e4626932bea7e2523ed845b95587c25efa44a1c1
[cacert.git] / www / policy / OrganisationAssurancePolicy.php
1 <?='<?xml version="1.0" encoding="utf-8"?>'?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
3 "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
4 <html xmlns="http://www.w3.org/1999/xhtml">
5 <head>
6 <title> Organisation Assurance Policy </title>
7 <style type="text/css">
8 <!--
9 .comment {
10 color : steelblue;
11 }
12 -->
13 </style>
14
15 </head>
16 <body>
17
18 <div class="comment">
19 <table width="100%">
20
21 <tr>
22 <td>
23 Name: OAP <a style="color: steelblue" href="//svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD11</a><br />
24
25 Status: POLICY/DRAFT <a style="color: steelblue" href="//wiki.cacert.org/wiki/TopMinutes-20070917">m20070918.x </a><br />
26
27 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span class="draftadd">DRAFT p20080401.1 </span> <br />
28 Editor: Jens Paul <br />
29 Licence: <a style="color: steelblue" href="//wiki.cacert.org/Policy#Licence" title="this document is Copyright &copy; CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy" > CC-by-sa+DRP </a><br /></td>
30 <td valign="top" align="right">
31 <a href="//www.cacert.org/policy/PolicyOnPolicy.html"><img src="/images/cacert-policy.png" alt="OAP Status - POLICY" height="31" width="88" style="border-style: none;" /></a><br />
32 <a href="//www.cacert.org/policy/PolicyOnPolicy.html"><img src="/images/cacert-draft.png" alt="OAP Status - DRAFT" height="31" width="88" style="border-style: none;" /></a>
33
34 </td>
35 </tr>
36 </table>
37 </div>
38
39
40 <h1> Organisation&nbsp;Assurance&nbsp;Policy </h1>
41
42 <h2 id="s0">0. Preliminaries </h2>
43
44 <p>
45 This policy describes how Organisation Assurers ("OAs")
46 conduct Assurances on Organisations.
47 It fits within the overall web-of-trust
48 or Assurance process of CAcert.
49 </p>
50
51 <p>
52 This policy is not a Controlled document, for purposes of
53 Configuration Control Specification ("CCS").
54 </p>
55
56 <h2 id="s1"> 1. Purpose </h2>
57
58 <p>
59 Organisations with assured status can issue certificates
60 directly with their own domains within.
61 </p>
62
63 <p>
64 The purpose and statement of the certificate remains
65 the same as with ordinary users (natural persons)
66 and as described in the CPS.
67 </p>
68
69 <ul><li>
70 The organisation named within is identified.
71 </li><li>
72 The organisation has been verified according
73 to this policy.
74 </li><li>
75 The organisation is within the jurisdiction
76 and can be taken to CAcert Arbitration.
77 </li></ul>
78
79
80 <h2 id="s2"> 2. Roles and Structure </h2>
81
82 <h3 id="s2.1"> 2.1 Assurance Officer </h3>
83
84 <p>
85 The Assurance Officer ("AO")
86 manages this policy and reports to the CAcert Inc. Committee ("Board").
87 </p>
88
89 <p>
90 The AO manages all OAs and is responsible for process,
91 the CAcert Organisation Assurance Programme ("COAP") form,
92 OA training and testing, manuals, quality control.
93 In these responsibilities, other Officers will assist.
94 </p>
95 <p>
96 The OA is appointed by the Board.
97 Where the OA is failing the Board decides.
98 </p>
99
100 <h3 id="s2.2"> 2.2 Organisation Assurers </h3>
101
102 <p>
103 </p>
104
105 <ol type="a"> <li>
106 An OA must be an experienced Assurer
107 <ol type="i">
108 <li>Have 150 assurance points.</li>
109 <li>Be fully trained and tested on all general Assurance processes.</li>
110 </ol>
111
112 </li><li>
113 Must be trained as Organisation Assurer.
114 <ol type="i">
115 <li> Global knowledge: This policy. </li>
116 <li> Global knowledge: A OA manual covers how to do the process.</li>
117 <li> Local knowledge: legal forms of organisations within jurisdiction.</li>
118 <li> Basic governance. </li>
119 <li> Training may be done a variety of ways,
120 such as on-the-job, etc. </li>
121 </ol>
122
123 </li><li>
124 Must be tested.
125 <ol type="i">
126 <li> Global test: Covers this policy and the process. </li>
127 <li> Local knowledge: Subsidiary Policy to specify.</li>
128 <li> Tests to be created, approved, run, verified
129 by CAcert only (not outsourced). </li>
130 <li> Tests are conducted manually, not online/automatic. </li>
131 <li> Documentation to be retained. </li>
132 <li> Tests may include on-the-job components. </li>
133 </ol>
134
135 </li><li>
136 Must be approved.
137 <ol type="i">
138 <li> Two supervising OAs must sign-off on new OA,
139 as trained, tested and passed.
