0. Preliminaries
This policy describes how Organisation Assurers ("OAs") conduct Assurances on Organisations. It fits within the overall web-of-trust or Assurance process of CAcert.
This policy is not a Controlled document for the purposes of the Configuration Control Specification ("CCS").
1. Purpose
Organisations with assured status can issue certificates directly, containing their own domain names.
The purpose and statement of the certificate remain the same as for ordinary users (natural persons), as described in the CPS:
- The organisation named within is identified.
- The organisation has been verified according to this policy.
- The organisation is within the jurisdiction and can be taken to Arbitration.
2. Roles and Structure
2.1 Organisation Assurance Officer
An Organisation Assurance Officer ("OAO") manages this policy and reports to the Assurance Officer.
The OAO is required to contribute to the Assurance Officer's annual report to the board, or as directed.
The OAO is further required to assist Arbitrators and Auditors.
The OAO manages all OAs and is responsible for the process, the CAcert Organisation Assurance Programme form ("COAP"), OA training and testing, manuals, and quality control.
In these responsibilities, other Officers will assist.
The OAO may appoint subsidiary officers or form offices for each subsidiary policy.
In this case, they should be termed "Organisation Assurance Officer/Office -- subsidiary name", for example OAO-Canada or OAO-Churches.
2.2 Organisation Assurers
This role used to be named Counsellor.
- An OA must be an experienced Assurer:
  - Have 150 assurance points.
  - Be fully trained and tested on all general Assurance processes.
- Must be trained as an Organisation Assurer:
  - Global knowledge: this policy.
  - Global knowledge: a (forthcoming) OA manual covers how to do the process.
  - Local knowledge: legal forms of organisations within the jurisdiction.
  - Basic governance.
  - Training may be done in a variety of ways, such as on-the-job, etc.
- Must be tested:
  - Global test: covers this policy and the process.
  - Local knowledge: Subsidiary Policy to specify.
  - Tests to be created, approved, run and verified by CAcert only (not outsourced).
  - Tests are conducted manually, not online/automatic.
  - Documentation to be retained.
  - Tests may include on-the-job components.
- Must be approved:
  - Two supervising OAs must sign off on a new OA as trained, tested and passed.
  - The OAO must sign off on a new OA as supervised, trained and tested.
2.3 Organisation Administrator
The Administrator within each Organisation ("O-Admin") is the one who handles the assurance requests and the issuing of certificates.
- The O-Admin must be an Assurer:
  - Have 100 assurance points.
  - Be fully trained and tested as an Assurer.
- The Organisation is required to appoint the O-Admin:
  - On the COAP Request Form.
- The O-Admin must work with an assigned OA:
  - Have contact details.
This role used to be known as "Agent".
3. Policies
3.1 Super-Policy
There is one super-policy, being this present document, and several subsidiary policies.
- This super-policy is international, over-arching.
- Subsidiary policies are implementations of the super-policy.
- Organisations are assured under the subsidiary policy.
3.2 Subsidiary Policies
The nature of the Subsidiary Policies ("SubPols"):
- SubPols are under the super-policy and must be compliant with the latter.
- SubPols are intended to check the organisation under the rules of the jurisdiction that creates the organisation. This does not evidence an intention to enter into the local jurisdiction, nor an intention to impose the rules of that jurisdiction over any other organisation. CAcert assurances are conducted under the jurisdiction of CAcert.
- For OAs, the SubPol specifies the tests of local knowledge, including the local organisational forms.
- For assurances, the SubPol specifies the local documentation forms which are acceptable under this SubPol to meet the standard.
3.3 Freedom to Assemble
Subsidiary Policies are open, accessible and free to enter.
- SubPols compete but are compatible.
- No SubPol is a franchise. No man is an island!
- Many will be on State or National lines, reflecting the legal tradition of organisations created ("incorporated") by states.
- However, there is no need for strict national lines; it is possible to have 2 SubPols in one country, or one covering several countries with the same language (e.g., Austria with Germany, England with Wales but not Scotland).
- There could also be SubPols for special organisations, one-person organisations, UN agencies, churches, etc.
- Where it is appropriate to use the SubPol in another situation (another country?), it can be so approved (e.g., the Austrian SubPol might be approved for Germany). The SubPol must record this approval.
3.4 Approval
- This super-policy is approved under Policy on Policy on the [policy] group.
- By default (unless the super-policy creates rules otherwise) the SubPols are also approved on the [policy] group.
- The [policy] group MUST ensure that compliance is achieved within the super-policy, and that compatibility is broadly achieved by each SubPol within the larger group of all SubPols. (This does not refer to any Assurance conducted under these policies.)
- The OAs for each subsidiary area form an initial policy subcommittee to work on and approve the SubPol. Each committee is however open.
4. Process
4.1 Standard of Organisation Assurance
The essential standard of Organisation Assurance is:
- the organisation exists;
- the organisation name is correct and consistent:
  - in the official documents specified in the SubPol;
  - on the COAP form;
  - in the CAcert database;
  - the form or type of legal entity is consistent;
- signing rights: the requestor can sign on behalf of the organisation;
- the organisation is a registered user and therefore subject to Arbitration.
Acceptable documents to meet the above standard are stated in the SubPol.
4.2 COAP
The COAP form documents the checks and the resultant assurance results to meet the standard.
Additional information to be provided on the form:
- CAcert account of the O-Admin (email address?)
- location:
  - country (MUST).
  - city (MUST).
  - state (if required in country).
  - street address (optional).
- administrator account names (1 or more).
- domain names.
- Agreement with the registered user agreement. Statement and initials box for the organisation and also for the OA.
- Date of completion of Assurance. Records should be maintained for 7 years from this date.
The COAP should be in English. Where translations are provided, they should be matched to the English, and an indication provided that the English is the ruling language (due to Arbitration requirements).
4.3 Jurisdiction
Organisation Assurances are carried out by CAcert Inc under its Arbitration jurisdiction. Actions carried out by OAs are under this regime.
- The organisation must be a registered user under the registered user agreement.
- The organisation, the Organisation Assurers, CAcert and other related parties are bound into jurisdiction and dispute resolution.
- The OA is responsible for ensuring that the organisation reads, understands, intends and agrees to the registered user agreement. This OA responsibility should be recorded on the COAP (statement and initials box).
5. Exceptions
- Conflicts of Interest. An OA must not assure an organisation with which there is a close or direct relationship by, e.g., employment, family or financial interests. Other conflicts of interest must be watched closely.
- Trusted Third Parties. TTPs are not generally approved to be part of organisation assurance, but may be approved by subsidiary policies according to local needs.
- Exceptional Organisations (e.g., Vatican, International Space Station, United Nations) can be dealt with as a single-organisation SubPol. The OA creates the checks, documents them, and proposes it to the policy group.
- DBA. Alternative names for organisations (DBA, "doing business as") can be added as long as they are proven independently, e.g., registration as a DBA or holding of a registered trade mark. This means that the Anglo law tradition of unregistered DBAs is not accepted without further proof.