+++ /dev/null
-<?xml version="1.0" encoding="utf-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
- "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-<title> Organisation Assurance Policy </title>
-<style type="text/css">
-<!--
-.comment {
- color : steelblue;
-}
--->
-</style>
-
-</head>
-<body>
-
-<div class="comment">
-<table width="100%">
-
-<tr>
-<td>
- Name: OAP <a style="color: steelblue" href="//svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD11</a><br />
-
- Status: POLICY/DRAFT <a style="color: steelblue" href="//wiki.cacert.org/wiki/TopMinutes-20070917">m20070918.x </a><br />
-
- <span class="draftadd">DRAFT p20080401.1 </span> <br />
- Editor: Jens Paul <br />
- Licence: <a style="color: steelblue" href="//wiki.cacert.org/Policy#Licence" title="this document is Copyright © CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy" > CC-by-sa+DRP </a><br /></td>
-<td valign="top" align="right">
- <a href="//www.cacert.org/policy/PolicyOnPolicy.html"><img src="/images/cacert-policy.png" alt="OAP Status - POLICY" height="31" width="88" style="border-style: none;" /></a><br />
- <a href="//www.cacert.org/policy/PolicyOnPolicy.html"><img src="/images/cacert-draft.png" alt="OAP Status - DRAFT" height="31" width="88" style="border-style: none;" /></a>
-
-</td>
-</tr>
-</table>
-</div>
-
-
-<h1> Organisation Assurance Policy </h1>
-
-<h2 id="s0">0. Preliminaries </h2>
-
-<p>
-This policy describes how Organisation Assurers ("OAs")
-conduct Assurances on Organisations.
-It fits within the overall web-of-trust
-or Assurance process of CAcert.
-</p>
-
-<p>
-This policy is not a Controlled document, for purposes of
-Configuration Control Specification ("CCS").
-</p>
-
-<h2 id="s1"> 1. Purpose </h2>
-
-<p>
-Organisations with assured status can issue certificates
-directly with their own domains within.
-</p>
-
-<p>
-The purpose and statement of the certificate remains
-the same as with ordinary users (natural persons)
-and as described in the CPS.
-</p>
-
-<ul><li>
- The organisation named within is identified.
- </li><li>
- The organisation has been verified according
- to this policy.
- </li><li>
- The organisation is within the jurisdiction
- and can be taken to CAcert Arbitration.
-</li></ul>
-
-
-<h2 id="s2"> 2. Roles and Structure </h2>
-
-<h3 id="s2.1"> 2.1 Assurance Officer </h3>
-
-<p>
-The Assurance Officer ("AO")
-manages this policy and reports to the CAcert Inc. Committee ("Board").
-</p>
-
-<p>
-The AO manages all OAs and is responsible for process,
-the CAcert Organisation Assurance Programme ("COAP") form,
-OA training and testing, manuals, quality control.
-In these responsibilities, other Officers will assist.
-</p>
-<p>
-The OA is appointed by the Board.
-Where the OA is failing the Board decides.
-</p>
-
-<h3 id="s2.2"> 2.2 Organisation Assurers </h3>
-
-<p>
-</p>
-
-<ol type="a"> <li>
- An OA must be an experienced Assurer
- <ol type="i">
- <li>Have 150 assurance points.</li>
- <li>Be fully trained and tested on all general Assurance processes.</li>
- </ol>
-
- </li><li>
- Must be trained as Organisation Assurer.
- <ol type="i">
- <li> Global knowledge: This policy. </li>
- <li> Global knowledge: A OA manual covers how to do the process.</li>
- <li> Local knowledge: legal forms of organisations within jurisdiction.</li>
- <li> Basic governance. </li>
- <li> Training may be done a variety of ways,
- such as on-the-job, etc. </li>
- </ol>
-
- </li><li>
- Must be tested.
- <ol type="i">
- <li> Global test: Covers this policy and the process. </li>
- <li> Local knowledge: Subsidiary Policy to specify.</li>
- <li> Tests to be created, approved, run, verified
- by CAcert only (not outsourced). </li>
- <li> Tests are conducted manually, not online/automatic. </li>
- <li> Documentation to be retained. </li>
- <li> Tests may include on-the-job components. </li>
- </ol>
-
- </li><li>
- Must be approved.
- <ol type="i">
- <li> Two supervising OAs must sign-off on new OA,
- as trained, tested and passed.
- </li>
- <li> AO must sign-off on a new OA,
- as supervised, trained and tested.
- </li>
- </ol>
- </li>
- <li>The OA can decide when a CAcert
- (individual) Assurer
- has done several OA Application Advises to appoint this
- person to OA Assurer.
- </li>
-
-</ol>
-
-<h3 id="s2.3"> 2.3 Organisation Assurance Advisor ("OAA") </h3>
- <p>In countries/states/provinces where no OA Assurers are
- operating for an OA Application (COAP) the OA
- can be advised by an experienced local CAcert
- (individual) Assurer to take the decision
- to accept the OA Application (COAP) of the organisation.
- </p>
- <p>
- The local Assurer must have at least 150 Points,
- should know the language, and know
- the organisation trade office registry culture and quality.
- </p>
-
-
-<h3 id="s2.4"> 2.4 Organisation Administrator </h3>
-
-<p>
-The Administrator within each Organisation ("O-Admin")
-is the one who handles the assurance requests
-and the issuing of certificates.
-</p>
-
-<ol type="a"> <li>
- O-Admin must be Assurer
- <ol type="i">
- <li>Have 100 assurance points.</li>
- <li>Fully trained and tested as Assurer.</li>
- </ol>
-
- </li><li>
- Organisation is required to appoint O-Admin,
- and appoint ones as required.
- <ol type="i">
- <li> On COAP Request Form.</li>
- </ol>
-
- </li><li>
- O-Admin must work with an assigned OA.
- <ol type="i">
- <li> Have contact details.</li>
- </ol>
- </li>
-</ol>
-
-
-<h2 id="s3"> 3. Policies </h2>
-
-<h3 id="s3.1"> 3.1 Policy </h3>
-
-<p>
-There is one policy being this present document,
-and several subsidiary policies.
-</p>
-
-<ol type="a">
- <li> This policy authorises the creation of subsidiary policies. </li>
- <li> This policy is international. </li>
- <li> Subsidiary policies are implementations of the policy. </li>
- <li> Organisations are assured under an appropriate subsidiary policy. </li>
-</ol>
-
-<h3 id="s3.2"> 3.2 Subsidiary Policies </h3>
-
-<p>
-The nature of the Subsidiary Policies ("SubPols"):
-</p>
-
-<ol type="a"><li>
- SubPols are purposed to check the organisation
- under the rules of the jurisdiction that creates the
- organisation. This does not evidence an intention
- by CAcert to
- enter into the local jurisdiction, nor an intention
- to impose the rules of that jurisdiction over any other
- organisation.
- CAcert assurances are conducted under the jurisdiction
- of CAcert.
- </li><li>
- For OAs,
- SubPol specifies the <i>tests of local knowledge</i>
- including the local organisation assurance COAP forms.
- </li><li>
- For assurances,
- SubPol specifies the <i>local documentation forms</i>
- which are acceptable under this SubPol to meet the
- standard.
- </li><li>
- SubPols are subjected to the normal
- policy approval process.
-</li></ol>
-
-<h3 id="s3.3"> 3.3 Freedom to Assemble </h3>
-
-<p>
-Subsidiary Policies are open, accessible and free to enter.
-</p>
-
-<ol type="a"><li>
- SubPols compete but are compatible.
- </li><li>
- No SubPol is a franchise.
- </li><li>
- Many will be on State or National lines,
- reflecting the legal
- tradition of organisations created
- ("incorporated") by states.
- </li><li>
- However, there is no need for strict national lines;
- it is possible to have 2 SubPols in one country, or one
- covering several countries with the same language
- (e.g., Austria with Germany, England with Wales but not Scotland).
- </li><li>
- There could also be SubPols for special
- organisations, one person organisations,
- UN agencies, churches, etc.
- </li><li>
- Where it is appropriate to use the SubPol
- in another situation (another country?), it
- can be so approved.
- (e.g., Austrian SubPol might be approved for Germany.)
- The SubPol must record this approval.
-</li></ol>
-
-
-<h2 id="s4"> 4. Process </h2>
-
-<h3 id="s4.1"> 4.1 Standard of Organisation Assurance </h3>
-<p>
-The essential standard of Organisation Assurance is:
-</p>
-
-<ol type="a"><li>
- the organisation exists
- </li><li>
- the organisation name is correct and consistent:
- <ol type="i">
- <li>in official documents specified in SubPol.</li>
- <li>on COAP form.</li>
- <li>in CAcert database.</li>
- <li>form or type of legal entity is consistent</li>
- </ol>
- </li><li>
- signing rights:
- requestor can sign on behalf of the organisation.
- </li><li>
- the organisation has agreed to the terms of the
- CAcert Community Agreement
- and is therefore subject to Arbitration.
-</li></ol>
-
-<p>
- Acceptable documents to meet above standard
- are stated in the SubPol.
-</p>
-
-<h3 id="s4.2"> 4.2 COAP </h3>
-<p>
-The COAP form documents the checks and the resultant
-assurance results to meet the standard.
-Additional information to be provided on form:
-</p>
-
-<ol type="a"><li>
- CAcert account of O-Admin (email address?)
- </li><li>
- location:
- <ol type="i">
- <li>country (MUST).</li>
- <li>city (MUST).</li>
- <li>additional contact information (as required by SubPol).</li>
- </ol>
- </li><li>
- administrator account name(s) (1 or more)
- </li><li>
- domain name(s)
- </li><li>
- Agreement with
- CAcert Community Agreement.
- Statement and initials box for organisation
- and also for OA.
- </li><li>
- Date of completion of Assurance.
- Records should be maintained for 7 years from
- this date.
-</li></ol>
-
-<p>
-The COAP should be in English. Where translations
-are provided, they should be matched to the English,
-and indication provided that the English is the
-ruling language (due to Arbitration requirements).
-</p>
-
-<h3 id="s4.3"> 4.3 Jurisdiction </h3>
-
-<p>
-Organisation Assurances are carried out by
-CAcert Inc. under its Arbitration jurisdiction.
-Actions carried out by OAs are under this regime.
-</p>
-
-<ol type="a"><li>
- The organisation has agreed to the terms of the
- CAcert Community Agreement.
- </li><li>
- The organisation, the Organisation Assurers, CAcert and
- other related parties are bound into CAcert's jurisdiction
- and dispute resolution.
- </li><li>
- The OA is responsible for ensuring that the
- organisation reads, understands, intends and
- agrees to the
- CAcert Community Agreement.
- This OA responsibility should be recorded on COAP
- (statement and initials box).
-</li></ol>
-
-<h2 id="s5"> 5. Exceptions </h2>
-
-
-<ol type="a"><li>
- <b> Conflicts of Interest.</b>
- An OA must not assure an organisation in which
- there is a close or direct relationship by, e.g.,
- employment, family, financial interests.
- Other conflicts of interest must be disclosed.
- </li><li>
- <b> Trusted Third Parties.</b>
- TTPs are not generally approved to be part of
- organisation assurance,
- but may be approved by subsidiary policies according
- to local needs.
- </li><li>
- <b>Exceptional Organisations.</b>
- (e.g., Vatican, International Space Station, United Nations)
- can be dealt with as a single-organisation
- SubPol.
- The OA creates the checks, documents them,
- and subjects them to to normal policy approval.
- </li><li>
- <b>DBA.</b>
- Alternative names for organisations
- (DBA, "doing business as")
- can be added as long as they are proven independently.
- E.g., registration as DBA or holding of registered trade mark.
- This means that the anglo law tradition of unregistered DBAs
- is not accepted without further proof.
- </li></ol>
-</body>
-</html>
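Review bot: The file is deleted outright, but its header (the "Name: OAP ... COD11" and "Status: POLICY/DRAFT ... p20080401.1" lines) links it to the COD11 entry in ControlledDocumentList.html, and nothing visible in the patch says where the policy now lives or what supersedes it. Please state the new location or the superseding decision in the commit message, and update the COD11 entry in the same change so it does not point at a removed document. Section 3.1 item a ("This policy authorises the creation of subsidiary policies") is also the stated basis for every SubPol, so confirm that the replacement text keeps that authorisation before this copy goes away.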