From: Felix Dörre
Assurance Policy for CAcert Community Members
-
Editor: Teus Hagen
Creation date: 2008-05-30
@@ -38,7 +38,7 @@ Status: POLICY p20090105.2
-See also Organisation Assurance Policy (OAP) -and CAcert Policy Statement (CPS). +See also Organisation Assurance Policy (OAP) +and CAcert Policy Statement (CPS).
The person is a bona fide Member. In other words, the person is a member of the CAcert Community as defined by the CAcert -Community Agreement (CCA);
+Community Agreement (CCA);The Member has a (login) account with CAcert's on-line @@ -135,7 +135,7 @@ the Assurance Points.
The primary goal of the Assurance Statement is for the express purpose of certificates to meet the needs of the Relying Party Statement, which latter is found in the Certification Practice -Statement (CPS). +Statement (CPS).
When a certificate is issued, some of the Assurance Statement may be incorporated, e.g. Name. Other parts may be implied, e.g. @@ -290,7 +290,7 @@ The number of Assurance Points for each Member is not published.
The CAcert Policy Statement -(CPS) +(CPS) and other policies may list other capabilities that rely on Assurance Points.
@@ -600,7 +600,7 @@ Education Team;Updating this Assurance Policy, under the process -established by Policy on Policy (PoP);
+established by Policy on Policy (PoP);Management of all Subsidiary Policies (see below) for @@ -703,7 +703,7 @@ internal purposes.
circumstances:Under Arbitrator ruling, in a duly filed dispute (Dispute Resolution Policy +
Under Arbitrator ruling, in a duly filed dispute (Dispute Resolution Policy => COD7);
CAcert is a Community formed of Members who agree to the - + CAcert Community Agreement. The CA is technically operated by the Community, under the direction of the Board of CAcert Incorporated. @@ -320,7 +320,7 @@ intermediate CAs under the present CPS.
Registration Authorities (RAs) are controlled under Assurance Policy -(COD13). +(COD13).
Member. Membership of the Community is as defined in the -COD9. +COD9. Only Members may RELY or may become Subscribers. Membership is free.
@@ -358,7 +358,7 @@ A senior and experienced Member of the CAcert Community who resolves disputes between Members, including ones of certificate reliance, under Dispute Resolution Policy -(COD7). +(COD7).@@ -381,7 +381,7 @@ are unaware of the ramifications of usage. Their relationship with CAcert is described by the Non-related Persons - Disclaimer and Licence -(COD4). +(COD4). No other rights nor relationship is implied or offered.
@@ -416,8 +416,8 @@ and risks, liabilities and obligations inGeneral | @@ -674,7 +674,7 @@ and will be submitted to vendors via the (Top-level) Root.
---|
- | |||||||||||
Anon | Name | Name+Anon | -|||||||||
Root |
- | | |
+ |
|
|
|
@@ -705,7 +705,7 @@ and will be submitted to vendors via the (Top-level) Root.
||||
SubRoot |
|
- | |
|
|
|
@@ -713,8 +713,8 @@ and will be submitted to vendors via the (Top-level) Root.
|||||
SubRoot |
- | | |
+ |
|
|
|
@@ -722,8 +722,8 @@ and will be submitted to vendors via the (Top-level) Root.
||||
SubRoot |
- | | |
+ |
|
|
|
@@ -731,14 +731,14 @@ and will be submitted to vendors via the (Top-level) Root.
||||
Expiry of Certificates | -|||||||||||
Types | -(Inclusive to the left.) |
- | |||||||||
Named | Anonymous | Named | -|||||||
1 |
@@ -790,21 +790,21 @@ look at the CPS to figure it out.
|||||||||
3 |
- | | |
+ |
|
|
- Assured Members only. Intended for Reliance. |
+ Assured Members only. Intended for Reliance. |
|
Expiry of Certificates | -|||||||||
Types available | -
This document is administered by the policy group of -the CAcert Community under Policy on Policy (COD1). +the CAcert Community under Policy on Policy (COD1).
CPS is controlled and updated according to the Policy on Policy -(COD1) +(COD1) which is part of Configuration-Control Specification (COD2).
@@ -913,7 +913,7 @@ As per above. Member. Everyone who agrees to the CAcert Community Agreement - (COD9). + (COD9). This generally implies having an account registered at CAcert and making use of CAcert's data, programs or services. A Member may be an individual ("natural person") @@ -923,7 +923,7 @@ As per above. Community. The group of Members who agree to the CAcert Community Agreement - (COD9) + (COD9) or equivalent agreements.@@ -938,7 +938,7 @@ As per above. Assured Member. A Member whose identity has been sufficiently verified by Assurers or other - approved methods under Assurance Policy.
+ approved methods under Assurance Policy.Assurer. @@ -949,7 +949,7 @@ As per above. Name. As defined in the Assurance Policy - (COD13), + (COD13), to describe a name of a Member that is verified by the Assurance process.
@@ -972,7 +972,7 @@ As per above. CAcert or the certificates that they may use, and are unaware of the ramifications of usage. They are not permitted to RELY, but may USE, under the - Non-Related Persons - Disclaimer and Licence (COD4). + Non-Related Persons - Disclaimer and Licence (COD4).
Reliance. @@ -1058,7 +1058,7 @@ for the general public.
-Under the Assurance Policy (COD13), +Under the Assurance Policy (COD13), there are means for Members to search, retrieve and verify certain data about themselves and others.
@@ -1196,7 +1196,7 @@ does not go into the certificate.Each Member's Name (CN= field) -is assured under the Assurance Policy (COD13) +is assured under the Assurance Policy (COD13) or subsidiary policies (such as Organisation Assurance Policy). Refer to those documents for meanings and variations.
@@ -1237,7 +1237,7 @@ Uniqueness of Names within certificates is not guaranteed. Each certificate has a unique serial number which maps to a unique account, and thus maps to a unique Member. See the Assurance Statement within Assurance Policy -(COD13). +(COD13).@@ -1249,7 +1249,7 @@ can only be registered to one Member.
Organisation Assurance Policy -(COD11) +(COD11) controls issues such as trademarks where applicable. A trademark can be disputed by filing a dispute. See @@ -1263,6 +1263,7 @@ Certificates containing International Domain Names, being those containing a ACE prefix (RFC3490 Section 5), will only be issued to domains satisfying one or more of the following conditions: +
Email address containing International Domain Names in the domain portion of the email address will also be required to satisfy one of the above conditions.
-The following is a list of accepted TLD Registrars: +The following is a list of accepted TLD Registrars:
Policy (character list) |
This criteria will apply to the email address and server host name fields for all certificate types. @@ -1494,7 +1495,7 @@ The CAcert Inc. Board has the authority to decide to add or remove accepted TLD
Identity verification is controlled by the -Assurance Policy (COD13). +Assurance Policy (COD13). The reader is refered to the Assurance Policy, the following is representative and brief only.
@@ -1524,7 +1525,7 @@ to check the private key dynamically. Agreement. An Internet user becomes a Member by agreeing to the CAcert Community Agreement -(COD9) +(COD9) and registering an account on the online website. During the registration process Members are asked to supply information about themselves: @@ -1546,7 +1547,7 @@ for all service requests such as certificates.Assurance. Each Member is assured according to Assurance Policy -(COD13). +(COD13).
@@ -1617,7 +1618,7 @@ certificates that state their Assured Name(s). Verification of organisations is delegated by the Assurance Policy to the Organisation Assurance Policy -(COD11). +(COD11). The reader is refered to the Organisation Assurance Policy, the following is representative and brief only. @@ -1645,7 +1646,7 @@ stated in the OAP, briefly presented here:The general life-cycle for a new certificate for an Individual Member is: - +
(Some steps are not applicable, such as anonymous certificates.) @@ -1774,6 +1775,7 @@ The Member can claim ownership or authorised control of a domain or email address on the online system. This is a necessary step towards issuing a certificate. There are these controls: +
Members generate their own key-pairs. The CAcert Community Agreement -(COD9) +(COD9) obliges the Member as responsible for security. See CCA2.5, §9.6.
@@ -1894,7 +1896,7 @@ following checks:-Notes. +Notes.
-For an individual client certificate, the following is required. +For an individual client certificate, the following is required.
-For a server certificate, the following is required: +For a server certificate, the following is required:
- | ||||||||
Class of Root | @@ -2616,13 +2618,13 @@ No stipulation.Role | Policy | Comments | |||||
Assurer | -COD13 | +COD13 | Passes Challenge, Assured to 100 points. | |||||
Organisation Assurer | -COD11 | +COD11 | Trained and tested by two supervising OAs. | |||||
Technical | -SM => COD08 | +SM => COD08 | Teams responsible for testing. | |||||
Arbitrator | -COD7 | +COD7 | Experienced Assurers. | @@ -2855,7 +2857,6 @@ Refer to Security Policy 5, 6 (§1.4 for limitations to service.) -
- - + + |
-The document "Non Related Persons - Disclaimer And Licence" was replaced by the Root Distribution Licence, which can be found here. +The document "Non Related Persons - Disclaimer And Licence" was replaced by the Root Distribution Licence, which can be found here. |
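Review bot: the expansion of "CPS" is inconsistent on lines this patch touches in the Assurance Policy. The hunks at @@ -38,7 and @@ -290,7 read "CAcert Policy Statement (CPS)", while the hunk at @@ -135,7 reads "Certification Practice Statement (CPS)". Since these references are being edited anyway, pick one expansion and use it in all three places.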
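Review bot: the CPS hunks at @@ -381,7 and @@ -972,7 still name "Non-related Persons - Disclaimer and Licence (COD4)" on the changed lines, yet the last hunk of this patch says that document "was replaced by the Root Distribution Licence". Suggest updating the document name in both CPS passages in the same change, or stating in the commit message why the old name is kept. The spelling also varies between "Non-related", "Non-Related" and "Non Related" across these hunks and should be made uniform.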
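Review bot: the roles table hunk at @@ -2616,13 writes the Security Manual reference as "SM => COD08" with a leading zero, while every other document identifier visible in this patch is unpadded (COD1, COD7, COD9, COD11, COD13). Suggest "COD8" here so the identifiers can be searched and cross-checked consistently. The same applies to the mixed reference style, with "Policy on Policy (PoP)" at @@ -600,7 against "Policy on Policy (COD1)" in the CPS hunks.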