Ĩesky | english
TTPs (Trusted Third Party)
All you need to know to assure someone under the CAcert TTP-Assisted-Assurance program
This page is intended for the Trusted Third Parties to get any informations about CAcert's TTP-program
Table of Contents
Questions that needs to be answered on this page
I'm an accepted TTP by CACert? (related on Which TTPs you can contact? Where to find a TTP?)
{+}
What I have to know about the TTP-program by CACert? (relates on How the TTP-Assisted-Assurance program works?)
{+}
Are you living in a country where the TTP-Assisted-Assurance program is applicable ?
{+}
What does the applicant has to consider before contacting a TTP?
{g}
What I have to check?
{+}
What I have to confirm?
{+}
What is the TTP procedure?
{+}
Do I have to contact a TTP-Admin?
{g}
Where to send the TTP CAP form?
{g}
What if the TTPuser has no TTP CAP form ? Where to find CAP forms?
{+}
What, if the applicant is below age of 18 years?
{+}
What is the TOPUP program?
{+}
(to be continue)
How the TTP-Assisted-Assurance program works?
The TTPAssurance is a program of CAcert to establish assurances in areas, where you do not find a CAcert assurer around the corner, to get as many members in these areas.
A user should try to find a CAcert assurer before he uses the TTPAssurance. It might be possible to combine a business or vacation trip with the possibility to get assured at your trip destination.
As CAcert is based on a Web of Trust (WoT) there is the need to establish this trust with a face to face meeting (F2F) normally with another CAcert member. If there is no CAcert member available one part of the F2F meeting can be conducted by a Trusted Third Party (TTP) which is approved for the users area.
Basically the process is the following.
If a user wants to get assured he is a TTPUser. First he needs to inform himself about CAcert and also about the TTPprocess.
Then he needs to fill out the first part TTPCAP form (Trusted Third Party CAcert Assurance Program) but he do not yet sign the form at this stage of the process.
With this TTPCAP form he meets with the TTP. The TTP checks his identity with at least one official government issued ID document with a photo. This check is recorded on the TTPCAP form. Then the TTPUser has to sign in presence of the TTP a few statements on the TTPCAP form to make sure he knows about the main aspects of CAcert. The TTP confirms that he witnessed the TTPUsers signing on the TTPCAP form. The TTPCAP form is now send via postal mail to CAcert.
After arrival of the TTPCAP form, a TTPAdmin takes it, checks if all requirements for the next steps are fulfilled, especially checks the TTPs validity. If the test is passed, the TTPAdmin enters the assurance in to the system and grants up to 35 points.
If a TTPUser wants to be able to get personalized certificates, he needs at least two assurances of different persons. In the case of TTPAssurance he need to go to two different TTP.
As the main aim of the TTPAssurance program is not only to get people to be able to get personalized certificates but also to get new assurers, there is a further step available: the TTPTopup.
Normally the track to become a CAcert assurer is the following:
A user needs at least 3 assurances with a F2F meeting and he has to pass the CAcert Assurer Challenge. As the assurer candidate sees in a normal assurance the steps how an assurance works, this is not given in the case of TTPAssurances. Therefore the TTPTopup steps in where a TTPAdmin acts as a tutor for the process of TTPUser on becoming an assurer.
The TTPAdmin trains the TTPUser in one or more online sessions in the assurance process (educated assurance). The TTP-admin instructs the TTP-user to start the CATS test.
If passed, the 3rd TTP-admin reviews the 2 previous TTP assurances, and collects additional evidence about the Community part of the assurance process from within the online sessions with the TTP-user and grants up to 35 TOPUP points, that qualifies the TTPUser to become an assurer.
The whole TTP process to become an CAcert assurer is given here
.................................................................. : : TTP (A) ----:--> TTP-Admin (1) --> 35 points max : / : \ : Assuree = - - - -: - > =-----------------> TTP-Admin (3) --> 35 points max : \ : / (Topup) : TTP (B) ----:--> TTP-Admin (2) --> 35 points max : : : :........ CAcert internal .......................................: | | | max points 0 ------------------------> 70 --------------------> 100 | + CATS + Topup +--> become an Assurer qualifies for | ------------------------> | --------------------> | Certs expires after 1/2 year Certs expires after 2 years + Code Signing + Assurer candidate
There have to be 2 different TTPs and there also have to be 3 different TTPAdmins in the process.
