bug 1131: Updated TTP-Policies by Policy Officer
[cacert-devel.git] / www / policy / TTPAssistedAssurancePolicy.html
1 <!DOCTYPE html>
2 <html>
3 <head>
4 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" lang="en">
5 <title> CAcert -- TTP-Assisted Assurance Policy </title>
6 <style type="text/css">
7 <!--
8 .comment {
9 color : steelblue;
10 }
11 -->
12 </style>
13 </head>
14 <body>
15
16 <div class="comment">
17 <table width="100%">
18
19 <tbody>
20 <tr>
21 <td rowspan="2">
22 Name: TTP-Assist <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD13.2</a>
23 <br>
24 Status: POLICY <a href="https://wiki.cacert.org/PolicyDecisions#p20140731">p20140731</a>
25 <br>
26 Editor: <a style="color: steelblue" href="https://wiki.cacert.org/UlrichSchroeter">Ulrich Schroeter</a>
27 <br>
28 Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright © CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy"> CC-by-sa+DRP </a>
29 <br>
30 </td>
31 <td align="right" valign="top">
32 <a href="https://www.cacert.org/policy/PolicyOnPolicy.php">
33 <img src="images/cacert-policy.png" alt="TTP-Assist Status - POLICY" style="border-style: none;" height="31" width="88">
34 </a>
35 </td>
36 </tr>
37 </tbody>
38 </table>
39 </div>
40
41
42 <h1> TTP-Assisted Assurance Policy </h1>
43
44
45 <h2 id="g0.1">0. Preliminaries </h2>
46
47 <p>
48 This sub-policy extends the
49 <a href="https://www.cacert.org/policy/AssurancePolicy.php">
50 Assurance Policy</a> ("AP" =&gt; COD13)
51 by specifying how Assurers can be assisted by
52 outsourcing the identity documents verification
53 component of assurance to trusted third parties (TTPs).
54 Other definitions and terms can be found in AP or in
55 <a href="https://wiki.cacert.org/AssuranceHandbook">Assurance Handbook</a>
56 ("AH").
57 </p>
58
59
60 <h2 id="g0.2">1. Scope </h2>
61
62 <p>
63 This sub-policy is restricted to members located
64 in areas not well-served with Assurers.
65 It serves a goal of promoting both Assurers and Members in those areas.
66 </p>
67
68
69 <h2 id="g0.3">2. Roles </h2>
70
71
72 <h3 id="g0.3.1">2.1 Trusted Third Party </h3>
73
74 <p>
75 A Trusted Third Party ("TTP") is a person who is traditionally respected
76 for making reliable statements to others, especially over identification
77 documents. Typically, notaries public (anglo),
78 Notaries (European), bank managers, accountants
79 and lawyers.
80 </p>
81
82
83 <h3 id="g0.3.2">2.2 The Assurer (aka TTP-admin) </h3>
84
85 <p>
86 To employ a TTP in an assurance,
87 the Assurer must be a <a href="https://wiki.cacert.org/SeniorAssurer">Senior Assurer</a>.
88 The Assurer must be familiar with the local
89 language and customs.
90 </p>
91
92
93 <h3 id="g0.3.3">2.3 Member </h3>
94
95
96 <p>
97 A Member ("assuree") who is located in a place not well-served
98 by Assurers may use the TTP-assisted assurance.
99 </p>
100
101
102 <h2 id="g0.4">3. The Assurance </h2>
103
104
105 <p>
106 Assurance assisted by TTP must meet these requirements:
107 </p>
108
109 <ol style="list-style-type: lower-alpha;">
110 <li id="s3.a">
111 The Assurer must positively confirm the identity and
112 suitability of the TTP.
113 </li>
114 <li id="s3.b">
115 The TTP and the Member must meet face-to-face.
116 </li>
117 <li id="s3.c">
118 The TTP confirms the details supporting the Assurance Statement.
119 </li>
120 <li id="s3.d">
121 The Assurer makes a reliable statement to confirm the
122 Assurance Statement.
123 </li>
124 <li id="s3.e">
125 Assurance must be marked as TTP-Assisted
126 (e.g., by use of TTPAdmin flag).