140 </li>
141 <li> AO must sign-off on a new OA,
142 as supervised, trained and tested.
143 </li>
144 </ol>
145 </li>
146 <li>The OA can decide when a CAcert
147 (individual) Assurer
148 has done several OA Application Advises to appoint this
149 person to OA Assurer.
150 </li>
151
152 </ol>
153
154 <h3 id="s2.3"> 2.3 Organisation Assurance Advisor ("OAA") </h3>
155 <p>In countries/states/provinces where no OA Assurers are
156 operating for an OA Application (COAP) the OA
157 can be advised by an experienced local CAcert
158 (individual) Assurer to take the decision
159 to accept the OA Application (COAP) of the organisation.
160 </p>
161 <p>
162 The local Assurer must have at least 150 Points,
163 should know the language, and know
164 the organisation trade office registry culture and quality.
165 </p>
166
167
168 <h3 id="s2.4"> 2.4 Organisation Administrator </h3>
169
170 <p>
171 The Administrator within each Organisation ("O-Admin")
172 is the one who handles the assurance requests
173 and the issuing of certificates.
174 </p>
175
176 <ol type="a"> <li>
177 O-Admin must be Assurer
178 <ol type="i">
179 <li>Have 100 assurance points.</li>
180 <li>Fully trained and tested as Assurer.</li>
181 </ol>
182
183 </li><li>
184 Organisation is required to appoint O-Admin,
185 and appoint ones as required.
186 <ol type="i">
187 <li> On COAP Request Form.</li>
188 </ol>
189
190 </li><li>
191 O-Admin must work with an assigned OA.
192 <ol type="i">
193 <li> Have contact details.</li>
194 </ol>
195 </ol>
196
197
198 <h2 id="s3"> 3. Policies </h2>
199
200 <h3 id="s3.1"> 3.1 Policy </h3>
201
202 <p>
203 There is one policy being this present document,
204 and several subsidiary policies.
205 </p>
206
207 <ol type="a">
208 <li> This policy authorises the creation of subsidiary policies. </li>
209 <li> This policy is international. </li>
210 <li> Subsidiary policies are implementations of the policy. </li>
211 <li> Organisations are assured under an appropriate subsidiary policy. </li>
212 </ol>
213
214 <h3 id="s3.2"> 3.2 Subsidiary Policies </h3>
215
216 <p>
217 The nature of the Subsidiary Policies ("SubPols"):
218 </p>
219
220 <ol type="a"><li>
221 SubPols are purposed to check the organisation
222 under the rules of the jurisdiction that creates the
223 organisation. This does not evidence an intention
224 by CAcert to
225 enter into the local jurisdiction, nor an intention
226 to impose the rules of that jurisdiction over any other
227 organisation.
228 CAcert assurances are conducted under the jurisdiction
229 of CAcert.
230 </li><li>
231 For OAs,
232 SubPol specifies the <i>tests of local knowledge</i>
233 including the local organisation assurance COAP forms.
234 </li><li>
235 For assurances,
236 SubPol specifies the <i>local documentation forms</i>
237 which are acceptable under this SubPol to meet the
238 standard.
239 </li><li>
240 SubPols are subjected to the normal
241 policy approval process.
242 </li></ol>
243
244 <h3 id="s3.3"> 3.3 Freedom to Assemble </h3>
245
246 <p>
247 Subsidiary Policies are open, accessible and free to enter.
248 </p>
249
250 <ol type="a"><li>
251 SubPols compete but are compatible.
252 </li><li>
253 No SubPol is a franchise.
254 </li><li>
255 Many will be on State or National lines,
256 reflecting the legal
257 tradition of organisations created
258 ("incorporated") by states.
259 </li><li>
260 However, there is no need for strict national lines;
261 it is possible to have 2 SubPols in one country, or one
262 covering several countries with the same language
263 (e.g., Austria with Germany, England with Wales but not Scotland).
