bug 1131: Updated Policies based on new versions sent by Policy Officer
[cacert-devel.git] / www / policy / OrganisationAssurancePolicy.html
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" lang="en">
<title> Organisation Assurance Policy </title>
<style type="text/css">
<!--
.comment {
color : steelblue;
}
-->
</style>
</head>
<body>

<div class="comment">
<table width="100%">

<tbody>
<tr>
<td>
Name: OAP <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD11</a>
<br>

Status: POLICY <a href="https://wiki.cacert.org/PolicyDecisions#p20140731">p20140731</a>
<br>
Editor: Jens Paul
<br>
Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright © CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy"> CC-by-sa+DRP </a>
<br>
</td>
<td align="right" valign="top">
<a href="https://www.cacert.org/policy/PolicyOnPolicy.php">
<img src="images/cacert-policy.png" alt="CCA Status - POLICY" style="border-style: none;" height="31" width="88">
</a>

</td>
</tr>
</tbody>
</table>
</div>


<h1> Organisation&nbsp;Assurance&nbsp;Policy </h1>

<h2 id="g0.1">Preliminaries </h2>

<p>
This policy describes how Organisation Assurers ("OAs")
conduct Assurances on Organisations.
It fits within the overall web-of-trust
or Assurance process of CAcert.
</p>

<p>
This policy is not a Controlled document, for purposes of
the Configuration Control Specification ("CCS").
</p>

<h2 id="g0.2">Purpose </h2>

<p>
Organisations with assured status can issue certificates
directly, with their own domains within.
</p>

<p>
The purpose and statement of the certificate remain
the same as with ordinary users (natural persons)
and as described in the CPS.
</p>

<ul>
<li>
The organisation named within is identified.
</li>
<li>
The organisation has been verified according
to this policy.
</li>
<li>
The organisation is within the jurisdiction
and can be taken to CAcert Arbitration.
</li>
</ul>


<h2 id="g0.3">Roles and Structure </h2>

<h3 id="g0.3.1">Assurance Officer </h3>

<p>
The Assurance Officer ("AO")
manages this policy and reports to the CAcert Inc. Committee ("Board").
</p>

<p>
The AO manages all OAs and is responsible for process,
the CAcert Organisation Assurance Programme ("COAP") form,
OA training and testing, manuals, and quality control.
In these responsibilities, other Officers will assist.
</p>
<p>
The OA is appointed by the Board.
Where the OA is failing, the Board decides.
</p>

<h3 id="g0.3.2">Organisation Assurers </h3>

<ol type="a">

<li>
An OA must be an experienced Assurer:

<ol type="i">

<li>Have 150 assurance points.</li>

<li>Be fully trained and tested on all general Assurance processes.</li>

</ol>

</li>

<li>
Must be trained as an Organisation Assurer.

<ol type="i">

<li> Global knowledge: This policy. </li>

<li> Global knowledge: An OA manual covers how to do the process.</li>

<li> Local knowledge: legal forms of organisations within the jurisdiction.</li>

<li> Basic governance. </li>

<li> Training may be done in a variety of ways,
such as on-the-job, etc. </li>

</ol>

</li>

<li>
Must be tested.

<ol type="i">

<li> Global test: Covers this policy and the process. </li>

<li> Local knowledge: Subsidiary Policy to specify.</li>

<li> Tests to be created, approved, run and verified
by CAcert only (not outsourced). </li>

<li> Tests are conducted manually, not online/automatic. </li>

<li> Documentation to be retained. </li>

<li> Tests may include on-the-job components. </li>

</ol>

</li>

<li>
Must be approved.

<ol type="i">

<li> Two supervising OAs must sign off on a new OA
as trained, tested and passed.</li>

<li> The AO must sign off on a new OA
as supervised, trained and tested.</li>

</ol>

</li>

<li>The OA can decide, once a CAcert
(individual) Assurer
has provided advice on several OA Applications, to appoint this
person as an OA.
</li>

</ol>

<h3 id="g0.3.3">Organisation Assurance Advisor ("OAA") </h3>

<p>In countries/states/provinces where no OA Assurers are
operating for an OA Application (COAP), the OA
can be advised by an experienced local CAcert
(individual) Assurer in taking the decision
to accept the OA Application (COAP) of the organisation.
</p>

<p>
The local Assurer must have at least 150 Points,
should know the language, and should know
the culture and quality of the organisation trade office registry.
</p>


<h3 id="g0.3.4">Organisation Administrator </h3>

<p>
The Administrator within each Organisation ("O-Admin")
is the one who handles the assurance requests
and the issuing of certificates.
</p>

<ol type="a">
<li>
O-Admin must be an Assurer:

<ol type="i">

<li>Have 100 assurance points.</li>

<li>Fully trained and tested as Assurer.</li>

</ol>

</li>

<li>
The organisation is required to appoint an O-Admin,
and to appoint further ones as required.

<ol type="i">

<li> On COAP Request Form.</li>

</ol>

</li>

<li>
O-Admin must work with an assigned OA.

