| Field | Value | Date |
|---|---|---|
| author | Markus Warg <mw@it-sls.de> | 2010-03-29 09:54:06 +0200 |
| committer | Markus Warg <mw@it-sls.de> | 2010-03-29 09:54:06 +0200 |
| commit | 9dceece06fbdc98add6f76f0b1aec05891a394c4 (patch) | |
| tree | f7227c28ca5f79f30c2ec81ba1a09a4fe3972436 /www/policy/AssurancePolicy.php | |
| parent | 5b68967def224a00f54eb54946ff17301bbd3cdb (diff) | |
| download | cacert-devel-9dceece06fbdc98add6f76f0b1aec05891a394c4.tar.gz, cacert-devel-9dceece06fbdc98add6f76f0b1aec05891a394c4.tar.xz, cacert-devel-9dceece06fbdc98add6f76f0b1aec05891a394c4.zip | |
remove cacert/ prefix
Diffstat (limited to 'www/policy/AssurancePolicy.php')

| Mode | File | Changed lines |
|---|---|---|
| -rw-r--r-- | www/policy/AssurancePolicy.php | 723 |

1 files changed, 723 insertions, 0 deletions
diff --git a/www/policy/AssurancePolicy.php b/www/policy/AssurancePolicy.php new file mode 100644 index 0000000..37a0760 --- /dev/null +++ b/www/policy/AssurancePolicy.php 
@@ -0,0 +1,723 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> +<html><head> +<title>Assurance Policy</title> + +<meta name="CREATED" content="20080530;0"> +<meta name="CHANGEDBY" content="Teus Hagen"> +<meta name="CHANGED" content="20080709;12381800"> +<meta name="CREATEDBY" content="Ian Grigg"> +<meta name="CHANGEDBY" content="Teus Hagen"> +<meta name="CHANGEDBY" content="Robert Cruikshank"> +<meta name="CHANGEDBY" content="Teus Hagen"> +<style type="text/css"> +<!-- +P { color: #000000 } +TD P { color: #000000 } +H1 { color: #000000 } +H2 { color: #000000 } +DT { color: #000000 } +DD { color: #000000 } +H3 { color: #000000 } +TH P { color: #000000 } +--> +</style></head> +<body style="direction: ltr; color: rgb(0, 0, 0);" lang="en-GB"> +<h1>Assurance Policy for CAcert Community Members</h1> +<p><a href="PolicyOnPolicy.php"><img src="/images/cacert-policy.png" id="graphics1" alt="CAcert Policy Status == POLICY" align="bottom" border="0" height="33" width="90"></a> +<br> +Editor: Teus Hagen<br> +Creation date: 2008-05-30<br> +Last change by: Iang<br> +Last change date: 2009-01-08<br> +Status: POLICY p20090105.2 +</p> + +<h2><a name="0">0.</a> Preamble</h2> +<h3><a name="0.1">0.1.</a> Definition of Terms</h3> +<dl> +<dt><i>Member</i> </dt> +<dd> A Member is an individual who has agreed to the CAcert +Community Agreement +(<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php" target="_blank">CCA</a>) +and has created successfully +a CAcert login account on the CAcert web site. </dd> +<dt> <i>Assurance</i> </dt> +<dd> Assurance is the process by which a Member of CAcert +Community (Assurer) identifies an individual (<span lang="en-US">Assuree</span>). +</dd> +<dt> <i>Prospective Member</i> </dt> +<dd> An individual who participates in the process of Assurance, +but has not yet created a CAcert login account. </dd> +<dt> <i>Name</i> </dt> +<dd> A Name is the full name of an individual. 
+</dd> +<dt> <i>Secondary Distinguishing Feature</i> +</dt> +<dd> An additional personal data item of the Member +that assists discrimination from Members with similar full names. +(Currently this is the Date of Birth (DoB).) +</dd> +</dl> + +<h3><a name="0.2">0.2.</a> The CAcert Web of Trust</h3> +<p> +In face-to-face meetings, +an Assurer allocates a number of Assurance Points +to the Member being Assured. +CAcert combines the Assurance Points +into a global <i>Web-of-Trust</i> (or "WoT"). +</p> +<p> +CAcert explicitly chooses to meet its various goals by +construction of a Web-of-Trust of all Members. +</p> + +<h3><a name="0.3">0.3.</a> Related Documentation</h3> +<p> +Documentation on Assurance is split between this +Assurance Policy (AP) and the +<a href="http://wiki.cacert.org/wiki/AssuranceHandbook2" target="_blank">Assurance +Handbook</a>. The policy is controlled by Configuration Control +Specification +(<a href="http://wiki.cacert.org/wiki/PolicyDrafts/ConfigurationControlSpecification" target="_blank">CCS</a>) +under Policy on Policy +(<a href="http://www.cacert.org/policy/PolicyOnPolicy.php" target="_blank">PoP</a>) +policy document regime. Because Assurance is an active area, much +of the practice is handed over to the Assurance Handbook, which is +not a controlled policy document, and can more easily respond to +experience and circumstances. It is also more readable. +</p> +<p> +See also Organisation Assurance Policy (<a href="http://www.cacert.org/policy/OrganisationAssurancePolicy.php" target="_blank">OAP</a>) +and CAcert Policy Statement (<a href="http://svn.cacert.org/CAcert/policy.htm" target="_blank">CPS</a>). +</p> + +<h2><a name="1">1.</a> Assurance Purpose</h2> +<p>The purpose of Assurance is to add confidence +in the Assurance Statement made by the CAcert Community of a Member. 
</p> +<p>With sufficient assurances, a Member may: (a) issue certificates +with their assured Name included, (b) participate in assuring others, +and (c) other related activities. The strength of these activities is +based on the strength of the assurance. </p> + +<h3><a name="1.1">1.1.</a>The Assurance Statement</h3> +<p> +The Assurance Statement makes the following claims +about a person: +</p> +<ol> +<li> +<p>The person is a bona fide Member. In other words, the +person is a member of the CAcert Community as defined by the CAcert +Community Agreement (<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php" target="_blank">CCA</a>); </p> +</li> +<li> +<p>The Member has a (login) account with CAcert's on-line +registration and service system; </p> +</li> +<li> +<p>The Member can be determined from any CAcert certificate +issued by the Account; </p> +</li> +<li> +<p>The Member is bound into CAcert's Arbitration as defined +by the CAcert Community Agreement; </p> +</li> +<li> +<p>Some personal details of the Member are known to CAcert: +the individual Name(s), primary and other listed individual email +address(es), secondary distinguishing feature (e.g. DoB). </p> +</li> +</ol> +<p>The confidence level of the Assurance Statement is expressed by +the Assurance Points. </p> +<h3><a name="1.2">1.2.</a>Relying Party Statement</h3> +<p>The primary goal of the Assurance Statement is for the express +purpose of certificates to meet the needs of the <i>Relying Party +Statement</i>, which latter is found in the Certification Practice +Statement (<a href="http://svn.cacert.org/CAcert/policy.htm" target="_blank">CPS</a>). +</p> +<p>When a certificate is issued, some of the Assurance Statement may +be incorporated, e.g. Name. Other parts may be implied, e.g. +Membership, exact account and status. They all are part of the +<i>Relying Party Statement</i>. 
In short, this means that other +Members of the Community may rely on the information verified by +Assurance and found in the certificate.</p> +<p>In particular, certificates are sometimes considered to provide +reliable indications of e.g. the Member's Name and email address. The +nature of Assurance, the number of Assurance Points, and other +policies and processes should be understood as limitations on any +reliance. </p> +<h2><a name="2">2.</a> The Member</h2> +<h3><a name="2.1">2.1.</a> The Member's Name </h3> +<p> +At least one individual Name is recorded in the Member's +CAcert login account. The general standard of a Name is: +</p> +<ul> +<li> +<p> +The Name should be recorded as written in a +government-issued photo identity document (ID). +</p> +</li> +<li> +<p> +The Name should be recorded as completely as possible. +That is, including all middle names, any titles and extensions, +without abbreviations, and without transliteration of characters. +</p> +</li> +<li> +<p>The Name is recorded as a string of characters, +encoded in <span lang="en-US">unicode</span> +transformation format.</p> +</li> +</ul> +<h3><a name="2.2">2.2.</a> Multiple Names and variations</h3> +<p> +In order to handle the contradictions in the above general standard, +a Member may record multiple Names or multiple variations of a Name +in her CAcert online Account. +Examples of variations include married names, +variations of initials of first or middle names, +abbreviations of a first name, +different language or country variations, +and transliterations of characters in a name. +</p> + +<h3><a name="2.3">2.3.</a> Status and Capabilities</h3> +<p> +A Name which has reached +the level of 50 Assurance Points is defined as an Assured +Name. An Assured Name can be used in a certificate issued by CAcert. +A Member with at least one Assured Name has reached the Assured +Member status. +Additional capabilities are described in Table 1. 
+</p> + +<blockquote> +<p align="left"><font size="2"><i>Table 1: +Assurance Capability</i></font></p> +<table border="1" cellpadding="5" cellspacing="0"> +<tbody> +<tr> +<td width="10%"> +<p align="left"><i>Minimum Assurance Points</i></p> +</td> +<td width="15%"> +<p align="left"><i>Capability</i></p> +</td> +<td width="15%"> +<p align="left"><i>Status</i></p> +</td> +<td width="60%"> +<p align="left"><i>Comment</i></p> +</td> +</tr> +<tr valign="top"> +<td> +<p align="center">0</p> +</td> +<td> +<p align="left">Request Assurance</p> +</td> +<td> +<p align="left">Prospective Member</p> +</td> +<td> +<p align="left">Individual taking part of an +Assurance, who does not have created a CAcert login account (yet). The +allocation of Assurance Points is awaiting login account creation.</p> +</td> +</tr> +<tr valign="top"> +<td> +<p align="center">0</p> +</td> +<td> +<p align="left">Request unnamed certificates</p> +</td> +<td> +<p align="left">Member</p> +</td> +<td> +<p align="left">Although the Member's details are +recorded in the account, they are not highly assured.</p> +</td> +</tr> +<tr valign="top"> +<td> +<p align="center">50</p> +</td> +<td> +<p align="left">Request named certificates</p> +</td> +<td> +<p align="left">Assured Member</p> +</td> +<td> +<p align="left">Statements of Assurance: the Name is +assured to 50 Assurance Points or more</p> +</td> +</tr> +<tr valign="top"> +<td> +<p align="center">100</p> +</td> +<td> +<p align="left">Become an Assurer</p> +</td> +<td> +<p align="left">Prospective Assurer</p> +</td> +<td> +<p align="left">Assured to 100 Assurance Points (or +more) on at least one Name, and passing the Assurer Challenge.</p> +</td> +</tr> +</tbody> +</table> +</blockquote> + + +<p> +A Member may check the status of another Member, especially +for an assurance process. +Status may be implied from information in a certificate. +The number of Assurance Points for each Member is not published. 
+</p> + +<p> +The CAcert Policy Statement +(<a href="http://svn.cacert.org/CAcert/policy.htm" target="_blank">CPS</a>) +and other policies may list other capabilities that rely on Assurance +Points. +</p> + +<h2><a name="3">3.</a> The Assurer</h2> +<p>An Assurer is a Member with the following: </p> +<ul> +<li> +<p>Is assured to a minimum of 100 Assurance Points; </p> +</li> +<li> +<p>Has passed the CAcert Assurer Challenge. </p> +</li> +</ul> +<p>The Assurer Challenge is administered by the Education Team on +behalf of the Assurance Officer. </p> +<h3><a name="3.1">3.1.</a> The Obligations of the Assurer</h3> +<p>The Assurer is obliged to: </p> +<ul> +<li> +<p>Follow this Assurance Policy; </p> +</li> +<li> +<p>Follow any additional rules of detail laid out by the +CAcert Assurance Officer; </p> +</li> +<li> +<p>Be guided by the CAcert <a href="http://wiki.cacert.org/wiki/AssuranceHandbook2" target="_blank">Assurance Handbook</a> in their +judgement; </p> +</li> +<li> +<p>Make a good faith effort at identifying and verifying +Members; </p> +</li> +<li> +<p>Maintain the documentation on each Assurance; </p> +</li> +<li> +<p>Deliver documentation to Arbitration, or as otherwise +directed by the Arbitrator; </p> +</li> +<li> +<p>Keep up-to-date with developments within the CAcert +Community. </p> +</li> +</ul> +<h2><a name="4">4.</a> The Assurance</h2> +<h3><a name="4.1">4.1.</a> The Assurance Process</h3> +<p>The Assurer conducts the process of Assurance with each +Member. 
</p> +<p>The process consists of: </p> +<ol> +<li> +<p>Voluntary agreement by both Assurer and Member or +Prospective Member to conduct the Assurance; </p> +</li> +<li> +<p>Personal meeting of Assurer and Member or Prospective +Member; </p> +</li> +<li> +<p>Recording of essential details on CAcert Assurance +Programme form; </p> +</li> +<li> +<p>Examination of Identity documents by Assurer and +verification of recorded details (the Name(s) and Secondary +Distinguishing Feature, e.g., DoB); </p> +</li> +<li> +<p>Allocation of Assurance Points by Assurer; </p> +</li> +<li> +<p>Optional: supervision of reciprocal Assurance made by +Assuree (Mutual Assurance); </p> +</li> +<li> +<p>Safekeeping of the CAcert Assurance Programme (<a href="http://www.cacert.org/cap.php" target="_blank">CAP</a>) +forms by Assurer. </p> +</li> +</ol> +<h3><a name="4.2">4.2.</a> Mutual Assurance</h3> +<p>Mutual Assurance follows the principle of reciprocity. This +means +that the Assurance may be two-way, and that each member participating +in the Assurance procedure should be able to show evidence of their +identity to the other. </p> +<p>In the event that an Assurer is assured by a Member who is not +certified as an Assurer, the Assurer supervises the Assurance +procedure and process, and is responsible for the results. </p> +<p>Reciprocity maintains a balance between the (new) member and +the +Assurer, and reduces any sense of power. It is also an important aid +to the assurance training for future Assurers. </p> + +<h3><a name="4.3">4.3.</a> Assurance Points</h3> +<p>The Assurance applies Assurance Points to each Member which +measure the increase of confidence in the Statement (above). +Assurance Points should not be interpreted for any other purpose. +Note that, even though they are sometimes referred to as <i>Web-of-Trust</i> +(Assurance) Points, or <i>Trust</i> Points, the meaning +of the word +'Trust' is not well defined. 
</p> +<p><i>Assurance Points Allocation</i><br> +An Assurer can allocate a +number of Assurance Points to the Member according to the Assurer's +experience (Experience Point system, see below). The allocation of +the maximum means that the Assurer is 100% confident in the +information presented: </p> +<ul> +<li> +<p>Detail on form, system, documents, person in accordance; </p> +</li> +<li> +<p>Sufficient quality identity documents have been checked; </p> +</li> +<li> +<p>Assurer's familiarity with identity documents; </p> +</li> +<li> +<p>The Assurance Statement is confirmed. </p> +</li> +</ul> +<p> +Any lesser confidence should result in less Assurance Points for a +Name. If the Assurer has no confidence in the information presented, +then <i>zero</i> Assurance Points may be allocated by the Assurer. +For example, this may happen if the identity documents are totally +unfamiliar to the Assurer. The number of Assurance Points from <i>zero</i> +to <i>maximum</i> is guided by the Assurance Handbook +and the judgement of the Assurer. +If there is negative confidence the Assurer should consider +filing a dispute. +</p> +<p>Multiple Names should be allocated Assurance Points +independently within a single Assurance. </p> +<p> +A Member who is not an Assurer may award an Assurer in a +reciprocal process a maximum of 2 Assurance Points, according to +her judgement. The Assurer should strive to have the Member allocate +according to the Member's judgement, and stay on the cautious side; +the Member new to the assurance process +should allocate <i>zero</i> Assurance Points +until she gains some confidence in what is happening. +</p> +<p> +In general, for a Member to reach 50 Assurance Points, the Member must +have participated in at least two assurances, and +at least one Name will have been assured to that level. +</p> +<p> +To reach 100 Assurance +Points, at least one Name of the Assured Member must have been +assured at least three times. 
+</p> +<p> +The maximum number of Assurance +Points which can be allocated for an Assurance under this policy +and under any act under any +Subsidiary Policy (below) is 50 Assurance Points. +</p> + +<h3><a name="4.4">4.4.</a> Experience Points</h3> +<p>The maximum number of Assurance Points that may be awarded by +an +Assurer is determined by the Experience Points of the Assurer. </p> +<blockquote> +<p align="left"><font size="2"><i>Table 2: +Maximum of Assurance Points </i></font> +</p> +<table border="1" cellpadding="2" cellspacing="0" width="15%"> +<tbody> +<tr> +<td> +<p><i>Assurer's Experience Points</i></p> +</td> +<td> +<p><i>Allocatable Assurance Points</i></p> +</td> +</tr> +<tr> +<td> +<p align="center">0</p> +</td> +<td> +<p align="center">10</p> +</td> +</tr> +<tr> +<td> +<p align="center">10</p> +</td> +<td> +<p align="center">15</p> +</td> +</tr> +<tr> +<td> +<p align="center">20</p> +</td> +<td> +<p align="center">20</p> +</td> +</tr> +<tr> +<td> +<p align="center">30</p> +</td> +<td> +<p align="center">25</p> +</td> +</tr> +<tr> +<td> +<p align="center">40</p> +</td> +<td> +<p align="center">30</p> +</td> +</tr> +<tr> +<td> +<p align="center">>=50</p> +</td> +<td> +<p align="center">35</p> +</td> +</tr> +</tbody> +</table> +</blockquote> +<p>An Assurer is given a maximum of 2 Experience Points for every +completed Assurance. On reaching Assurer status, the Experience +Points start at 0 (zero). </p> +<p>Less Experience Points (1) may be given for mass Assurance +events, +where each Assurance is quicker. </p> +<p>Additional Experience Points may be granted temporarily or +permanently to an Assurer by CAcert Inc.'s Committee (board), on +recommendation from the Assurance Officer. </p> +<p>Experience Points are not to be confused with Assurance +Points. 
</p> +<h3><a name="4.5">4.5.</a> CAcert Assurance Programme (CAP) form</h3> +<p>The CAcert Assurance Programme (<a href="http://www.cacert.org/cap.php" target="_blank">CAP</a>) +form requests the following details of each Member or Prospective +Member: </p> +<ul> +<li> +<p>Name(s), as recorded in the on-line account; </p> +</li> +<li> +<p>Primary email address, as recorded in the on-line account; +</p> +</li> +<li> +<p>Secondary Distinguishing Feature, as recorded in the +on-line account (normally, date of birth); </p> +</li> +<li> +<p>Statement of agreement with the CAcert Community +Agreement; </p> +</li> +<li> +<p>Permission to the Assurer to conduct the Assurance +(required for privacy reasons); </p> +</li> +<li> +<p>Date and signature of the Assuree. </p> +</li> +</ul> +<p>The CAP form requests the following details of the Assurer: </p> +<ul> +<li> +<p>At least one Name as recorded in the on-line account of +the Assurer; </p> +</li> +<li> +<p>Assurance Points for each Name in the identity +document(s); </p> +</li> +<li> +<p>Statement of Assurance; </p> +</li> +<li> +<p>Optional: If the Assurance is reciprocal, then the +Assurer's email address and Secondary Distinguishing Feature are +required as well; </p> +</li> +<li> +<p>Date, location of Assurance and signature of Assurer. </p> +</li> +</ul> +<p>The CAP forms are to be kept at least for 7 years by the +Assurer. </p> +<h2><a name="5">5.</a> The Assurance Officer</h2> +<p>The Committee (board) of CAcert Inc. 
appoints an Assurance +Officer +with the following responsibilities: </p> +<ul> +<li> +<p>Reporting to the Committee and advising on all matters to +do with Assurance; </p> +</li> +<li> +<p>Training and testing of Assurers, in association with the +Education Team; </p> +</li> +<li> +<p>Updating this Assurance Policy, under the process +established by Policy on Policy (<a href="https://www.cacert.org/policy/PolicyOnPolicy.php" target="_blank">PoP</a>); </p> +</li> +<li> +<p>Management of all Subsidiary Policies (see below) for +Assurances, under Policy on Policy; </p> +</li> +<li> +<p>Managing and creating rules of detail or procedure where +inappropriate for policies; </p> +</li> +<li> +<p>Incorporating rulings from Arbitration into policies, +procedures or guidelines; </p> +</li> +<li> +<p>Assisting the Arbitrator in any requests; </p> +</li> +<li> +<p>Managing the Assurer Handbook; </p> +</li> +<li> +<p>Maintaining a sufficient strength in the Assurance process +(web-of-trust) to meet the agreed needs of the Community. </p> +</li> +</ul> +<h2><a name="6">6.</a> Subsidiary Policies</h2> +<p>The Assurance Officer manages various exceptions and additional +processes. Each must be covered by an approved Subsidiary Policy +(refer to Policy on Policy => CAcert Official Document COD1). +Subsidiary Policies specify any additional tests of knowledge +required and variations to process and documentation, within the +general standard stated here. </p> +<h3><a name="6.1">6.1.</a> Standard</h3> +<p>Each Subsidiary Policy must augment and improve the general +standards in this Assurance Policy. It is the responsibility of each +Subsidiary Policy to describe how it maintains and improves the +specific and overall goals. It must describe exceptions and potential +areas of risk. 
</p> + +<h3><a name="6.2">6.2.</a> High Risk Applications</h3> +<p>In addition to the Assurance or Experience Points ratings set +here and in other subsidiary policies, the Assurance Officer or policies can +designate certain applications as high risk. If so, additional +measures may be added to the Assurance process that specifically +address the risks.</p> +<p>Additional measures may include: +</p> +<ul> +<li> +<p>Additional information can be required in process of assurance: </p> +<ul> +<li>unique numbers of identity documents,</li> +<li>photocopy of identity documents,</li> +<li>photo of User,</li> +<li>address of User.</li> +</ul> +<p>Additional Information is to be kept by Assurer, attached to +CAcert Assurance Programme (<a href="http://www.cacert.org/cap.php" target="_blank">CAP</a>) +form. Assurance Points allocation by this assurance is unchanged. +User's CAcert login account should be annotated to record type of +additional information;</p> +</li> +<li> +<p>Arbitration: </p> +<ul> +<li> Member to participate in Arbitration. This confirms +their acceptance of the forum as well as trains in the process and +import, +</li> +<li> Member to file Arbitration to present case. This +allows Arbitrator as final authority; +</li> +</ul> +</li> +<li> +<p>Additional training; </p> +</li> +<li> +<p>Member to be Assurer (at least 100 Assurance Points and +passed Assurer Challenge); </p> +</li> +<li> +<p>Member agrees to additional specific agreement(s); </p> +</li> +<li> +<p>Additional checking/auditing of systems data by CAcert +support administrators. </p> +</li> +</ul> +<p>Applications that might attract additional measures include +code-signing certificates and administration roles. </p> +<h2><a name="7">7.</a> Privacy</h2> +<p>CAcert is a "privacy" organisation, and takes the +privacy of its Members seriously. The process maintains the security +and privacy of both parties. 
</p> +<p>Information is collected primarily to make claims within the +certificates requested by users and to contact the Members. It is +used secondarily for training, testing, administration and other +internal purposes. </p> +<p>The Member's information can be accessed under these +circumstances: </p> +<ul> +<li> +<p>Under Arbitrator ruling, in a duly filed dispute (<a href="http://www.cacert.org/policy/DisputeResolutionPolicy.php" target="_blank">Dispute Resolution Policy</a> +=> COD7); </p> +</li> +<li> +<p>An Assurer in the process of an Assurance, as permitted on +the CAcert Assurance Programme (<a href="http://www.cacert.org/cap.php" target="_blank">CAP</a>) +form; </p> +</li> +<li> +<p>CAcert support administration and CAcert systems +administration when operating under the authority of Arbitrator or +under CAcert policy. </p> +</li> +</ul> +<p><a href="http://validator.w3.org/check?uri=referer"><img src="/images/valid-xhtml11-blue" id="graphics2" alt="Valid XHTML 1.1" align="bottom" border="0" height="33" width="90"></a> +</p> +</body></html> + |
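Review bot: the links to sibling policy documents in this hunk are inconsistent in scheme and form, which matters because the file itself lives under www/policy: the header image links Policy on Policy relatively as `PolicyOnPolicy.php`, section 0.3 links it as `http://www.cacert.org/policy/PolicyOnPolicy.php`, and section 5 links it as `https://www.cacert.org/policy/PolicyOnPolicy.php`, while the CCA, DRP and CAP links (sections 0.1, 1.1, 4.1, 4.5, 6.2, 7) are all hard-coded `http://www.cacert.org/...`. A reader who arrived over https is sent to plain-http copies of the CCA and the dispute policy, and the three forms of the same link will drift apart over time. Suggest site-relative hrefs throughout (`PolicyOnPolicy.php`, `CAcertCommunityAgreement.php`, `DisputeResolutionPolicy.php`, `/cap.php`), which also drops the host name so the same file serves the test and production hosts. Two smaller points in the same file: the document opens with `<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">` and uses unclosed `<meta>`, `<br>` and `<img>` tags, yet the footer badge claims "Valid XHTML 1.1" and points at `/images/valid-xhtml11-blue` with no file extension, so either the doctype or the badge is wrong and the asset path should be checked; and the four `<meta name="CHANGEDBY">` entries in `<head>` are word-processor export residue that duplicates the visible "Editor / Last change by" block and could be dropped. Cosmetic: the `>=50` cell in Table 2 is cleaner as `&gt;=50`.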