This document is deprecated. Please Refer to the Organisation Assurance Policy.
This is a translation of PolicyDrafts/OrganisationAssuranceGerman
DRAFT in Progress ...
It was made using Babelfish by a non-native English speaker, so it is _not_ good English. Native speakers who would like to correct it are welcome on board.
[Hi. I'm SteveHolden, a native English speaker. I'm also a director of the Python Software Foundation, and would like to say I'm happy to see you using MoinMoin. One important decision is whether to treat European English and American English as two separate languages :-)]. The Board have asked for help, so this is my way of supporting them.
[I'm LoyeYoung, a native of Texas, USA. Although Texans are often derided for their use of the language when speaking (especially if the person in question is or has ever been a President of the USA), we generally follow American English conventions when writing. I own Isaac & Young Computer Company in Laredo, Texas. I also graduated from The University of Texas School of Law in 1988 and practiced corporate and regulatory law for 8 years before going into technology, so I have a thought or three about the ideas expressed herein.]
See PolicyDrafts/OrganisationAssuranceGerman for updates and/or finish this translation.
Concept for CAcert Organisation Assurance:
Contents
- This document is deprecated. Please Refer to the Organisation Assurance Policy.
- CAcert Organisation Assurer (COA) driven Organisation Assurance (OA)
- Trusted Third Parties (TTP) driven Organisation Assurance
- Organisation Assurance Main Features
- Consequences of the changes in the life of the assured Organisation
CAcert Organisation Assurer (COA) driven Organisation Assurance (OA)
Unfortunately this COA method is useless in the USA or Canada: It would cost less to go to a commercial CA & buy a certificate than to go to a lawyer to be certified. State governments issue valid corporations a "Letter of good standing" (something similar is done in Canada) which is the proper way to handle this in North America; besides, it costs less than one tenth the cost of paying a lawyer (the lawyer would have to order the same government letter, then charge an extra $200-500 for his/her time). --Lance Haverkamp, Colorado, USA
Perhaps here (if not somewhere else) a brief note about the kind of organi{z,s}ations that might want to seek assurance, and why they might do so. SH
- An assurer of an organisation (COA) needs both:
  1/ * providing a proof of final legal training/study (e.g. lawyer, Rechtspfleger, Clerk, Greffier)
  OR
  2/ * a proof of a completed juridical degree or training (e.g. fully qualified lawyer, officer of justice)
  and
  * being already a CAcert Assurer with 150 points
How about: Individuals who assure organisations should normally be an accepted member of the legal profession in their country of practice. SH
LY: The standard as stated is sufficient, IMHO. It's not necessary for one to be a licensed member of the bar, and it's probably not even advisable for the Assurer to act in a lawyer capacity. In large corporate deals, each side will often ask for proof of the other's organizational status and good standing from the Secretary of State of the incorporating jurisdiction. In really big deals, each side will ask the other side's lawyer to opine. The legal opinions are expensive because the USA is the most litigious society on earth, and the lawyer will charge extra for the opinion to cover the additional perceived risk. The question also arises as to who is the lawyer's client, which presents its own vexing issues. In the instant case, all that is really needed is someone to ask the right questions, understand the plethora of types of legal entities, review the documentation, and know how to verify the documentation and information submitted. "Trained or graduated" seems like a good standard. Some will argue that a paralegal would have the requisite training, but my recommendation would be to stick to those who have graduated a recognized law school OR who have been licensed in the relevant jurisdiction. (A few jurisdictions (e.g., California) allow attorneys to be licensed without going to law school.)
* CAcert Organisation Assurers should assure organisations only from the countries in whose legal system they were trained and/or whose legal system they studied. OR * The CAcert Organisation Assurer should only be appointed if he/she is trained or graduated in the legal system of the appropriate country and is knowledgeable in it.
How about: Assurers may only practice in the countries in which they are legally qualified to do so. SH
- LY: I like the idea, but I would not use the word "practice". I would also not use "country", because in the USA (and a few other countries, too), local state law governs. A Pennsylvania lawyer would not likely have expertise with Texas corporate law. (Delaware corporate law in particular, however, is known to corporate lawyers throughout the USA.) Here's my suggestion:
At the time of application and at all subsequent times, the CAcert Organisation Assurer must have current legal expertise in the relevant jurisdiction, sufficient to review, verify, and approve the current, authoritative, and documented evidence of: (i) the applicant organisation's formation, identity, and continued legal existence, and (ii) organisational authority pursuant to which the application is made and the application signatory acts.