<ol type="i">

<li> Have contact details.</li>

</ol>

</li>

</ol>

<h2 id="g0.4">Policies </h2>

<h3 id="g0.4.1">Policy </h3>

<p>
There is one policy, being this present document,
and several subsidiary policies.
</p>

<ol type="a">

<li> This policy authorises the creation of subsidiary policies. </li>

<li> This policy is international. </li>

<li> Subsidiary policies are implementations of the policy. </li>

<li> Organisations are assured under an appropriate subsidiary policy. </li>

</ol>

<h3 id="g0.4.2">Subsidiary Policies </h3>

<p>
The nature of the Subsidiary Policies ("SubPols"):
</p>

<ol type="a">
<li>
SubPols are intended to check the organisation
under the rules of the jurisdiction that creates the
organisation. This does not evidence an intention
by CAcert to
enter into the local jurisdiction, nor an intention
to impose the rules of that jurisdiction over any other
organisation.
CAcert assurances are conducted under the jurisdiction
of CAcert.
</li>
<li>
For OAs,
the SubPol specifies the <i>tests of local knowledge</i>,
including the local organisation assurance COAP forms.
</li>
<li>
For assurances,
the SubPol specifies the <i>local documentation forms</i>
which are acceptable under this SubPol to meet the
standard.
</li>
<li>
SubPols are subject to the normal
policy approval process.
</li>
</ol>

<h3 id="g0.4.3">Freedom to Assemble </h3>

<p>
Subsidiary Policies are open, accessible and free to enter.
</p>

<ol type="a">
<li>
SubPols compete but are compatible.
</li>
<li>
No SubPol is a franchise.
</li>
<li>
Many will be on State or National lines,
reflecting the legal
tradition of organisations created
("incorporated") by states.
</li>
<li>
However, there is no need for strict national lines;
it is possible to have 2 SubPols in one country, or one
covering several countries with the same language
(e.g., Austria with Germany, England with Wales but not Scotland).
</li>
<li>
There could also be SubPols for special
organisations, one-person organisations,
UN agencies, churches, etc.
</li>
<li>
Where it is appropriate to use the SubPol
in another situation (another country?), it
can be so approved.
(e.g., an Austrian SubPol might be approved for Germany.)
The SubPol must record this approval.
</li>
</ol>


<h2 id="g0.5">Process </h2>

<h3 id="g0.5.1">Standard of Organisation Assurance </h3>
<p>
The essential standard of Organisation Assurance is:
</p>

<ol type="a">
<li>
the organisation exists
</li>

<li>
the organisation name is correct and consistent:

<ol type="i">

<li>in official documents specified in the SubPol.</li>

<li>on the COAP form.</li>

<li>in the CAcert database.</li>

<li>the form or type of legal entity is consistent</li>

</ol>

</li>

<li>
signing rights:
the requestor can sign on behalf of the organisation.
</li>

<li>
the organisation has agreed to the terms of the
CAcert Community Agreement
and is therefore subject to Arbitration.
</li>

</ol>

<p>
Acceptable documents to meet the above standard
are stated in the SubPol.
</p>

<h3 id="g0.5.2">COAP </h3>
<p>
The COAP form documents the checks and the resultant
assurance results to meet the standard.
Additional information to be provided on the form:
</p>

<ol type="a">
<li>
CAcert account of O-Admin (email address?)
</li>
<li>
location:

<ol type="i">

<li>country (MUST).</li>

<li>city (MUST).</li>

<li>additional contact information (as required by SubPol).</li>

</ol>

</li>

<li>
administrator account name(s) (1 or more)
</li>

<li>
domain name(s)
</li>

<li>
Agreement with the
CAcert Community Agreement.
Statement and initials box for the organisation
and also for the OA.
</li>

<li>
Date of completion of Assurance.
Records should be maintained for 7 years from
this date.
</li>

</ol>

<p>
The COAP should be in English. Where translations
are provided, they should be matched to the English,
and an indication provided that the English is the
ruling language (due to Arbitration requirements).
</p>

<h3 id="g0.5.3">Jurisdiction </h3>

<p>
Organisation Assurances are carried out by
CAcert Inc. under its Arbitration jurisdiction.
Actions carried out by OAs are under this regime.
</p>

<ol type="a">

<li>
The organisation has agreed to the terms of the
CAcert Community Agreement.
</li>

<li>
The organisation, the Organisation Assurers, CAcert and
other related parties are bound into CAcert's jurisdiction
and dispute resolution.
</li>

<li>
The OA is responsible for ensuring that the
organisation reads, understands, intends and
agrees to the
CAcert Community Agreement.
This OA responsibility should be recorded on the COAP
(statement and initials box).
</li>

</ol>

<h2 id="g0.6">Exceptions </h2>

<ol type="a">

<li>
<b> Conflicts of Interest.</b>
An OA must not assure an organisation with which
there is a close or direct relationship by, e.g.,
employment, family or financial interests.
Other conflicts of interest must be disclosed.
</li>

<li>
<b> Trusted Third Parties.</b>
TTPs are not generally approved to be part of
organisation assurance,
but may be approved by subsidiary policies according
to local needs.
</li>

<li>
<b>Exceptional Organisations.</b>
(e.g., Vatican, International Space Station, United Nations)
can be dealt with as a single-organisation
SubPol.
The OA creates the checks, documents them,
and subjects them to normal policy approval.
</li>

<li>
<b>DBA.</b>
Alternative names for organisations
(DBA, "doing business as")
can be added as long as they are proven independently,
e.g., by registration as a DBA or by holding of a registered trade mark.
This means that the Anglo law tradition of unregistered DBAs
is not accepted without further proof.
</li>

</ol>

</body>
</html>