264 </li><li>
265 There could also be SubPols for special
266 organisations, one person organisations,
267 UN agencies, churches, etc.
268 </li><li>
269 Where it is appropriate to use the SubPol
270 in another situation (another country?), it
271 can be so approved.
272 (e.g., Austrian SubPol might be approved for Germany.)
273 The SubPol must record this approval.
274 </li></ol>
275
276
277 <h2 id="s4"> 4. Process </h2>
278
279 <h3 id="s4.1"> 4.1 Standard of Organisation Assurance </h3>
280 <p>
281 The essential standard of Organisation Assurance is:
282 </p>
283
284 <ol type="a"><li>
285 the organisation exists
286 </li><li>
287 the organisation name is correct and consistent:
288 <ol type="i">
289 <li>in official documents specified in SubPol.</li>
290 <li>on COAP form.</li>
291 <li>in CAcert database.</li>
292 <li>form or type of legal entity is consistent</li>
293 </ol>
294 </li><li>
295 signing rights:
296 requestor can sign on behalf of the organisation.
297 </li><li>
298 the organisation has agreed to the terms of the
299 CAcert Community Agreement
300 and is therefore subject to Arbitration.
301 </li></ol>
302
303 <p>
304 Acceptable documents to meet above standard
305 are stated in the SubPol.
306 </p>
307
308 <h3 id="s4.2"> 4.2 COAP </h3>
309 <p>
310 The COAP form documents the checks and the resultant
311 assurance results to meet the standard.
312 Additional information to be provided on form:
313 </p>
314
315 <ol type="a"><li>
316 CAcert account of O-Admin (email address?)
317 </li><li>
318 location:
319 <ol type="i">
320 <li>country (MUST).</li>
321 <li>city (MUST).</li>
322 <li>additional contact information (as required by SubPol).</li>
323 </ol>
324 </li><li>
325 administrator account name(s) (1 or more)
326 </li><li>
327 domain name(s)
328 </li><li>
329 Agreement with
330 CAcert Community Agreement.
331 Statement and initials box for organisation
332 and also for OA.
333 </li><li>
334 Date of completion of Assurance.
335 Records should be maintained for 7 years from
336 this date.
337 </li></ol>
338
339 <p>
340 The COAP should be in English. Where translations
341 are provided, they should be matched to the English,
342 and indication provided that the English is the
343 ruling language (due to Arbitration requirements).
344 </p>
345
346 <h3 id="s4.3"> 4.3 Jurisdiction </h3>
347
348 <p>
349 Organisation Assurances are carried out by
350 CAcert Inc. under its Arbitration jurisdiction.
351 Actions carried out by OAs are under this regime.
352 </p>
353
354 <ol type="a"><li>
355 The organisation has agreed to the terms of the
356 CAcert Community Agreement.
357 </li><li>
358 The organisation, the Organisation Assurers, CAcert and
359 other related parties are bound into CAcert's jurisdiction
360 and dispute resolution.
361 </li><li>
362 The OA is responsible for ensuring that the
363 organisation reads, understands, intends and
364 agrees to the
365 CAcert Community Agreement.
366 This OA responsibility should be recorded on COAP
367 (statement and initials box).
368 </li></ol>
369
370 <h2 id="s5"> 5. Exceptions </h2>
371
372
373 <ol type="a"><li>
374 <b> Conflicts of Interest.</b>
375 An OA must not assure an organisation in which
376 there is a close or direct relationship by, e.g.,
377 employment, family, financial interests.
378 Other conflicts of interest must be disclosed.
379 </li><li>
380 <b> Trusted Third Parties.</b>
381 TTPs are not generally approved to be part of
382 organisation assurance,
383 but may be approved by subsidiary policies according
384 to local needs.
385 </li><li>
386 <b>Exceptional Organisations.</b>
387 (e.g., Vatican, International Space Station, United Nations)
388 can be dealt with as a single-organisation
389 SubPol.
390 The OA creates the checks, documents them,
391 and subjects them to to normal policy approval.
392 </li><li>
393 <b>DBA.</b>
394 Alternative names for organisations
395 (DBA, "doing business as")
396 can be added as long as they are proven independently.
397 E.g., registration as DBA or holding of registered trade mark.
398 This means that the anglo law tradition of unregistered DBAs
399 is not accepted without further proof.
400 </li></ol>
401 </body>
402 </html>