View Issue Details

IDProjectCategoryView StatusLast Update
0001009Main CAcert Websitewebsite contentpublic2013-05-01 01:10
ReporterINOPIAE Assigned ToNEOatNHNG  
PrioritynormalSeverityminorReproducibilityhave not tried
Status closedResolutionfixed 
Product Version2011 Q1 
Fixed in Version2013 Q1 
Summary0001009: Exchange OA policy in the WebDB with the one in SVN (rev p20080401.1)
DescriptionAs the OA Policy in the WebDB is not the current one this needs to be replaced with the one from the SVN
TagsNo tags attached.
Attached Files
OrganisationAssurancePolicy_p20080401.html (11,668 bytes)   
<?xml version="1.0" encoding="utf-8"?>
<html xmlns="">
<title> Organisation Assurance Policy </title>
<style type="text/css">
.comment {
        color : steelblue;


<div class="comment">
<table width="100%">

  Name: OAP <a style="color: steelblue" href="//">COD11</a><br />

  Status: POLICY/DRAFT <a style="color: steelblue" href="//">m20070918.x </a><br />

  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;           <span class="draftadd">DRAFT p20080401.1   </span> <br />
  Editor: Jens Paul <br />
   Licence: <a style="color: steelblue" href="//" title="this document is Copyright &copy; CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP.  More at" > CC-by-sa+DRP </a><br /></td>
<td valign="top" align="right">
  <a href="//"><img src="images/cacert-policy.png" alt="OAP Status - POLICY" height="31" width="88" style="border-style: none;" /></a><br />
  <a href="//"><img src="images/cacert-draft.png" alt="OAP Status - DRAFT" height="31" width="88" style="border-style: none;" /></a>


<h1> Organisation&nbsp;Assurance&nbsp;Policy </h1>

<h2 id="s0">0.   Preliminaries </h2>

This policy describes how Organisation Assurers ("OAs")
conduct Assurances on Organisations.
It fits within the overall web-of-trust
or Assurance process of CAcert.

This policy is not a Controlled document, for purposes of
Configuration Control Specification ("CCS").

<h2 id="s1"> 1. Purpose </h2>

Organisations with assured status can issue certificates
directly with their own domains within.

The purpose and statement of the certificate remains
the same as with ordinary users (natural persons)
and as described in the CPS.

    The organisation named within is identified.
    The organisation has been verified according
    to this policy.
    The organisation is within the jurisdiction
    and can be taken to CAcert Arbitration.

<h2 id="s2"> 2. Roles and Structure </h2> 

<h3 id="s2.1"> 2.1 Assurance Officer </h3> 

The Assurance Officer ("AO")
manages this policy and reports to the CAcert Inc. Committee ("Board").

The AO manages all OAs and is responsible for process,
the CAcert Organisation Assurance Programme ("COAP") form,
OA training and testing, manuals, quality control.
In these responsibilities, other Officers will assist.
The OA is appointed by the Board. 
Where the OA is failing the Board decides.

<h3 id="s2.2"> 2.2 Organisation Assurers </h3> 


<ol type="a"> <li>
    An OA must be an experienced Assurer
    <ol type="i">
      <li>Have 150 assurance points.</li>
      <li>Be fully trained and tested on all general Assurance processes.</li>

    Must be trained as Organisation Assurer.
    <ol type="i">
      <li> Global knowledge:  This policy. </li>
      <li> Global knowledge:  A OA manual covers how to do the process.</li>
      <li> Local knowledge:   legal forms of organisations within jurisdiction.</li>
      <li> Basic governance. </li>
      <li> Training may be done a variety of ways,
           such as on-the-job, etc. </li>

    Must be tested.
    <ol type="i">
      <li> Global test:  Covers this policy and the process. </li>
      <li> Local knowledge:   Subsidiary Policy to specify.</li>
      <li> Tests to be created, approved, run, verified
           by CAcert only (not outsourced). </li>
      <li> Tests are conducted manually, not online/automatic. </li>
      <li> Documentation to be retained. </li>
      <li> Tests may include on-the-job components. </li>

    Must be approved.
    <ol type="i">
      <li> Two supervising OAs must sign-off on new OA,
           as trained, tested and passed.
      <li> AO must sign-off on a new OA,
           as supervised, trained and tested.
	<li>The OA can decide when a CAcert
	(individual) Assurer
	has done several OA Application Advises to appoint this
	person to OA Assurer.


