[cacert.git] / www / policy / OrganisationAssurancePolicy.php
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>
<head><title>Organisation Assurance Policy</title></head>
<body>

<table width="100%">

<tr>
<td> OAP </td>
<td> </td>
<td width="20%"> Jens </td>
</tr>

<tr>
<td> POLICY&nbsp;<a href="http://wiki.cacert.org/wiki/TopMinutes-20070917">m20070918.x</a> </td>
<td> </td>
<td>
$Date: 2008-01-18 22:56:31 $
<!--
to get this to work, we have to do this:
svn propset svn:keywords "Date" file.html
except it does not work through the website.
-->
</td>
</tr>

<tr>
<td> COD11 </td>
<td> </td>
<td> </td>
</tr>


<tr>
<td> </td>
<td > <b>Organisation&nbsp;Assurance&nbsp;Policy</b> </td>
<td> </td>
</tr>

</table>


<h2> <a name="0"> 0. </a> Preliminaries </h2>

<p>
This policy describes how Organisation Assurers ("OAs")
conduct Assurances on Organisations.
It fits within the overall web-of-trust
or Assurance process of CAcert.
</p>

<p>
This policy is not a Controlled document, for purposes of
the Configuration Control Specification ("CCS").
</p>

<h2> <a name="1"> 1. </a> Purpose </h2>

<p>
Organisations with assured status can issue certificates
directly, containing their own domain names.
</p>

<p>
The purpose and statement of the certificate remain
the same as for ordinary users (natural persons),
as described in the CPS:
</p>

<ul><li>
The organisation named within is identified.
</li><li>
The organisation has been verified according
to this policy.
</li><li>
The organisation is within the jurisdiction
and can be taken to Arbitration.
</li></ul>


<h2> <a name="2"> 2. </a> Roles and Structure </h2>

<h3> <a name="2.1"> 2.1 </a> Assurance Officer </h3>

<p>
The Assurance Officer ("AO")
manages this policy and reports to the board.
</p>

<p>
The AO manages all OAs and is responsible for process,
the CAcert Organisation Assurance Programme form ("COAP"),
OA training and testing, manuals, and quality control.
In these responsibilities, other Officers will assist.
</p>

<h3> <a name="2.2"> 2.2 </a> Organisation Assurers </h3>

<ol type="a"> <li>
An OA must be an experienced Assurer:
<ol type="i">
<li>Have 150 assurance points.</li>
<li>Be fully trained and tested on all general Assurance processes.</li>
</ol>

</li><li>
Must be trained as an Organisation Assurer:
<ol type="i">
<li> Global knowledge: this policy. </li>
<li> Global knowledge: an OA manual covering how to do the process.</li>
<li> Local knowledge: legal forms of organisations within the jurisdiction.</li>
<li> Basic governance. </li>
<li> Training may be done in a variety of ways,
such as on-the-job. </li>
</ol>

</li><li>
Must be tested:
<ol type="i">
<li> Global test: covers this policy and the process. </li>
<li> Local knowledge: the Subsidiary Policy specifies the test.</li>
<li> Tests are to be created, approved, run and verified
by CAcert only (not outsourced). </li>
<li> Tests are conducted manually, not online/automatically. </li>
<li> Documentation is to be retained. </li>
<li> Tests may include on-the-job components. </li>
</ol>

</li><li>
Must be approved:
<ol type="i">
<li> Two supervising OAs must sign off on a new OA
as trained, tested and passed.
</li>
<li> The AO must sign off on a new OA
as supervised, trained and tested.
</li>
</ol>
</li></ol>



<h3> <a name="2.3"> 2.3 </a> Organisation Administrator </h3>

<p>
The Administrator within each Organisation ("O-Admin")
is the one who handles the assurance requests
and the issuing of certificates.
</p>

<ol type="a"> <li>
The O-Admin must be an Assurer:
<ol type="i">
<li>Have 100 assurance points.</li>
<li>Be fully trained and tested as an Assurer.</li>
</ol>

</li><li>
The Organisation is required to appoint an O-Admin,
and to appoint further O-Admins as required:
<ol type="i">
<li> On the COAP Request Form.</li>
</ol>

</li><li>
The O-Admin must work with an assigned OA:
<ol type="i">
<li> Contact details must be recorded.</li>
</ol>
</li></ol>


<h2> <a name="3"> 3. </a> Policies </h2>

<h3> <a name="3.1"> 3.1 </a> Policy </h3>

<p>
There is one policy, being this present document,
and several subsidiary policies.
</p>

<ol type="a">
<li> This policy authorises the creation of subsidiary policies. </li>
<li> This policy is international. </li>
<li> Subsidiary policies are implementations of this policy. </li>
<li> Organisations are assured under an appropriate subsidiary policy. </li>
</ol>

