NOTA BENE - WORK IN PROGRESS - Your Inputs & Thoughts
CAcert.org Audit Next Steps - Subpolicies: Tverify / Thawte Notary
- From the Audit Business Area - Assurance, the Tverify / Thawte Notary program is frozen
Status of Assurance Specials: TTP, Tverify, PoJAM, CodeSigning, SuperA, OA Motion on AP only
CAcert's audit response
Due to the lack of a policy for the Thawte Notary transfer program, and due to the requirements of the Assurance Policy which rules over this area, the Tverify programme was legally not possible after mid-2008. It was suspended because this was an audit requirement (or instruction): the current process is unauditable (or, "audit fail" if you prefer).
Thawte response
Apparently, Thawte's auditor may have agreed because they declined to address it in their audit report. In late 2009 Thawte suspended their entire WoT, thus putting the need for a policy and system into the background.
Basic requirements for Points Transfer from Other CAs
Please try to answer the following questions / provide documents about your certificate provider (named "A"):
- Who is A?
  - Which country is A from?
  - Where can we get information about them?
- What personal details did "A" verify before issuing you the certificate?
  - Was there a face-to-face meeting?
  - What documents did they check?
  - Can their certificates be used for client-certificate authentication to websites?
  - Is there a CPS in English available? Is there an RPA in English available?
- Has "A" been audited by an independent auditor? According to which criteria?
(from Sourcerer)
Example: Spanish Public C.A.
For example, we may consider the Spanish government certification process.
Q. I would like to know if it's possible to become an assurer through the Spanish public C.A. (http://www.cert.fnmt.es/ ) that is used to access the online administration in order to register work contracts, pay taxes etc. This certificate is given after a public worker certifies your identity by comparing it to the national ID card?
A. What you would have to do is write a subsidiary policy under Assurance Policy to create the Tverify system. Don't wait around for others to do it, you'll have to pitch in and do most of it yourself. People will provide pointers, but if you want it...
Notes
The main assurance process is described here in more detail.
Process:
You have to:
- download the CA root cert,
- pre-register via Internet with first and last names, full address in Spain and phone numbers (no Date of Birth, but they mention an ID code, "NIF"?) => you get an ID code,
- go to the closest office near you for a face-to-face meeting with an employee of a Spanish public service; with the ID code from the web site and an ID document you complete the registration,
- afterwards you can download the certificate from home.
You can access many public service web sites with this certificate.
It could be valuable, but we would need to get a scanned copy of the ID document to check the Date of Birth.
Inputs & Thoughts
20090915-Iang
This is the starter document that Guillaume and I wrote in the train station back in May. It hasn't really been reviewed since. https://svn.cacert.org/CAcert/Policies/TVerifyAssurancePolicy.html So probably it needs to be heavily edited for understanding. There are also some notes references in http://wiki.cacert.org/wiki/PolicyDrafts/ .

One point which I recall from the discussion with Guillaume is the question of reliance. When an Assurer assures someone and puts the points into the system, we the community are relying on the Assurer. The Assurer makes a reliable statement. However, when the TVerify Assurer enters the points into the system about the Thawte situation, who are we relying on? Are we relying on the Assurer? Or are we relying on Thawte?

We can't rely on Thawte without entering into an agreement with Thawte. And there is no particular likelihood that such an agreement is possible or easy or negotiable between CAcert and Thawte.

Can we rely on the Assurer fully? This depends... if the Assurer simply says "I am relying on Thawte" then that can be checked, because there is reliance doco over at Thawte. But, probably this (when checked) will reveal that although the Tverify people have permission to "rely" there is backing for that reliance: no remedy, no dispute resolution, no liability, no nothing. It's all based on "trust", whatever that means.

So, that puts the onus back on the Assurer. Can we write the policy such that the Tverify Assurer takes on all the risk and liability of the assurance? And this is clear to the person? This point is very important to the audit, and was the inspiration of most of the CCA/AP/NRP/DRP policy work ... so it isn't easily ignored. Those are my thoughts today ....
YYYYMMDD-YourName
Text / Your statements, thoughts and e-mail snippets, please