CAcert Wiki

• Login

• RecentChanges
• FindPage
• HelpContents
• Organisatio...rancePolicy

• Immutable Page
• Comments
• Info
• Attachments
• More Actions: Raw Text Print View Render as Docbook Delete Cache ------------------------ Check Spelling Like Pages Local Site Map ------------------------ Rename Page Delete Page ------------------------ Subscribe User ------------------------ Remove Spam Revert to this revision Package Pages Sync Pages ------------------------ Load Save

Purpose - Organisation Assurance Policy

• Explanation / Compurgation?

General Section - Organisation Assurance Policy

• COD - CAcert.org Official Document	11
  Name of CAcert.org Policy	Organisation Assurance Policy
  Shortcut of Policy	OAP
  Author/Editor	YourName
  Date of WIP	YYYYMMDD
  Date of DRAFT	YYYYMMDD
  Date of POLICY Approval	20070918
  Author/Editor Last Change	JensPaul
  Date of Last Change	20080118
  Place of OFFICIAL VERSION	Website CAcert.org
  Status	POLICY

Text - Oragnisation Assurance Policy

• FOR INFORMATION PURPOSE ONLY - Place of Policy OFFICIAL VERSION Website CAcert.org

0. Preliminaries

• This policy describes how Organisation Assurers ("OAs") conduct Assurances on Organisations. It fits within the overall web-of-trust or Assurance process of Cacert.
• This policy is not a Controlled document, for purposes of Configuration Control Specification ("CCS").

1. Purpose

• Or ganisations with assured status can issue certificates directly with their own domains within.
• The purpose and statement of the certificate remains the same as with ordinary users (natural persons) and as described in the CPS.
  • - The organisation named within is identified.
  • - The organisation has been verified according to this policy.
  • - The organisation is within the jurisdiction and can be taken to Arbitration.

2. Roles and Structure

• 2.1 Assurance Officer

• The Assurance Officer ("AO") manages this policy and reports to the board.
• The AO manages all OAs and is responsible for process, the CAcert Organisation Assurance Programme form ("COAP"), OA training and testing, manuals, quality control. In these responsibilities, other Officers will assist.

• 2.2 Organisation Assurers

  • a. An OA must be an experienced Assurer
    • i. Have 150 assurance points.
    • ii. Be fully trained and tested on all general Assurance processes.
  • b. Must be trained as Organisation Assurer.
    • i. Global knowledge: This policy.
    • ii. Global knowledge: A OA manual covers how to do the process.
    • iii. Local knowledge: legal forms of organisations within jurisdiction.
    • iv. Basic governance.
    • v. Training may be done a variety of ways, such as on-the-job, etc.
  • c. Must be tested.
    • i. Global test: Covers this policy and the process.
    • ii. Local knowledge: Subsidiary Policy to specify.
    • iii. Tests to be created, approved, run, verified by CAcert only (not outsourced).
    • iv. Tests are conducted manually, not online/automatic.
    • v. Documentation to be retained.
    • vi. Tests may include on-the-job components.
  • d. Must be approved.
    • i. Two supervising OAs must sign-off on new OA, as trained, tested and passed.
    • ii. AO must sign-off on a new OA, as supervised, trained and tested.

• 2.3 Organisation Administrator

• The Administrator within each Organisation ("O-Admin") is the one who handles the assurance requests and the issuing of certificates.
  • a. O-Admin must be Assurer
    • i. Have 100 assurance points.
    • ii. Fully trained and tested as Assurer.
  • b. Organisation is required to appoint O-Admin, and appoint ones as required.
    • i. On COAP Request Form.
  • c. O-Admin must work with an assigned OA.
    • i. Have contact details.

3. Policies

• 3.1 Policy

• There is one policy being this present document, and several subsidiary policies.
  • a. This policy authorises the creation of subsidiary policies.
  • b. This policy is international.
  • c. Subsidiary policies are implementations of the policy.
  • d. Organisations are assured under an appropriate subsidiary policy.

• 3.2 Subsidiary Policies

• The nature of the Subsidiary Policies ("SubPols"):

  • a. SubPols are purposed to check the organisation under the rules of the jurisdiction that creates the organisation. This does not evidence an intention by CAcert to enter into the local jurisdiction, nor an intention to impose the rules of that jurisdiction over any other organisation. CAcert assurances are conducted under the jurisdiction of CAcert.

