Diffstat (limited to 'www/policy/OrganisationAssurancePolicy.php')
-rw-r--r-- | www/policy/OrganisationAssurancePolicy.php | 379 |
1 files changed, 379 insertions, 0 deletions
diff --git a/www/policy/OrganisationAssurancePolicy.php b/www/policy/OrganisationAssurancePolicy.php new file mode 100644 index 0000000..7d8699c --- /dev/null +++ b/www/policy/OrganisationAssurancePolicy.php 
@@ -0,0 +1,379 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> + +<html> +<head><title>Organisation Assurance Policy</title></head> +<body> + +<table width="100%"> + +<tr> +<td> OAP </td> +<td> </td> +<td width="20%"> Jens </td> +</tr> + +<tr> +<td> POLICY <a href="http://wiki.cacert.org/wiki/TopMinutes-20070917">m20070918.x</a> </td> +<td> </td> +<td> + $Date: 2008-01-18 22:56:31 $ + <!-- + to get this to work, we have to do this: + svn propset svn:keywords "Date" file.html + except it does not work through the website. + --> +</td> +</tr> + +<tr> +<td> COD11 </td> +<td> </td> +<td> </td> +</tr> + + +<tr> +<td> </td> +<td > <b>Organisation Assurance Policy</b> </td> +<td> </td> +</tr> + +</table> + + + +<h2> <a name="0"> 0. </a> Preliminaries </h2> + +<p> +This policy describes how Organisation Assurers ("OAs") +conduct Assurances on Organisations. +It fits within the overall web-of-trust +or Assurance process of Cacert. +</p> + +<p> +This policy is not a Controlled document, for purposes of +Configuration Control Specification ("CCS"). +</p> + +<h2> <a name="1"> 1. </a> Purpose </h2> + +<p> +Organisations with assured status can issue certificates +directly with their own domains within. +</p> + +<p> +The purpose and statement of the certificate remains +the same as with ordinary users (natural persons) +and as described in the CPS. +</p> + +<ul><li> + The organisation named within is identified. + </li><li> + The organisation has been verified according + to this policy. + </li><li> + The organisation is within the jurisdiction + and can be taken to Arbitration. +</li></ul> + + +<h2> <a name="2"> 2. </a> Roles and Structure </h2> + +<h3> <a name="2.1"> 2.1 </a> Assurance Officer </h3> + +<p> +The Assurance Officer ("AO") +manages this policy and reports to the board. 
+</p> + +<p> +The AO manages all OAs and is responsible for process, +the CAcert Organisation Assurance Programme form ("COAP"), +OA training and testing, manuals, quality control. +In these responsibilities, other Officers will assist. +</p> + +<h3> <a name="2.2"> 2.2 </a> Organisation Assurers </h3> + +<p> +</p> + +<ol type="a"> <li> + An OA must be an experienced Assurer + <ol type="i"> + <li>Have 150 assurance points.</li> + <li>Be fully trained and tested on all general Assurance processes.</li> + </ol> + + </li><li> + Must be trained as Organisation Assurer. + <ol type="i"> + <li> Global knowledge: This policy. </li> + <li> Global knowledge: A OA manual covers how to do the process.</li> + <li> Local knowledge: legal forms of organisations within jurisdiction.</li> + <li> Basic governance. </li> + <li> Training may be done a variety of ways, + such as on-the-job, etc. </li> + </ol> + + </li><li> + Must be tested. + <ol type="i"> + <li> Global test: Covers this policy and the process. </li> + <li> Local knowledge: Subsidiary Policy to specify.</li> + <li> Tests to be created, approved, run, verified + by CAcert only (not outsourced). </li> + <li> Tests are conducted manually, not online/automatic. </li> + <li> Documentation to be retained. </li> + <li> Tests may include on-the-job components. </li> + </ol> + + </li><li> + Must be approved. + <ol type="i"> + <li> Two supervising OAs must sign-off on new OA, + as trained, tested and passed. + </li> + <li> AO must sign-off on a new OA, + as supervised, trained and tested. + </li> + </ol> +</ol> + + + +<h3> <a name="2.3"> 2.3 </a> Organisation Administrator </h3> + +<p> +The Administrator within each Organisation ("O-Admin") +is the one who handles the assurance requests +and the issuing of certificates. 
+</p> + +<ol type="a"> <li> + O-Admin must be Assurer + <ol type="i"> + <li>Have 100 assurance points.</li> + <li>Fully trained and tested as Assurer.</li> + </ol> + + </li><li> + Organisation is required to appoint O-Admin, + and appoint ones as required. + <ol type="i"> + <li> On COAP Request Form.</li> + </ol> + + </li><li> + O-Admin must work with an assigned OA. + <ol type="i"> + <li> Have contact details.</li> + </ol> +</ol> + + +<h2> <a name="3"> 3. </a> Policies </h2> + +<h3> <a name="3.1"> 3.1 </a> Policy </h3> + +<p> +There is one policy being this present document, +and several subsidiary policies. +</p> + +<ol type="a"> + <li> This policy authorises the creation of subsidiary policies. </li> + <li> This policy is international. </li> + <li> Subsidiary policies are implementations of the policy. </li> + <li> Organisations are assured under an appropriate subsidiary policy. </li> +</ol> + +<h3> <a name="3.2"> 3.2 </a> Subsidiary Policies </h3> + +<p> +The nature of the Subsidiary Policies ("SubPols"): +</p> + +<ol type="a"><li> + SubPols are purposed to check the organisation + under the rules of the jurisdiction that creates the + organisation. This does not evidence an intention + by CAcert to + enter into the local jurisdiction, nor an intention + to impose the rules of that jurisdiction over any other + organisation. + CAcert assurances are conducted under the jurisdiction + of CAcert. + </li><li> + For OAs, + SubPol specifies the <i>tests of local knowledge</i> + including the local organisational forms. + </li><li> + For assurances, + SubPol specifies the <i>local documentation forms</i> + which are acceptable under this SubPol to meet the + standard. + </li><li> + SubPols are subjected to the normal + policy approval process. +</li></ol> + +<h3> <a name=""> </a> 3.3 Freedom to Assemble </h3> + +<p> +Subsidiary Policies are open, accessible and free to enter. +</p> + +<ol type="a"><li> + SubPols compete but are compatible. 
+ </li><li> + No SubPol is a franchise. + </li><li> + Many will be on State or National lines, + reflecting the legal + tradition of organisations created + ("incorporated") by states. + </li><li> + However, there is no need for strict national lines; + it is possible to have 2 SubPols in one country, or one + covering several countries with the same language + (e.g., Austria with Germany, England with Wales but not Scotland). + </li><li> + There could also be SubPols for special + organisations, one person organisations, + UN agencies, churches, etc. + </li><li> + Where it is appropriate to use the SubPol + in another situation (another country?), it + can be so approved. + (e.g., Austrian SubPol might be approved for Germany.) + The SubPol must record this approval. +</li></ol> + + +<h2> <a name="4"> 4. </a> Process </h2> + +<h3> <a name="4.1"> 4.1 </a> Standard of Organisation Assurance </h3> +<p> +The essential standard of Organisation Assurance is: +</p> + +<ol type="a"><li> + the organisation exists + </li><li> + the organisation name is correct and consistent: + <ol type="i"> + <li>in official documents specified in SubPol.</li> + <li>on COAP form.</li> + <li>in CAcert database.</li> + <li>form or type of legal entity is consistent</li> + </ol> + </li><li> + signing rights: + requestor can sign on behalf of the organisation. + </li><li> + the organisation has agreed to the terms of the + Registered User Agreement, + and is therefore subject to Arbitration. +</li></ol> + +<p> + Acceptable documents to meet above standard + are stated in the SubPol. +</p> + +<h3> <a name="4.2"> 4.2 </a> COAP </h3> +<p> +The COAP form documents the checks and the resultant +assurance results to meet the standard. +Additional information to be provided on form: +</p> + +<ol type="a"><li> + CAcert account of O-Admin (email address?) 
+ </li><li> + location: + <ol type="i"> + <li>country (MUST).</li> + <li>city (MUST).</li> + <li>additional contact information (as required by SubPol).</li> + </ol> + </li><li> + administrator account names (1 or more) + </li><li> + domain name(s) + </li><li> + Agreement with registered user agreement. + Statement and initials box for organsation + and also for OA. + </li><li> + Date of completion of Assurance. + Records should be maintained for 7 years from + this date. +</li></ol> + +<p> +The COAP should be in English. Where translations +are provided, they should be matched to the English, +and indication provided that the English is the +ruling language (due to Arbitration requirements). +</p> + +<h3> <a name="4.3"> 4.3 </a> Jurisdiction </h3> + +<p> +Organisation Assurances are carried out by +CAcert Inc under its Arbitration jurisdiction. +Actions carried out by OAs are under this regime. +</p> + +<ol type="a"><li> + The organisation has agreed to the terms of the + Registered User Agreement, + </li><li> + The organisation, the Organisation Assurers, CAcert and + other related parties are bound into CAcert's jurisdiction + and dispute resolution. + </li><li> + The OA is responsible for ensuring that the + organisation reads, understands, intends and + agrees to the registered user agreement. + This OA responsibility should be recorded on COAP + (statement and initials box). +</li></ol> + +<h2> <a name="5"> 5. </a> Exceptions </h2> + + +<ol type="a"><li> + <b> Conflicts of Interest.</b> + An OA must not assure an organisation in which + there is a close or direct relationship by, e.g., + employment, family, financial interests. + Other conflicts of interest must be disclosed. + </li><li> + <b> Trusted Third Parties.</b> + TTPs are not generally approved to be part of + organisation assurance, + but may be approved by subsidiary policies according + to local needs. 
+ </li><li> + <b>Exceptional Organisations.</b> + (e.g., Vatican, International Space Station, United Nations) + can be dealt with as a single-organisation + SubPol. + The OA creates the checks, documents them, + and subjects them to to normal policy approval. + </li><li> + <b>DBA.</b> + Alternative names for organisations + (DBA, "doing business as") + can be added as long as they are proven independently. + E.g., registration as DBA or holding of registered trade mark. + This means that the anglo law tradition of unregistered DBAs + is not accepted without further proof. +</li></ol> + |
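Review bot: the heading for section 3.3 has an empty anchor, `<h3> <a name=""> </a> 3.3 Freedom to Assemble </h3>`, so in-document links to this section cannot resolve and it breaks the pattern every sibling heading follows (`<h3> <a name="3.2"> 3.2 </a> Subsidiary Policies </h3>`); change it to `<h3> <a name="3.3"> 3.3 </a> Freedom to Assemble </h3>`. A few wording fixes in the same file: "web-of-trust or Assurance process of Cacert" in section 0 should use the spelling "CAcert" used everywhere else, "A OA manual" in 2.2(b) should read "An OA manual", "organsation" in 4.2(e) is missing an "i", and 5(c) doubles "to" in "subjects them to to normal policy approval". Also, the HTML comment under the `$Date:` header admits that `svn propset svn:keywords "Date"` "does not work through the website", so the displayed date will not update on commit; either note in the comment that the date is maintained by hand or drop the keyword so readers are not misled about the document's revision date.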