bug 1131: Updated Policies based on new versions send by Policy Officer
[cacert-devel.git] / www / policy / TTPAssistedAssurancePolicy.html
1 <!DOCTYPE html>
2 <html>
3 <head>
4 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" lang="en">
5 <title> CAcert -- TTP-Assisted Assurance Policy </title>
6 <style type="text/css">
7 <!--
8 .comment {
9 color : steelblue;
10 }
11 -->
12 </style>
13 </head>
14 <body>
15
16 <div class="comment">
17 <table width="100%">
18
19 <tbody>
20 <tr>
21 <td rowspan="2">
22 Name: TTP-Assist <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD13.2</a>
23 <br>
24 Status: POLICY <a href="https://wiki.cacert.org/PolicyDecisions#p20140731">p20140731</a>
25 <br>
26 Editor: <a style="color: steelblue" href="https://wiki.cacert.org/UlrichSchroeter">Ulrich Schroeter</a>
27 <br>
28 Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright © CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy"> CC-by-sa+DRP </a>
29 <br>
30 </td>
31 <td align="right" valign="top">
32 <a href="https://www.cacert.org/policy/PolicyOnPolicy.php">
33 <img src="images/cacert-policy.png" alt="TTP-Assist Status - DRAFT" style="border-style: none;" height="31" width="88" uri="file:///home/iphigenie/data/CAcert/Policy/CAcert%20--%20TTP-Assisted%20Assurance%20Policy_draft_files/cacert-draft.bin">
34 </a>
35
36 </td>
37 </tr>
38 </tbody>
39 </table>
40 </div>
41
42
43 <h1> TTP-Assisted Assurance Policy </h1>
44
45
46 <h2 id="g0.1">Preliminaries </h2>
47
48 <p>
49 This sub-policy extends the
50 <a href="https://www.cacert.org/policy/AssurancePolicy.php">
51 Assurance Policy</a> ("AP" =&gt; COD13)
52 by specifying how Assurers can be assisted by
53 outsourcing the identity documents verification
54 component of assurance to trusted third parties (TTPs).
55 Other definitions and terms can be found in AP or in
56 <a href="https://wiki.cacert.org/AssuranceHandbook">Assurance Handbook</a>
57 ("AH").
58 </p>
59
60
61 <h2 id="g0.2">Scope </h2>
62
63 <p>
64 This sub-policy is restricted to members located
65 in areas not well-served with Assurers.
66 It serves a goal of promoting both Assurers and Members in those areas.
67 </p>
68
69
70 <h2 id="g0.3">Roles </h2>
71
72
73 <h3 id="g0.3.1">Trusted Third Party </h3>
74
75 <p>
76 A Trusted Third Party ("TTP") is a person who is traditionally respected
77 for making reliable statements to others, especially over identification
78 documents. Typically, notaries public (anglo),
79 Notaries (European), bank managers, accountants
80 and lawyers.
81 </p>
82
83
84 <h3 id="g0.3.2">The Assurer (aka TTP-admin) </h3>
85
86 <p>
87 To employ a TTP in an assurance,
88 the Assurer must be a <a href="https://wiki.cacert.org/SeniorAssurer">Senior Assurer</a>.
89 The Assurer must be familiar with the local
90 language and customs.
91 </p>
92
93
94 <h3 id="g0.3.3">Member </h3>
95
96
97 <p>
98 A Member ("assuree") who is located in a place not well-served
99 by Assurers may use the TTP-assisted assurance.
100 </p>
101
102
103 <h2 id="g0.4">The Assurance </h2>
104
105
106 <p>
107 Assurance assisted by TTP must meet these requirements:
108 </p>
109
110 <ol style="list-style-type: lower-alpha;">
111 <li id="s3.a">
112 The Assurer must positively confirm the identity and
113 suitability of the TTP.
114 </li>
115 <li id="s3.b">
116 The TTP and the Member must meet face-to-face.
117 </li>
118 <li id="s3.c">
119 The TTP confirms the details supporting the Assurance Statement.
120 </li>
121 <li id="s3.d">
122 The Assurer makes a reliable statement to confirm the
123 Assurance Statement.
124 </li>
125 <li id="s3.e">
126 Assurance must be marked as TTP-Assisted
127 (e.g., by use of TTPAdmin flag).
