CAcert.org Assurer Handbook

Meta Comments


Introduction

This handbook is intended for fresh CAcert assurers. It should give you a first guide on what to do and what to know when acting as a CAcert assurer, and serve as a starting point for more in-depth research on specific topics.

Overriding Documents

Although this document can be considered to be your working "Assurer's bible", there are several other documents of importance. Especially,

A word on Policies

This Handbook is not a policy, but a working practices guide. In the case of contradictions, policies are the final authority, so this Handbook has to conform to those documents. If you find such contradictions please make them known to CAcert's policy mailing list at [ cacert-policy@lists.cacert.org ].

Other policies and documents of CAcert can be found at OfficialDocument. The work of creating policies is controlled by Policy on Policy and is conducted in the open at CAcert's policy mailing list at [ cacert-policy@lists.cacert.org ]; any Member may join and contribute. When documents are still being written they are referred to as work-in-progress or WIP, above. When approved in DRAFT, they are binding on the community, but still being finalised. When fully approved they are marked as POLICY and are officially published on the controlled website at https://www.cacert.org/policy.

All policies have an effect on assurance, although they may not address assurance explicitly. For example, the Privacy Policy also has some impact on the process.

Your obligations as an Assurer

Some easy ways to keep you informed about important changes in the policies are

Your risks and liabilities

By joining CAcert you accept the CAcert Community Agreement (CCA), which defines the risks and liabilities of CAcert members. You should be very familiar with this document so that you can understand these risks and liabilities for yourself and for any new and prospective Members that ask questions about the issues.

There is both good news and bad news: The CCA places a limit on monetary liability to you of 1.000 EUR (one thousand Euros). Each member accepts Arbitration, which is our system to keep disputes internal, rather than expose our members to courts in far away lands, expensive lawyers, and judgments that might not fully appreciate what certificates are about. The limit of liability is balanced across the Community, as it applies to you as well as to anyone who has a dispute with you, so it is both a maximum to protect you and a liability directly to you.

Therefore, you should always be careful when doing Assurances, because you can be held responsible by the Arbitrator up to this limit!

The Assurance Procedure

The assurance procedure is a crucial part of the CAcert project. If the assurances are conducted in a reliable way, members will be able to usefully rely on the CAcert certificates. If assurances are made superficially, this reliance will fail and the project will go down the drain. So we all depend on you!

The following procedure is a proposal. You may alter the process, but then you have to make sure that your process conforms to CAcert's Assurance Policy (POLICY) !!

Make yourself known as a CAcert assurer

Probably the best way to do this is to enter a location into your profile and allow your entry to be shown in the users list. Other ways, like advertising yourself among your friends and colleagues, are left at your discretion.

Assurance within the web of trust is a two-way street, and you should share some minimum information such as your email address and Name, for example on a business card. See also Mutual Assurance.

Preparing yourself for an assurance

Now let's assume that someone has contacted you and asked you to assure his or her identity for CAcert. There are other ways to do a correct assurance, but this is a good way to start.

First of all you should check whether the applicant already has an account at CAcert. Go to https://secure.cacert.org/wot.php?id=5 and enter the applicant's email address. If the address is correct you will be shown the interactive assurance form. Do not fill out anything at this time! Just use one of the links at the bottom to open and print out a PDF document containing the pre-filled CAP form.

If the email address is not found within the system, ask the Member to give you the primary email address for the account.

Non-Members

If the user has not yet created the account, you will not be able to find it. In this case, the user is not yet a Member, and you should ask her to create her account and become a Member before doing the Assurance.

In some circumstances, such as mass Assurance Events like CeBIT or a chance meeting, it may be reasonable to do the Assurance in advance of the user becoming a Member. However, this should be avoided where possible, as there are some security and legal risks if a person is assured first and the account is created later. For instance, the user will not have had time to read the CCA, which she could more easily do online or later on (at these events, always have copies of the CCA to hand out).

You should also be able to give the bona fide Member a quick overview of the CCA, covering at least its two essential topics:

Suggested Procedure: In the case where you decide to go ahead and do the Assurance with a non-Member, in advance of account creation and full acceptance of the CCA, follow this procedure in order to protect the non-Member and yourself:

In this way, you indicate that the member-to-be will have time later on to read the CCA, and on account creation, she will confirm her agreement. If the account is never created, the agreement is null and void, and your CAP can be marked so or destroyed. Meanwhile, you and she have both agreed to conduct the Assurance under CAcert's policies and dispute resolution procedures.

Inform yourself about the documents the applicant wants to present

You should ask the applicant which ID documents s/he wants to present. Remind him/her that you have to see the originals of at least one (two are preferred!) photo ID, at least one of which has to be government-issued and contain the date of birth. If s/he wants to present unusual or foreign documents, please inform yourself in advance how these documents should look. You may use the page AcceptableDocuments as a starting point for such research.

You may want to ask the applicant to check expiry dates of the documents, so s/he does not leave you in the difficult situation of deciding whether expired documents are valid.

Plan the meeting

You have to meet the applicant face to face and shake hands with him/her. No assuring on the phone, not even via video phones!

So you have to find a meeting place. If your employer tolerates this, your office may be a good meeting point. Of course you can meet at your home if you want to. Otherwise some not too crowded pub would be a nice place.

Take the pre-filled CAP form to the meeting, and don't forget a ballpoint pen, since the applicant has to sign the form!

The meeting

Please try to make sure that you are not in a hurry during the meeting. You should have at least five minutes to check the documents and let the applicant sign the form! Take your time.

Shake hands with the applicant, maybe give him/her a nice smile. Give the Member a business card with your Name, email address and the title of CAcert Assurer, if possible. This can be handwritten as well; CAcert is a community, not a corporation.

Checklist

Things you should check:

  1. The data contained in the documents (Names and date of birth) is identical to that on the CAP form.
  2. Ask if the account is already created.
  3. Ask if the email address is the primary address of the account. If unsure, copy down alternates.
  4. Verify that the applicant has checked the "I agree to the CAcert Community Agreement". If time allows explain the key points of the CCA (liability and arbitration). Maybe hand out a printed CCA.
  5. Let the applicant sign the CAP form.
  6. Verify the person against the documents.
  7. Note the kind of documents presented (like passport, ID card, driver's license) and possible name variations (additional middle names, academic titles, birth names...) on them. If the names in the documents differ from the (pre-printed) name on the CAP form, copy the name from the documents as exactly as possible to the CAP form. The CAP form is your only evidence of what you have seen!
    • For names or name parts: allow only names or name parts (i.e. suffixes) that you can verify against at least one governmental photo ID.

Some points to keep in mind:

Things to discuss

Have a little chat with the applicant, if time permits and both parties are interested. ;-) As a representative of CAcert, you the Assurer may find yourself helping the Member in wider aspects of the Community. Some general things to discuss are:

If you do get a chance to discuss anything with the Assuree, it is good to make a small note on the CAP form about what it was.

After the meeting

If you did notice anything unusual, make some notes on the backside of the CAP form. Things you should note include (but are not restricted to):

Those notes might help you to remember what happened later, just in case a dispute is filed and someone asks you about details of the meeting.

Issuing Assurance Points

Now log in to the CAcert website, go to https://secure.cacert.org/wot.php?id=5 once again and enter the applicant's email address. Now fill out the assurance form, check the data once again and issue your points if there are no reasons against it. If the situation was not ideal you should give fewer points; see Assurance/PracticeOnIdChecking for some guidelines about the number of points to give.

The Assurance Points are your expression of confidence in the Assurance Statement. If you are completely sure, issue maximum points. According to AP4.3, completely sure means:

If the documents look good but are unfamiliar to you (like foreign documents), you may decide to issue partial points (although some Assurers choose to issue only maximum points or none).

There are two special cases: if you have no confidence in the Assurance Statement, then issue zero points. This will most often occur if the documents are totally unfamiliar to you. For example, a Finnish driver's license presented to an Australian Assurer at an event in Chile! The documents mean nothing to you, but as you have still made a good faith attempt to do the Assurance, it is good to record that fact. It is still worth experience, and your CAP form is still a good record. Advise the Member that this may happen, and the reasons why, so as to maintain good faith.

The second special case is if you have negative confidence, that is, you think there is something wrong, such as some of the documents being false or inconsistent. In this case, do not complete the Assurance (do not sign the form and do not press the "I am sure of myself" button on the web application), but instead consider filing a dispute.

Remember the following issues:

What about that CAP form?

As well as the Assurance details (Name, primary email, DoB), the CAP form (short for CAcert Assurance Programme form) must contain, according to AP4.5:

For the old-style one-way Assurance, cross out the fields for your email address and Date of Birth, as desired. (Note that we are now preferring the mutual Assurance where possible.)

Mutual Assurance. For a mutual Assurance, fill them in (or use two CAP forms). If the other Member is not an Assurer as yet, then

  1. if the other Member is unsure, you may keep the CAP form(s) on her behalf (and take responsibility for both Assurances) which is why the form itself has both sets of details on it.
  2. if the other Member is about to become an Assurer, or you otherwise judge the Member is capable of meeting the storage requirements, then she may keep her CAP form recording her Assurance over you.

Storage. The Assurer has to securely keep the paper CAP form for at least seven years. You are personally responsible for this (and in a mutual assurance with a non-Assurer, you remain responsible)! It is your evidence that you have followed CAcert's Assurance Policy and that you met the applicant in person (face to face).

For data protection and privacy reasons no-one else should have access to the CAP forms, once completed. Do not scan the CAP form and keep it electronically. CAcert's Assurance is deliberately designed to create a paper foundation on which digital certificates are issued; by maintaining a base of paper, the digital framework is strongly constructed with a classical legal foundation. Not only does scanning weaken that foundation, you may also violate data protection laws on electronic data storage.

In the case of a dispute you may be requested to send the original paper form to a CAcert Arbitrator. See below for more details.

If you find yourself unable to keep the CAP forms for whatever reason, file a dispute at support@cacert.org, explain the circumstances, and request the Arbitrator to provide instructions.

Sending CAP forms to CAcert by request

An Arbitrator may request you to send him the CAP forms, maybe because there was a complaint about a certificate or just as part of a quality assurance process. CAP forms contain personal data, so the requester has to be authorized to see them and you have to make sure that no-one else can read that data.

Fees

Assurance Events

You may be asked to be an Assurer at an Event. Have a look at EventOrganisation. This is a great opportunity to build up experience as an Assurer because you will be working with other experienced people, and you can discuss all sorts of issues and difficulties. This should also be reflected in your Experience Points!

The Standard of Assurance

IMHO this paragraph still needs some work to be less confusing for newbie (and experienced) assurers. The CAP links to this handbook for a definition of the "Standard of Assurance", so it has to be done. I'm still thinking about it, if you have an idea feel free to propose it. BernhardFröhlich

Also, see Assurance Policy (POLICY) ... which should nail down the Standard of Assurance ... once and for all :) iang.

AP5 puts the responsibility for the standard of assurance on the Assurance Officer, stating that this role includes:

Maintaining a sufficient strength in the Assurance process (web-of-trust) to meet the agreed needs of the Community.

The customary standard includes these points:

  1. For a full-points Assurance, at least one government-issued photo ID containing the name and date of birth must be verified by the Assurer.
    • Acceptable forms include Passports, Drivers Licenses and National Identity Cards.
  2. For a Name to appear in a certificate, the Member should have been verified by at least two Assurers.
    • For exceptions, see "Major Variations" below.

Your Assurance is a CAcert Assurer Reliable Statement, or CARS. This means that anyone in the community may rely on your statement.

Minor Variations

An Assurer may handle minor variations, such as poor-quality ID or missing ID, by reducing Assurance Points.

It would be extremely unusual to issue full points if the Member does not have a good government-issued photo ID. On the other hand, such an ID alone does not mean full points; look at the additional documents to confirm.

Major Variations

Four Major Variations exist to the above:

Frequently encountered situations

Name Matching

The relevant policy text for name matching is Chapters 2.1 and 2.2 of the Assurance Policy. More specific information as well as many examples can be found at PracticeOnNames.

Transliterations

Usual transliterations, missing accents and similar things are accepted. So if the ID doc says "André Müller" but the name in the account is "Andre Mueller" that's OK.

Note that the reason for accepting plain ASCII representations of non-ASCII characters is the usual restriction of computer environments. Therefore it is not accepted to assure someone as "Müller" if the ID documents say "Mueller".

It is still not well defined how names in other scripts (for example Chinese or Hebrew) should be handled. The Assurance Policy encourages using exact representations in Unicode, but allows transliterations. Transliteration rules can be found at http://en.wikipedia.org/wiki/Transliteration

Case Sensitive - Case Insensitive

  Transliteration (http://en.wikipedia.org/wiki/Transliteration) of characters as defined in the transliteration character table (UTF Transtab, http://svn.cacert.org/CAcert/Policies/transtab.utf) for names is permitted, but the result must be 7-bit ASCII for the full name. Transliteration is one way and is towards 7-bit ASCII. Transliteration is a way to compare two names. However, transliteration of a Name makes the Name less discriminative.

  In general names are handled case insensitively.

  Abbreviation of second given name(s), middle name(s), titles and name extensions in the name of an individual to one character and the dot indicating the abbreviation, is permitted. If the first given name in the ID document is abbreviated, the first given name in the web account Name may be abbreviated. Abbreviation of a name makes the name less discriminative, so it is deprecated.

  A Name on an ID which has initials (abbreviations) for titles, name extensions and given names, and/or transliterations as defined in the transliteration table can be taken into account for assurance for a Name in the account which is not abbreviated or transliterated.

  Titles and name extensions in the name of an individual may be omitted.

  The assurance ambition is to pursue a highly discriminative assured Name in the account. The ambition is to have only a Name in the account which has no abbreviation(s), no transliteration and is case sensitive.

End of insert from WiP-AP.

Arbitration case a20090618.13 Opinion

Naming and the writing of names is a complicated subject that follows different rules in different cultures. Even within a culture there is a multitude of differences in how names may be spelled.
Capitalization is the subset of name spelling at issue here. There are a multitude of countries in which the script used differs wildly from western letters. In such scripts capitalization may not even exist. Names that are transliterated from such scripts would then have an arbitrary capitalization, since who is to say which parts of such a transliterated name are capitalized.
The claimant has himself stated that oftentimes names in official documents are spelled in all capital letters, although the name would generally be spelled with an initial capital letter followed by letters in lower case. So it is evident that even within the culture of the claimant, capitalization rules for names (especially when taken outside the context of sentences) are unsettled.
However, there are instances where capitalization of names does make a difference. As an example one can think of McCain or DeHaviland. Both names are properly spelled with a capital letter at the beginning and in the interior of the name. Capitalizing correctly here may alter the name significantly, at least within the culture of origin.
As a result, naming and name capitalization is not something that can easily be prescribed.
However, at question here is really whether an assurance of a name spelled with unusual capitalization is permissible. In order to answer that question one only needs to look at the Assurance Policy, which states:

1. Assurance Purpose

The purpose of Assurance is to add confidence in the Assurance Statement made by the CAcert Community of a Member.

With sufficient assurances, a Member may: (a) issue certificates with their assured Name included, (b) participate in assuring others, and (c) other related activities. The strength of these activities is based on the strength of the assurance.
1.1. The Assurance Statement

The Assurance Statement makes the following claims about a person:

   1. The person is a bona fide Member. In other words, the person is a member of the CAcert Community as defined by the CAcert Community Agreement (CCA);
   2. The Member has a (login) account with CAcert's on-line registration and service system;
   3. The Member can be determined from any CAcert certificate issued by the Account;
   4. The Member is bound into CAcert's Arbitration as defined by the CAcert Community Agreement;
   5. Some personal details of the Member are known to CAcert: the individual Name(s), primary and other listed individual email address(es), secondary distinguishing feature (e.g. DoB).

The confidence level of the Assurance Statement is expressed by the Assurance Points.

Specifically at issue is item 5 of the Assurance Statement, because the question is whether a name "is known" to CAcert if the capitalization is arbitrary and potentially different from the presented Identification Documents. In other words:

If I tell you that my name is "philipp dunkel" do you then know my name?

In this specific case I would answer that question with yes. However, that is a judgment call that will depend highly on the name and culture at issue. Throughout the Assurance Process the Assurer should be guided by their own sound judgment. In fact, the entire system of the CAcert Web of Trust is based on us trusting an Assurer's judgment. Since none of the items mentioned in point 3.1 of the Assurance Policy as guidelines resolve the issue of capitalization, the Assurer is allowed, or in fact required, to use his own judgment.
So on the question of whether the claimant may complete this Assurance as requested in the original claim:

Middle names and Initials

According to the AP it is preferred that all given names which can be verified in one of the ID documents are recorded in the account.

If a person has multiple given names (or middle names) at least one given name must be used in the account unabbreviated. Additional names may be omitted or abbreviated, usually to the first character with or without a dot to indicate the abbreviation.

So someone called "Bernhard Andreas Fröhlich" may create his account as "Bernhard Fröhlich", "Andreas Fröhlich" or "Bernhard Andreas Fröhlich". Initials are deprecated, but are currently tolerated, so if the said person would use the name "Bernhard A. Fröhlich" this would currently be OK.

But remember, you may not assure an Account with a name you did not see on at least one ID document! If all ID docs state "Bernhard Fröhlich", assuring him as "Bernhard Andreas Fröhlich" is prohibited!

If the name on the presented ID documents is not identical to that on the CAP form, it is best to note the name as exactly as possible somewhere on the paper, including all given/middle names. If the account is disputed later, you can then recall the exact name you have seen.
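The transliteration, case and abbreviation rules quoted above, together with the given-name rules of this section, carried into a pre-check an Assurer could run before filling in the form; this is an added example, not CAcert's own code. It assumes the last word of a Name is the surname, and the TITLES set and TRANSLIT table are small constructed stand-ins for the real title rules and the transtab.utf table.

```python
"""Pre-check of an account Name against the Name on an ID document, following the
transliteration, case and abbreviation rules quoted in this handbook section.

Added example, not CAcert code.  Assumptions: the last word is the surname and
everything before it is a given name; TITLES and TRANSLIT are small constructed
stand-ins for the real title rules and the transtab.utf table.
"""
import unicodedata

# Constructed, partial transliteration table (one way, towards 7-bit ASCII).
TRANSLIT = {"ä": "ae", "ö": "oe", "ü": "ue", "æ": "ae", "ø": "o", "å": "aa"}

# Assumed titles / name extensions that the policy allows to be omitted.
TITLES = {"dr", "dr.", "prof", "prof.", "ing", "ing.", "dipl.-ing."}


def strip_marks(token: str) -> str:
    """Drop diacritics only ("missing accents"): 'André' -> 'andre'."""
    decomposed = unicodedata.normalize("NFKD", token.casefold())
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def transliterate(token: str) -> str:
    """Table-driven transliteration, then drop remaining marks: 'Müller' -> 'mueller'."""
    mapped = "".join(TRANSLIT.get(c, c) for c in token.casefold())
    return strip_marks(mapped)


def is_initial(token: str) -> bool:
    """'A' or 'A.': abbreviation to one character plus an optional dot."""
    return len(token) <= 2 and len(token.rstrip(".")) == 1


def token_matches(id_tok: str, acc_tok: str) -> bool:
    """Case-insensitive equality, or the account token is a 7-bit ASCII
    rendering of the ID token.  The reverse direction is rejected: an account
    'Müller' may not be assured from an ID that says 'Mueller'."""
    if id_tok.casefold() == acc_tok.casefold():
        return True
    if not acc_tok.isascii():
        return False
    return acc_tok.casefold() in (transliterate(id_tok), strip_marks(id_tok))


def given_matches(id_tok: str, acc_tok: str) -> bool:
    """Full match, or an account initial of an unabbreviated ID given name."""
    if token_matches(id_tok, acc_tok):
        return True
    return (is_initial(acc_tok) and not is_initial(id_tok)
            and transliterate(id_tok)[0] == acc_tok[0].casefold())


def split_name(name: str):
    """Return (given_names, surname) with omittable titles removed."""
    parts = [p for p in name.split() if p.casefold() not in TITLES]
    if len(parts) < 2:
        raise ValueError("need at least one given name and a surname")
    return parts[:-1], parts[-1]


def name_matches(id_name: str, account_name: str):
    """Return (ok, reason): may the account Name be assured from the ID Name?"""
    id_given, id_sur = split_name(id_name)
    acc_given, acc_sur = split_name(account_name)
    if not token_matches(id_sur, acc_sur):
        return False, "surname differs from the ID document"
    unabbreviated = 0
    i = 0  # cursor into id_given: account given names must keep the ID's order
    for pos, acc in enumerate(acc_given):
        while i < len(id_given) and not given_matches(id_given[i], acc):
            i += 1  # this ID given name is omitted in the account, which is allowed
        if i == len(id_given):
            return False, f"given name {acc!r} is not on the ID document"
        id_tok, i = id_given[i], i + 1
        if not is_initial(acc):
            unabbreviated += 1
        elif pos == 0 and not is_initial(id_tok):
            return False, "first given name may only be abbreviated if the ID abbreviates it"
    if unabbreviated == 0:
        return False, "at least one given name must be unabbreviated"
    return True, "ok"


if __name__ == "__main__":
    # The handbook's own examples: the first four are allowed, the last two are not.
    for id_name, acc in [("André Müller", "Andre Mueller"),
                         ("Bernhard Andreas Fröhlich", "Bernhard Fröhlich"),
                         ("Bernhard Andreas Fröhlich", "Andreas Fröhlich"),
                         ("Bernhard Andreas Fröhlich", "Bernhard A. Fröhlich"),
                         ("Andre Mueller", "André Müller"),
                         ("Bernhard Fröhlich", "Bernhard Andreas Fröhlich")]:
        print(f"{id_name!r:30} -> {acc!r:30} {name_matches(id_name, acc)}")
```

The result is only a pre-check: the policy leaves the final decision to the Assurer's judgment, and the real transliteration table has far more entries than the constructed one here.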

Multiple Names, Pseudonyms

According to the Assurance Policy (POLICY), multiple names are accepted, if matching ID documents can be presented.

Currently the CAcert software cannot handle them, but if you note them on the CAP form you can assure them later once the feature is implemented.

Junior Members

In principle, children or minors or juniors can also be assured. There is no minimum age set by CAcert.

The Policy on Junior Assurers / Members moved to DRAFT and is therefore binding since Jan 31, 2010.

There are, however, some difficulties that need to be taken into account.

Questions

Policy On Junior Assurers Members 2

1. The Junior Member asks an Assurer to assure him.
2. The Assurer checks that the age of the Junior Member
   is assessed according to the local country's law
   (e.g. in Germany a junior is under 18 years of age;
    for other countries this may vary).
3. The Assurer starts a regular assurance.
4. The first Assurer hands out to the Junior Member a
   ParentsKit that includes a ParentsForm and an info package.
5. The Parents of the Junior Member sign the ParentsForm.
6a. The Parents return the ParentsForm to the Assurer
    at a second face-to-face meeting, by snail mail or
    by a scan of the signed ParentsForm sent by email.
6b. The Junior Member returns the ParentsForm to the Assurer
    at a second face-to-face meeting, by snail mail or
    by a scan of the signed ParentsForm sent by email.
7. The Assurer makes a note on the Junior Member's CAP form
   that he has seen the signed ParentsForm, or makes a copy of
   the ParentsForm and adds it to the Junior Member's CAP form.
8. The Assurer can now transfer the assurance points he gave
   to the account with the additional (not yet existing)
   checkbox that he got confirmation from the parents. x1)
9. The Assurer returns the original ParentsForm to the Junior
   Member for future assurances. A scanned ParentsForm is not
   sent back by email.

x1)

ParentsKit

Mutual Assurance

Mutual assurance should be done where practical (AP4.2). Note that an assurance is always at the request of the Assuree and the agreement of the Assurer, so mutual assurance remains a voluntary process for both sides.

Mutual assurance has these advantages:

There are some disadvantages:

With an Assurer

Conducting a Mutual Assurance with another Assurer is easy, and the process is mostly left open to you and your partner-Assurer. Here are some tips.

The benefit is maximal when we help the other person to see better ways. This means that:

With a Non-Assurer

Conducting a Mutual Assurance with a Member who is not yet an Assurer is harder than an ordinary Assurance. But it is more valuable, because it is a really good way to train the Member towards becoming an Assurer!

To do this,

  1. Take an extra CAP form, or use a CAP form that is designed to be mutual (includes the same details for both parties).
  2. After doing the process on the Member, ask her to take the forms and repeat the process on yourself.
  3. Coach the Member as she does the steps.
    • Explain why we do it that way.
    • Allow her to make mistakes, and then explain gently the nature of the mistake.
    • Ask questions to make sure she understood what she has done.
    • Do not go too deep, do not get into detail. Concentrate on the essentials, and be prepared to compromise on detail. The essence is the overall feeling of the Assurance, not getting every detail correct. Details and perfection come later with the Assurer Challenge.
    • Make it a fun experience, not a reminder of primary school nightmares. The goal is to make her want to take your job away :-) Encourage her (we have many other jobs for experienced Assurers!)
  4. Once she has done the checks of the Assurance Statement over you, she is ready to allocate Assurance Points to you.
    • She can allocate 0, 1 or 2 Assurance Points to you.
    • Coach her in what the points mean.
    • It is entirely up to her judgment as to how many points.
    • Indeed, encourage her to be critical, and if it is her first time, to issue 0 points to you. For example, if she is unfamiliar with the process, how can she be familiar with the meaning of the points?
    • In this process, you yourself are not collecting more Assurance Points, but instead training a future generation of Assurers. Your mission is to teach her the best ways and understandings.
  5. Once she has allocated the points, have her write them onto the CAP form(s).
  6. Because you are the Assurer, you are totally responsible for the results.
    • She is not responsible because she is not an Assurer.
    • You should keep the primary forms.
    • If she is taking copies away, that is OK too. But advise her of the Assurer's 7-year responsibility, and write that on the form. She now holds your privacy data.
  7. At the moment, there is no way to enter these points into the system.
    • These points will have to wait for a future system enhancement. So for the moment, the result is lost.
    • But the real benefit of training remains.
    • The above procedure can and will change as we get more experience.

Who keeps the CAP form?

Optional

Mutual Assurances, like all Assurances, are currently optional at the discretion of both. You may not want to do a mutual Assurance, but consider:

Likely these things will become standard in the future (see 20090517-MiniTOP on Assurance), once Assurance Team figures out all the details. Let us know your experiences.

CAcert Assurer Reliable Statement

An Assurance is a CAcert Assurer Reliable Statement, CARS for short. It is the primary one you make to the community, as part of our overall Assurance process, or web-of-trust.

If you get involved in other, deeper parts of CAcert, you may be asked to make other reliable statements to help our processes. Here are some examples:

In order to signal a statement of reliance, you can add the term CARS to the end of your name. This is useful if it is not totally obvious that your statement might be relied upon.

Sample of CAcert Assurer Reliable Statement

 I make a statement

 My Givenname LastName
 CARS

Verification and Measurement in the Web Of Trust

To construct its global web of trust, CAcert uses a metrics system called Assurance Points to measure how well we know you.

Assurance Points

The number of Assurance Points measures how much you have been verified in Assurance processes and other approved processes, as per the Assurance Policy (POLICY). They go from 0 (new Member) to 100 (fully assured Member).

Currently points acquired do not "expire" or "decay", but this might be changed in the future.

Experience Points

  Old Points   Your Experience Points   Issuable Assurance Points
  100          0                        10
  110          10                       15
  120          20                       20
  130          30                       25
  140          40                       30
  150          50                       35

For every assurance, an Assurer generally gets 2 points, up to the maximum of 50 points.

Note that this system is currently unimplemented, and the experience is collected as points in the Assurance Points scheme, being points above 100. See below.

Old Points

Note: The meaning of the points has changed since the new Assurance Policy (POLICY) (http://www.cacert.org/policy/AssurancePolicy.php). The change split the old points into Assurance Points and Experience Points.

Before, they were the same points system with different meanings, below and above 100 points. Below 100 the number of old points showed the amount of trust CAcert had in your identity. The points above 100 made a statement about your experience as an Assurer.

Now, there are two points systems, one for each meaning. Assurance Points ONLY show how well you have been assured. Experience Points indicate how well an Assurer can do their job.

The separation of Experience Points has not as yet been implemented in the online system.

What is an Experienced Assurer?

For each assurance done, an Assurer is given 2 Experience Points ("EPs"). There are also some exceptions such as 5 EPs for attending an ATE.

When an Assurer has gained the full 50 EPs, probably by conducting 25 assurances, the Assurer is often termed an Experienced Assurer.

What is a Senior Assurer?

This is an Assurer who:

  1. is Experienced, as described above,
  2. has been co-audited,
  3. has attended an ATE,
  4. knows CARS.

This definition was reached at the Brussels MiniTOP on Assurance.

What is a co-auditor?

A co-auditor is a very experienced Assurer who helps the Assurance Officer collect results suitable for verifying the entire system of Assurance. These results are collated for audit over CAcert.

What is a co-audited Assurance?

A co-audit or a co-audited assurance is an assurance that you, the Assurer, conduct over the co-auditor (see above). During the assurance, the co-auditor checks lots of things and records the results. You cannot fail this. At the end, you should get some helpful feedback.

Co-audits are generally conducted at ATEs, so you should try and attend.


Inputs & Thoughts