Audit Results Session 2015.1

Audit Type

Compliance Review

Report Status

Final Report

Audit initiated by

Requested by Assurance Officer

Audit Subject

Compliance of Software with Assurance Policy

Follow up status

2015-04-10 informed board, management review expected by 2015-05-30

2015-08-11 Approved by board in m20150803.4

Executive Summary

This audit report covers the findings of session 2015.1 on the CAP form and the WebDB.

There are three findings, two of which are non-conformities.

Purpose, Scope and Methodology

This audit session is about the compliance of the assurance process with CAcert's Assurance Policy (AP). The CAP form and the WebDB are evaluated against the matching sections of the AP. The walk-through is done with a fictitious Assuree in the test system.

Audit Results and Recommendations

The auditor identified two non-conformities and one recommendation.

Non-Conformities

Member's Name

AP 2.1 describes the handling of a member's Name as follows:

 1. The Name should be recorded as written in a government-issued photo identity document (ID).
 2. The Name should be recorded as completely as possible. That is, including all middle names, any titles and extensions, without abbreviations, and without transliteration of characters.
 3. The Name is recorded as a string of characters, encoded in unicode transformation format.

While trying to capture all parts of the second point, the WebDB does not honour the third point: the Name is stored as several individual data fields and not as "a [as in 'one'] string of characters".

Besides not following the rule of AP 2.1, this implementation causes additional trouble for people whose names do not fit this structure (e.g. single-word names).

Multiple Names and variations

AP 2.2 allows members to record additional names or variations of their name in their online account. Examples are given.

This requirement is not implemented at all in the current software.

Recommendation

AP 4.5 requests optional information for reciprocal assurances in the Assurer's part of the CAP form. Using the same CAP form for a reciprocal assurance is not recommended and is not state of the art according to Assurer education. It is recommended to remove the following sentence from the AP:

Optional: If the Assurance is reciprocal, then the Assurer's email address and Secondary Distinguishing Feature are required as well;

Auditor

-- BenediktHeintel 2015-04-06 21:40:21