<h3 id="s2.3"> 2.3 Organisation Assurance Advisor ("OAA") </h3>
	<p>In countries/states/provinces where no OA Assurers are
	operating for an OA Application (COAP) the OA
	can be advised by an experienced local CAcert
	(individual) Assurer to take the decision
	to accept the OA Application (COAP) of the organisation.
	The local Assurer must have at least 150 Points,
	should know the language, and know
	the organisation trade office registry culture and quality.

<h3 id="s2.4"> 2.4 Organisation Administrator </h3> 

The Administrator within each Organisation ("O-Admin")
is the one who handles the assurance requests
and the issuing of certificates.

<ol type="a"> <li>
    O-Admin must be Assurer
    <ol type="i">
      <li>Have 100 assurance points.</li>
      <li>Fully trained and tested as Assurer.</li>

    Organisation is required to appoint O-Admin,
    and appoint ones as required.
    <ol type="i">
      <li> On COAP Request Form.</li>

    O-Admin must work with an assigned OA.
    <ol type="i">
      <li> Have contact details.</li>

<h2 id="s3"> 3. Policies </h2> 

<h3 id="s3.1"> 3.1 Policy </h3> 

There is one policy being this present document,
and several subsidiary policies.

<ol type="a">
  <li>  This policy authorises the creation of subsidiary policies. </li>
  <li>  This policy is international. </li>
  <li>  Subsidiary policies are implementations of the policy. </li>
  <li>  Organisations are assured under an appropriate subsidiary policy. </li>

<h3 id="s3.2"> 3.2 Subsidiary Policies </h3>

The nature of the Subsidiary Policies ("SubPols"):

<ol type="a"><li>
    SubPols are purposed to check the organisation
    under the rules of the jurisdiction that creates the
    organisation.  This does not evidence an intention
    by CAcert to
    enter into the local jurisdiction, nor an intention
    to impose the rules of that jurisdiction over any other
    CAcert assurances are conducted under the jurisdiction
    of CAcert.
    For OAs,
    SubPol specifies the <i>tests of local knowledge</i>
    including the local organisation assurance COAP forms.
    For assurances,
    SubPol specifies the <i>local documentation forms</i>
    which are acceptable under this SubPol to meet the
   SubPols are subjected to the normal 
   policy approval process.

<h3 id="s3.3"> 3.3  Freedom to Assemble </h3>

Subsidiary Policies are open, accessible and free to enter. 

<ol type="a"><li>
    SubPols compete but are compatible.
    No SubPol is a franchise.
    Many will be on State or National lines,
    reflecting the legal
    tradition of organisations created
    ("incorporated") by states.
    However, there is no need for strict national lines;
    it is possible to have 2 SubPols in one country, or one
    covering several countries with the same language
    (e.g., Austria with Germany, England with Wales but not Scotland).
    There could also be SubPols for special
    organisations, one person organisations,
    UN agencies, churches, etc.
    Where it is appropriate to use the SubPol
    in another situation (another country?), it
    can be so approved.
    (e.g., Austrian SubPol might be approved for Germany.)
    The SubPol must record this approval.

<h2 id="s4"> 4.  Process </h2>

<h3 id="s4.1"> 4.1  Standard of Organisation Assurance </h3>
The essential standard of Organisation Assurance is:

<ol type="a"><li>
    the organisation exists
    the organisation name is correct and consistent:
    <ol type="i">
      <li>in official documents specified in SubPol.</li>
      <li>on COAP form.</li>
      <li>in CAcert database.</li>
      <li>form or type of legal entity is consistent</li>
    signing rights:
    requestor can sign on behalf of the organisation.
    the organisation has agreed to the terms of the
    CAcert Community Agreement
    and is therefore subject to Arbitration.

