0861c507a1f664e5afb228e7400aad235cf5dcd6
[cacert-devel.git] / www / policy / OrganisationAssurancePolicy.html
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8">
<title> Organisation Assurance Policy </title>
<style type="text/css">
<!--
.comment {
color : steelblue;
}
.r {
text-align : right;
}
.vTop{
vertical-align: top;
}
-->
</style>

</head>
<body>

<div class="comment">
<table style="width: 100%;">

<tr>
<td>
Name: OAP <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD11</a><br>

Status: POLICY/DRAFT <a style="color: steelblue" href="https://wiki.cacert.org/TopMinutes-20070917">m20070918.x </a><br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span class="draftadd">DRAFT <a href="https://wiki.cacert.org/PolicyDecisions#p20080401.1">p20080401.1</a></span><br>
Editor: Jens Paul <br>
Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright &copy; CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy" > CC-by-sa+DRP </a><br></td>
<td class="r vTop">
<a href="https://www.cacert.org/policy/PolicyOnPolicy.html"><img src="images/cacert-policy.png" alt="OAP Status - POLICY" height="31" width="88" style="border-style: none;"></a><br>
<a href="https://www.cacert.org/policy/PolicyOnPolicy.html"><img src="images/cacert-draft.png" alt="OAP Status - DRAFT" height="31" width="88" style="border-style: none;"></a>

</td>
</tr>
</table>
</div>


<h1> Organisation&nbsp;Assurance&nbsp;Policy </h1>

<h2 id="s0">0. Preliminaries </h2>

<p>
This policy describes how Organisation Assurers ("OAs")
conduct Assurances on Organisations.
It fits within the overall web-of-trust
or Assurance process of CAcert.
</p>

<p>
This policy is not a Controlled document, for purposes of
the Configuration Control Specification ("CCS").
</p>

<h2 id="s1"> 1. Purpose </h2>

<p>
Organisations with assured status can issue certificates
directly, with their own domains within them.
</p>

<p>
The purpose and statement of the certificate remain
the same as with ordinary users (natural persons)
and as described in the CPS:
</p>

<ul><li>
The organisation named within is identified.
</li><li>
The organisation has been verified according
to this policy.
</li><li>
The organisation is within the jurisdiction
and can be taken to CAcert Arbitration.
</li></ul>


<h2 id="s2"> 2. Roles and Structure </h2>

<h3 id="s2.1"> 2.1 Assurance Officer </h3>

<p>
The Assurance Officer ("AO")
manages this policy and reports to the CAcert Inc. Committee ("Board").
</p>

<p>
The AO manages all OAs and is responsible for process,
the CAcert Organisation Assurance Programme ("COAP") form,
OA training and testing, manuals, and quality control.
In these responsibilities, other Officers will assist.
</p>
<p>
The AO is appointed by the Board.
Where the AO is failing, the Board decides.
</p>

<h3 id="s2.2"> 2.2 Organisation Assurers </h3>

<ol style="list-style-type: lower-latin;"> <li>
An OA must be an experienced Assurer:
<ol style="list-style-type: lower-roman;">
<li>Have 150 assurance points.</li>
<li>Be fully trained and tested on all general Assurance processes.</li>
</ol>

</li><li>
Must be trained as an Organisation Assurer.
<ol style="list-style-type: lower-roman;">
<li> Global knowledge: this policy. </li>
<li> Global knowledge: an OA manual covers how to do the process.</li>
<li> Local knowledge: the legal forms of organisations within the jurisdiction.</li>
<li> Basic governance. </li>
<li> Training may be done in a variety of ways,
such as on-the-job, etc. </li>
</ol>

</li><li>
Must be tested.
<ol style="list-style-type: lower-roman;">
<li> Global test: covers this policy and the process. </li>
<li> Local knowledge: the Subsidiary Policy is to specify.</li>
<li> Tests are to be created, approved, run and verified
by CAcert only (not outsourced). </li>
<li> Tests are conducted manually, not online/automatically. </li>
<li> Documentation is to be retained. </li>
<li> Tests may include on-the-job components. </li>
</ol>