127 </li>
128 </ol>
129
130
131
132
133 <h2 id="g0.5">4. Assurance Officer ("AO") </h2>
134
135 <p>
136 The Board routinely delegates its responsibilities to the
137 Assurance Officer (and this section assumes that, but does
138 not require it).
139 </p>
140
141
142 <p>
143 A report is requested annually from the Assurance Officer
144 on performance of this policy for the association's
145 annual report.
146 </p>
147
148 <h3 id="g0.5.1">4.1 Practice </h3>
149
150 <p>
151 Assurance Officer should prepare a
152 <a href="https://wiki.cacert.org/TTP">detailed documentation</a>
153 under
154 <a href="https://wiki.cacert.org/AssuranceHandbook">AH</a>
155 that meets the needs of this policy, including:
156 </p>
157
158 <ul>
159 <li>
160 Form for TTPs
161 </li>
162 <li>
163 Guide for TTPs.
164 </li>
165 <li>
166 Form for TTP-assisted assurance (used by Assurer)
167 </li>
168 <li>
169 Guide and protocol for Assurers.
170 </li>
171 <li>
172 Mechanisms for contacting Assurers available for
173 TTP-assisted assurances.
174 </li>
175 <li>
176 Definition of
177 <a href="https://wiki.cacert.org/SeniorAssurer">
178 Senior Assurer</a>.
179 </li>
180 </ul>
181
182
183 <h3 id="g0.5.2">4.2 Deserts </h3>
184
185 <p>
186 The Assurance Officer maintains a
187 <a href="https://wiki.cacert.org/deserts">list of regions</a>
188 that are designated as '<i>deserts,</i>' being areas that are so short
189 of Assurers as to render face-to-face Assurance impractical.
190 In each region, approved types of TTP are listed (e.g., Notary).
191 The list is expected to vary according to the
192 different juridical traditions of different regions.
193 Changes to the regional lists are prepared by
194 either an Organisation Assurer for that region
195 (as described by OAP)
196 or by two Assurers familiar with the traditions
197 in that region.
198 Changes are then submitted to the Board for approval.
199 </p>
200
201 <p>
202 Use of a type of TTP not on the list must be approved by
203 AO and notified to Board.
204 It is an explicit goal to reduce the usage of
205 TTP-assisted assurances in favour of face-to-face Assurance.
206 </p>
207
208
209 <p>
210 In coordination with internal and external auditors,
211 the Assurance Officer shall design and implement a
212 suitable programme to meet the needs of audit.
213 Where approved by auditors or Board, the Assurance
214 Officer may document and implement minor variations to this policy.
215 </p>
216
217
218 <h2 id="g0.6">5. Topup Assurance </h2>
219
220
221 <p>
222 AO is to operate a <cite>Topup Assurance Programme</cite>
223 to help seed deserts with Assurers.
224 A topup assurance will add additional Assurance Points
225 to those gained from two previously conducted TTP-assisted assurances,
226 in order for a Member to reach 100 Assurance Points
227 for the express purpose of becoming an Assurer.
228 </p>
229
230
231 <p>
232 A topup assurance is conducted by a third Senior Assurer
233 according to the following requirements:
234 </p>
235
236
237 <ol>
238 <li id="s5.1">
239 Assurer Challenge must be completed as passed by Member.
240 </li>
241 <li id="s5.2">
242 The topup must be requested by Member for
243 purpose of enabling the Member to reach Assurer level.
244 </li>
245 <li id="s5.3">
246 Topup Assurer must be a Senior Assurer,
247 and must be independent of the TTP-assist Assurers.
248 </li>
249 <li id="s5.4">
250 The Topup Assurer reviews the two TTP-assisted assurances,
251 and conducts other checks as set by the Assurance Officer.
252 The normal face-to-face meeting is not conducted.
253 </li>
254 <li id="s5.5">
255 Topup Assurer may award up to 35 points.
256 </li>
257 <li id="s5.6">
258 Assurance must be marked as Topup
259 (e.g., by use of new feature with TTPAdmin flag).
260 </li>
261 </ol>
262
263
264 <p>
265 Each topup is to be reported to AO.
266 Topup is only available in designated deserts.
267 </p>
268
269
270 </body>
271 </html>