##language:de
#pragma section-numbers off
## * Changes
## * 2005 Philipp Gühring (original author)
## * 2005 Eric Grehm (translation into English)
## * 2005 Peter Palfrader (editing, layout, language fixes)
## * 2007 Bernhard Fröhlich (extensive revision)
## * 2010 Ulrich Schroeter, PoJAM addons, Practice Documents clarification
## contributions made are under [http://www.cacert.org/policy/CAcertCommunityAgreement.php CCA]
## * 2011 Ulrich Schroeter, Restructure for inclusions, adding Names, Signatures, Dates from ATE presentations
## * 2011 Ulrich Schroeter, Added AssuranceHandbook2#Questions_Answered 3 rules from a20110418.1
## * 2012 Ulrich Schroeter, added CAcert Assurance vs. Pure Id Document Check, Id Doc Photocopy
## * 2013 Etienne Ruedin, twice "ATE" linked to "ATE" (to explain the abbreviation)
## * 2014 Eva Stöwe, as Arbitrator of a20140624.1, added ruling about assuring multiple accounts of same person
## * 2016 Translation of the English version of 2016-07-12 into German
##
##

= CAcert.org Assurer Handbook (incl. PracticeOnNames) =

Since translations generally cannot be made one-to-one, this document can only be as close an approximation of the original as possible. The original handbook (currently in English) is always authoritative. Furthermore, the English language does not distinguish between "Du" and "Sie". This translation therefore uses "Du" throughout, on the assumption that the more personal form of address is appropriate in a community of trust (Web of Trust).
To make the text easier to read, references to persons sometimes use the masculine form and sometimes the feminine form. The other form is always implied.

== Meta Comments ==

||The [[http://www.cacert.org/policy/AssurancePolicy.php|Assurance Policy]] (English) has the status '''POLICY''' and is therefore in effect! [[PolicyDecisions|p20090105.2]] (English)||

 * This is the training handbook for Assurance, approved under the [[http://www.cacert.org/policy/AssurancePolicy.php|Assurance Policy]] (English).
 * It is a working document for us Assurers. It will probably need constant updating!
 * Please correct and complete it so that it becomes useful for new Assurers as soon as possible.
 * Ted has already done a huge amount of work here to gather all this information.
 * The new Assurer team of Ulrich, Joost, Ian, Dirk, Ted and Sebastian
   * is testing it for practical suitability and
   * wants to turn it into a living document.
 * You can help: add comments in ''italics'' where changes are needed.
 * Please note: Organisation Assurance (OA) has its own handbook.

----

== Introduction ==

This handbook is intended for prospective and new Assurers. It gives a first orientation on what to do and what you should know when acting as a CAcert Assurer. It is also meant as a starting point for a deeper understanding of specific topics.

=== Related Documents ===

 * The documentation on Assurance is split between the [[http://www.cacert.org/policy/AssurancePolicy.php|Assurance Policy (AP)]] (English) and this [[AssuranceHandbook2/DE|Assurer Handbook (AH)]].
 * The [[AssuranceHandbook2/DE|Assurer Handbook]] has further practice-oriented sub-documents and supplementary documents that explain the AP in more detail. Should this handbook or one of the practice documents contradict the AP, the AP takes precedence.
   The practice documents are also important for dispute resolution (Arbitration).
   * [[PracticeOnNames|Practice On Names]] (PoN) (now part of this AH)
   * [[Assurance/PracticeOnIdChecking|Practice on ID Checking]] (PoIDC)
 * Supplementary documents to the [[http://www.cacert.org/policy/AssurancePolicy.php|Assurance Policy (AP)]]
   * Policy on Junior Assurers / Members [[https://svn.cacert.org/CAcert/Policies/PolicyOnJuniorAssurersMembers.html|PoJAM (DRAFT)]]
   * TTP-Assisted-Assurance [[https://svn.cacert.org/CAcert/Policies/TTPAssistedAssurancePolicy.html|TTP-Assisted-Assurance (DRAFT)]]

