© CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009, #2

Welcome!

Agenda
Hi! Thanks for coming. Thanks to Graeme & the Red Lion.

Agenda
➔ CAcert and the Audit
➔ Assurance – Purpose, Essentials
➔ The CAcert Community Agreement
➔ “old” and “new” CAP forms?
➔ Names, transliterations
➔ Foreign Passports
➔ Arbitration
➔ Organisation Assurance
CAcert and the Audit

CAcert and the Audit
To get the CAcert Root into browsers => an Audit is required => which requires:
➔ management policies + practices
➔ review of business & systems (against policies and practices).

CAcert and the Audit
➢ CAcert has two major business areas:
➔ Assurance
➔ Systems

CAcert and the Audit: a. Assurance
The Assurance Policy is now in full POLICY status
➔ It is binding on all Assurers
➔ The process of Assurance can be reviewed.

CAcert and the Audit: a.i Auditor on (ATE) Tour
Assurers shall assure the Auditor == Evidence of Assurance to policy.
Verifies the quality of assurance (Increased quality of assurance?)

CAcert and the Audit: a.ii In the absence of the Auditor
A Senior and Experienced Assurer should stand in his stead and be assured by each Assurer.
(If already assured, then she should instead oversee the assurance of another person.)
Make a statement that: „assurances were conducted to Assurance Policy”
"Secondary evidence" in the audit process

CAcert and the Audit: a.iii The review of assurances
The gathering of evidence is planned to be completed 16th May, Munich.

CAcert and the Audit: b. Systems
Review of the systems was delayed by lack of a secure hosting service.
The systems were moved 1st October, 2008 from Vienna to the secure data center at BIT, a company in Ede, NL.

CAcert and the Audit: b. Systems (cont.)
A new team of systems administrators
Approval of the Security Policy to DRAFT mode
=> Binding on the systems administrators and the Access Engineers
=> now possible to review the systems against the policy.

CAcert and the Audit: b.i On-Site Inspection
1st visit on 4th, 5th, 6th May, 2009
warm-up: personnel, Roots, Access, inventory
probably 1st of 3 visits. Next scheduled mid-June

CAcert and the Audit: b.ii
We still lack the CPS (which is nearly ready)

CAcert and the Audit: b.iii Review of the software
Innsbruck software camp, week of 20th April
Serious difficulties in maintenance, improvement and securing
Cannot form a conclusion over the software
New software development team, new design, new build
Audit Background

Audit Background
The audit criteria: DRC for "David Ross Criteria".
David is a retired quality engineer.
He started CAcert's Audit.
He was called to Grand Jury duty.

Audit Background
DRC has a strong feature: it requires the
➔ Risks,
➔ Liabilities, and
➔ Obligations
to be clearly stated to everyone!

Audit Background
This raised several huge barriers for the CA:
➔ what exactly are the R/L/O?
➔ who do they apply to?
➔ are they reasonable?
➔ and, how do we deal with them?

Audit Background
These barriers are subtle:
➔ DRC doesn't ask them to be fair, but
➔ disclosure of R/L/O makes us consider them, and CAcert people want them to be fair,
which means we have to deal with them!

Audit Background
One big result of this thinking process: we required
➔ a CAcert Community Agreement
● and it had to do the following things:

Audit Background
a. make Members a mutually binding Community.
b. state the R/L/O
c. limit the liabilities
➔ 1000 Euros
➔ *allocate the liabilities* back to the Members

Audit Background
How do we allocate the liabilities?
➔ By making our own „forum of dispute resolution“,
➔ agreeing to be bound to that resolution,
➔ writing a Policy to control that process:
==> Arbitration.

Audit Background
Summary: The original “Why” of Arbitration:
➔ Audit (DRC) forced disclosure of Liabilities
➔ simple fix: limiting
➔ complex fix: allocation
➔ the safe and cheap way to allocate is:
➔ to use our own Arbitration
(Last section discusses „How“.)
Essential Documents

Essential Documents
➔ CAcert Community Agreement (CCA): CAcertCommunityAgreement.php
➔ Assurance Policy (AP): AssurancePolicy.php
➔ Assurance Handbook (AH): AssuranceHandbook2
➔ Non-Related Persons (Disclaimer and Licence) (NRP-DaL): NRPDisclaimerAndLicence.php
➔ Dispute Resolution Policy (DRP): DisputeResolutionPolicy.php

Essential Documents: Thanks, Questions & Answers (Ulrich Schroeter)
The Purpose of an Assurance

The Purpose of an Assurance
What has all this got to do with Assurance?
For many reasons, it is essential that we are all in this together!
Therefore, the Assurance Policy includes: A Wider Purpose!

The Purpose of Assurance
The Policy says: Section 1 - Assurance Purpose
The purpose of Assurance is to add confidence in the Assurance Statement made by the CAcert Community of a Member....

The 5 Fingers Rule...
Section: The Assurance Statement
The Assurance Statement makes the following claims about a person:

The Purpose of an Assurance
1. The person is a bona fide Member. In other words, the person is a member of the CAcert Community as defined by the CAcert Community Agreement (CCA).
2. The Member has a (login) account with CAcert's on-line registration and service system.
3. The Member can be determined from any CAcert certificate issued by the Account.
4. The Member is bound into CAcert's Arbitration as defined by the CAcert Community Agreement.
5. Some personal details of the Member are known to CAcert:
- the individual Name(s),
- primary and other listed individual address(es),
- secondary distinguishing feature (e.g. DoB)

The Purpose of an Assurance
In your Assurance, you are now checking: all 5 points.
The new purpose signals a big shift:
➔ Old classical elements (Name, DoB, ...)
➔ Some more parts: Community, Arbitration
What is the CCA?

What is the CCA?
CCA is an abbreviation and stands for CAcert Community Agreement.

What is the CCA?
Agreement to the CCA means:
➔ We are part of a Community
➔ all are equal (including CAcert Inc.)
➔ we may RELY on certificates

What is the CCA?
CCA specifies R/L/O
➔ Risks: bad cert, bad security
➔ Liabilities: to 1000 euros; also points, events, ... „foreign courts”
➔ Obligations: security, principles, ... and of course, Arbitration!

What is the CCA?
Legal stuff:
➔ Law of NSW, Australia (“english common law”)
➔ “the Arbitration clause”
➔ terminate: by Arbitration
➔ maintain address

How the CCA relates to Assurance
Agreement is created by:
“your signature on a form to request assurance of identity ("CAP" form),”
The new CAP form has this, the old does not.

How the CCA relates to Assurance
Agreement is also created by:
“your request on the website to join the Community and create an account,”
Check that the Member has an account (and confirm the address is correct).

How the CCA relates to Assurance
I agree to the CAcert Community Agreement.
The main difference: Assurer's Statement
Assurer's Statement:
➔ Checked and Verified Assuree
➔ I am a Member of the Community
➔ Passed Assurer Challenge
➔ Have at least 100 Points

Assurer Challenge
Assurer Challenge: How many have passed the Challenge?

What's the Assurer Challenge?
✔ was introduced April 2008
✔ Every Assurer has to pass the Challenge
✗ No Challenge? No longer an Assurer! (as of April 2009)
✔ 80% of 25 multiple-choice questions
✔ CATS: CAcert Assurer Training System
✔ your 1st challenge: you'll need a Client Cert

Thanks, Questions & Answers (Ulrich Schroeter)

CAP form differences
Can Old CAP forms be accepted?

Can Old CAP forms be accepted?
In short: Yes, they can! But...

Can Old CAP forms be accepted?
The important difference between the Old and the New CAP forms is one additional clause in the Applicant's Statement:
✔ I agree to the CAcert Community Agreement

The main difference: 2. Applicant's Statement
Additionally: “I agree to the CAcert Community Agreement”

Can Old CAP forms be accepted?
According to a ruling made recently: Yes, if you add the statement in handwriting!
Name Transliterations

Name Transliterations
General Rule: Reduce information
IdDox ==> CAP Form ==> online system
➔ Never increase information
➔ the full Name from IdDox: either re-copy it, or add notes
➔ Multiple IdDox ==> write different names

Name Transliterations
Specific Rules: Transliteration
✔ Umlaut to ASCII is possible
✗ ASCII to Umlaut is forbidden
➔ Allow only what is in the document
➔ Add differences by note

Name Transliterations: Step 1
„Ö” to „OE” is OK, but better is...

Name Transliterations: Step 1
“Ö” to “OE” and missing 2nd given name. But better is...

Name Transliterations: Step 1
Assurer note: Added as Read. Added 2nd given name.

Name Transliterations: Step 2
Remember the rules:
1. is possible
2. is possible
3. finishing assurance is possible

Name Transliterations
We have 3 objects with 2 „transfer“ tasks:
Document => CAP form => Account
(task 1: at the Meeting; task 2: online)

Name Transliterations
We have 3 objects with 2 „transfer“ tasks: Document => CAP form => Account
  Document   CAP form   Account    Result
  “Ö”        “Ö”        “Ö”        OK
  “Ö”        “Ö”        “OE”       OK
  “Ö”        “OE”       “Ö”        forbidden
  “OE”       “Ö”        …          forbidden

Name Transliterations
Forbidden … means you cannot finish the Assurance.
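The transfer rule above (Document => CAP form => Account: reduce information, never increase it) as an added worked example; this is not code from the slides or from CAcert's own systems. It assumes a small constructed transliteration table, whitespace-separated name parts that keep their order, and treats a dropped name part (the "missing 2nd given name" case) as a reduction that is allowed but needs an Assurer note. It generalises the four rows of the table to whole names rather than single letters.

```python
"""Name transfer checker for the chain Document => CAP form => Account.

Added example for the CAcert transliteration rule; not code from the
training slides or from CAcert's systems. Assumed model: each transfer
step may copy a name part unchanged or transliterate it to ASCII
(Ö -> OE); dropping a name part is allowed but needs an Assurer note;
anything else adds information and is forbidden.
"""
from typing import List, Tuple

# Permitted direction only: non-ASCII letter -> ASCII replacement.
# Table constructed for this example; extend as needed.
TRANSLIT = {
    "ä": "ae", "ö": "oe", "ü": "ue", "ß": "ss",
    "Ä": "AE", "Ö": "OE", "Ü": "UE",
    "é": "e", "è": "e", "ê": "e", "á": "a", "à": "a", "â": "a",
    "ç": "c", "ñ": "n", "ø": "o", "Ø": "O", "å": "aa", "Å": "AA",
}


def transliterate(text: str) -> str:
    """ASCII form of text: "Jörg" -> "Joerg", "MÜLLER" -> "MUELLER".

    An upper-case letter followed by a lower-case one becomes "Oe" rather
    than "OE", so "Östermann" -> "Oestermann".
    """
    out = []
    for i, ch in enumerate(text):
        rep = TRANSLIT.get(ch)
        if rep is None:
            out.append(ch)
            continue
        nxt = text[i + 1] if i + 1 < len(text) else ""
        if ch.isupper() and not nxt.isupper():
            rep = rep.capitalize()
        out.append(rep)
    return "".join(out)


def part_allowed(src: str, dst: str) -> bool:
    """One name part may be copied or transliterated, never the reverse."""
    return dst == src or dst == transliterate(src)


def check_transfer(src: str, dst: str) -> Tuple[bool, str]:
    """Check one transfer step. Name parts are whitespace-separated and
    must keep their order. Returns (allowed, reason)."""
    src_parts, dst_parts = src.split(), dst.split()
    j = 0
    for part in dst_parts:
        # Advance through the source until a part can produce this one.
        while j < len(src_parts) and not part_allowed(src_parts[j], part):
            j += 1
        if j == len(src_parts):
            return False, f"'{part}' not derivable from '{src}': information added"
        j += 1
    if len(dst_parts) < len(src_parts):
        return True, "name part(s) dropped: add an Assurer note"
    return True, "ok"


def check_chain(document: str, cap_form: str, account: str) -> Tuple[bool, List[str]]:
    """Apply the rule to both transfer tasks. A forbidden step means the
    Assurance cannot be finished with these names."""
    messages = []
    for label, src, dst in (("task 1 Document => CAP form", document, cap_form),
                            ("task 2 CAP form => Account", cap_form, account)):
        ok, reason = check_transfer(src, dst)
        messages.append(f"{label}: {'OK' if ok else 'forbidden'} ({reason})")
        if not ok:
            return False, messages
    return True, messages


if __name__ == "__main__":
    # Constructed sample names covering the rows of the slide table.
    for doc, cap, acct in [
        ("Jörg Müller", "Jörg Müller", "Jörg Müller"),          # Ö -> Ö -> Ö    OK
        ("Jörg Müller", "Jörg Müller", "Joerg Mueller"),        # Ö -> Ö -> OE   OK
        ("Jörg Müller", "Joerg Mueller", "Jörg Müller"),        # Ö -> OE -> Ö   forbidden
        ("Joerg Mueller", "Jörg Müller", "Joerg Mueller"),      # OE -> Ö -> ... forbidden
        ("Jörg Peter Müller", "Jörg Müller", "Joerg Mueller"),  # dropped given name: note
    ]:
        ok, msgs = check_chain(doc, cap, acct)
        print("OK " if ok else "NO ", doc, "=>", cap, "=>", acct)
        for m in msgs:
            print("     ", m)
```

The checker only ever compares the target against the source or the source's ASCII form, so the reverse transliteration (OE to Ö) can never pass, which is exactly the "never increase information" rule; a dropped part passes but is reported so the Assurer remembers to write the note.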
Name Transliterations: Thanks, Questions & Answers (Ulrich Schroeter)

Names in the Practice

Names & Practice
Simple Rule: Have a look into the „Policy on Names” (PolicyOnNames). It includes many examples.
If You Set Eyes On Foreign Passports?

Foreign Passports
Check documents on the Web. Get info about their security features:
1. before the face-to-face meeting
2. after the face-to-face meeting

Foreign Passports: Before Or After The Meeting
➔ PRADO: European Passports and ID cards (searchByIssuingCountry.html)
➔ Also: wikipedia
➔ Also: wiki.cacert.org/wiki/AcceptableDocuments

Foreign Passports: At The Meeting
Check security features with UV-light (if possible).
At big events, UV-lights are often available.

Foreign Passports: At The Meeting
UV-lights: Desk-Lights about Euro; UV-Money-Tester... about 4 Euro (!!!)

Foreign Passports: At The Meeting
For example: if it's the first time you see a foreign document, award half of your max. points if it looks good (has recognisable security features). If it does not look good, only award points after some research.

Foreign Passports: At The Meeting
In some doubt, award fewer points. If you have zero confidence: issue zero points.
You may reduce points later on, if the documents seem more doubtful.

Foreign Passports: At The Meeting
Check The Date: 1980/01/ /01/
Not once, not twice, but three times!!!
Where does the passport come from? US-English has different date formats?

Foreign Passports: After The Meeting
You always have the option of „Deferring the Decision”. What does this mean?

Foreign Passports: After The Meeting
Answer: Maybe the ID documents are weak. The Assurer reconsiders the amount of points. Usually you should notify the Member of this by .

Foreign Passports: Non-European Documents
Check security features. Documents with fewer security features exist:
➔ Italian identity cards
➔ old driver's licences: German, Austrian, NL

Foreign Passports: Non-European Documents
If no UV-Money-Tester ==> prefer two documents.
If one is OK, and one is weak ==> give fewer points.
Fundamentally: your judgement.

Foreign Passports: Non-European Documents
Unfamiliar documents: ask other Assurers (who are familiar with them).
But remember: your judgement on the Assurance.

New German ID card starting
Organisation Assurance

Organisations
➔ Have to be able to agree to the CCA
➔ Have to be identifiable
➔ Become CAcert Members
➔ Represented by an Organisation Admin

Organisation Admin
➔ Assurer
➔ Authorised by the Organisation
➔ May act on behalf of the Organisation

Requirements
➔ Organisation is listed in an official Register
➔ The signer of the COAP can bind the Organisation
➔ Domains are controlled by the Organisation

Procedure
➔ Request through
➔ Contact by Organisation Assurer

Philipp Dunkel: Assurer, Organisation Assurer, Arbitrator, Member of CAcert Board
Arbitration

Agreement to CCA...
➔ You agree to CAcert Arbitration
➔ We resolve disputes internally

Agreement to CCA...
➔ Instead of using local courts, finding ourselves in foreign courts
➔ CAcert and certs are international
➔ One system: Protection + equality

What does it do?
➔ Limits and Allocates Liability
➔ Handles Exceptions
➔ Clarifies Policies
➔ Resolves Disputes

What has it done?
➔ administration: changing names
➔ contradictions: official CAP form?
➔ dual control: run special SQL script!

Importance!
➔ certs are for important claims
➔ claims must go wrong (one day!)
➔ solve real problems in Arbitration (one day!)

Who?
➔ Senior & Experienced Assurers
➔ Dispute Resolution Officer
➔ Approved by CAcert Board
➔ approx. 10 on the list

How?
➔ to file a dispute, mail to
➔ allocated to an Arbitrator
➔ follows the Dispute Resolution Policy

How?
The english common law approach:
i. collects evidence
ii. applies the Policies (and the Law)
iii. delivers a Ruling
The Ruling is binding on all.

Legal Basis
➔ Dispute Resolution Policy
➔ Arbitration Act (International Arbitration Act 1974)
➔ CCA: all members agree to Arbitration
➔ NRP: have no rights of reliance!

Experience...
➔ Around 20 Arbitrations running at any one time
➔ 80% for administrative purposes (Names)
➔ important decisions: terminations, dual control