  • b. For OAs, SubPol specifies the tests of local knowledge including the local organisational forms.

  • c. For assurances, SubPol specifies the local documentation forms which are acceptable under this SubPol to meet the standard.

  • c. SubPols are subjected to the normal policy approval process.

• 3.3 Freedom to Assemble

• Subsidiary Policies are open, accessible and free to enter.

  • a. SubPols compete but are compatible.

  • b. No SubPol is a franchise.

  • c. Many will be on State or National lines, reflecting the legal tradition of organisations created ("incorporated") by states.

  • d. However, there is no need for strict national lines; it is possible to have 2 SubPols in one country, or one covering several countries with the same language (e.g., Austria with Germany, England with Wales but not Scotland).

  • e. There could also be SubPols for special organisations, one person organisations, UN agencies, churches, etc.

  • f. Where it is appropriate to use the SubPol in another situation (another country?), it can be so approved. (e.g., Austrian SubPol might be approved for Germany.) The SubPol must record this approval.

4. Process

• 4.1 Standard of Organisation Assurance

• The essential standard of Organisation Assurance is:
  • a. the organisation exists
  • b. the organisation name is correct and consistent:

    • i. in official documents specified in SubPol.

    • ii. on COAP form.
    • iii. in CAcert database.
    • iv. form or type of legal entity is consistent
  • c. signing rights: requestor can sign on behalf of the organisation.
  • d. the organisation has agreed to the terms of the Registered User Agreement, and is therefore subject to Arbitration.

• Acceptable documents to meet above standard are stated in the SubPol.

• 4.2 COAP

• The COAP form documents the checks and the resultant assurance results to meet the standard. Additional information to be provided on form:
  • a. CAcert account of O-Admin (email address?)
  • b. location:
    • i. country (MUST).
    • ii. city (MUST).

    • iii. additional contact information (as required by SubPol).

  • c. administrator account names (1 or more)
  • d. domain name(s)
  • e. Agreement with registered user agreement. Statement and initials box for organsation and also for OA.
  • f. Date of completion of Assurance. Records should be maintained for 7 years from this date.
• The COAP should be in English. Where translations are provided, they should be matched to the English, and indication provided that the English is the ruling language (due to Arbitration requirements).

• 4.3 Jurisdiction

• Organisation Assurances are carried out by CAcert Inc under its Arbitration jurisdiction. Actions carried out by OAs are under this regime.
  • a. The organisation has agreed to the terms of the Registered User Agreement,
  • b. The organisation, the Organisation Assurers, CAcert and other related parties are bound into CAcert's jurisdiction and dispute resolution.
  • c. The OA is responsible for ensuring that the organisation reads, understands, intends and agrees to the registered user agreement. This OA responsibility should be recorded on COAP (statement and initials box).

5. Exceptions

• a. Conflicts of Interest. An OA must not assure an organisation in which there is a close or direct relationship by, e.g., employment, family, financial interests. Other conflicts of interest must be disclosed.

• b. Trusted Third Parties. TTPs are not generally approved to be part of organisation assurance, but may be approved by subsidiary policies according to local needs.

• c. Exceptional Organisations. (e.g., Vatican, International Space Station, United Nations) can be dealt with as a single-organisation SubPol. The OA creates the checks, documents them, and subjects them to to normal policy approval.

• d. DBA. Alternative names for organisations (DBA, "doing business as") can be added as long as they are proven independently. E.g., registration as DBA or holding of registered trade mark. This means that the anglo law tradition of unregistered DBAs is not accepted without further proof.

End of Organization Assurance Policy

Inputs & Thoughts

• YYYYMMDD-YourName

• Text / Your Statements, thoughts and e-mail snippets, Please

• YYYYMMDD-YourName

• Text / Your Statements, thoughts and e-mail snippets, Please

Category or Categories

CategoryPolicy

• Immutable Page
• Comments
• Info
• Attachments
• More Actions: Raw Text Print View Render as Docbook Delete Cache ------------------------ Check Spelling Like Pages Local Site Map ------------------------ Rename Page Delete Page ------------------------ Subscribe User ------------------------ Remove Spam Revert to this revision Package Pages Sync Pages ------------------------ Load Save

• MoinMoin Powered
• Python Powered
• GPL licensed
• Valid HTML 4.01