summaryrefslogtreecommitdiff
path: root/www/policy/OrganisationAssurancePolicy.php
diff options
context:
space:
mode:
authorMarkus Warg <mw@it-sls.de>2010-03-29 09:54:06 +0200
committerMarkus Warg <mw@it-sls.de>2010-03-29 09:54:06 +0200
commit9dceece06fbdc98add6f76f0b1aec05891a394c4 (patch)
treef7227c28ca5f79f30c2ec81ba1a09a4fe3972436 /www/policy/OrganisationAssurancePolicy.php
parent5b68967def224a00f54eb54946ff17301bbd3cdb (diff)
downloadcacert-devel-9dceece06fbdc98add6f76f0b1aec05891a394c4.tar.gz
cacert-devel-9dceece06fbdc98add6f76f0b1aec05891a394c4.tar.xz
cacert-devel-9dceece06fbdc98add6f76f0b1aec05891a394c4.zip
remove cacert/ prefix
Diffstat (limited to 'www/policy/OrganisationAssurancePolicy.php')
-rw-r--r--www/policy/OrganisationAssurancePolicy.php379
1 files changed, 379 insertions, 0 deletions
diff --git a/www/policy/OrganisationAssurancePolicy.php b/www/policy/OrganisationAssurancePolicy.php
new file mode 100644
index 0000000..7d8699c
--- /dev/null
+++ b/www/policy/OrganisationAssurancePolicy.php
@@ -0,0 +1,379 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+
+<html>
+<head><title>Organisation Assurance Policy</title></head>
+<body>
+
+<table width="100%">
+
+<tr>
+<td> OAP </td>
+<td> </td>
+<td width="20%"> Jens </td>
+</tr>
+
+<tr>
+<td> POLICY&nbsp;<a href="http://wiki.cacert.org/wiki/TopMinutes-20070917">m20070918.x</a> </td>
+<td> </td>
+<td>
+ $Date: 2008-01-18 22:56:31 $
+ <!--
+ to get this to work, we have to do this:
+ svn propset svn:keywords "Date" file.html
+ except it does not work through the website.
+ -->
+</td>
+</tr>
+
+<tr>
+<td> COD11 </td>
+<td> </td>
+<td> </td>
+</tr>
+
+
+<tr>
+<td> </td>
+<td > <b>Organisation&nbsp;Assurance&nbsp;Policy</b> </td>
+<td> </td>
+</tr>
+
+</table>
+
+
+
+<h2> <a name="0"> 0. </a> Preliminaries </h2>
+
+<p>
+This policy describes how Organisation Assurers ("OAs")
+conduct Assurances on Organisations.
+It fits within the overall web-of-trust
+or Assurance process of Cacert.
+</p>
+
+<p>
+This policy is not a Controlled document, for purposes of
+Configuration Control Specification ("CCS").
+</p>
+
+<h2> <a name="1"> 1. </a> Purpose </h2>
+
+<p>
+Organisations with assured status can issue certificates
+directly with their own domains within.
+</p>
+
+<p>
+The purpose and statement of the certificate remains
+the same as with ordinary users (natural persons)
+and as described in the CPS.
+</p>
+
+<ul><li>
+ The organisation named within is identified.
+ </li><li>
+ The organisation has been verified according
+ to this policy.
+ </li><li>
+ The organisation is within the jurisdiction
+ and can be taken to Arbitration.
+</li></ul>
+
+
+<h2> <a name="2"> 2. </a> Roles and Structure </h2>
+
+<h3> <a name="2.1"> 2.1 </a> Assurance Officer </h3>
+
+<p>
+The Assurance Officer ("AO")
+manages this policy and reports to the board.
+</p>
+
+<p>
+The AO manages all OAs and is responsible for process,
+the CAcert Organisation Assurance Programme form ("COAP"),
+OA training and testing, manuals, quality control.
+In these responsibilities, other Officers will assist.
+</p>
+
+<h3> <a name="2.2"> 2.2 </a> Organisation Assurers </h3>
+
+<p>
+</p>
+
+<ol type="a"> <li>
+ An OA must be an experienced Assurer
+ <ol type="i">
+ <li>Have 150 assurance points.</li>
+ <li>Be fully trained and tested on all general Assurance processes.</li>
+ </ol>
+
+ </li><li>
+ Must be trained as Organisation Assurer.