Is this program applicable to you?
Am I an accepted TTP by CACert?
Have a look if there is a TTP programm for your country in the list of approved TTP and if you match the requirements to act as TTP.
What are my duties?
The duty of the TTP is to assist the verification of a person and to witness the signing of the TTP CAP form as there is no CAcert assurer available to verify a person.
To verify a person you need to check at least one governmental issued photo identity documents according to CAcert's Assurance Policy if they match the person in front of you.
Within the TTP meeting you need to witness the signing of the following statements:
- The applicant agrees with the CCA and accept the CCA.
- The applicant agrees that he is aware of the R/L/O resulting from CCA 2.1./2.2./2.3
- The applicant agrees that he is aware of the CAcert internal arbitration and accepts the internal arbitration from CCA 3.1.
- The applicant confirms that the email address placed in the CAP-form is used as primary mail address for the account as long as the TTP assurance process is running and that he knows that he needs to have a working email address as primary address in his CAcert account.
Checklist for the TTPprocess
Get familiar with CAcert and read CCA http://www.cacert.org/policy/CAcertCommunityAgreement.php
- During the meeting
- Check the personality of a person with two government issued identity documents.
- Witness the signing of the TTP CAP
- Send TTP CAP to CAcert/TTPAdmin
- Await response from a TTP admin
Questions and Answers
Where to find CAP forms?
Do I have to contact a TTP-Admin?
What, if the applicant is below the age of 18 years?
to be continued
Question relates to TTPuser and is no question by a TTP itself, so "no other TTP" is wrong anyway
What, to do if there is no TTP available?
Where to find CAP forms?
CAP forms for TTP-Assisted-Assurances (WIP) There should be a sample TTP-CAP-form available for download so that you get familiar with the TTP-CAP-from.
What does the applicant has to consider before contacting a TTP?
- The TTP-users obligation is, to print out the customized TTP-CAP form, that he received by email from a TTP-assurer.
- Also to prepare a sufficiently stamped envelope with the postal adress of the TTP-assurer. The postal adress of the TTP-assurer is located on page 1 of the received printout of the customized TTP-CAP form.
- To check for validity of his Id documents (not expired, not tampered)
Has read the CAcert Community Agreement before going to the TTP
Do I have to contact a TTP-Admin?
No. - Usually there is no need for a TTP to get in contact to the TTPAdmin. If the TTPAdmin needs information he will get in contact with the TTPUser or the TTP.
Where to send the TTP CAP form?
The TTP-user will receive a pre-filled TTP-CAP form. This customized TTP-CAP form the TTP-user will bring to the Face-2-Face meeting with the TTP. Once the TTP-CAP form is filled by the TTP with his addtl. informations (Name of TTP, register, a.o.), the TTP puts the TTP-CAP forms into a prepared envelope, that he get from the TTP-user and sends this envelope with the postal address of a TTP-assurer to that address. The postal adress of the TTP-assurer is also located on page 1 of the multiple pages TTP-CAP form.
What, if the applicant is below the age of 18 years?
Currently TTP-assisted-assurance program is under deployment. Assurance of Junior members follows another special assurance program. So therefore the deployment of U18 program under TTP-assisted-assurance is delayed and therefore currently not applicable.
What to do if there is no TTP available in a country?
Probably there is no deployment for the TTP program yet for this country. To start a deployment for your country, you can write an email to support. They will forward your request to the appropriate mailing lists.
How you could assist in deployment ?
- Do you have useful information about possible TTP in your country?
- Do you have assurer contacts within your country or from other countries?
- Think about becoming an CAcert assurer yourself.
Question relates to TTPuser and is no question by a TTP itself, so "other TTP" is wrong anyway
- Do you have contact to possible TTP e.g. Notary Public who is willing in answering questions regarding TTP deployment for your country ?
WIP
TTPs Approved List
A list of TTP's that are accepted by CAcert.
The old Assurers TTP Matrix is only a suggestion, from the old days program that needs to be get approved. Needs the TTP to be registered in a register that can be checked by a TTP-Admin ?
Where to find a TTP ?