 id="s3.6"> 3.6 Remedies </h3>
<p>
The Arbitrator generally instructs using internal remedies,
that is ones that are within the general domain of
<span class="draftdrop">CAcert</span>
<span class="draftadd">the Community</span>,
but there are some external remedies at his disposal.
He may rule and instruct any of the parties on these issues.
</p>
<ul><li>
"community service" typically including
<ul><li>
attend and assure people at trade shows / open source gatherings,
</li><li>
writing documentation
</li><li>
serve in <span class="change2">a</span> role - support, dispute arbitration
</li></ul>
or others as decided.
</li><li>
Fined by loss of assurance points, which may result
in losing Assurer or Assured status.
</li><li>
Retraining in role.
</li><li>
Revoking of any certificates.
</li><li>
Monetary fine up to the liability cap established for
each party as described in the
<span class="draftadd">
CAcert Community Agreement.
</span>
</li><li>
Exclusion from community.
</li><li>
Reporting to applicable authorities.
</li><li>
Changes to policies and procedures.
</li></ul>
<p>
The Arbitrator is not limited within the general domain
of CAcert, and may instruct novel remedies as seen fit.
Novel remedies outside the domain may be routinely
confirmed by the Board by way of appeal process,
in order to establish precedent.
</p>
<h2 id="s4"> 4. Appendix</h2>
<h3 id="s4.1"> 4.1 The Advantages of this Forum </h3>
<p>
The advantage of this process for
<span class="draftadd">
Members
</span>
is:
</p>
<ul><li>
CAcert and <span class="draftadd">Members</span> operate across many jurisdictions.
Arbitration allows us to select a single set of
rules across all jurisdictions.
</li><li>
Arbitration allows CAcert to appropriately separate
out the routine support actions from difficult dispute
actions. Support personnel have no authority to
act, the appropriately selected Arbitrator has all
authority to act.
Good governance is thus maintained.
</li><li>
This forum allows CAcert <span class="draftadd">Members</span> to look after themselves
in a community, without exposing each other to potentially
disastrous results in strange courts from foreign lands.
</li><li>
By volunteering to resolve things "in-house" the costs
are reduced.
</li><li>
Even simple support issues such as password changing
can be improved by treating as a dispute. A clear
chain of request, analysis, ruling and action can be established.
</li><li>
CAcert Assurers can develop the understanding and the rules
for sorting out own problems far better than courts or
other external agencies.
</li></ul>
<h3 id="s4.2"> 4.2 The Disadvantages of this Forum </h3>
<p>
Some disadvantages exist.
</p>
<ul><li>
<span class="draftadd">Members</span> may have their rights trampled over.
In such a case, the community should strive to
re-open the case
and refer it to the board.
</li><li>
<span class="draftadd">Members</span> may feel overwhelmed by the formality
of the process.
It is kept formal so as to establish good and proper
authority to act; otherwise, support and other
people in power may act without thought and with
damaging consequences.
</li><li>
A country may not have an Arbitration Act.
In that case, the parties should enter into
spirit of the forum.
If they choose to break that spirit,
they should also depart the community.
</li></ul>
<h3 id="s4.3"> 4.3 Process and Flow </h3>
<p>
To the extent reasonable, the Arbitrator conducts
the arbitration as with any legal proceedings.
This means that the process and style should follow
legal tradition.
</p>
<p>
However, the Arbitrator is unlikely to be trained in
law. Hence, common sense must be applied, and the
Arbitrator has wide latitude to rule on any particular
motion, pleading, submission. The Arbitrator's ruling
is final within the arbitration.
</p>
<p>
Note also that many elements of legal proceedings are
deliberately left out of the rules.
</p>
</body>
</html>
<?php
header('HTTP/1.0 301 Moved Permanently');
header('Location: DisputeResolutionPolicy.html');
exit();


@ -1,14 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>NRP-DAL was replaced by the Root Distribution License</title></head>
<body>
<table border="1" bgcolor="#EEEEEE"><tr><td>
The document "Non Related Persons - Disclaimer And Licence" was replaced by the Root Distribution Licence, which can be found <a href="/policy/RootDistributionLicense.php">here</a>.
</td>
</tr>
</table>
</body>
</html>


@ -0,0 +1,408 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" lang="en">
<title> Organisation Assurance Policy </title>
<style type="text/css">
<!--
.comment {
color : steelblue;
}
-->
</style>
</head>
<body>
<div class="comment">
<table width="100%">
<tbody>
<tr>
<td>
Name: OAP <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD11</a>
<br>
Status: POLICY <a href="https://wiki.cacert.org/PolicyDecisions#p20140731">p20140731</a>
<br>
Editor: Jens Paul
<br>
Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright © CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy"> CC-by-sa+DRP </a>
<br>
</td>
<td align="right" valign="top">
<a href="https://www.cacert.org/policy/PolicyOnPolicy.php">
<img src="images/cacert-policy.png" alt="OAP Status - POLICY" style="border-style: none;" height="31" width="88">
</a>
</td>
</tr>
</tbody>
</table>
</div>
<h1> Organisation&nbsp;Assurance&nbsp;Policy </h1>
<h2 id="s0"> 0. Preliminaries </h2>
<p>
This policy describes how Organisation Assurers ("OAs")
conduct Assurances on Organisations.
It fits within the overall web-of-trust
or Assurance process of CAcert.
</p>
<p>
This policy is not a Controlled document, for purposes of
Configuration Control Specification ("CCS").
</p>
<h2 id="s1"> 1. Purpose </h2>
<p>
Organisations with assured status can issue certificates
directly with their own domains within.
</p>
<p>
The purpose and statement of the certificate remains
the same as with ordinary users (natural persons)
and as described in the CPS.
</p>
<ul><li>
The organisation named within is identified.
</li><li>
The organisation has been verified according
to this policy.
</li><li>
The organisation is within the jurisdiction
and can be taken to CAcert Arbitration.
</li></ul>
<h2 id="s2"> 2. Roles and Structure </h2>
<h3 id="s2.1"> 2.1 Assurance Officer </h3>
<p>
The Assurance Officer ("AO")
manages this policy and reports to the CAcert Inc. Committee ("Board").
</p>
<p>
The AO manages all OAs and is responsible for process,
the CAcert Organisation Assurance Programme ("COAP") form,
OA training and testing, manuals, quality control.
In these responsibilities, other Officers will assist.
</p>
<p>
The OA is appointed by the Board.
Where the OA is failing the Board decides.
</p>
<h3 id="s2.2"> 2.2 Organisation Assurers </h3>
<p>
</p>
<ol type="a"> <li>
An OA must be an experienced Assurer
<ol type="i">
<li>Have 150 assurance points.</li>
<li>Be fully trained and tested on all general Assurance processes.</li>
</ol>
</li><li>
Must be trained as Organisation Assurer.
<ol type="i">
<li> Global knowledge: This policy. </li>
<li> Global knowledge: A OA manual covers how to do the process.</li>
<li> Local knowledge: legal forms of organisations within jurisdiction.</li>
<li> Basic governance. </li>
<li> Training may be done a variety of ways,
such as on-the-job, etc. </li>
</ol>
</li><li>
Must be tested.
<ol type="i">
<li> Global test: Covers this policy and the process. </li>
<li> Local knowledge: Subsidiary Policy to specify. </li>
<li> Tests to be created, approved, run, verified
by CAcert only (not outsourced). </li>
<li> Tests are conducted manually, not online/automatic. </li>
<li> Documentation to be retained. </li>
<li> Tests may include on-the-job components. </li>
</ol>
</li><li>
Must be approved.
<ol type="i">
<li> Two supervising OAs must sign-off on new OA,
as trained, tested and passed.
</li>
<li> AO must sign-off on a new OA,
as supervised, trained and tested.
</li>
</ol>
</li>
<li>The OA can decide when a CAcert
(individual) Assurer
has done several OA Application Advises to appoint this
person to OA Assurer.
</li>
</ol>
<h3 id="s2.3"> 2.3 Organisation Assurance Advisor ("OAA") </h3>
<p>
In countries/states/provinces where no OA Assurers are
operating for an OA Application (COAP) the OA
can be advised by an experienced local CAcert
(individual) Assurer to take the decision
to accept the OA Application (COAP) of the organisation.
</p>
<p>
The local Assurer must have at least 150 Points,
should know the language, and know
the organisation trade office registry culture and quality.
</p>
<h3 id="s2.4"> 2.4 Organisation Administrator </h3>
<p>
The Administrator within each Organisation ("O-Admin")
is the one who handles the assurance requests
and the issuing of certificates.
</p>
<ol type="a"> <li>
O-Admin must be Assurer
<ol type="i">
<li>Have 100 assurance points.</li>
<li>Fully trained and tested as Assurer.</li>
</ol>
</li><li>
Organisation is required to appoint O-Admin,
and appoint ones as required.
<ol type="i">
<li> On COAP Request Form.</li>
</ol>
</li><li>
O-Admin must work with an assigned OA.
<ol type="i">
<li> Have contact details.</li>
</ol>
</ol>
<h2 id="s3"> 3. Policies </h2>
<h3 id="s3.1"> 3.1 Policy </h3>
<p>
There is one policy being this present document,
and several subsidiary policies.
</p>
<ol type="a">
<li> This policy authorises the creation of subsidiary policies. </li>
<li> This policy is international. </li>
<li> Subsidiary policies are implementations of the policy. </li>
<li> Organisations are assured under an appropriate subsidiary policy. </li>
</ol>
<h3 id="s3.2"> 3.2 Subsidiary Policies </h3>
<p>
The nature of the Subsidiary Policies ("SubPols"):
</p>
<ol type="a"><li>
SubPols are purposed to check the organisation
under the rules of the jurisdiction that creates the
organisation. This does not evidence an intention
by CAcert to
enter into the local jurisdiction, nor an intention
to impose the rules of that jurisdiction over any other
organisation.
CAcert assurances are conducted under the jurisdiction
of CAcert.
</li><li>
For OAs,
SubPol specifies the <i>tests of local knowledge</i>
including the local organisation assurance COAP forms.
</li><li>
For assurances,
SubPol specifies the <i>local documentation forms</i>
which are acceptable under this SubPol to meet the
standard.
</li><li>
SubPols are subjected to the normal
policy approval process.
</li></ol>
<h3 id="s3.3"> 3.3 Freedom to Assemble </h3>
<p>
Subsidiary Policies are open, accessible and free to enter.
</p>
<ol type="a"><li>
SubPols compete but are compatible.
</li><li>
No SubPol is a franchise.
</li><li>
Many will be on State or National lines,
reflecting the legal
tradition of organisations created
("incorporated") by states.
</li><li>
However, there is no need for strict national lines;
it is possible to have 2 SubPols in one country, or one
covering several countries with the same language
(e.g., Austria with Germany, England with Wales but not Scotland).
</li><li>
There could also be SubPols for special
organisations, one person organisations,
UN agencies, churches, etc.
</li><li>
Where it is appropriate to use the SubPol
in another situation (another country?), it
can be so approved.
(e.g., Austrian SubPol might be approved for Germany.)
The SubPol must record this approval.
</li></ol>
<h2 id="s4"> 4. Process </h2>
<h3 id="s4.1"> 4.1 Standard of Organisation Assurance </h3>
<p>
The essential standard of Organisation Assurance is:
</p>
<ol type="a"><li>
the organisation exists
</li><li>
the organisation name is correct and consistent:
<ol type="i">
<li>in official documents specified in SubPol.</li>
<li>on COAP form.</li>
<li>in CAcert database.</li>
<li>form or type of legal entity is consistent</li>
</ol>
</li><li>
signing rights:
requestor can sign on behalf of the organisation.
</li><li>
the organisation has agreed to the terms of the
CAcert Community Agreement
and is therefore subject to Arbitration.
</li></ol>
<p>
Acceptable documents to meet above standard
are stated in the SubPol.
</p>
<h3 id="s4.2"> 4.2 COAP </h3>
<p>
The COAP form documents the checks and the resultant
assurance results to meet the standard.
Additional information to be provided on form:
</p>
<ol type="a"><li>
CAcert account of O-Admin (email address?)
</li><li>
location:
<ol type="i">
<li>country (MUST).</li>
<li>city (MUST).</li>
<li>additional contact information (as required by SubPol).</li>
</ol>
</li><li>
administrator account name(s) (1 or more)
</li><li>
domain name(s)
</li><li>
Agreement with
CAcert Community Agreement.
Statement and initials box for organisation
and also for OA.
</li><li>
Date of completion of Assurance.
Records should be maintained for 7 years from
this date.
</li></ol>
<p>
The COAP should be in English. Where translations
are provided, they should be matched to the English,
and indication provided that the English is the
ruling language (due to Arbitration requirements).
</p>
<h3 id="s4.3"> 4.3 Jurisdiction </h3>
<p>
Organisation Assurances are carried out by
CAcert Inc. under its Arbitration jurisdiction.
Actions carried out by OAs are under this regime.
</p>
<ol type="a"><li>
The organisation has agreed to the terms of the
CAcert Community Agreement.
</li><li>
The organisation, the Organisation Assurers, CAcert and
other related parties are bound into CAcert's jurisdiction
and dispute resolution.
</li><li>
The OA is responsible for ensuring that the
organisation reads, understands, intends and
agrees to the
CAcert Community Agreement.
This OA responsibility should be recorded on COAP
(statement and initials box).
</li></ol>
<h2 id="s5"> 5. Exceptions </h2>
<ol type="a"><li>
<b> Conflicts of Interest.</b>
An OA must not assure an organisation in which
there is a close or direct relationship by, e.g.,
employment, family, financial interests.
Other conflicts of interest must be disclosed.
</li><li>
<b> Trusted Third Parties.</b>
TTPs are not generally approved to be part of
organisation assurance,
but may be approved by subsidiary policies according
to local needs.
</li><li>
<b>Exceptional Organisations.</b>
(e.g., Vatican, International Space Station, United Nations)
can be dealt with as a single-organisation
SubPol.
The OA creates the checks, documents them,
and subjects them to to normal policy approval.
</li><li>
<b>DBA.</b>
Alternative names for organisations
(DBA, "doing business as")
can be added as long as they are proven independently.
E.g., registration as DBA or holding of registered trade mark.
This means that the anglo law tradition of unregistered DBAs
is not accepted without further proof.
</li>
</ol>
</body>
</html>
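Review bot: The status badge in the header table still links to `https://www.cacert.org/policy/PolicyOnPolicy.php`, which is exactly the kind of link this commit sets out to fix; the old .php version of this policy in the next file section already pointed at the `.html` target. I would change it to `<a href="PolicyOnPolicy.html">` so the page does not depend on the redirect stub and stays on whichever host serves it. The badge image also moved from the root-relative `/images/cacert-policy.png` to `images/cacert-policy.png`, which resolves under the policy directory; if no copy of the image lives there the badge breaks, so confirm the file exists or restore the root-relative path. The list item "O-Admin must work with an assigned OA." in section 2.4 is missing its closing `</li>` before `</ol>`.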


@ -1,402 +1,4 @@
<?='<?xml version="1.0" encoding="utf-8"?>'?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Organisation Assurance Policy </title>
<style type="text/css">
<!--
.comment {
color : steelblue;
}
-->
</style>
</head>
<body>
<div class="comment">
<table width="100%">
<tr>
<td>
Name: OAP <a style="color: steelblue" href="//svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD11</a><br />
Status: POLICY/DRAFT <a style="color: steelblue" href="//wiki.cacert.org/wiki/TopMinutes-20070917">m20070918.x </a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span class="draftadd">DRAFT p20080401.1 </span> <br />
Editor: Jens Paul <br />
Licence: <a style="color: steelblue" href="//wiki.cacert.org/Policy#Licence" title="this document is Copyright &copy; CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy" > CC-by-sa+DRP </a><br /></td>
<td valign="top" align="right">
<a href="//www.cacert.org/policy/PolicyOnPolicy.html"><img src="/images/cacert-policy.png" alt="OAP Status - POLICY" height="31" width="88" style="border-style: none;" /></a><br />
<a href="//www.cacert.org/policy/PolicyOnPolicy.html"><img src="/images/cacert-draft.png" alt="OAP Status - DRAFT" height="31" width="88" style="border-style: none;" /></a>
</td>
</tr>
</table>
</div>
<h1> Organisation&nbsp;Assurance&nbsp;Policy </h1>
<h2 id="s0">0. Preliminaries </h2>
<p>
This policy describes how Organisation Assurers ("OAs")
conduct Assurances on Organisations.
It fits within the overall web-of-trust
or Assurance process of CAcert.
</p>
<p>
This policy is not a Controlled document, for purposes of
Configuration Control Specification ("CCS").
</p>
<h2 id="s1"> 1. Purpose </h2>
<p>
Organisations with assured status can issue certificates
directly with their own domains within.
</p>
<p>
The purpose and statement of the certificate remains
the same as with ordinary users (natural persons)
and as described in the CPS.
</p>
<ul><li>
The organisation named within is identified.
</li><li>
The organisation has been verified according
to this policy.
</li><li>
The organisation is within the jurisdiction
and can be taken to CAcert Arbitration.
</li></ul>
<h2 id="s2"> 2. Roles and Structure </h2>
<h3 id="s2.1"> 2.1 Assurance Officer </h3>
<p>
The Assurance Officer ("AO")
manages this policy and reports to the CAcert Inc. Committee ("Board").
</p>
<p>
The AO manages all OAs and is responsible for process,
the CAcert Organisation Assurance Programme ("COAP") form,
OA training and testing, manuals, quality control.
In these responsibilities, other Officers will assist.
</p>
<p>
The OA is appointed by the Board.
Where the OA is failing the Board decides.
</p>
<h3 id="s2.2"> 2.2 Organisation Assurers </h3>
<p>
</p>
<ol type="a"> <li>
An OA must be an experienced Assurer
<ol type="i">
<li>Have 150 assurance points.</li>
<li>Be fully trained and tested on all general Assurance processes.</li>
</ol>
</li><li>
Must be trained as Organisation Assurer.
<ol type="i">
<li> Global knowledge: This policy. </li>
<li> Global knowledge: A OA manual covers how to do the process.</li>
<li> Local knowledge: legal forms of organisations within jurisdiction.</li>
<li> Basic governance. </li>
<li> Training may be done a variety of ways,
such as on-the-job, etc. </li>
</ol>
</li><li>
Must be tested.
<ol type="i">
<li> Global test: Covers this policy and the process. </li>
<li> Local knowledge: Subsidiary Policy to specify.</li>
<li> Tests to be created, approved, run, verified
by CAcert only (not outsourced). </li>
<li> Tests are conducted manually, not online/automatic. </li>
<li> Documentation to be retained. </li>
<li> Tests may include on-the-job components. </li>
</ol>
</li><li>
Must be approved.
<ol type="i">
<li> Two supervising OAs must sign-off on new OA,
as trained, tested and passed.
</li>
<li> AO must sign-off on a new OA,
as supervised, trained and tested.
</li>
</ol>
</li>
<li>The OA can decide when a CAcert
(individual) Assurer
has done several OA Application Advises to appoint this
person to OA Assurer.
</li>
</ol>
<h3 id="s2.3"> 2.3 Organisation Assurance Advisor ("OAA") </h3>
<p>In countries/states/provinces where no OA Assurers are
operating for an OA Application (COAP) the OA
can be advised by an experienced local CAcert
(individual) Assurer to take the decision
to accept the OA Application (COAP) of the organisation.
</p>
<p>
The local Assurer must have at least 150 Points,
should know the language, and know
the organisation trade office registry culture and quality.
</p>
<h3 id="s2.4"> 2.4 Organisation Administrator </h3>
<p>
The Administrator within each Organisation ("O-Admin")
is the one who handles the assurance requests
and the issuing of certificates.
</p>
<ol type="a"> <li>
O-Admin must be Assurer
<ol type="i">
<li>Have 100 assurance points.</li>
<li>Fully trained and tested as Assurer.</li>
</ol>
</li><li>
Organisation is required to appoint O-Admin,
and appoint ones as required.
<ol type="i">
<li> On COAP Request Form.</li>
</ol>
</li><li>
O-Admin must work with an assigned OA.
<ol type="i">
<li> Have contact details.</li>
</ol>
</ol>
<h2 id="s3"> 3. Policies </h2>
<h3 id="s3.1"> 3.1 Policy </h3>
<p>
There is one policy being this present document,
and several subsidiary policies.
</p>
<ol type="a">
<li> This policy authorises the creation of subsidiary policies. </li>
<li> This policy is international. </li>
<li> Subsidiary policies are implementations of the policy. </li>
<li> Organisations are assured under an appropriate subsidiary policy. </li>
</ol>
<h3 id="s3.2"> 3.2 Subsidiary Policies </h3>
<p>
The nature of the Subsidiary Policies ("SubPols"):
</p>
<ol type="a"><li>
SubPols are purposed to check the organisation
under the rules of the jurisdiction that creates the
organisation. This does not evidence an intention
by CAcert to
enter into the local jurisdiction, nor an intention
to impose the rules of that jurisdiction over any other
organisation.
CAcert assurances are conducted under the jurisdiction
of CAcert.
</li><li>
For OAs,
SubPol specifies the <i>tests of local knowledge</i>
including the local organisation assurance COAP forms.
</li><li>
For assurances,
SubPol specifies the <i>local documentation forms</i>
which are acceptable under this SubPol to meet the
standard.
</li><li>
SubPols are subjected to the normal
policy approval process.
</li></ol>
<h3 id="s3.3"> 3.3 Freedom to Assemble </h3>
<p>
Subsidiary Policies are open, accessible and free to enter.
</p>
<ol type="a"><li>
SubPols compete but are compatible.
</li><li>
No SubPol is a franchise.
</li><li>
Many will be on State or National lines,
reflecting the legal
tradition of organisations created
("incorporated") by states.
</li><li>
However, there is no need for strict national lines;
it is possible to have 2 SubPols in one country, or one
covering several countries with the same language
(e.g., Austria with Germany, England with Wales but not Scotland).
</li><li>
There could also be SubPols for special
organisations, one person organisations,
UN agencies, churches, etc.
</li><li>
Where it is appropriate to use the SubPol
in another situation (another country?), it
can be so approved.
(e.g., Austrian SubPol might be approved for Germany.)
The SubPol must record this approval.
</li></ol>
<h2 id="s4"> 4. Process </h2>
<h3 id="s4.1"> 4.1 Standard of Organisation Assurance </h3>
<p>
The essential standard of Organisation Assurance is:
</p>
<ol type="a"><li>
the organisation exists
</li><li>
the organisation name is correct and consistent:
<ol type="i">
<li>in official documents specified in SubPol.</li>
<li>on COAP form.</li>
<li>in CAcert database.</li>
<li>form or type of legal entity is consistent</li>
</ol>
</li><li>
signing rights:
requestor can sign on behalf of the organisation.
</li><li>
the organisation has agreed to the terms of the
CAcert Community Agreement
and is therefore subject to Arbitration.
</li></ol>
<p>
Acceptable documents to meet above standard
are stated in the SubPol.
</p>
<h3 id="s4.2"> 4.2 COAP </h3>
<p>
The COAP form documents the checks and the resultant
assurance results to meet the standard.
Additional information to be provided on form:
</p>
<ol type="a"><li>
CAcert account of O-Admin (email address?)
</li><li>
location:
<ol type="i">
<li>country (MUST).</li>
<li>city (MUST).</li>
<li>additional contact information (as required by SubPol).</li>
</ol>
</li><li>
administrator account name(s) (1 or more)
</li><li>
domain name(s)
</li><li>
Agreement with
CAcert Community Agreement.
Statement and initials box for organisation
and also for OA.
</li><li>
Date of completion of Assurance.
Records should be maintained for 7 years from
this date.
</li></ol>
<p>
The COAP should be in English. Where translations
are provided, they should be matched to the English,
and indication provided that the English is the
ruling language (due to Arbitration requirements).
</p>
<h3 id="s4.3"> 4.3 Jurisdiction </h3>
<p>
Organisation Assurances are carried out by
CAcert Inc. under its Arbitration jurisdiction.
Actions carried out by OAs are under this regime.
</p>
<ol type="a"><li>
The organisation has agreed to the terms of the
CAcert Community Agreement.
</li><li>
The organisation, the Organisation Assurers, CAcert and
other related parties are bound into CAcert's jurisdiction
and dispute resolution.
</li><li>
The OA is responsible for ensuring that the
organisation reads, understands, intends and
agrees to the
CAcert Community Agreement.
This OA responsibility should be recorded on COAP
(statement and initials box).
</li></ol>
<h2 id="s5"> 5. Exceptions </h2>
<ol type="a"><li>
<b> Conflicts of Interest.</b>
An OA must not assure an organisation in which
there is a close or direct relationship by, e.g.,
employment, family, financial interests.
Other conflicts of interest must be disclosed.
</li><li>
<b> Trusted Third Parties.</b>
TTPs are not generally approved to be part of
organisation assurance,
but may be approved by subsidiary policies according
to local needs.
</li><li>
<b>Exceptional Organisations.</b>
(e.g., Vatican, International Space Station, United Nations)
can be dealt with as a single-organisation
SubPol.
The OA creates the checks, documents them,
and subjects them to to normal policy approval.
</li><li>
<b>DBA.</b>
Alternative names for organisations
(DBA, "doing business as")
can be added as long as they are proven independently.
E.g., registration as DBA or holding of registered trade mark.
This means that the anglo law tradition of unregistered DBAs
is not accepted without further proof.
</li></ol>
</body>
</html>
<?php
header('HTTP/1.0 301 Moved Permanently');
header('Location: OrganisationAssurancePolicy.html');
exit;
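Review bot: The redirect stub sends a relative `Location: OrganisationAssurancePolicy.html`, which the client resolves against the requested URL. If the server accepts trailing path info on the .php URL, a request such as `OrganisationAssurancePolicy.php/x` would be redirected back into the same script, which can loop. A root-relative target with the status code passed to `header()` avoids both this and the hard-coded `HTTP/1.0` status line: `header('Location: /policy/OrganisationAssurancePolicy.html', true, 301);`, assuming the policies are served from `/policy/` as the other links in this commit suggest. The DisputeResolutionPolicy.php stub just above uses the same pattern and would get the same change; it also ends with `exit();` where this one uses `exit;`, so pick one form for all stubs.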


@ -0,0 +1,309 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" lang="en">
<title>CACert Organisation Assurance Program sub-policy for Australia</title>
<style type="text/css">
<!--
.comment {
color : steelblue;
}
-->
</style>
</head>
<body>
<h1>
CAcert Organisation Assurance Program sub-policy for Australia
</h1>
<div class="comment">
<table width="100%">
<tbody>
<tr>
<td rowspan="2">
Name: CAcert Organisation Assurance Program sub-policy Australia<a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD11.AU</a>
<br>
Creation Date : 2008-04-02
<br>
Editor: Sam Johnston
<br>
Status: POLICY <a href="https://wiki.cacert.org/PolicyDecisions#p20140731">p20140731</a>
<br>
Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright © CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy">CC-by-sa+DRP</a>
</td>
<td align="right" valign="top">
<a href="https://www.cacert.org/policy/PolicyOnPolicy.php">
<img src="images/cacert-policy.png" alt="OAP AU Status - POLICY" style="border-style: none;" height="31" width="88">
</a>
</td>
</tr>
</tbody>
</table>
</div>
<h2 id="g0.1">0. Preliminaries </h2>
<p>
This CAcert sub-policy extends the Organisation Assurance Policy
("OAP") by specifying how the CAcert Organisation Assurance Program
("COAP") is to be conducted by the assigned Organisation Assurer ("OA")
under the supervision of the Assurance Officer ("AO") for entities
within the defined scope.
</p>
<h2 id="g0.2">1. Scope</h2>
<p>
This sub-policy is applicable to:
<br>
</p>
<ol style="list-style-type: lower-alpha;">
<li>Australian legal entities:
<br>
<ol style="list-style-type: lower-roman;">
<li>Sole Traders</li>
<li>Partnerships</li>
<li>Companies</li>
<li>Trusts</li>
<li>Government Bodies &amp; Intrumentalities</li>
<li>Clubs &amp; Associations</li>
</ol>
</li>
</ol>
<h2 id="g0.3">2. Requirements </h2>
<p>
This section describes any scope specific requirements that are not otherwise defined in the OAP.
</p>
<h3 id="g0.3.1">2.1. Organisation </h3>
<ol style="list-style-type: lower-alpha;">
<li>For sole traders operating under their own name business name registration is OPTIONAL.</li>
<li>Applicants MUST be a valid legal entity but MAY have an arbitrary number of registered trading names.</li>
</ol>
<h3 id="g0.3.2">2.2. Records </h3>
<ol style="list-style-type: lower-alpha;">
<li>Digital Signatures MAY be accepted in Australia under the Electronic Transactions Act 2000.
</li>
<li>Historic documents MAY be accepted where it can be proven that
material changes have not been made (eg via absence of subsequent
submissions in official document listings).</li>
</ol>
<h3 id="g0.3.3">2.3. Application Form </h3>
<ol style="list-style-type: lower-alpha;">
<li>The licensing authority MUST be specified as 'Australian
Securities and Investments Commission (ASIC)' (for companies, trusts
etc) or a state office of fair trading (for sole traders, partnerships
and trading names).</li>
<li>Any applicable organisation identifiers (ACN/ABN/ARBN) MUST be
specified where applicable (not required for sole traders operating
under their own name).</li>
</ol>
<h2 id="g0.4">3. Registration </h2>
<h3 id="g0.4.1">3.1. Registries </h3>
<ol style="list-style-type: lower-alpha;">
<li>AusRegistry [<a title="AusRegistry" href="http://www.ausregistry.com.au/">http://www.ausregistry.com.au/</a>]
<br>
<ol>
<li>.au ccTLD WHOIS [<a title="AusRegistry WHOIS" href="http://whois.ausregistry.net.au/">http://whois.ausregistry.net.au/</a>]
<br>
</li>
</ol>
</li>
<li>Australian Securities and Investments Commission ("ASIC") [<a title="Australian Securities and Investments Commission" href="http://www.asic.gov.au/">http://www.asic.gov.au/</a>]
<br>
<ol style="list-style-type: lower-roman;">
<li>National Names Index [<a title="National Names Index" href="http://www.search.asic.gov.au/gns001.html">http://www.search.asic.gov.au/gns001.html</a>]
<br>
</li>
</ol>
</li>
<li>Australian state offices of fair trading [<a title="ACCC Contacts: State offices of fair trading" href="http://www.accc.gov.au/content/index.phtml/itemId/325459">http://www.accc.gov.au/content/index.phtml/itemId/325459</a>]
<br>
<ol style="list-style-type: lower-roman;">
<li>ACT Office of Fair Trading (OFT) [<a title="ACT Office of Fair Trading (OFT)" href="http://www.fairtrading.act.gov.au/">http://www.fairtrading.act.gov.au/</a>]</li>
<li>NT Consumer Affairs [<a title="NT Consumer Affairs" href="http://www.nt.gov.au/justice/consaffairs/">http://www.nt.gov.au/justice/consaffairs/</a>]</li>
<li>NSW Office of Fair Trading (OFT) [<a title="NSW Office of Fair Trading (OFT)" href="http://www.fairtrading.nsw.gov.au/">http://www.fairtrading.nsw.gov.au</a>]</li>
<li>QLD Office of Fair Trading (OFT) [<a title="QLD Office of Fair Trading (OFT)" href="http://www.fairtrading.qld.gov.au/">http://www.fairtrading.qld.gov.au</a>]</li>
<li>SA Office of Fair Trading (OFT) [<a title="SA Office of Fair Trading (OFT)" href="http://www.ocba.sa.gov.au/">http://www.ocba.sa.gov.au</a>]</li>
<li>TAS Office of Fair Trading (OFT) [<a title="TAS Office of Fair Trading (OFT)" href="http://www.consumer.tas.gov.au/">http://www.consumer.tas.gov.au/</a>]</li>
<li>VIC Office of Fair Trading (OFT) [<a title="TAS Office of Fair Trading (OFT)" href="http://www.consumer.vic.gov.au/">http://www.consumer.vic.gov.au</a>]</li>
<li>WA Department of Consumer and Employment Protection (DOCEP) [<a title="Department of Consumer and Employment Protection, WA (DOCEP)" href="http://www.docep.wa.gov.au/">http://www.docep.wa.gov.au</a>]</li>
</ol>
</li>
<li>Australian Taxation Office ("ATO") [<a title="Australian Taxation Office" href="http://www.ato.gov.au/">http://www.ato.gov.au/</a>]
<br>
<ol style="list-style-type: lower-roman;">
<li>Australian Business Register ("ABR") [<a title="Australian Business Register" href="http://www.abr.business.gov.au/">http://www.abr.business.gov.au/</a>]
<br>
</li>
</ol>
</li>
<li>Credit Reporting Agencies
<br>
<ol style="list-style-type: lower-roman;">
<li>Dun &amp; Bradstreet (Australia) [<a title="Dun &amp; Bradstreet (Australia)" href="http://www.dnb.com.au/">http://www.dnb.com.au/</a>]
<br></li>
<li>Veda Advantage [<a title="Veda Advantage" href="http://www.vedaadvantage.com/">http://www.vedaadvantage.com/</a>]
<br></li>
</ol>
</li>
</ol>
<h3 id="g0.4.2">3.2. Agents </h3>
<ol style="list-style-type: lower-alpha;">
<li>ASIC
<br>
<ol style="list-style-type: lower-roman;">
<li>ASIC Information Brokers [<a title="ASIC Information Brokers" href="http://www.asic.gov.au/asic/asic.nsf/byheadline/Information+brokers?openDocument">http://www.asic.gov.au/asic/asic.nsf/byheadline/Information+brokers?openDocument</a>]</li>
<li>ASIC Service Centers [<a title="ASIC Service Centers" href="http://www.asic.gov.au/asic/asic.nsf/byheadline/ASIC+Service+Centre+Addresses?openDocument">http://www.asic.gov.au/asic/asic.nsf/byheadline/ASIC+Service+Centre+Addresses?openDocument</a>]</li>
</ol>
</li>
</ol>
<h3 id="g0.4.3">3.3. Identifiers </h3>
<ol style="list-style-type: lower-alpha;">
<li>Australian Company Number ("ACN") is a unique 9 digit identifying
number assigned by ASIC when a body becomes registered as a company
under corporations law.</li>
<li>Australian Registered Body Number ("ARBN") is a unique 9 digit
identifying number assigned by ASIC when a body is registered with them
other than as a company, for example registrable Australian bodies.
<br></li>
<li>Australian Business Number ("ABN") is a unique 11 digit
identifying number issued to all entities registered in the Australian
Business Register (ABR).</li>
</ol>
<h3 id="g0.4.4">3.4. Documents </h3>
<ol style="list-style-type: lower-alpha;">
<li>ASIC Company Extract</li>
<li>Credit File</li>
</ol>
<h2 id="g0.5">4. Processes </h2>
<h3 id="g0.5.1">4.1. Assurance </h3>
<ol style="list-style-type: lower-alpha;">
<li>Each person listed in an application MUST be individually assured and referenced by a confirmed email.</li>
<li>Sole traders operating under their own name MAY be automatically approved without further checks.</li>
<li>All other trading names (including companies) MUST be verified
against the National Names Index and/or Australian Business Register,
where the status MUST be 'Registered' or 'Active' respectively.</li>
<li>Partnership applicants MUST additionally be verified in the
register as a current individual member and SHOULD be a managing
partner.</li>
<li>Company applications MUST be made by an individual who is duly authorised to sign on behalf of the company:
<ol style="list-style-type: lower-roman;">
<li>Officeholder applicants (directors or preferably secretary)
MUST be verified in an "ASIC Company Extract" (obtained for a fee
reclaimable from the applicant by the OA from an ASIC Service Center or
ASIC Information Broker) or "Credit File" from a "Credit Reporting
Agency".</li>
<li>Any other applicant MUST prove that they are duly authorised to
sign on behalf of the entity (for example via delegation and/or under
replacible rules) to the satisfaction of the OA, for approval by the AO.</li>
</ol>
</li>
<li>Trust applications MUST be made by the trustee.</li>
<li>Government Body &amp; Intrumentality applications MUST be made by
a duly authorised person and the relevant authorisation must accompany
the application.</li>
<li>Club &amp; Association applications MUST be made by the secretary of the club or association.</li>
</ol>
</body>
</html>
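Review bot: The status badge in the header table still links to `https://www.cacert.org/policy/PolicyOnPolicy.php`, although this commit renames the policies to `.html`; the new Junior Assurers file already uses `PolicyOnPolicy.html` for the same badge. The same stale target appears in the header of the Germany sub-policy and of the new Policy on Policy file, which also links `DisputeResolutionPolicy.php` in 7.4. These links presumably still resolve through the 301 stubs left at the old `.php` names, but a controlled document should name its canonical URL rather than depend on a redirect; change the href to `https://www.cacert.org/policy/PolicyOnPolicy.html`. Separately, the VIC entry in 3.1 carries `title="TAS Office of Fair Trading (OFT)"`, which looks like a copy-paste slip.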


@ -0,0 +1,138 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" lang="en">
<title>CACert Organisation Assurance Program sub-policy for Germany</title>
<style type="text/css">
<!--
.comment {
color : steelblue;
}
-->
</style>
</head>
<body>
<h1> Organisation Assurance - sub-policy for German organisations</h1>
<div class="comment">
<table width="100%">
<tbody>
<tr>
<td rowspan="2">
Name: Organisation Assurance - sub-policy Germany <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD11.DE</a>
<br>
Creation Date : 2007-10-22
<br>
Editor: Jens Paul
<br>
Status: POLICY <a href="https://wiki.cacert.org/PolicyDecisions#p20140731">p20140731</a>
<br>
Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright © CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy">CC-by-sa+DRP</a>
</td>
<td align="right" valign="top">
<a href="https://www.cacert.org/policy/PolicyOnPolicy.php">
<img src="images/cacert-policy.png" alt="OAP DE Status - POLICY" style="border-style: none;" height="31" width="88">
</a>
</td>
</tr>
</tbody>
</table>
</div>
<h2 id="g0.1">0. Preliminaries</h2>
This sub-policy describes how Organisation Assurers ("OAs") conduct assurances on German organisations.
It fits within the overall web-of-trust or assurance process and the Organisation Assurance Policy (OAP) of CAcert.
<br>
<br>
<br>
<h2 id="g0.2">1. Purpose</h2>
This is a subsidiary policy to the OAP.
<br>
<br>
a. This sub-policy is applicable for the assurance of German organisations only.
<br>
b. This sub-policy is an implementation of the OAP.
<br>
c. In the below, where the Assurance Officer (AO) is referred to, this includes his local delegate.
<br>
<br>
<br>
<h2 id="g0.3">2. Organisation Assurers</h2>
<h2 id="g0.4">3. Requirements for the Organisation Assurer</h2>
In addition to the requirements defined in the OAP, an OA must meet the
following requirements for assuring German organisations:
<br>
a. Knowledge on common legal forms of organisations in Germany.
<br>
b. Must pass an additional test on local knowledge even if he is already an OA.
<br>
c. Should help the AO to define local requirements.
<br>
<br>
<br>
<h2 id="g0.5">4. Process</h2>
<h2 id="g0.6">5. Organisations</h2>
Acceptable organisations under this sub-policy must be:
<br>
<br>
a. Organisations created under the rules of the German jurisdiction.
<br>
b. Organisations must not be revoked by a competent authority with direct oversight over the organisation.
<br>
<br>
<h2 id="g0.7">6. Documents</h2>
The organisation has to provide documents to prove the essential standard of Organisation Assurance as defined in the policy:
<br>
a. The primary mechanism to prove existence is to get an official
extract from the official register, either via an online interface
or via physical means (organisation is asked to carry the costs)
<br>
b. Where not available, an official document will be required from the company, subject to such checks as defined by the AO.
<br>
c. If copies of official extracts from the official register are provided, they must be officially certified
<br>
d. Extracts from the official register should not be older than 4 weeks.
<br>
e. The AO maintains a list of which specific documents and tests can be acceptable for the certain types
of organisations.
<br>
f. The OA can ask for additional documents if needed to validate required information for the assurance action.
<br>
<br>
<h2 id="g0.8">7. COAP</h2>
<p>
In addition to the checks defined in the policy, the COAP form for German organisations requires:
<br>
a. The OA must keep all documentation for 10 years.
<br>
b. Signatures from organisation officials must meet the following requirements
<br>
&nbsp;&nbsp;&nbsp; i.&nbsp;&nbsp; as legally specified for the type of organisation
<br>
&nbsp;&nbsp;&nbsp; ii.&nbsp; as specified in the official documents (f.e. the excerpt from the register)
<br>
&nbsp;&nbsp;&nbsp; iii. as delegated within the organisation (proof of delegation needed)
</p>
</body>
</html>
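Review bot: The headings `2. Organisation Assurers` and `4. Process` have no body text and are followed directly by another `<h2>`, so sections 3 and 5 read as siblings of what look like their parent headings. If 2 and 4 were parent headings in the source document, the nesting was probably lost in conversion; either demote the headings that follow them to `<h3>` or add the missing text. In a document with POLICY status an empty numbered section leaves an auditor unable to tell whether normative text was dropped.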


@ -0,0 +1,202 @@
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8" lang="en">
<title> CACert -- Policy On Junior Assurers / Members </title>
<style type="text/css">
.q {
color : green;
text-indent : 2em;
font-weight: bold;
font-style:italic;
}
.error {
color : red;
font-weight: bold;
text-align: center;
font-style:italic;
}
.change {
color : blue;
font-weight: bold;
}
.padding5 td{
padding: 5px;
}
.r {
text-align : right;
}
</style>
</head>
<body>
<h1> Policy On Junior Assurers / Members </h1>
<table style="width: 100%;">
<tr>
<td>
Editor: Iang<br />
Creation Date : <a href="https://svn.cacert.org/CAcert/Assurance/Minutes/20091215HamburgMiniTOP.html">20091215</a><br />
Status: POLICY <a href="https://wiki.cacert.org/PolicyDecisions#p20130222">p20130222</a><br />
Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright &copy; CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy" > CC-by-sa+DRP </a><br />
</td><td class="r">
<a href="https://www.cacert.org/policy/PolicyOnPolicy.html"><img src="images/cacert-policy.png" alt="PoJAM Status - POLICY" height="31" width="88" style="border-style: none;" /></a>
</td>
</tr>
</table>
<h2 id="s0"> 0. Preliminaries </h2>
<h3 id="s0.1"> 0.1 Authority.</h3>
<p>This sub-policy extends the
<a href="https://www.cacert.org/policy/AssurancePolicy.html">
Assurance Policy</a> ("AP" =&gt; COD13)
by specifying how Juniors can be brought into the
CAcert Community.
</p>
<h3 id="s0.2"> 0.2 Terms.</h3>
<ul>
<li> <b>Minor</b> is a person who is not empowered to enter contracts as self under local laws.</li>
<li> <b>Junior</b> is a person under 18. A Junior is probably a Minor.</li>
<li> <b>Parent</b>. A competent adult that is legally responsible under local law for the Minor. E.g., a natural or adopted parent, or a legal guardian. Unless otherwise stated, the singular term Parent is used herein, and is used to cover all forms of persons that are legally responsible for the Minor. </li>
</ul>
<h2 id="s1"> 1. Scope </h2>
<p id="s1.1"><b> 1.1 </b>
This policy applies to all Members of the CAcert Community.
</p>
<p id="s1.2"><b> 1.2 </b>
Although variations exist in different countries, CAcert works to a principle of no discrimination (Principles) and therefore imposes the same view across all countries.
</p>
<h2 id="s2"> 2. Entering the Community </h2>
<p id="s2.1"><b> 2.1 </b>
There is no limit on age for membership of CAcert.
</p>
<p id="s2.2"><b> 2.2 </b>
Membership requires a legal contract to be formed. This can be formed one of two ways:
</p>
<ol>
<li>the member has capacity to enter the contract themselves, or</li>
<li>the member is a Minor and requires the consent of the Parent.</li>
</ol>
<p id="s2.3"><b> 2.3 </b>
The Assurer is responsible in all cases for confirming that the entry into the CAcert Community Agreement is founded. This means in practice that the Assurer has to confirm the above.
</p>
<p id="s2.4"><b> 2.4 </b>
A general situation in each country is that a Minor can only enter with Parental consent. In this case, the Assurer should confirm the consent of the Parent.
</p>
<p id="s2.5"><b> 2.5 </b>
The mechanism for confirming the Parent's consent is something that varies and is not covered by policy. The simple requirement here is that the Assurer makes a reliable statement (CARS) that consent is established, following these two declarations:
</p>
<blockquote>
<p>
The Assurer's declaration
(specifically referring to Assurance Policy 1.1 part 4
<a href="https://www.cacert.org/policy/AssurancePolicy.html#s1.1">AP1.1</a>):
</p>
<blockquote>
<table class="padding5" border="1"><tr><td>
This Assurance conducted according to Assurance Policy
</td></tr></table>
</blockquote>
</blockquote>
<blockquote>
<p>
The member's declaration:
</p>
<blockquote>
<table class="padding5" border="1"><tr><td>
I agree to the CCA
</td></tr></table>
</blockquote>
</blockquote>
<p id="s2.6"><b> 2.6 </b>
The Assurance Handbook (<a href="https://wiki.cacert.org/AssuranceHandbook2">AH</a>) should expand on common methods to establish and record consent. Such as, on a separate form, a modification to CAP form, etc.
</p>
<h2 id="s3"> 3. System Block </h2>
<p id="s3.1"><b> 3.1 </b>
Although there is no age limit in this policy, it is reasonable that the Assurer should check this issue closely below 18.
</p>
<p id="s3.2"><b> 3.2 </b>
For persons over 18, the Assurer may presume that the person has capacity to enter into a contract, in absence of any alternate suggestion. This is regardless of the legal circumstances of the country.
</p>
<p id="s3.3"><b> 3.3 </b>
Therefore, a change should be put into the system:
</p>
<blockquote>
<p>
If the member is under 18 years of age,<br />
the system shall require the Assurer to confirm<br />
that consent was established during the Assurance,<br />
or otherwise as considered by the Assurer,<br />
before additional higher reliance products are available.
</p>
</blockquote>
<p>
The system therefore will block all "reliance" products
as defined by policy
(issuance of named certificates under CPS, Assurer under AP),
until consent is established as appropriate.
</p>
<p>
The absence of this feature does not remove the duty of the Assurer (for example, because of delays in implementation).
</p>
<p id="s3.4"><b> 3.4 </b>
The first Assurers of a Member may then have the greater technical burden of explaining and confirming the consent, but the confirmation is required of all Assurers as part of the CAP.
</p>
<p id="s3.5"><b> 3.5 </b>
The Assurance Handbook (<a href="https://wiki.cacert.org/AssuranceHandbook2">AH</a>) should document more efficient methods, such as a single form carried by the Junior Member for showing to the Assurer, rather than the Parent's signature over each individual CAP form.
</p>
<h2 id="s4"> 4. The Junior Assurer </h2>
<p id="s4.1"><b> 4.1 </b>
Assurer status may only be granted if the user is at least 14 years old. Other preliminaries for the Assurer status set up by other policies are untouched. Combining AP and this policy, a Junior Assurer is a CAcert member with 100 Assurance Points, has passed the CAcert Assurer Challenge, and is between the ages of 14 and 18 years.
</p>
<p id="s4.2"><b> 4.2 </b>
A Junior Assurer can issue a maximum of 10 Assurance Points to an assuree, independent of how many Experience Points the Junior already has. The Experience Points awarded to the Junior Assurer are untouched.
</p>
<p id="s4.3"><b> 4.3 </b>
The Assurance Handbook (<a href="https://wiki.cacert.org/AssuranceHandbook2">AH</a>)
should stipulate the convention as to how the Junior Assurer establishes bona fides.
</p>
<h2 id="s5"> 5. Arbitration </h2>
<p>
Arbitration with Juniors needs to take into account that a local court may find the CCA to be improperly imposed. Some understanding of this risk should be taken, but Arbitrators should be careful not to weaken the web of trust on this basis. Therefore, more care should be taken in explaining and ensuring the spirit of the CCA is maintained.
</p>
<ul>
<li>
The Parent may be concerned about the impact of an Arbitration. Technically, the consenting Parent is the one appearing in the Arbitration. The Arbitrator should recognise both the technical (legal) meaning, but strive to maintain the spirit of the Junior member's appearance. For example, Arbitration documentation may name the Parent primarily, and refer to the Junior in text.
</li>
<li>
The Arbitrator may appoint a senior Assurer to advise the Parent on the nature of the Community.
</li>
<li>
A ruling should be tested by comparing it to an adult scenario.
</li>
</ul>
<p>
The counter-situation to a weak CCA agreement is that if a person (of any age) feels the CCA to be inappropriate, then they have not entered into the Community. The Arbitrator is at liberty to terminate the CCA with a Member, if there is a sustainable view that it is inappropriate. Such termination should include measures needed to repair the web of trust.
</p>
<p><a href="http://validator.w3.org/check?uri=referer"><img src="images/valid-html50-blue.png" alt="Valid HTML 5" height="31" width="88"></a></p>
</body>
</html>
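Review bot: The validator badge at the end of the body links to `http://validator.w3.org/check?uri=referer`, which only works if the browser sends a Referer header. When this page is served over HTTPS, the default referrer policy omits the Referer on navigation to a plain-HTTP target, so the validator receives no URL to check, and readers of a CA policy page are sent to an unencrypted third-party address. Use `https://validator.w3.org/check?uri=referer`, or pass the page's own URL explicitly in `uri=`. The other new policy files visible in this commit carry no such badge, so dropping it would also be consistent.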


@ -0,0 +1,356 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" lang="en">
<title>Policy on Policy</title>
<style type="text/css">
<!--
body {
font-family : verdana, helvetica, arial, sans-serif;
}
th {
text-align : left;
}
.comment {
color : steelblue;
}
.q {
color : green;
font-weight: bold;
text-align: center;
font-style:italic;
}
-->
</style>
</head>
<body>
<div class="comment">
<table width="100%">
<tbody>
<tr>
<td rowspan="2">
Name: PoP <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD1</a>
<br>
Status: POLICY&nbsp;<a href="https://wiki.cacert.org/PolicyDecisions#p20140731">p20140731</a>
<br>
Editor: Iang 20080309
<br>
Changes: 20100507, 20130223, 20140731
<br>
Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright © CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy">CC-by-sa+DRP</a>
<br>
</td>
<td align="right" valign="top">
<a href="https://www.cacert.org/policy/PolicyOnPolicy.php">
<img src="images/cacert-policy.png" alt="PoP Status - POLICY" style="border-style: none;" height="31" width="88">
</a>
</td>
</tr>
</tbody>
</table>
</div>
<p>
<br>
</p>
<h1> Policy&nbsp;on&nbsp;Policy </h1>
<h2 id="g0.1">0. Preliminaries </h2>
<p>
Policy on Policy adopts the IETF model of
'rough consensus' to create CAcert documents
within the open CAcert Policy Group <a href="https://lists.cacert.org/wws/info/cacert-policy"> mail list forum</a>.
</p>
<h2 id="g0.2">1. Scope and Purpose </h2>
<p id="s1.1">
1.1
This policy documents and controls the process by which
CAcert creates and promulgates policies.
</p>
<p id="s1.2">
1.2
The policy covers itself.
The policy replaces prior ones.
For Audit purposes,
the policy is part of the Configuration-Control Specification
("CCS", <a href="http://rossde.com/CA_review/CA_review_A.html#A1">DRC_A.1</a>)
and also documents part of the CCS.
</p>
<p id="s1.3">
1.3
The policies so created are generally binding on
CAcert Inc., members under CAcert Community Agreement
(CCA =&gt; COD9) and other related parties under other agreements.
</p>
<p id="s1.4">
1.4
The Policy Officer manages all policies
and the policy group.
The policy group is formed on the open mailing list
known as CAcert Policy Group, and is to be open to all
Community Members of CAcert.
</p>
<h2 id="g0.3">2. Basic Model </h2>
<p id="s2.1">
2.1
The basic concept was drawn from the IETF model.
</p>
<p id="s2.2">
2.2
Policies are documented.
Documents start as <i>Work-In-Progress</i>, move through to
<i>DRAFT</i> and finalise in <i>POLICY</i> status.
</p>
<p id="s2.3">
2.3
Decisions are taken by "Rough Consensus."
A vote may be called to clarify.
</p>
<p id="s2.4">
2.4
Documents should include a minimum of information
in a standardised format managed by the Documentation Officer:
the Title,
short name,
Document Status,
date the Status was reached,
Editor,
date / time of the last edit,
Abstract.
</p>
<p id="s2.5">
2.5
Editors may make the following changes, where
it is clear that the change does not change the policy:</p>
<ul>
<li>
fixes to errors in grammar and spelling,
</li>
<li>
anchors, HTML errors, URLs &amp; formatting,
</li>
<li>
COD numbers and other references, and
</li>
<li>
other minutiae, as agreed under 2.3.
</li>
</ul>
<p>
Such changes to be notified to the policy group, and to be folded into effect, etc, without further ado.
</p>
<p id="s2.6">
2.6
Documents of lower status (work-in-progress or DRAFT)
must not be confusable with documents of higher status
(DRAFT or POLICY).
Copies should be eliminated where not being worked on.
</p>
<h2 id="g0.4">3. Work-In-Progress </h2>
<p id="s3.1">
3.1
An Editor is identified.
This person is responsible for
drafting the document, following the consensus of the policy group.
</p>
<p id="s3.2">
3.2
The Policy Officer resolves minor disputes and keeps order.
</p>
<p id="s3.3">
3.3
The mail list of the policy group
is used as the primary debating
forum. A sub-group may be formed,
but decision-taking
should be visible on the main group.
</p>
<p id="s3.4">
3.4
Documents start with the status of
"Work-In-Progress" or WIP for short.
</p>
<h2 id="g0.5">4. DRAFT status </h2>
<p id="s4.1">
4.1
On completion, a document moves to DRAFT status.
</p>
<p id="s4.2">
4.2
A DRAFT is a policy-in-effect for the Community and is
to be distributed and treated as such.
</p>
<p id="s4.3">
4.3
As far as the Community is concerned, the DRAFT is policy.
Challenges and concerns can be addressed to the policy group,
and policy group discussions on a DRAFT
may be presented in Dispute Resolution.
</p>
<p id="s4.4">
4.4
Revisions of DRAFTs
must be treated as decisions on the policy group.
</p>
<p id="s4.5">
4.5
The period of the DRAFT status is announced widely,
which should be at least a month and no longer than a year.
</p>
<p id="s4.6">
4.6
During the period of DRAFT,
CAcert Inc. retains a veto over
policies that effect the running of CAcert Inc.
</p>
<h2 id="g0.6">5. POLICY status </h2>
<p id="s5.1">
5.1
After DRAFT period has elapsed with no revision beyond
minor and editorial changes,
there should be a decision
to move the document from
DRAFT to POLICY status.
</p>
<p id="s5.2">
5.2
Once POLICY, the Community may only challenge the document
in Dispute Resolution.
</p>
<p id="s5.3">
5.3
Policy group may propose changes to a POLICY document
in order to update it. When changes move to DRAFT status,
they may be included in the POLICY document,
but must be clearly indicated within as DRAFT not POLICY.
</p>
<p id="s5.4">
5.4
POLICY documents are published on the CAcert website in plain HTML. Change control must be in place.
</p>
<h2 id="g0.7">6. Open Process </h2>
<p id="s6.1">
6.1
All policy discussions and documents should be open
processes. There should be a fair chance for
the Community
to have their views heard.
Rough Consensus is the working metric.
</p>
<p id="s6.2">
6.2
Contributions to
formally controlled documents such as Policies
are transferred fully to CAcert Inc.
Copyrights
and similar intellectual property rights
required to incorporate the Contribution
are either transferred to CAcert Inc, or,
are issued and contributed under free,
open, non-restrictive,
irrevocable, exclusive,
and clear licence to CAcert Inc.
In all cases, CAcert Inc licenses the
contributions back to the community
under an open licence.
</p>
<p id="s6.3">
6.3
Contributors declare any conflicts of interest.
</p>
<p id="s6.4">
6.4
Policies should be issued under free, open,
non-restrictive,
irrevocable, non-exclusive,
and clear licence by CAcert, Inc.
</p>
<p id="s6.5">
6.5
Mailing lists should be archived,
and important meetings should be minuted.
A record of decisions is to be maintained.
</p>
<h2 id="g0.8">7. Disputes. </h2>
<p id="s7.1">
7.1
Any questions not resolved by these rules
may be voted on in the policy group, or
may be dealt with in Dispute Resolution.
</p>
<p id="s7.2">
7.2
The Policy Officer may decide a tight vote in a minor matter only.
Failure of Rough Consensus may be declared by
dissenting members.
</p>
<p id="s7.3">
7.3
Matters unresolved refer back
to further group discussion.
</p>
<p id="s7.4">
7.4
The external avenue for disputes is to file a dispute
according to CAcert's
<a href="https://www.cacert.org/policy/DisputeResolutionPolicy.php">
Dispute Resolution Policy</a>
DRP =&gt; COD7.
</p>
</body>
</html>


@ -1,287 +1,4 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>Policy on Policy</title></head>
<body>
<table width="100%">
<tr>
<td> PoP </td>
<td> </td>
<td width="20%"> Iang </td>
</tr>
<tr>
<td> POLICY&nbsp;<a href="http://wiki.cacert.org/wiki/PolicyDecisions">p200800204.1</a> </td>
<td> </td>
<td>
20080309
</td>
</tr>
<tr>
<td> COD1 </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td> </td>
<td > <b>Policy&nbsp;on&nbsp;Policy</b> </td>
<td> </td>
</tr>
</table>
<h2> 0. Preliminaries </h2>
<p>
Policy on Policy adopts the IETF model of
'rough consensus' to create CAcert documents
within the open [policy] mail list forum.
</p>
<h2> 1. Scope and Purpose </h2>
<p>
1.1
This policy documents and controls the process by which
CAcert creates and promulgates policies.
</p>
<p>
1.2
The policy covers itself.
The policy replaces prior ones.
For Audit purposes,
the policy is part of the Configuration-Control Specification
("CCS", <a href="http://rossde.com/CA_review/CA_review_A.html#A1">DRC_A.1</a>)
and also documents part of the CCS.
</p>
<p>
1.3
The policies so created are generally binding on
CAcert, registered users and related parties.
</p>
<p>
1.4
The Policy Officer manages all policies
and the policy group.
The policy group is formed on the open mailing list
known as [policy], and is to be open to all
Community Members of CAcert.
</p>
<h2> 2. Basic Model </h2>
<p>
2.1
The basic concept was drawn from the IETF model.
</p>
<p>
2.2
Policies are documented.
Documents start as <i>Work-In-Progress</i>, move through to
<i>DRAFT</i> and finalise in <i>POLICY</i> status.
</p>
<p>
2.3
Decisions are taken by "Rough Consensus."
A vote may be called to clarify.
</p>
<p>
2.4
Documents should include a minimum of information
in a standardised format managed by the Documentation Officer:
the Title,
short name,
Document Status,
date the Status was reached,
Editor,
date / time of the last edit,
Abstract.
</p>
<h2> 3. Work-In-Progress </h2>
<p>
3.1
An Editor is identified.
This person is responsible for
drafting the document, following the consensus of the policy group.
</p>
<p>
3.2
The Policy Officer resolves minor disputes and keeps order.
</p>
<p>
3.3
The mail list of the policy group
is used as the primary debating
forum. A sub-group may be formed,
but decision-taking
should be visible on the main group.
</p>
<p>
3.4
Documents start with the status of
"Work-In-Progress" or WIP for short.
</p>
<h2> 4. DRAFT status </h2>
<p>
4.1
On completion, a document moves to DRAFT status.
</p>
<p>
4.2
A DRAFT is a policy-in-effect for the Community and is
to be distributed and treated as such.
</p>
<p>
4.3
As far as the Community is concerned, the DRAFT is policy.
Challenges and concerns can be addressed to the policy group,
and policy group discussions on a DRAFT
may be presented in Dispute Resolution.
</p>
<p>
4.4
Revisions of DRAFTs
must be treated as decisions on the policy group.
</p>
<p>
4.5
The period of the DRAFT status is announced widely,
which should be at least a month and no longer than a year.
</p>
<p>
4.6
During the period of DRAFT,
CAcert Inc. retains a veto over
policies that effect the running of CAcert Inc.
</p>
<h2> 5. POLICY status </h2>
<p>
5.1
After DRAFT period has elapsed with no revision beyond
minor and editorial changes,
there should be a decision
to move the document from
DRAFT to POLICY status.
</p>
<p>
5.2
Once POLICY, the Community may only challenge the document
in Dispute Resolution.
</p>
<p>
5.3
Policy group may propose changes to a POLICY document
in order to update it. When changes move to DRAFT status,
they may be included in the POLICY document,
but must be clearly indicated within as DRAFT not POLICY.
</p>
<h2> 6. Open Process </h2>
<p>
6.1
All policy discussions and documents should be open
processes. There should be a fair chance for
the Community
to have their views heard.
Rough Consensus is the working metric.
</p>
<p>
6.2
Contributions to
formally controlled documents such as Policies
are transferred fully to CAcert Inc.
Copyrights
and similar intellectual property rights
required to incorporate the Contribution
are either transferred to CAcert Inc, or,
are issued and contributed under free,
open, non-restrictive,
irrevocable, exclusive,
and clear licence to CAcert Inc.
In all cases, CAcert Inc licenses the
contributions back to the community
under an open licence.
</p>
<p>
6.3
Contributors declare any conflicts of interest.
</p>
<p>
6.4
Policies should be issued under free, open,
non-restrictive,
irrevocable, non-exclusive,
and clear licence by CAcert, Inc.
</p>
<p>
6.5
Mailing lists should be archived,
and important meetings should be minuted.
</p>
<h2> 7. Disputes. </h2>
<p>
7.1
Any questions not resolved by these rules
may be voted on in the policy group, or
may be dealt with in Dispute Resolution.
</p>
<p>
7.2
The Policy Officer may decide a tight vote in a minor matter only.
Failure of Rough Consensus may be declared by
dissenting members.
</p>
<p>
7.3
Matters unresolved refer back
to further group discussion.
</p>
<p>
7.4
The external avenue for disputes is to file a dispute
according to CAcert's
<a href="http://www.cacert.org/policy/DisputeResolutionPolicy.php">
Dispute Resolution Policy</a>
DRP => COD7.
</p>
</body>
</html>
<?php
header('HTTP/1.0 301 Moved Permanently');
header('Location: PolicyOnPolicy.html');
exit();
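Review bot: The status line `header('HTTP/1.0 301 Moved Permanently');` hard-codes a protocol version; the redirect can be written as a single call that lets PHP set the status code, `header('Location: PolicyOnPolicy.html', true, 301);`. The target is a fixed string, so nothing request-controlled reaches the `Location` header, and it should stay that way. A short comment such as `// Permanent redirect: this policy moved to a static .html file` would tell the next reader why the stub exists. The PrivacyPolicy and RootDistributionLicense stubs in this commit have the same shape.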


@ -1,53 +1,51 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!DOCTYPE html>
<html>
<head><title>Privacy Policy</title></head>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" lang="en">
<style>
.r {
text-align : right;
}
</style>
<title>Privacy Policy</title>
</head>
<body>
<table width="100%">
<table style="width: 100%;">
<tr>
<td> PP </td>
<td>&nbsp;</td>
<td width="20%"> &nbsp; </td>
</tr>
<tr>
<td> POLICY&nbsp;<a href="http://wiki.cacert.org/wiki/PolicyDecisions">m20060629</a> </td>
<td> &nbsp; </td>
<td>
20060629
Name: PP <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD5</a><br />
Status: POLICY <a style="color: steelblue" href="https://wiki.cacert.org/PolicyDecisions#m20060629">m20060629</a> <br />
Changes: 20060629<br />
Editor: <br />
</td>
<td class="r">
<a href="https://www.cacert.org/policy/PolicyOnPolicy.html"><img src="images/cacert-policy.png" alt="PP Status - POLICY" height="31" width="88" style="border-style: none;" /></a>
</td>
</tr>
<tr>
<td> COD5 </td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>&nbsp;</td>
<td > <b>Privacy&nbsp;Policy</b> </td>
<td>&nbsp;</td>
</tr>
</table>
<h2> 0. Preliminaries </h2>
<p><br /><br /></p>
<h1>Privacy&nbsp;Policy</h1>
<h2 id="s0"> 0. Preliminaries </h2>
<p>
This policy discloses what information we gather about you when you visit any of our Web site, and when you issue or use our certificates. It describes how we use that information and how you can control it.
</p>
<h2>1. Website information</h2>
<h2 id="s1">1. Website information</h2>
<p>
We collect two kinds of information about website users: 1) data that users volunteer by signing up to our website or when you send us an email via our contact form; and 2) aggregated tracking data we collect when users interact with our site.
</p>
<h2>2. Personal information</h2>
<h2 id="s2">2. Personal information</h2>
<p>
When you post to the contact form, you must provide your name and email address. When you sign up to the website, you must provide your name, email address, date of birth and some lost pass phrase question and answers.
</p>
@ -55,12 +53,12 @@ When you post to the contact form, you must provide your name and email address.
We only share your information with any other organisation when so instructed by a CAcert arbitrator.
</p>
<h2>3. Aggregated tracking information</h2>
<h2 id="s3">3. Aggregated tracking information</h2>
<p>
We analyse visitors' use of our sites by tracking information such as page views, traffic flow, search terms, and click through. We use this information to improve our sites. We also share this anonymous traffic and demographic information in aggregate form with advertisers and other business partners. We do not share any information with advertisers that can identify an individual user.
</p>
<h2>4. Cookies</h2>
<h2 id="s4">4. Cookies</h2>
<p>
Some of our advertisers use a third-party ad server to display ads. These ads may contain cookies. The ad server receives these cookies, and we don't have access to them.
</p>
@ -68,33 +66,33 @@ Some of our advertisers use a third-party ad server to display ads. These ads ma
We don't use cookies to store personal information, we do use sessions, and if cookies are enabled, the session will be stored in a cookie, and we do not look for cookies, apart from the session id. However if cookies are disabled then no information will be stored on or looked for on your computer.
</p>
<h2>5. Notification of changes</h2>
<h2 id="s5">5. Notification of changes</h2>
<p>
If we change our Privacy Policy, we will post those changes on www.CAcert.org. If we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users via email. Users will be able to opt out of any new use of their personal information.
</p>
<h2>6. How to update, correct, or delete your information</h2>
<h2 id="s6">6. How to update, correct, or delete your information</h2>
<p>
You are able to update, add and remove your information at any time via our web interface, log into the 'My Account' and then click on the 'My Details' section, and then click the relevant link
</p>
<h2>7. Privacy of certificates</h2>
<h2 id="s7">7. Privacy of certificates</h2>
<p>
CAcert does not automatically publish the certificates through a directory service or the website to other people than the user who requested the certificate. In the future, the user might be able to opt-in for publication of the certificates through a directory server by CAcert.
</p>
<h2>8. Privacy of user data</h2>
<h2 id="s8">8. Privacy of user data</h2>
<p>
CAcert Assurers can see the name, birthday and the number of points by looking up the correct email address. No other person related data is published by CAcert.
</p>
<h2>9. Exceptions</h2>
<h2 id="s9">9. Exceptions</h2>
<p>
A CAcert arbitrator may override this policy in a dispute.
To obtain access to confidential data, a dispute has to be filed.
</p>
<h2>10. Legal mandates</h2>
<h2 id="s10">10. Legal mandates</h2>
<p>
CAcert adopts the Australian privacy regulations.
Please see <a href='http://www.privacy.gov.au/'>http://www.privacy.gov.au/</a> for further details.
@ -104,11 +102,11 @@ Governmental warrants and civil supoenas will be processed through the dispute r
<p>If you need to contact us in writing, address your mail to:</p>
<p>
CAcert Inc.<br>
PO Box 66 <br>
Oatley NSW 2223<br>
CAcert Inc.<br />
PO Box 66 <br />
Oatley NSW 2223<br />
Australia
</p>
<p><a href="http://validator.w3.org/check?uri=referer"><img src="images/valid-html50-blue.png" alt="Valid HTML 5" height="31" width="88"></a></p>
</body>
</html>


@ -0,0 +1,4 @@
<?php
header('HTTP/1.0 301 Moved Permanently');
header('Location: PrivacyPolicy.html');
exit();


@ -0,0 +1,177 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" lang="en">
<title> CAcert - Root Distribution License </title>
<style type="text/css">
<!--
.comment {
color : steelblue;
}
-->
</style>
</head>
<body>
<div class="comment">
<table width="100%">
<tbody>
<tr rowspan="2">
<td>
Name: RDL <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD14</a>
<br>
Status: POLICY <a href="https://wiki.cacert.org/PolicyDecisions#p20140731">p20140731</a>
<br>
Editor: Mark Lipscombe
<br>
Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright © CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy">CC-by-sa+DRP</a>
</td>
<td align="right" valign="top">
<a href="https://www.cacert.org/policy/PolicyOnPolicy.php">
<img src="images/cacert-policy.png" alt="RDL Status - POLICY" style="border-style: none;" height="31" width="88">
</a>
</td>
</tr>
</tbody>
</table>
</div>
<p>
<br>
<br>
</p>
<table border="1">
<tbody>
<tr>
<td>
<h1> Root Distribution License </h1>
<h2 id="g0.1">1. Terms </h2>
<p>
"CAcert Inc" means CAcert Incorporated, a non-profit association incorporated in New South Wales, Australia.
<br>
"CAcert Community Agreement" means the agreement entered into by each person wishing to RELY.
<br>
"Member" means a natural or legal person who has agreed to the CAcert Community Agreement.
<br>
"Certificate" means any certificate or like device to which CAcert Inc's digital signature has been affixed.
<br>
"CAcert Root Certificates" means any certificate issued by CAcert Inc to
itself for the purposes of signing further CAcert Roots or for signing
certificates of Members.
<br>
"RELY" means the human act in taking on a risk or liability on the basis
of the claim(s) bound within a certificate issued by CAcert.
<br>
"Embedded" means a certificate that is contained within a software
application or hardware system, when and only when, that software
application or system is distributed in binary form only.
<br>
</p>
<h2 id="g0.2">2. Copyright </h2>
<p>
CAcert Root Certificates are Copyright CAcert Incorporated. All rights reserved.
</p>
<h2 id="g0.3">3. License </h2>
<p>
You may copy and distribute CAcert Root Certificates only in accordance with this license.
</p>
<p>
CAcert Inc grants you a free, non-exclusive license to copy and
distribute CAcert Root Certificates in any medium, with or without
modification, provided that the following conditions are met:
</p>
<ul>
<li>
Redistributions of Embedded CAcert Root Certificates must take
reasonable steps to inform the recipient of the disclaimer in section 4
or reproduce this license and copyright notice in full in the
documentation provided with the distribution.
</li>
<li>
Redistributions in all other forms must reproduce this license and copyright notice in full.
</li>
</ul>
<h2 id="g0.4">4. Disclaimer </h2>
<p>
THE CACERT ROOT CERTIFICATES ARE PROVIDED "AS IS" AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED TO THE MAXIMUM EXTENT PERMITTED BY LAW. IN NO EVENT SHALL
CACERT INC, ITS MEMBERS, AGENTS, SUBSIDIARIES OR RELATED PARTIES BE
LIABLE TO THE LICENSEE OR ANY THIRD PARTY FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THESE CERTIFICATES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
IN ANY EVENT, CACERT'S LIABILITY SHALL NOT EXCEED $1,000.00 AUSTRALIAN
DOLLARS.
</p>
<p>
THIS LICENSE SPECIFICALLY DOES NOT PERMIT YOU TO RELY UPON ANY
CERTIFICATES ISSUED BY CACERT INC. IF YOU WISH TO RELY ON CERTIFICATES
ISSUED BY CACERT INC, YOU MUST ENTER INTO A SEPARATE AGREEMENT WITH
CACERT INC.
</p>
<h2 id="g0.5">5. Statutory Rights </h2>
<p>
Nothing in this license affects any statutory rights that cannot be
waived or limited by contract. In the event that any provision of this
license is held to be invalid or unenforceable, the remaining provisions
of this license remain in full force and effect.
</p>
</td>
</tr>
</tbody>
</table>
<div class="comment">
<h2 id="g0.6">Alternatives </h2>
<p>
If you find the terms of the above
Root Distribution License
difficult or inadequate for your purposes, you may wish to:
</p>
<ul>
<li>
Enter into the CAcert Community Agreement by
<a href="https://www.cacert.org/index.php?id=1">
registering as a Member</a>.
This is free.
</li>
<li>
Delete CAcert Root Certificates from your software.
Your software documentation should give
directions and assistance for this.
</li>
</ul>
<p>
These alternatives are outside the above
Root Distribution License
and do not incorporate.
</p>
</div>
</body>
</html>
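Review bot: The status badge in this new file still links to `https://www.cacert.org/policy/PolicyOnPolicy.php`, although the commit renames that policy to `.html` and the Privacy Policy section already points at `PolicyOnPolicy.html`. The same leftover appears in the new TTP-Assisted Assurance Policy file, which also links to `AssurancePolicy.php`. These links presumably still resolve through the 301 stubs added in this commit, but each costs an extra round trip and keeps the old names in circulation. I would change them to `href="https://www.cacert.org/policy/PolicyOnPolicy.html"` and, if that policy was renamed as well, to `AssurancePolicy.html`.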


@ -1,126 +1,4 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8" />
<title> CAcert - Root Distribution License - DRAFT </title>
<style type="text/css"> <!-- only for WIP -->
<!--
.change {
color : blue;
font-weight: bold;
}
.comment {
color : steelblue;
}
-->
</style>
</head>
<body>
<div class="comment">
<table width="100%">
<tr>
<td>
Name: RDL <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD14</a><br />
Status: DRAFT <a style="color: steelblue" href="https://wiki.cacert.org/PolicyDecisions#p20100710">p20100710</a> <br />
Editor: Mark Lipscombe<br />
</td>
<td align="right">
<a href="//www.cacert.org/policy/PolicyOnPolicy.php"><img src="/images/cacert-draft.png" alt="RDL Status - DRAFT" height="31" width="88" style="border-style: none;" /></a>
</td>
</tr>
</table>
</div>
<p><br /><br /></p>
<table border="1"><tr><td>
<h1> Root Distribution License </h1>
<h2 id="s1"> 1. Terms </h2>
<p>
"CAcert Inc" means CAcert Incorporated, a non-profit association incorporated in New South Wales, Australia.<br />
"CAcert Community Agreement" means the agreement entered into by each person wishing to RELY. <br />
"Member" means a natural or legal person who has agreed to the CAcert Community Agreement.<br />
"Certificate" means any certificate or like device to which CAcert Inc's digital signature has been affixed.<br />
"CAcert Root Certificates" means any certificate issued by CAcert Inc to itself for the purposes of signing further CAcert Roots or for signing certificates of Members.<br />
"RELY" means the human act in taking on a risk or liability on the basis of the claim(s) bound within a certificate issued by CAcert.<br />
"Embedded" means a certificate that is contained within a software application or hardware system, when and only when, that software application or system is distributed in binary form only.<br />
</p>
<h2 id="s2"> 2. Copyright </h2>
<p>
CAcert Root Certificates are Copyright CAcert Incorporated. All rights reserved.
</p>
<h2 id="s3"> 3. License </h2>
<p>
You may copy and distribute CAcert Root Certificates only in accordance with this license.
</p>
<p>
CAcert Inc grants you a free, non-exclusive license to copy and distribute CAcert Root Certificates in any medium, with or without modification, provided that the following conditions are met:
</p>
<ul><li>
Redistributions of Embedded CAcert Root Certificates must take reasonable steps to inform the recipient of the disclaimer in section 4 or reproduce this license and copyright notice in full in the documentation provided with the distribution.
</li><li>
Redistributions in all other forms must reproduce this license and copyright notice in full.
</li></ul>
<h2 id="s4"> 4. Disclaimer </h2>
<p>
THE CACERT ROOT CERTIFICATES ARE PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED TO THE MAXIMUM EXTENT PERMITTED BY LAW. IN NO EVENT SHALL CACERT INC, ITS MEMBERS, AGENTS, SUBSIDIARIES OR RELATED PARTIES BE LIABLE TO THE LICENSEE OR ANY THIRD PARTY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THESE CERTIFICATES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. IN ANY EVENT, CACERT'S LIABILITY SHALL NOT EXCEED $1,000.00 AUSTRALIAN DOLLARS.
</p>
<p>
THIS LICENSE SPECIFICALLY DOES NOT PERMIT YOU TO RELY UPON ANY CERTIFICATES ISSUED BY CACERT INC. IF YOU WISH TO RELY ON CERTIFICATES ISSUED BY CACERT INC, YOU MUST ENTER INTO A SEPARATE AGREEMENT WITH CACERT INC.
</p>
<h2 id="s5"> 5. Statutory Rights </h2>
<p>
Nothing in this license affects any statutory rights that cannot be waived or limited by contract. In the event that any provision of this license is held to be invalid or unenforceable, the remaining provisions of this license remain in full force and effect.
</p>
</td></tr></table>
<div class="comment">
<h2> Alternatives </h2>
<p>
If you find the terms of the above
Root Distribution License
difficult or inadequate for your purposes, you may wish to:
</p>
<ul><li>
Enter into the CAcert Community Agreement by
<a href="https://www.cacert.org/index.php?id=1">
registering as a Member</a>.
This is free.
</li><li>
Delete CAcert Root Certificates from your software.
Your software documentation should give
directions and assistance for this.
</li></ul>
<p>
These alternatives are outside the above
Root Distribution License
and do not incorporate.
</p>
</div>
</body>
</html>
<?php
header('HTTP/1.0 301 Moved Permanently');
header('Location: RootDistributionLicense.html');
exit();

File diff suppressed because it is too large Load diff


@ -0,0 +1,271 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" lang="en">
<title> CAcert -- TTP-Assisted Assurance Policy </title>
<style type="text/css">
<!--
.comment {
color : steelblue;
}
-->
</style>
</head>
<body>
<div class="comment">
<table width="100%">
<tbody>
<tr>
<td rowspan="2">
Name: TTP-Assist <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD13.2</a>
<br>
Status: POLICY <a href="https://wiki.cacert.org/PolicyDecisions#p20140731">p20140731</a>
<br>
Editor: <a style="color: steelblue" href="https://wiki.cacert.org/UlrichSchroeter">Ulrich Schroeter</a>
<br>
Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright © CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy"> CC-by-sa+DRP </a>
<br>
</td>
<td align="right" valign="top">
<a href="https://www.cacert.org/policy/PolicyOnPolicy.php">
<img src="images/cacert-policy.png" alt="TTP-Assist Status - POLICY" style="border-style: none;" height="31" width="88">
</a>
</td>
</tr>
</tbody>
</table>
</div>
<h1> TTP-Assisted Assurance Policy </h1>
<h2 id="g0.1">0. Preliminaries </h2>
<p>
This sub-policy extends the
<a href="https://www.cacert.org/policy/AssurancePolicy.php">
Assurance Policy</a> ("AP" =&gt; COD13)
by specifying how Assurers can be assisted by
outsourcing the identity documents verification
component of assurance to trusted third parties (TTPs).
Other definitions and terms can be found in AP or in
<a href="https://wiki.cacert.org/AssuranceHandbook">Assurance Handbook</a>
("AH").
</p>
<h2 id="g0.2">1. Scope </h2>
<p>
This sub-policy is restricted to members located
in areas not well-served with Assurers.
It serves a goal of promoting both Assurers and Members in those areas.
</p>
<h2 id="g0.3">2. Roles </h2>
<h3 id="g0.3.1">2.1 Trusted Third Party </h3>
<p>
A Trusted Third Party ("TTP") is a person who is traditionally respected
for making reliable statements to others, especially over identification
documents. Typically, notaries public (anglo),
Notaries (European), bank managers, accountants
and lawyers.
</p>
<h3 id="g0.3.2">2.2 The Assurer (aka TTP-admin) </h3>
<p>
To employ a TTP in an assurance,
the Assurer must be a <a href="https://wiki.cacert.org/SeniorAssurer">Senior Assurer</a>.
The Assurer must be familiar with the local
language and customs.
</p>
<h3 id="g0.3.3">2.3 Member </h3>
<p>
A Member ("assuree") who is located in a place not well-served
by Assurers may use the TTP-assisted assurance.
</p>
<h2 id="g0.4">3. The Assurance </h2>
<p>
Assurance assisted by TTP must meet these requirements:
</p>
<ol style="list-style-type: lower-alpha;">
<li id="s3.a">
The Assurer must positively confirm the identity and
suitability of the TTP.
</li>
<li id="s3.b">
The TTP and the Member must meet face-to-face.
</li>
<li id="s3.c">
The TTP confirms the details supporting the Assurance Statement.
</li>
<li id="s3.d">
The Assurer makes a reliable statement to confirm the
Assurance Statement.
</li>
<li id="s3.e">
Assurance must be marked as TTP-Assisted
(e.g., by use of TTPAdmin flag).
</li>
</ol>
<h2 id="g0.5">4. Assurance Officer ("AO") </h2>
<p>
The Board routinely delegates its responsibilities to the
Assurance Officer (and this section assumes that, but does
not require it).
</p>
<p>
A report is requested annually from the Assurance Officer
on performance of this policy for the association's
annual report.
</p>
<h3 id="g0.5.1">4.1 Practice </h3>
<p>
Assurance Officer should prepare a
<a href="https://wiki.cacert.org/TTP">detailed documentation</a>
under
<a href="https://wiki.cacert.org/AssuranceHandbook">AH</a>
that meets the needs of this policy, including:
</p>
<ul>
<li>
Form for TTPs
</li>
<li>
Guide for TTPs.
</li>
<li>
Form for TTP-assisted assurance (used by Assurer)
</li>
<li>
Guide and protocol for Assurers.
</li>
<li>
Mechanisms for contacting Assurers available for
TTP-assisted assurances.
</li>
<li>
Definition of
<a href="https://wiki.cacert.org/SeniorAssurer">
Senior Assurer</a>.
</li>
</ul>
<h3 id="g0.5.2">4.2 Deserts </h3>
<p>
The Assurance Officer maintains a
<a href="https://wiki.cacert.org/deserts">list of regions</a>
that are designated as '<i>deserts,</i>' being areas that are so short
of Assurers as to render face-to-face Assurance impractical.
In each region, approved types of TTP are listed (e.g., Notary).
The list is expected to vary according to the
different juridical traditions of different regions.
Changes to the regional lists are prepared by
either an Organisation Assurer for that region
(as described by OAP)
or by two Assurers familiar with the traditions
in that region.
Changes are then submitted to the Board for approval.
</p>
<p>
Use of a type of TTP not on the list must be approved by
AO and notified to Board.
It is an explicit goal to reduce the usage of
TTP-assisted assurances in favour of face-to-face Assurance.
</p>
<p>
In coordination with internal and external auditors,
the Assurance Officer shall design and implement a
suitable programme to meet the needs of audit.
Where approved by auditors or Board, the Assurance
Officer may document and implement minor variations to this policy.
</p>
<h2 id="g0.6">5. Topup Assurance </h2>
<p>
AO is to operate a <cite>Topup Assurance Programme</cite>
to help seed deserts with Assurers.
A topup assurance will add additional Assurance Points
to those gained from two previously conducted TTP-assisted assurances,
in order for a Member to reach 100 Assurance Points
for the express purpose of becoming an Assurer.
</p>
<p>
A topup assurance is conducted by a third Senior Assurer
according to the following requirements:
</p>
<ol>
<li id="s5.1">
Assurer Challenge must be completed as passed by Member.
</li>
<li id="s5.2">
The topup must be requested by Member for
purpose of enabling the Member to reach Assurer level.
</li>
<li id="s5.3">
Topup Assurer must be a Senior Assurer,
and must be independent of the TTP-assist Assurers.
</li>
<li id="s5.4">
The Topup Assurer reviews the two TTP-assisted assurances,
and conducts other checks as set by the Assurance Officer.
The normal face-to-face meeting is not conducted.
</li>
<li id="s5.5">
Topup Assurer may award up to 35 points.
</li>
<li id="s5.6">
Assurance must be marked as Topup
(e.g., by use of new feature with TTPAdmin flag).
</li>
</ol>
<p>
Each topup is to be reported to AO.
Topup is only available in designated deserts.
</p>
</body>
</html>

Binary file not shown.


@ -25,14 +25,8 @@ showheader(_("CAcert - Policies"));
foreach (glob("*.html") as $filename)
{
echo "<li><a href='$filename'>$filename</a></li>\n";
}
foreach (glob("*.php") as $filename)
{
if($filename != "index.php" && $filename != "NRPDisclaimerAndLicence.php")
{
echo "<li><a href='$filename'>$filename</a></li>\n";
if($filename != "NRPDisclaimerAndLicence.html"){
echo "<li><a href='".htmlspecialchars($filename)."'>".htmlspecialchars($filename)."</a></li>\n";
}
}
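Review bot: The new `htmlspecialchars($filename)` calls rely on the default flags, and on PHP versions before 8.1 that default (`ENT_COMPAT`) leaves single quotes unescaped, while the `href` here is delimited by single quotes, so a file name containing `'` could still close the attribute. Pass the flag explicitly: `echo "<li><a href='".htmlspecialchars($filename, ENT_QUOTES)."'>".htmlspecialchars($filename, ENT_QUOTES)."</a></li>\n";`. The names come from `glob("*.html")` in the policy directory, so this is hardening rather than a known exposure, but the escaping should match the quoting it sits in. The enclosing script starts outside the hunk, and its trailing context may not be fully visible here.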