This page is deprecated. Please see Organisation Assurance

However, since the new documentation is finished you might find some useful information here. But be aware: A lot of things have changed. Maybe you would also like to have a look at the Organization Assurance Manual.

Email & Server Certificates for Organisations

Important note

If you have knowledge in law and you want to help CAcert org Support, please see HelpingCAcert

Purpose

Having your organisation assured allows you to issue certificates in the name of your organisation, have additional information added to certificates, and issue certificates for any arbitrary email address in your domain without the need to go through verification every time. You can also delegate (and revoke) the authority to other administrators within your organisation.

Organisation feature benefits

  1. The CAcert Organisational feature is pretty interesting because you can include more details than a simple CAcert user can (organisation name, localisation). After the organisation account is created, you have the same easy way to generate email or webserver certificates.

  2. Also, because you're responsible for your organisation, you can generate user certs for any of your employees (including the organisation name) without going through the whole assurance process (TTP or CAP). Here, CAcert delegates its responsibilities to the owner/executive manager of the organisation.

  3. Because we do not provide any sub-root certificate, we assure the whole CAcert community that the root certificate trust is less likely to be compromised (see SubRoot).

How to request the organisation features?

CAcert has a general policy for Organisation Assurance. When an Organisation Assurer is available in a country, a specific policy has been written to handle Organisation requests for the country.

Mainly, the following countries have several organisation assurers:

For all other countries, please first ask support (at) cacert.org whether we can handle a request (and see the table below).

The "Organisation Assurers" work in much the same way as the Web of Trust assurers do their "job". Local assurers overcome the problem of reading the local language and knowing the local organisation legislation. It is also easier for them to verify the will of the owner/executive manager in case he/she is not fond of IT and doesn't have a proper and trusted digital certificate and signature.

Also, if you need specific help or have questions, you are welcome on the IRC channel #cacert at irc.cacert.org. If you are kind enough, we will try to speed up the procedure.

Additional steps

  1. The person responsible for the organisation needs to appoint 1+ admin(s) in charge of generating/taking care of the certs for the organisation. The admin must have a certain amount of trust and knowledge, so they need to be a current CAcert assurer. The admin may or may not be a member/employee of the organisation, so you can ask your usual IT service provider to do the job.

  2. From the certificate of incorporation, the CAcert support (or Organisation Assurer) can get info about the organisation and add it to the organisation account: its name and its place of incorporation (town, state, country). They then add the owner/executive manager email address for contact, the admin list (for each admin, the department name in the organisation if applicable), and the list of the domain names of the organisation after a check of one (or more) authoritative email address(es) (like postmaster@domainname).

  3. The domain names that can be included in the account have to match the certificate of incorporation info when looking at the whois database or any accurate document linking the organisation and the domain name.

For precise requirements for different jurisdictions please contact support(at)cacert.org who will gladly put you in contact with an organisation assurer!

Organisation Assurers available

Country          Policy Available   Organisation Assurers Available
Germany          yes                yes
Austria          yes                yes
USA California   yes                yes
USA Colorado     yes                yes
USA Others       no                 yes
France           no                 yes

If there is an assurer but still no specific policy, requests have a far longer processing time and may not be completed, as some cases will need legal advice and, at the end, must pass the CAcert Board review.

Processing the request

The following statements are general and depend heavily on the local policies; contact your local assurer for details.

Common

Also make sure that the documents are fresh (<1 month) to support (at) cacert.org
or provide the web address of an online governmental organisation register database

Large organisations

Business Name Only

Faster

Check your data

Organisation Title   : choose one if several are registered
Contact Email        :
Registration organisation address =>
Town/Suburb          :
State/Province       : if applicable
Country              : + mention the 2 letter ISO code
Used domains are     :
                     :
                     :
                     :
Admins are           : CAcert main email address of admin + org department name if applicable
                     :
                     :
                     :

Example of letter from the executive/owner of the organisation

Required if the name of the requester does not appear on the Certificate of Incorporation. Scan and email the letter to support at cacert.org

The letter is written and signed by the person in charge of the organisation (replace company with association in your case)

Dear Sir,

I am requesting that an organisational account be created for my company, Company Name. This organisational account is associated to the following domains domain name list.

The technical contact for these Internet domains and the administrator for the CAcert organisation account is Admin Name, Admin title who is holding an assured CAcert account mail address

I have attached Company Name's Certificate of Incorporation. Optionally The following business register will show Company Name's active filing : web address of register

Add any extra information if needed

Sincerely, ...

Corporate use of organisational client certificates

Question

When I create an org client certificate, how does the user pick up the new certificate that is created?

Answer

The "corporate" use of org client certificates is to put them on a smartcard. Afterwards, you just give each user their USB smartcard with its PIN code and the certificate/private key loaded.

You'll probably need to configure the mail client on the user machine. Also, there is still an "underground" project to generate certs for Windows domains.

In this case, if you want to know which smartcard is easy to integrate, we can help you, so just ask support (at) cacert.org. Some people at CAcert support have tested several cards.

For example, there is a special type of card, the "java smartcard", but it's pretty complicated to use. Anyway, people at CAcert support frequently log in to the CAcert website and we're really happy to use smartcards to quickly log in, as the server safely gets our id from the card.

Note: the CAcert interface lets you generate the private key directly within the card and properly load the certs after signing.

If you have no smartcard, as a last resort, you can put the client cert from your browser certificate store into a PKCS#12 file, transfer it onto a USB memory key and give it to the user, but it's not really seamless ;(

Miscellaneous

(to read if you have extra time to spend)

Only the designers of the org support can tell, but here's my guess: the idea is to have an admin for one department (one for IT, one for HR, etc.).
2 options:
- deleting an admin and putting no Department, or giving the department field (OU) a more "general" sense instead of IT/Support.
- delegating cert creation to other "local" admins (only 50 points are needed for an admin AFAIR)
You can only generate certs for the domain(s) that is (are) registered for the org.
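
The restriction to the organisation's registered domains, mentioned here and under Purpose, can be applied by an org admin as a check before requesting certificates. This is an added example, not CAcert code: the function names and sample data are constructed, and treating subdomains of a registered domain as in scope is an assumption the page does not state.

```python
# Added example (not CAcert code): refuse certificate subjects that fall
# outside the domains registered for the organisation account.
# ASSUMPTION: a subdomain of a registered domain counts as in scope.

ORG_DOMAINS = ["example.org", "example.net"]   # constructed sample data
REQUESTS = [                                   # constructed sample data
    "alice@example.org", "www.example.net", "bob@mail.Example.ORG.",
    "carol@notexample.org", "example.org.other.test", "dave@example.com",
]

def normalise_domain(name):
    """Lower-case, drop a trailing dot and IDNA-encode a DNS name."""
    name = name.strip().rstrip(".").lower()
    if not name:
        raise ValueError("empty domain")
    # Punycode form, so a Unicode lookalike never equals an ASCII name.
    return name.encode("idna").decode("ascii")

def in_scope(name, org_domains):
    """True if name is a registered domain or a subdomain of one."""
    try:
        name = normalise_domain(name)
    except ValueError:          # UnicodeError is a ValueError subclass
        return False
    for registered in org_domains:
        registered = normalise_domain(registered)
        # Compare on a label boundary: "notexample.org" ends with
        # "example.org" as a string but is a different domain.
        if name == registered or name.endswith("." + registered):
            return True
    return False

def check_request(subject, org_domains):
    """Accept either a host name or an email address as the subject."""
    if "@" in subject:
        if subject.count("@") != 1:
            return False        # ambiguous address, refuse outright
        local, _, domain = subject.partition("@")
        return bool(local) and in_scope(domain, org_domains)
    return in_scope(subject, org_domains)

def triage(requests, org_domains):
    """Split requested subjects into (allowed, refused) lists."""
    allowed = [r for r in requests if check_request(r, org_domains)]
    refused = [r for r in requests if r not in allowed]
    return allowed, refused

if __name__ == "__main__":
    print(triage(REQUESTS, ORG_DOMAINS))
```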

FAQ - Frequently Asked Questions

Q: The technical representative in our company has been changed, and the old one used his personal CAcert account to issue our mission critical certificates. How could we change the login credentials to this site?

A: First, create a new account for yourself if not set up yet. Then do the following steps:

  1. Log in to the account.
  2. Go to "Dispute" -> "Domain".
  3. Enter the domain.
  4. Choose an email address you can reach, and dispute the domain.
  5. You'll get an email you have to approve, then the domain should be removed from the other's account.
  6. Afterwards you can add the domain to your own account, and issue a new certificate for it.

After all that, you should think about doing OrganisationAssurance, so that several people in your company can issue certificates, and it can continue without problems in case you leave the company too.

http://wiki.cacert.org/wiki/OrganisationEntities

see OrganisationRegister

Relevant Laws

Switzerland

Schweizerisches Zivilgesetzbuch

United States

Electronic Signatures in Global and National Commerce Act (PDF of the Act, Pub. L. No. 106-229, June 30, 2000)


OrganisationEntities (last edited 2010-08-19 14:40:02 by UlrichSchroeter)