=== Higher-Level Documents ===

Although this document is intended to be your "Assurer's bible", there are nevertheless some other important documents. In particular:

 * The [[http://www.cacert.org/policy/AssurancePolicy.php|Assurance Policy]] (English) '''(POLICY)''' is the authoritative document that defines the Assurance system. Its aim is for an Assurance to be carried out as required for certification under the CPS (see below). It approves this handbook as valid, current practice.
 * The [[http://www.cacert.org/policy/CertificationPracticeStatement.php#p3|Certification Practice Statement]] (CPS, English) '''(DRAFT; binding on the Community)''' in turn is the authoritative document on how a certificate is to be issued. The section [[http://www.cacert.org/policy/CertificationPracticeStatement.php#p3.2|3.2.2. Authentication of Individual Identity]] links to the Assurance Policy (see above) to show what Members can rely on when they use a certificate.
 * The [[http://www.cacert.org/policy/OrganisationAssurancePolicy.php|Organisation Assurance Policy]] (English) '''(POLICY)''' governs the Assurance of organisations.
 * Every Member of CAcert (and thus every Assurer) is bound by the [[http://www.cacert.org/policy/CAcertCommunityAgreement.php|CAcertCommunityAgreement]] (English) '''(POLICY)'''.
==== Some Remarks on Policy Documents (POLICIES) ====

This handbook is not a policy document (POLICY) but a guide for practical work. In case of contradictions the POLICIES always take precedence, so this handbook should conform to those documents. If you find contradictions, please report them on the CAcert policy list [ cacert-policy@lists.cacert.org ]. Other policies and documents of CAcert can be found at [[Policy/Tasks| official documents ]] (English). Working with and developing policy documents is defined in the [[https://www.cacert.org/policy/PolicyOnPolicy.php|Policy on Policy]] (English) and is conducted on CAcert's public list [ cacert-policy@lists.cacert.org ]; any Member can join the list and take part.

While documents are still being worked on, they have the status "work in progress" (WIP). When they are finished, they receive the status "draft" (DRAFT) and are then already binding on the Community, but still have to be approved by CAcert Inc. Once approved, they receive the status POLICY and are officially published on the secured and monitored website https://www.cacert.org/policy.

All policy documents affect Assurance, even where this is not explicitly mentioned. For example, the [[http://www.cacert.org/index.php?id=10|Privacy Policy]] (English) also has a bearing on the process.

=== Your Obligations as an Assurer ===

 * You must carry out Assurances as the policy documents require, in particular the [[http://www.cacert.org/policy/AssurancePolicy.php|Assurance Policy (POLICY) (English)]].
 * You must take care yourself to keep up with changes to the policy documents.
   Some simple ways to stay informed about changes are:
   * Subscribe to the mailing list [[https://lists.cacert.org/wws/subscribe/cacert|cacert@lists.cacert.org]] (it has a comparatively low mail volume).
   * Visit the CAcert [[https://blog.cacert.org/|Blog]] now and then, or subscribe to the RSS feed.
   * Take the Assurance Challenge in [[https://cats.cacert.org|CATS (CAcert Automated Training System)]] at least once every year.

=== Your Risks and Liabilities ===

When you join CAcert, you accept the [[https://www.cacert.org/policy/CAcertCommunityAgreement.php|CAcert Community Agreement (CCA) (English)]]. It governs the risks and liabilities of CAcert Members. You should be familiar with this document so that you understand the risks and your own liability and can inform any prospective Member about them.

There is good news and bad news: the CCA limits your financial liability to 1,000 EUR (one thousand euros). Furthermore, every Member accepts [[AssuranceHandbook2#Arbitration|CAcert's Arbitration]]. This is our system for resolving conflicts among ourselves within the Community, instead of referring Members to courts that may be in distant countries and thus require expensive lawyers and/or have a jurisdiction that cannot fully assess what certificates are about.