    Acceptable documents to meet above standard
    are stated in the SubPol.

<h3 id="s4.2"> 4.2  COAP </h3>
The COAP form documents the checks and the resultant
assurance results to meet the standard.
Additional information to be provided on form:

<ol type="a"><li>
    CAcert account of O-Admin (email address?)
    <ol type="i">
      <li>country (MUST).</li>
      <li>city (MUST).</li>
      <li>additional contact information (as required by SubPol).</li>
    administrator account name(s) (1 or more)
    domain name(s)
    Agreement with
    CAcert Community Agreement.
    Statement and initials box for organisation
    and also for OA.
    Date of completion of Assurance.
    Records should be maintained for 7 years from
    this date.

The COAP should be in English.  Where translations
are provided, they should be matched to the English,
and indication provided that the English is the
ruling language (due to Arbitration requirements).

<h3 id="s4.3"> 4.3 Jurisdiction </h3>

Organisation Assurances are carried out by
CAcert Inc. under its Arbitration jurisdiction.
Actions carried out by OAs are under this regime.

<ol type="a"><li>
    The organisation has agreed to the terms of the
    CAcert Community Agreement.
    The organisation, the Organisation Assurers, CAcert and
    other related parties are bound into CAcert's jurisdiction
    and dispute resolution.
    The OA is responsible for ensuring that the
    organisation reads, understands, intends and
    agrees to the
    CAcert Community Agreement.
    This OA responsibility should be recorded on COAP
    (statement and initials box).

<h2 id="s5"> 5. Exceptions </h2>

<ol type="a"><li>
    <b> Conflicts of Interest.</b>
    An OA must not assure an organisation in which
    there is a close or direct relationship by, e.g.,
    employment, family, financial interests.
    Other conflicts of interest must be disclosed.
    <b> Trusted Third Parties.</b>
    TTPs are not generally approved to be part of
    organisation assurance,
    but may be approved by subsidiary policies according
    to local needs.
    <b>Exceptional Organisations.</b>
    (e.g., Vatican, International Space Station, United Nations)
    can be dealt with as a single-organisation
    The OA creates the checks, documents them,
    and subjects them to to normal policy approval.
    Alternative names for organisations
    (DBA, "doing business as")
    can be added as long as they are proven independently.
    E.g., registration as DBA or holding of registered trade mark.
    This means that the anglo law tradition of unregistered DBAs
    is not accepted without further proof.

Reviewed byNEOatNHNG, BenBE
Test Instructions


related to 0001130 closedUli60 Replace DisputeResolutionPolicy.html with rev p20121213 
related to 0001131 closedNEOatNHNG Rename _all_ Policies from .php to .html and fix all links (was: Rename PolicyOnPolicy.php to .html) 
related to 0000941 needs workUli60 Policy Repository Migration 



2012-12-21 17:46

developer   ~0003542

Policy copy [1] has been prepared to meet ruling of a20120121.1 [2]. This copy should be published into website repository [3] to conform with ruling.





2012-12-21 18:36

updater   ~0003543

updated OAP to reflect state p20080401.1
according to
and arbitration ruling order to update CURRENT revision intermediate ruling 0000002 from 2012-01-29


2013-01-06 22:42

updater   ~0003588

Pushed fix to


2013-01-08 08:18

updater   ~0003601

The Organisation Assurance Policy shows the entry DRAFT p20080401.1 and the logos.

New policy works

Werner Dworak

2013-01-08 10:51

updater   ~0003606

The Organisation Assurance Policy shows the entry DRAFT p20080401.1 and the logos and else shows the same contents as SVN.

Therefore it works.