</li><li>
Must be approved.
<ol style="list-style-type: lower-roman;">
<li> Two supervising OAs must sign off on a new OA,
as trained, tested and passed.
</li>
<li> The AO must sign off on a new OA,
as supervised, trained and tested.
</li>
</ol>
</li>
<li>Where a CAcert (individual) Assurer
has advised on several OA Applications,
the OA can decide to appoint this
person as an OA.
</li>

</ol>

<h3 id="s2.3"> 2.3 Organisation Assurance Advisor ("OAA") </h3>
<p>In countries, states or provinces where no OAs are
operating, the OA handling an OA Application (COAP)
can be advised by an experienced local CAcert
(individual) Assurer in taking the decision
to accept the organisation's OA Application (COAP).
</p>
<p>
The local Assurer must have at least 150 Points,
should know the language, and should know
the culture and quality of the local organisation and trade registries.
</p>


<h3 id="s2.4"> 2.4 Organisation Administrator </h3>

<p>
The Administrator within each Organisation ("O-Admin")
is the one who handles the assurance requests
and the issuing of certificates.
</p>

<ol style="list-style-type: lower-latin;"> <li>
The O-Admin must be an Assurer:
<ol style="list-style-type: lower-roman;">
<li>Have 100 assurance points.</li>
<li>Be fully trained and tested as an Assurer.</li>
</ol>

</li><li>
The organisation is required to appoint an O-Admin,
and to appoint further O-Admins as required.
<ol style="list-style-type: lower-roman;">
<li> On the COAP Request Form.</li>
</ol>

</li><li>
The O-Admin must work with an assigned OA.
<ol style="list-style-type: lower-roman;">
<li> Have contact details.</li>
</ol>
</li>
</ol>


<h2 id="s3"> 3. Policies </h2>

<h3 id="s3.1"> 3.1 Policy </h3>

<p>
There is one policy, being this present document,
and several subsidiary policies.
</p>

<ol style="list-style-type: lower-latin;">
<li> This policy authorises the creation of subsidiary policies. </li>
<li> This policy is international. </li>
<li> Subsidiary policies are implementations of this policy. </li>
<li> Organisations are assured under an appropriate subsidiary policy. </li>
</ol>

<h3 id="s3.2"> 3.2 Subsidiary Policies </h3>

<p>
The nature of the Subsidiary Policies ("SubPols"):
</p>

<ol style="list-style-type: lower-latin;"><li>
SubPols are purposed to check the organisation
under the rules of the jurisdiction that creates the
organisation. This does not evidence an intention
by CAcert to
enter into the local jurisdiction, nor an intention
to impose the rules of that jurisdiction over any other
organisation.
CAcert assurances are conducted under the jurisdiction
of CAcert.
</li><li>
For OAs,
the SubPol specifies the <i>tests of local knowledge</i>,
including the local organisation assurance COAP forms.
</li><li>
For assurances,
the SubPol specifies the <i>local documentation forms</i>
which are acceptable under that SubPol to meet the
standard.
</li><li>
SubPols are subject to the normal
policy approval process.
</li></ol>

<h3 id="s3.3"> 3.3 Freedom to Assemble </h3>

<p>
Subsidiary Policies are open, accessible and free to enter.
</p>

<ol style="list-style-type: lower-latin;"><li>
SubPols compete but are compatible.
</li><li>
No SubPol is a franchise.
</li><li>
Many will be on State or National lines,
reflecting the legal
tradition of organisations created
("incorporated") by states.
</li><li>
However, there is no need for strict national lines;
it is possible to have two SubPols in one country, or one
covering several countries with the same language
(e.g., Austria with Germany, England with Wales but not Scotland).
</li><li>
There could also be SubPols for special
organisations, one-person organisations,
UN agencies, churches, etc.
</li><li>
Where it is appropriate to use a SubPol
in another situation (another country?), it
can be so approved
(e.g., the Austrian SubPol might be approved for Germany).
The SubPol must record this approval.
</li></ol>