The liability limit is balanced within the Community, since it applies to you just as it does to anyone else who has a dispute with you; it is thus both a maximum of protection for you and an upper bound on your liability. You should therefore always proceed carefully when you assure someone, because up to this limit you can '''be held liable by a CAcert Arbitrator'''!
== The Assurance Process (Performing an Assurance) ==

The Assurance process is a crucial part of the CAcert project. As long as Assurances are performed reliably, Members can fully rely on CAcert's certificates. If, however, Assurances are done superficially, this reliability is lost and the project will fail. So it all depends on '''you'''!

The procedure described below is a suggestion. You may change the procedure, but then you must make sure that your procedure meets the requirements of the [[http://www.cacert.org/policy/AssurancePolicy.php|Assurance Policy (POLICY) (English)]] ''!!''

=== Make Yourself Known as a CAcert Assurer ===

Probably the easiest way is to enter a location in your profile and allow your entry to be shown in the users list. Finding other ways, such as informing your friends and acquaintances, is up to you.

Assurance within the ''Web of Trust'' is not a one-way street, so you should share a minimum of information such as your email address and your name, for example on a business card. See also [[#MutualAssurance|Mutual Assurance]].

=== Recommended Preparation for an Assurance ===

Let us assume someone has contacted you and asks you to assure her/his identity for CAcert. (There are other ways to perform a correct Assurance, but the following is a good first variant.)

==== Print a Pre-filled CAP Form ====

First of all you should check whether the applicant already has an account with CAcert. To do so, go to https://secure.cacert.org/wot.php?id=5 and enter the email address the applicant gave you. If the address was correct, you are shown an interactive assurance form.
'''Do not change anything in the form at this point!!''' Only use one of the links in the footer to open a pre-filled CAP form as a PDF document and print it. If the email address is not found in the system, ask the applicant for the primary address of the account.

 . The current CAP form is available at [[https://www.cacert.org/cap.php]] (English).
 . Another form can be found at [[https://www.cacert.org/capnew.php]] (English); it contains several lines for different name variations on different documents.
 . The easiest way to get a CAP form in German is to log in to CAcert and click the corresponding link there.

{{{#!wiki red/solid
At the Assurance, the first question to the applicant should be: <<BR>>
 . Do you have an account at www.cacert.org? <<BR>>
Please note the answer, preferably somewhere on the form, e.g. <<BR>>
 . [+] Account exists
 . [-] Account does not exist (see 'Pending account creation' below) <<BR>>
If the answer is 'YES', <<BR>>
ask whether the given email address is the applicant's primary email address. <<BR>>
If the answer is 'NO', <<BR>>
proceed as described in the chapter Assuring Non-Members here.
}}}

==== Assuring Non-Members ====

If the applicant has not yet created an account, you will not find her in our database. In this case, where the applicant is not yet a Member, you should ask her to create an account and become a Member before you assure her.

Under certain circumstances, such as a mass Assurance at CeBIT or a chance meeting, it can make sense to perform the Assurance before the applicant is a Member. Nevertheless, this should be avoided where possible, because there are some security and legal risks when the person is assured first and the account is created only later. For instance, the applicant has not had enough time to read the [[http://www.cacert.org/policy/CAcertCommunityAgreement.php|CAcertCommunityAgreement]] (English), which she can do more easily on screen or later. (Remember to have some copies of the [[https://svn.cacert.org/CAcert/Events/Public/CCA-Translations/CAcert_CCA_DE.pdf | CAcert_CCA_DE]] at events to hand out.) In any case you should be able to give the applicant a short overview of the two most important points in the CCA:

 * that she is bound by CAcert's own Arbitration (CCA 2.1 Risks, CCA 3.2 Arbitration as the forum for dispute resolution)
 * that any liability is limited to 1000 € (one thousand euros) (CCA 2.2 Liability)

'''''Suggested procedure:''' If you decide to go ahead and assure a non-Member before she has created an account and/or agreed to the CCA, follow the procedure below to protect yourself and the non-Member'':

 * ''The prospective Member ticks the sentence "I hereby agree to the CAcert Community Agreement (CCA)." above the signature,''
 * ''you mark the form as '''account creation planned''','' 
 * ''you give her a copy of the [[https://svn.cacert.org/CAcert/Events/Public/CCA-Translations/CAcert_CCA_DE.pdf | CAcert_CCA_DE]] and tell her where it can be found,''
 * ''give her your email address so that she can instruct you to destroy the form if she decides not to agree and not to become a Member.''