The Assurance (process?) must be requested by the executive committee of the organisation in by number entitled to act as substitute and/or be accordingly authorized the applicants and be proven this (note : hard to understand)
I read: The Assurance process must be requested by the executive committee (board?) of the organisation or by a sufficient number of its members acting as a trusted substitute, properly authorized.
How about: Requests for assurance can only be undertaken for organisations able to prove that the request has been properly authorized by an executive decision according to applicable constitutional and legal requirements. (This is also a bit long-winded. Board motions are acceptable, a telephone call from the Chief Accountant is not. Do examples help?) SH.
LY: My suggestion follows:
Each applicant organisation shall provide current, authoritative, and documented evidence of: (i) the applicant organisation's formation, identity, and continued legal existence, and (ii) the organisational authority pursuant to which the application is made and the application signatory acts.
The legal existence and main office location of the organisation must be proven with an official document, which should not be older than one week and may not be older than one month. (Is it a 1 week limit or a 1 month limit, or somewhere in the middle?)
LY:
"Current" means that the evidence is dated or authoritatively certified no earlier than 5 business days before the application is filed, or for good cause approved by the Assurer, no earlier than 30 calendar days before the application is filed.
"Authoritative" means that the evidence is of the official act of the relevant governing body or person.
"Documented" means that the evidence is in written, tangible form that bears the original seal, signature, or other official authentication of the relevant governing body or person, or is officially certified in written, tangible form satisfactory to the Assurer and consistent with local practice.
- If an official register exists, then a certified excerpt from the register must be provided.
- As far as possible the record document should be handed out or sent directly by the issuing place ("the register office") to the assurer.
- The assurer takes the documents to (fill?) the request. All documents are to be kept for 10 years.
This all seems to be trying to say what the assurer should accept as legal proof of corporate identity. Perhaps it would be easier to suggest that assurers must be prepared to defend their acceptance of a proof of identity in a court of law. That way the variations in jurisdiction need not affect the CPS. SH
Trusted Third Parties (TTP) driven Organisation Assurance
A special form must be filled out, and be signed by the executive committee of the organisation in number entitled to act as substitute and provided with firm stamp. (see beyond)
The existence and agency authorization (legal identity?) (see beyond) of the organisation must be proven with an official document, which should not be older than one week and may not be older than one month.
As far as official registers exist, a certified excerpt from the register must be submitted. (see beyond)
- The TTP confirms the existence of the organisation and agency authorization (?) on the form.
- The forms have to be sent to an OA or to CAcert.
This is a situation where again the acceptable authority might vary from place to place, so we need to avoid local considerations somehow. SH
Organisation Assurance Main Features
- Each organisation is assigned a special Organisation Master Account (OMA). With this account the following administrative tasks can be done:
- adding a domain (with verified by email request)
We should note that all email communications should be authenticated by encryption with a CAcert or other acceptable certificate. SH
- adding an organisation unit (OU)
- adding normal CAcert accounts as Organisation Branch Accounts (OBA)
- allocation of OU to OBAs
- signing of server certificates
- generating client certificates
- signing of PGP keys
- The Organisation Branch Accounts (OBA) can do the following administrative tasks, using the organisation data and domains as well as the assigned organisation units:
- signing of server certificates
- generating client certificates
- signing of PGP keys
Consequences of the changes in the life of the assured Organisation
If changes occur in the agency authorisation (existence or legal form of the organisation?), the new agency-authorised (organisation?) is justified (entitled?) to request the allocation (transfer?) of the organisation to another OMA or the deletion of the organisation in the CAcert systems and then to revoke all the certificates issued for the organisation.
How about: If the assured organisation ceases to exist CAcert may at its discretion immediately add any certificates issued to the assured organisation to its Certificate Revocation List (CRL). Transfer of an assured organisational identity to some other individual or organisation will be made at CAcert's discretion only after the receipt of proof of legal title to the assured identity. Basically I'm trying to say that mergers and takeovers are acceptable, arbitrary changes aren't. But we also need to say who decides, a question I have not addressed as I was not a party to the discussion. SH
I suspect we should also add CategoryCertificationPracticesStatement and add this page to that category. SH