2013-01-08 21:32

updater   ~0003616

About CAcert - Policies
shows -> OrganisationAssurancePolicy.php
request was to set the policy to .HTML

revision that needs to be replaced has a top 2.2.e
and a top 2.4 missing (easy identification)
includes these 2 topics
=> ok

Policy + Draft symbol works
=> ok


2013-01-08 21:44

updater   ~0003618

tested by 3
needs 2nd review and transfer to production


2013-01-15 22:48

administrator   ~0003667

Changes OK (except for a link to the PolicyOnPolicy.html which really is a .php, but Marcus intends to change that) => ready to deploy


2013-01-17 15:28

developer   ~0003685

The fix has been installed on the production server on January 17, 2013. See also:

Issue History

Date Modified Username Field Change
2012-01-27 15:10 INOPIAE New Issue
2012-12-21 15:15 Uli60 Assigned To => Uli60
2012-12-21 15:15 Uli60 File Added: OrganisationAssurancePolicy.html
2012-12-21 15:38 Uli60 File Deleted: OrganisationAssurancePolicy.html
2012-12-21 17:46 iang Note Added: 0003542
2012-12-21 18:12 Uli60 Relationship added related to 0001130
2012-12-21 18:28 Uli60 Relationship added related to 0001131
2012-12-21 18:33 Uli60 File Added: OrganisationAssurancePolicy_p20080401.html
2012-12-21 18:36 Uli60 Note Added: 0003543
2012-12-21 18:36 Uli60 Status new => fix available
2012-12-21 18:44 Uli60 Assigned To Uli60 => BenBE
2012-12-21 18:56 Uli60 Summary Exchange OA policy in the WebDB with the one in SVN => Exchange OA policy in the WebDB with the one in SVN (rev p20080401.1)
2013-01-06 22:42 INOPIAE Note Added: 0003588
2013-01-06 22:57 BenBE Reviewed by => BenBE
2013-01-06 22:57 BenBE Assigned To BenBE => NEOatNHNG
2013-01-06 22:57 BenBE Status fix available => needs review & testing
2013-01-08 08:18 INOPIAE Note Added: 0003601
2013-01-08 10:51 Werner Dworak Note Added: 0003606
2013-01-08 21:32 Uli60 Note Added: 0003616
2013-01-08 21:44 Uli60 Note Added: 0003618
2013-01-08 21:44 Uli60 Status needs review & testing => needs review
2013-01-10 10:45 Werner Dworak Relationship added related to 0000941
2013-01-15 22:48 NEOatNHNG Reviewed by BenBE => NEOatNHNG, BenBE
2013-01-15 22:48 NEOatNHNG Note Added: 0003667
2013-01-15 22:48 NEOatNHNG Status needs review => ready to deploy
2013-01-15 23:17 BenBE Source_changeset_attached => cacert-devel testserver-stable 74a86422
2013-01-15 23:17 INOPIAE Source_changeset_attached => cacert-devel testserver-stable 7cd56607
2013-01-15 23:17 BenBE Source_changeset_attached => cacert-devel testserver-stable f48ae5d7
2013-01-15 23:17 INOPIAE Source_changeset_attached => cacert-devel testserver-stable 3e09b564
2013-01-15 23:17 INOPIAE Source_changeset_attached => cacert-devel testserver-stable 0d6ffa00
2013-01-15 23:17 BenBE Source_changeset_attached => cacert-devel testserver-stable 5ab7aa49
2013-01-16 04:30 BenBE Source_changeset_attached => cacert-devel release 22073b28
2013-01-17 15:28 wytze Note Added: 0003685
2013-01-17 15:28 wytze Status ready to deploy => solved?
2013-01-17 15:28 wytze Resolution open => fixed
2013-01-17 15:32 Werner Dworak Product Version => 2011 Q1
2013-01-17 15:32 Werner Dworak Fixed in Version => 2013 Q1
2013-05-01 01:10 INOPIAE Status solved? => closed