''In this way you indicate that the prospective Member has time later to read the CCA, and she will confirm her agreement when creating the account. If the account is not created, the agreement is null and void and you can mark the form accordingly or destroy it directly. In the meantime, however, you have both agreed to conduct the Assurance under the terms of CAcert's policy documents and the corresponding dispute resolution procedures.''

==== Find Out Which Documents the Applicant Intends to Present ====

You should ask the applicant which identity documents she intends to present. Point out that you must see at least one (two are better!) original photo ID, of which at least one must be issued by a government authority and include the date of birth. If she wants to present unusual or foreign documents, please find out in advance what these documents must look like. You can use the page [[https://wiki.cacert.org/AcceptableDocuments|Acceptable Documents]] (English) as a starting point for your search. You should also ask the applicant to check the expiry date of the documents, so that you do not end up having to decide whether possibly expired documents are valid.

==== Plan the Meeting ====

You must meet the applicant in person (face to face). No Assurance by telephone, not even by video call!
So you have to agree on a meeting place. If your employer agrees, your workplace would be a good meeting place. Of course you can also meet at your home if you like. Otherwise you should choose a place that is not too busy. Take the pre-filled CAP form with you and do not forget to bring a pen; the applicant still has to sign the form.

=== The Meeting ===

Please make sure you are not under time pressure during the meeting. You should allow at least five minutes to check the documents and have the applicant sign the form! Take your time. Shake the applicant's hand and perhaps give her/him a smile. If possible, give the Member a business card with your name, your email address and your designation as a CAcert Assurer. This can also be handwritten. CAcert is a community, not a company.

=== Checklist ===

Things you should check:

 1. The data on the documents (name and date of birth) match those on the CAP form.
 1. Ask whether the account has already been created.
 1. Ask whether the email address on the CAP form is the primary address. If this is not clear, write down the alternative email addresses.
 1. Check that the agreement to the CCA above the signature field is entered on the CAP form. If time permits, make clear to the applicant what this agreement means (liability and Arbitration). Perhaps you can hand her a printout of the CCA.
 1. Have the applicant sign the CAP form.
 1. Compare the person with the one on the documents.
 1. Note the type of documents presented (e.g. national ID card, driver's licence, passport) and any name variations (additional given names, academic titles, birth name) that appear in the documents.
    If the names on a document differ from those on the (pre-printed) CAP form, copy the name from the document onto the CAP form as exactly as possible. '''The CAP form is your only evidence of what you have seen!'''

{{{#!wiki red/solid
Regarding names and name parts: Accept only names or name parts (e.g. titles) that you can check against an official government-issued photo document.
}}}

Some points you should watch for:

 * Photos
   * in some countries the driver's licence never expires, so you must expect very old photos and signatures here.
 * Signature
   * It is desirable that the applicant signs in front of the Assurer (that is, you).
   * If the CAP form is already signed, ask the applicant to sign it again in another place while you watch.
   * If the signature is illegible, ask the applicant to sign in a way comparable to the document.
   * (sometimes a recent bank card is a good indication if the signature deviates significantly, but it is forbidden to copy details from the bank card. So hold your fingers over the sensitive data or ask her to hide them herself)
   * if a presented document is not signed, ask the applicant to sign it now. ''Whether this helps to detect a forged signature is questionable, though''
 * Security features
   * The seal must line up exactly across photo and document.
   * Holograms
   * Special printing techniques such as 'fine print' or colours
   * Special paper
   * The plain-text information on the document should match the machine-readable parts of the document
   * Watermarks
 * Expiry date
   * in some countries driver's licences have no expiry date
   * national ID cards normally have one of 10 years
   * expired documents can be accepted; you can then reduce the number of points you give
   * You should point out to the applicant that the document will soon become invalid
   * Are the issue and expiry dates plausible, and do they give a plausible validity period (e.g. 10 years)? Issue date and expiry date must differ by at least one day (e.g. 15 June and 14 June)
 * Date of birth
   * don't get confused by the different formats all over the world. Check your input twice to see whether the formats are the same on the form, the documents and the web interface. If the date in the web interface is wrong, it must be changed BEFORE you can give the points. File a dispute to get it changed.
   * does the member seem to be around that age?
   * consider rewriting it in your own writing if the Member's version is ambiguous
   * Note the numeric month in short month-name format (this helps to reduce DoB errors by about 50 %! Don't ask why :-) )
 * Names! The Assurance works with Name variations.
   * Write down any additional names on the form.
   * The online account should include the longest and fullest form of the name possible.
   * The Assurance is over one or more Names. Carefully write down each name variation fully on the CAP form against the document that it is found on.
   * Often you will find that the Name on the CAP form differs from the name on the ID documents, and the online web interface differs again. Discuss with the Member what the best form of the name should be, and consider filing a dispute to get the online web interface name changed to the best form.
   * artist names are officially recognised alternate names that a person in an artistic field uses. As they are supported by the documents, they can be Assured.
   * consider rewriting it in your own writing if the Member's version is ambiguous
   * remember the short rule: allow only names or name parts (e.g. suffixes) that you can verify against at least one governmental photo ID
   * in general: it is allowed to reduce information, but it is prohibited to add information
   * bona fide members are often encouraged to enter their title as a suffix in the Join form and find the samples on the linked Wikipedia site, but these titles aren't in any governmental photo ID. So these suffixes cannot be assured, neither in the face-to-face meeting nor later on the online form.
 * Test Questions:
   * place of birth
   * place of issue
 * Note that unique numbers on Identity Documents '''should not be stored''' due to problems with liability and the potential to cause ID theft.

{{{#!wiki red/solid
For names or name parts:
 * in general: it is allowed to reduce information, but it is prohibited to add information
}}}

=== CAcert Assurance vs. Pure Id Document Check ===

 * CAcert's Assurance has a wider purpose

|| '''Purpose of Assurance''' || '''Pure Id Document Check''' || '''CAcert Assurance''' ||
|| Member || || Check for Account ||
|| Account || || Check Primary Email ||
|| Certificates || || Check Arbitration Acceptance ||
||<^> Arbitration || || Disclose R/L/O<<BR>>Check CCA Acceptance ||
|| Some Data || Id Document Check || Id Document Check ||

 * Disclosure of R/L/O -> Risks, Liabilities, Obligations
   * '''R'''isks -> You may find yourself subject to Arbitration
   * '''L'''iabilities -> limited to 1000 Euro
   * '''O'''bligations -> to keep your primary email in good working order

=== Things to discuss ===

Have a little chat with the applicant, if time permits and both parties are interested. ;-)

As a representative of CAcert, you the Assurer may find yourself helping the Member in wider aspects of the Community. Some general things to discuss are:

 * What it means to be a Member. In 2007, the Community became more organised with the introduction of the CCA. Members agree to that document, although like all contracts and legal blah blah, it is likely that the new Member has not read it all or understood it all. You as Assurer have read the CCA, and can introduce some important ideas to the new Member.
 * The Assurance covers the 5 points listed in "[[http://www.cacert.org/policy/AssurancePolicy.php#1.1|The Assurance Statement]]" of the AP. It is not just a check of Identity.
 * Security and Obligations. In the CCA there is a set of obligations which can be discussed: things like looking after your private keys, and understanding the difficulties of modern virus-ridden platforms, complicated websites and script-driven browsers.
 * Arbitration and dispute resolution. As a Community, we resolve our disputes internally. For some people this is scary, as they believe in the protection of their own courts. It is often good to point out why Arbitration works for CAcert: in the international context of the Internet, Arbitration means we can protect the Member from disputes in faraway places. See the section on [[#Arbitration|Arbitration]] in this Handbook, and [[http://www.cacert.org/policy/DisputeResolutionPolicy.php#4|DRP's last section]] for more discussion on this.
 * What the Member wants to use certificates for.
   It is generally hard to figure out how a lot of technology is used in the field, and meeting someone is a good time to get a view. As a user, the person finds difficulties and experiences that the more technically oriented people are blind to. This is your chance to '''listen''' to user experiences, and think strategically about how to improve her security.
 * Helping CAcert: Try to find out in which area the Assuree has skills, what hobbies he has, and what kind of job he is doing. CAcert searches for volunteers in many places: Assurers, Events, Presentations, Support, Documentation, System administration, Development, Deployment, Arbitration, Communicators, Consultants, Managers ... Make a note on the CAP form of the area the Assuree is interested in and forward the contact details to the appropriate team leader, CC'ing the Assuree on the email you send.