<h3> <a name="3.2"> 3.2 </a> Subsidiary Policies </h3>

<p>
The nature of the Subsidiary Policies ("SubPols"):
</p>

<ol type="a"><li>
SubPols are purposed to check the organisation
under the rules of the jurisdiction that creates the
organisation. This does not evidence an intention
by CAcert to
enter into the local jurisdiction, nor an intention
to impose the rules of that jurisdiction over any other
organisation.
CAcert assurances are conducted under the jurisdiction
of CAcert.
</li><li>
For OAs,
the SubPol specifies the <i>tests of local knowledge</i>,
including the local organisational forms.
</li><li>
For assurances,
the SubPol specifies the <i>local documentation forms</i>
which are acceptable under that SubPol to meet the
standard.
</li><li>
SubPols are subject to the normal
policy approval process.
</li></ol>

<h3> <a name="3.3"> 3.3 </a> Freedom to Assemble </h3>

<p>
Subsidiary Policies are open, accessible and free to enter.
</p>

<ol type="a"><li>
SubPols compete but are compatible.
</li><li>
No SubPol is a franchise.
</li><li>
Many will be on State or National lines,
reflecting the legal
tradition of organisations created
("incorporated") by states.
</li><li>
However, there is no need for strict national lines;
it is possible to have two SubPols in one country, or one
covering several countries with the same language
(e.g., Austria with Germany, England with Wales but not Scotland).
</li><li>
There could also be SubPols for special
organisations: one-person organisations,
UN agencies, churches, etc.
</li><li>
Where it is appropriate to use a SubPol
in another situation (another country?), it
can be so approved
(e.g., the Austrian SubPol might be approved for Germany).
The SubPol must record this approval.
</li></ol>


<h2> <a name="4"> 4. </a> Process </h2>

<h3> <a name="4.1"> 4.1 </a> Standard of Organisation Assurance </h3>
<p>
The essential standard of Organisation Assurance is:
</p>

<ol type="a"><li>
the organisation exists;
</li><li>
the organisation name is correct and consistent:
<ol type="i">
<li>in the official documents specified in the SubPol;</li>
<li>on the COAP form;</li>
<li>in the CAcert database;</li>
<li>the form or type of legal entity is consistent;</li>
</ol>
</li><li>
signing rights:
the requestor can sign on behalf of the organisation;
</li><li>
the organisation has agreed to the terms of the
Registered User Agreement,
and is therefore subject to Arbitration.
</li></ol>

<p>
Acceptable documents to meet the above standard
are stated in the SubPol.
</p>

<h3> <a name="4.2"> 4.2 </a> COAP </h3>
<p>
The COAP form documents the checks and the resultant
assurance results to meet the standard.
Additional information to be provided on the form:
</p>

<ol type="a"><li>
CAcert account of the O-Admin (email address?)
</li><li>
location:
<ol type="i">
<li>country (MUST).</li>
<li>city (MUST).</li>
<li>additional contact information (as required by the SubPol).</li>
</ol>
</li><li>
administrator account names (1 or more)
</li><li>
domain name(s)
</li><li>
Agreement with the Registered User Agreement:
statement and initials box for the organisation
and also for the OA.
</li><li>
Date of completion of the Assurance.
Records should be maintained for 7 years from
this date.
</li></ol>

<p>
The COAP should be in English. Where translations
are provided, they should be matched to the English,
and an indication provided that the English is the
ruling language (due to Arbitration requirements).
</p>

<h3> <a name="4.3"> 4.3 </a> Jurisdiction </h3>

<p>
Organisation Assurances are carried out by
CAcert Inc under its Arbitration jurisdiction.
Actions carried out by OAs are under this regime.
</p>

<ol type="a"><li>
The organisation has agreed to the terms of the
Registered User Agreement.
</li><li>
The organisation, the Organisation Assurers, CAcert and
other related parties are bound into CAcert's jurisdiction
and dispute resolution.
</li><li>
The OA is responsible for ensuring that the
organisation reads, understands, intends and
agrees to the Registered User Agreement.
This OA responsibility should be recorded on the COAP
(statement and initials box).
</li></ol>

<h2> <a name="5"> 5. </a> Exceptions </h2>


<ol type="a"><li>
<b> Conflicts of Interest.</b>
An OA must not assure an organisation with which
there is a close or direct relationship through, e.g.,
employment, family or financial interests.
Other conflicts of interest must be disclosed.
</li><li>
<b> Trusted Third Parties.</b>
TTPs are not generally approved to be part of
organisation assurance,
but may be approved by subsidiary policies according
to local needs.
</li><li>
<b>Exceptional Organisations.</b>
(e.g., Vatican, International Space Station, United Nations)
can be dealt with as a single-organisation
SubPol.
The OA creates the checks, documents them,
and subjects them to the normal policy approval process.
</li><li>
<b>DBA.</b>
Alternative names for organisations
(DBA, "doing business as")
can be added as long as they are proven independently,
e.g., by registration as a DBA or by holding a registered trade mark.
This means that the Anglo-law tradition of unregistered DBAs
is not accepted without further proof.
</li></ol>

378 </li></ol>
379