+ <ol type="i">
+ <li> Global knowledge: This policy. </li>
+ <li> Global knowledge: A OA manual covers how to do the process.</li>
+ <li> Local knowledge: legal forms of organisations within jurisdiction.</li>
+ <li> Basic governance. </li>
+ <li> Training may be done a variety of ways,
+ such as on-the-job, etc. </li>
+ </ol>
+
+ </li><li>
+ Must be tested.
+ <ol type="i">
+ <li> Global test: Covers this policy and the process. </li>
+ <li> Local knowledge: Subsidiary Policy to specify.</li>
+ <li> Tests to be created, approved, run, verified
+ by CAcert only (not outsourced). </li>
+ <li> Tests are conducted manually, not online/automatic. </li>
+ <li> Documentation to be retained. </li>
+ <li> Tests may include on-the-job components. </li>
+ </ol>
+
+ </li><li>
+ Must be approved.
+ <ol type="i">
+ <li> Two supervising OAs must sign-off on new OA,
+ as trained, tested and passed.
+ </li>
+ <li> AO must sign-off on a new OA,
+ as supervised, trained and tested.
+ </li>
+ </ol>
+</ol>
+
+
+
+<h3> <a name="2.3"> 2.3 </a> Organisation Administrator </h3>
+
+<p>
+The Administrator within each Organisation ("O-Admin")
+is the one who handles the assurance requests
+and the issuing of certificates.
+</p>
+
+<ol type="a"> <li>
+ O-Admin must be Assurer
+ <ol type="i">
+ <li>Have 100 assurance points.</li>
+ <li>Fully trained and tested as Assurer.</li>
+ </ol>
+
+ </li><li>
+ Organisation is required to appoint O-Admin,
+ and appoint ones as required.
+ <ol type="i">
+ <li> On COAP Request Form.</li>
+ </ol>
+
+ </li><li>
+ O-Admin must work with an assigned OA.
+ <ol type="i">
+ <li> Have contact details.</li>
+ </ol>
+</ol>
+
+
+<h2> <a name="3"> 3. </a> Policies </h2>
+
+<h3> <a name="3.1"> 3.1 </a> Policy </h3>
+
+<p>
+There is one policy being this present document,
+and several subsidiary policies.
+</p>
+
+<ol type="a">
+ <li> This policy authorises the creation of subsidiary policies. </li>
+ <li> This policy is international. </li>
+ <li> Subsidiary policies are implementations of the policy. </li>
+ <li> Organisations are assured under an appropriate subsidiary policy. </li>
+</ol>
+
+<h3> <a name="3.2"> 3.2 </a> Subsidiary Policies </h3>
+
+<p>
+The nature of the Subsidiary Policies ("SubPols"):
+</p>
+
+<ol type="a"><li>
+ SubPols are purposed to check the organisation
+ under the rules of the jurisdiction that creates the
+ organisation. This does not evidence an intention
+ by CAcert to
+ enter into the local jurisdiction, nor an intention
+ to impose the rules of that jurisdiction over any other
+ organisation.
+ CAcert assurances are conducted under the jurisdiction
+ of CAcert.
+ </li><li>
+ For OAs,
+ SubPol specifies the <i>tests of local knowledge</i>
+ including the local organisational forms.
+ </li><li>
+ For assurances,
+ SubPol specifies the <i>local documentation forms</i>
+ which are acceptable under this SubPol to meet the
+ standard.
+ </li><li>
+ SubPols are subjected to the normal
+ policy approval process.
+</li></ol>
+
+<h3> <a name=""> </a> 3.3 Freedom to Assemble </h3>
+
+<p>
+Subsidiary Policies are open, accessible and free to enter.
+</p>
+
+<ol type="a"><li>
+ SubPols compete but are compatible.
+ </li><li>
+ No SubPol is a franchise.
+ </li><li>
+ Many will be on State or National lines,
+ reflecting the legal
+ tradition of organisations created
+ ("incorporated") by states.
+ </li><li>
+ However, there is no need for strict national lines;
+ it is possible to have 2 SubPols in one country, or one
+ covering several countries with the same language
+ (e.g., Austria with Germany, England with Wales but not Scotland).