128 </li>
129 </ol>
130
131
132
133
134 <h2 id="g0.5">Assurance Officer ("AO") </h2>
135
136 <p>
137 The Board routinely delegates its responsibilities to the
138 Assurance Officer (and this section assumes that, but does
139 not require it).
140 </p>
141
142
143 <p>
144 A report is requested annually from the Assurance Officer
145 on performance of this policy for the association's
146 annual report.
147 </p>
148
149 <h3 id="g0.5.1">Practice </h3>
150
151 <p>
152 Assurance Officer should prepare a
153 <a href="https://wiki.cacert.org/TTP">detailed documentation</a>
154 under
155 <a href="https://wiki.cacert.org/AssuranceHandbook">AH</a>
156 that meets the needs of this policy, including:
157 </p>
158
159 <ul>
160 <li>
161 Form for TTPs
162 </li>
163 <li>
164 Guide for TTPs.
165 </li>
166 <li>
167 Form for TTP-assisted assurance (used by Assurer)
168 </li>
169 <li>
170 Guide and protocol for Assurers.
171 </li>
172 <li>
173 Mechanisms for contacting Assurers available for
174 TTP-assisted assurances.
175 </li>
176 <li>
177 Definition of
178 <a href="https://wiki.cacert.org/SeniorAssurer">
179 Senior Assurer</a>.
180 </li>
181 </ul>
182
183
184 <h3 id="g0.5.2">Deserts </h3>
185
186 <p>
187 The Assurance Officer maintains a
188 <a href="https://wiki.cacert.org/deserts">list of regions</a>
189 that are designated as '<i>deserts,</i>' being areas that are so short
190 of Assurers as to render face-to-face Assurance impractical.
191 In each region, approved types of TTP are listed (e.g., Notary).
192 The list is expected to vary according to the
193 different juridical traditions of different regions.
194 Changes to the regional lists are prepared by
195 either an Organisation Assurer for that region
196 (as described by OAP)
197 or by two Assurers familiar with the traditions
198 in that region.
199 Changes are then submitted to the Board for approval.
200 </p>
201
202 <p>
203 Use of a type of TTP not on the list must be approved by
204 AO and notified to Board.
205 It is an explicit goal to reduce the usage of
206 TTP-assisted assurances in favour of face-to-face Assurance.
207 </p>
208
209
210 <p>
211 In coordination with internal and external auditors,
212 the Assurance Officer shall design and implement a
213 suitable programme to meet the needs of audit.
214 Where approved by auditors or Board, the Assurance
215 Officer may document and implement minor variations to this policy.
216 </p>
217
218
219 <h2 id="g0.6">Topup Assurance </h2>
220
221
222 <p>
223 AO is to operate a <cite>Topup Assurance Programme</cite>
224 to help seed deserts with Assurers.
225 A topup assurance will add additional Assurance Points
226 to those gained from two previously conducted TTP-assisted assurances,
227 in order for a Member to reach 100 Assurance Points
228 for the express purpose of becoming an Assurer.
229 </p>
230
231
232 <p>
233 A topup assurance is conducted by a third Senior Assurer
234 according to the following requirements:
235 </p>
236
237
238 <ol>
239 <li id="s5.1">
240 Assurer Challenge must be completed as passed by Member.
241 </li>
242 <li id="s5.2">
243 The topup must be requested by Member for
244 purpose of enabling the Member to reach Assurer level.
245 </li>
246 <li id="s5.3">
247 Topup Assurer must be a Senior Assurer,
248 and must be independent of the TTP-assist Assurers.
249 </li>
250 <li id="s5.4">
251 The Topup Assurer reviews the two TTP-assisted assurances,
252 and conducts other checks as set by the Assurance Officer.
253 The normal face-to-face meeting is not conducted.
254 </li>
255 <li id="s5.5">
256 Topup Assurer may award up to 35 points.
257 </li>
258 <li id="s5.6">
259 Assurance must be marked as Topup
260 (e.g., by use of new feature with TTPAdmin flag).
261 </li>
262 </ol>
263
264
265 <p>
266 Each topup is to be reported to AO.
267 Topup is only available in designated deserts.
268 </p>
269
270 </body>
271 </html>