<h2 id="s4"> 4. Process </h2>

<h3 id="s4.1"> 4.1 Standard of Organisation Assurance </h3>
<p>
The essential standard of Organisation Assurance is:
</p>

<ol style="list-style-type: lower-latin;"><li>
the organisation exists;
</li><li>
the organisation name is correct and consistent:
<ol style="list-style-type: lower-roman;">
<li>in the official documents specified in the SubPol;</li>
<li>on the COAP form;</li>
<li>in the CAcert database;</li>
<li>the form or type of legal entity is consistent;</li>
</ol>
</li><li>
signing rights:
the requestor can sign on behalf of the organisation;
</li><li>
the organisation has agreed to the terms of the
CAcert Community Agreement
and is therefore subject to Arbitration.
</li></ol>

<p>
Acceptable documents to meet the above standard
are stated in the SubPol.
</p>

<h3 id="s4.2"> 4.2 COAP </h3>
<p>
The COAP form documents the checks and the resultant
assurance results to meet the standard.
Additional information to be provided on the form:
</p>

<ol style="list-style-type: lower-latin;"><li>
CAcert account of the O-Admin (email address?)
</li><li>
location:
<ol style="list-style-type: lower-roman;">
<li>country (MUST).</li>
<li>city (MUST).</li>
<li>additional contact information (as required by the SubPol).</li>
</ol>
</li><li>
administrator account name(s) (1 or more)
</li><li>
domain name(s)
</li><li>
Agreement with the
CAcert Community Agreement.
Statement and initials box for the organisation
and also for the OA.
</li><li>
Date of completion of the Assurance.
Records should be maintained for 7 years from
this date.
</li></ol>

<p>
The COAP should be in English. Where translations
are provided, they should be matched to the English,
and an indication provided that the English is the
ruling language (due to Arbitration requirements).
</p>

<h3 id="s4.3"> 4.3 Jurisdiction </h3>

<p>
Organisation Assurances are carried out by
CAcert Inc. under its Arbitration jurisdiction.
Actions carried out by OAs are under this regime.
</p>

<ol style="list-style-type: lower-latin;"><li>
The organisation has agreed to the terms of the
CAcert Community Agreement.
</li><li>
The organisation, the Organisation Assurers, CAcert and
other related parties are bound into CAcert's jurisdiction
and dispute resolution.
</li><li>
The OA is responsible for ensuring that the
organisation reads, understands, intends and
agrees to the
CAcert Community Agreement.
This OA responsibility should be recorded on the COAP
(statement and initials box).
</li></ol>

<h2 id="s5"> 5. Exceptions </h2>


<ol style="list-style-type: lower-latin;"><li>
<b> Conflicts of Interest.</b>
An OA must not assure an organisation with which
there is a close or direct relationship by, e.g.,
employment, family, or financial interests.
Other conflicts of interest must be disclosed.
</li><li>
<b> Trusted Third Parties.</b>
TTPs are not generally approved to be part of
organisation assurance,
but may be approved by subsidiary policies according
to local needs.
</li><li>
<b>Exceptional Organisations.</b>
Exceptional organisations (e.g., the Vatican, the International Space Station, the United Nations)
can be dealt with under a single-organisation
SubPol.
The OA creates the checks, documents them,
and subjects them to normal policy approval.
</li><li>
<b>DBA.</b>
Alternative names for organisations
(DBA, "doing business as")
can be added as long as they are proven independently,
e.g., by registration as a DBA or by holding a registered trade mark.
This means that the Anglo-law tradition of unregistered DBAs
is not accepted without further proof.
</li></ol>
</body>
</html>