+ </li><li>
+ There could also be SubPols for special
+ organisations, one person organisations,
+ UN agencies, churches, etc.
+ </li><li>
+ Where it is appropriate to use the SubPol
+ in another situation (another country?), it
+ can be so approved.
+ (e.g., Austrian SubPol might be approved for Germany.)
+ The SubPol must record this approval.
+</li></ol>
+
+
+<h2> <a name="4"> 4. </a> Process </h2>
+
+<h3> <a name="4.1"> 4.1 </a> Standard of Organisation Assurance </h3>
+<p>
+The essential standard of Organisation Assurance is:
+</p>
+
+<ol type="a"><li>
+ the organisation exists
+ </li><li>
+ the organisation name is correct and consistent:
+ <ol type="i">
+ <li>in official documents specified in SubPol.</li>
+ <li>on COAP form.</li>
+ <li>in CAcert database.</li>
+ <li>form or type of legal entity is consistent</li>
+ </ol>
+ </li><li>
+ signing rights:
+ requestor can sign on behalf of the organisation.
+ </li><li>
+ the organisation has agreed to the terms of the
+ Registered User Agreement,
+ and is therefore subject to Arbitration.
+</li></ol>
+
+<p>
+ Acceptable documents to meet above standard
+ are stated in the SubPol.
+</p>
+
+<h3> <a name="4.2"> 4.2 </a> COAP </h3>
+<p>
+The COAP form documents the checks and the resultant
+assurance results to meet the standard.
+Additional information to be provided on form:
+</p>
+
+<ol type="a"><li>
+ CAcert account of O-Admin (email address?)
+ </li><li>
+ location:
+ <ol type="i">
+ <li>country (MUST).</li>
+ <li>city (MUST).</li>
+ <li>additional contact information (as required by SubPol).</li>
+ </ol>
+ </li><li>
+ administrator account names (1 or more)
+ </li><li>
+ domain name(s)
+ </li><li>
+ Agreement with registered user agreement.
+ Statement and initials box for organsation
+ and also for OA.
+ </li><li>
+ Date of completion of Assurance.
+ Records should be maintained for 7 years from
+ this date.
+</li></ol>
+
+<p>
+The COAP should be in English. Where translations
+are provided, they should be matched to the English,
+and indication provided that the English is the
+ruling language (due to Arbitration requirements).
+</p>
+
+<h3> <a name="4.3"> 4.3 </a> Jurisdiction </h3>
+
+<p>
+Organisation Assurances are carried out by
+CAcert Inc under its Arbitration jurisdiction.
+Actions carried out by OAs are under this regime.
+</p>
+
+<ol type="a"><li>
+ The organisation has agreed to the terms of the
+ Registered User Agreement,
+ </li><li>
+ The organisation, the Organisation Assurers, CAcert and
+ other related parties are bound into CAcert's jurisdiction
+ and dispute resolution.
+ </li><li>
+ The OA is responsible for ensuring that the
+ organisation reads, understands, intends and
+ agrees to the registered user agreement.
+ This OA responsibility should be recorded on COAP
+ (statement and initials box).
+</li></ol>
+
+<h2> <a name="5"> 5. </a> Exceptions </h2>
+
+
+<ol type="a"><li>
+ <b> Conflicts of Interest.</b>
+ An OA must not assure an organisation in which
+ there is a close or direct relationship by, e.g.,
+ employment, family, financial interests.
+ Other conflicts of interest must be disclosed.
+ </li><li>
+ <b> Trusted Third Parties.</b>
+ TTPs are not generally approved to be part of
+ organisation assurance,
+ but may be approved by subsidiary policies according
+ to local needs.
+ </li><li>
+ <b>Exceptional Organisations.</b>
+ (e.g., Vatican, International Space Station, United Nations)
+ can be dealt with as a single-organisation
+ SubPol.
+ The OA creates the checks, documents them,
+ and subjects them to to normal policy approval.
+ </li><li>
+ <b>DBA.</b>
+ Alternative names for organisations
+ (DBA, "doing business as")
+ can be added as long as they are proven independently.
+ E.g., registration as DBA or holding of registered trade mark.
+ This means that the anglo law tradition of unregistered DBAs
+ is not accepted without further proof.
+</li></ol>
+