-1. ToDO and Notes

2010-10-11

/!\ with TTP-Assisted-Assurance Policy in DRAFT, this page has not been approved by AO currently. So its currently only for archival purposes and/or review

TTP Assurance Policy - v0.2 (2008-05-30)

The TTP Assurance Programme allocates 100 points to a Member, using two TTPs with 50 points each. This is a high risk for CAcert's Community and our web-of-trust, so all steps should be verified keenly.

Note that Assurance Policy (POLICY) now limits a single TTP to 50 points, and two TTPs together to 100 points. This policy is now in POLICY, so the limit is now in effect. The older TTP programme allocated 150 points for "full assurer" level which no longer makes sense because of the Assurer Challenge.

§ 0 - Split the Work

The main person that processes all mail and forms is allowed to nominate helping hands to do the form checks § 1 - 3. Helping hands may be picked from § 3a.

The main person has to provide all details from the TTP form to the helping hands. It's possible to send the details by email, use an web interface or just email a scan of the form.

The helping hand report back as soon as possible.

All checks for a form should be processed within 7 days.

§ 1 - Initial Form Check

TTP Forms can be printed in multiple languages and the printed version should exactly match the online version.

It's recommended to pass foreign language forms to helping hands (see § 0) to check if the content is correct.

§ 2 - TTP

Qualifications

(from CPS) There is no specific qualification for TTPs. They are generally selected and approved by the board on the basis of country conditions. Notary Publics and bank managers are generally acceptable, however country conditions vary dramatically.

Identity Check

Every "unknown" TTP has to be "checked". It is not enough to do spot checks.

Unknown TTP means: CAcert has never received a TTP Assurance Form from this TTP before and never done a TTP Identity Check. If the TTP is a company and the company's name and address is not "Unknown" to CAcert and only the name of the signing person is different, then this TTP may be considered as "Known".

A TTP passes a check if it is listed with name, address and telephone number (the phone extension may be different) in at least one of the sources listed in § 2a. The name of the signing person does not need to be listed.

It must be understood that a TTP Assurance has to be rejected if it is not possible for CAcert to check the identity of the TTP.

Process

A pack of information is sent to each TTP. The subjects need to provide a copy of all documents to CAcert, notarised by TTP. CAcert then accepts the subjects as Assurers. As soon as possible, those accepted in this programme are likewise Assured by Assurers from other communities.

§ 2a - Allowed Sources for TTP check

It is not allowed to just call the TTP for the TTP Identity Check (the telephone number might belong to the person faking the TTP. Therefore also a Assurance Verification (§ 3) is not sufficient.

§ 3 - Assurance Verification

At least 30% of the TTP Assurances have to be personally verified.

30% means: Every third TTP Form has to be verified. The only exception is, if a TTP passed a verification before, it may be trusted for further assurances for 1 year, as long as the signing person doesn't change.

"personally verified" means, that the TTP has to be called by a person listed in § 3a. This call has to verify if the TTP did a proper assurance and proper identity checks.

If an Assurance Verification fails because of language problems, CAcert should try to find native speakers to help with the translation before rejecting the TTP.

If the Assurance isn't confirmed by the TTP the TTP Form has to be rejected.

§ 3a - Persons for TTP Assurance Verification

If someone is fully assured he/she can apply (or be asked) to do a TTP Assurance Verification.

§ 4 - TTP in Dense WoT Areas

In areas that already have a well connected Web of Trust of CAcert users, a TTP Assurances should be seperately justified by the person that wants to be assured. Check the TTP Availability information for your country.

If many users are using a service there it is more likely that someone tries to exploit it.

§ 5 Problems


PolicyDrafts/TTPAssurerCheck (last edited 2013-06-13 11:51:46 by MarcusMängel)