If you do get a chance to discuss anything with the Assuree, it is good to make a small note on the CAP form about what it was.

=== After the meeting ===

If you did notice anything unusual, make some notes on the back of the CAP form. Things you should note include (but are not restricted to):

 * very unusual documents
 * very old or worn documents
 * if something "just didn't feel right"
 * the applicant tried to hurry you through the process
 * Something unexpected did happen

Those notes might help you to remember what happened later, just in case a dispute is filed and someone asks you about details of the meeting.

==== Issuing Assurance Points ====

Now log in to the CAcert website, go to https://secure.cacert.org/wot.php?id=5 once again and enter the applicant's email. Now fill out the assurance form, check the data once again and issue your points if there are no reasons against it. If the situation was not ideal you should give fewer points; see Assurance/PracticeOnIdChecking for some guidelines about the number of points to give.
The Assurance Points express your confidence in the [[http://www.cacert.org/policy/AssurancePolicy.php#1.1|Assurance Statement]]. If you are completely sure, issue maximum points. From [[http://www.cacert.org/policy/AssurancePolicy.php#4.3|AP4.3]], completely sure means:

 * Detail on form, system, documents, person in accordance;
 * Sufficient quality identity documents have been checked;
 * Assurer's familiarity with identity documents;
 * The Assurance Statement is confirmed.

If the documents look good but are unfamiliar to you (like foreign documents), you may decide to issue partial points (although some Assurers choose to issue only maximum or none).

There are two special cases. If you have no confidence in the Assurance Statement, then issue zero points. This will most often occur if the documents are totally unfamiliar to you. For example, a Finnish driver's license presented to an Australian Assurer at an event in Chile! The documents mean nothing to you, but as you have still made a good faith attempt to do the Assurance, it is good to record that fact. It is still worth experience, and your CAP form is still a good record. Advise the Member that this may happen, and the reasons why, so as to maintain good faith.

The second special case is if you have ''negative confidence''. That is, you think there is something wrong, such as some of the documents being false or inconsistent. In this case, do not complete the Assurance (do not sign the form and do not press the "I am sure of myself" button on the web application), but instead consider filing a dispute.

Remember the following issues:

 * do not log in from a computer which is not secure (possibly has malware like viruses and trojans on it).
 * do not use other people's computers unless you are sure that you can trust them. If in doubt, do it from a Live-CD like Knoppix.
 * use an up-to-date browser and go to https://www.cacert.org/.
 * '''FOR SECURITY REASONS: LOGOFF AND CLOSE THE BROWSER WHEN WORK IS DONE'''.
 * If someone tried to use faked IDs or otherwise tried to obtain an assurance by fraud, file a dispute by emailing support at c.o.

=== What about that CAP form? ===

As well as the Assurance details (Name, primary email, DoB), the CAP form (short for CAcert Assurance Programme form) must contain ([[http://www.cacert.org/policy/AssurancePolicy.php#4.5|AP4.5]]):

 * applicant's signature ''made by his/her own hand''.
 * applicant's permission to conduct the Assurance.
 * applicant's acceptance of the CCA and thus the risks, liabilities and obligations of membership.
 * Your Name
 * Assurance points you allocate
 * your CARS:
   * you agree to the CCA,
   * you are an Assurer (have done CATS Challenge, have 100 Assurance Points),
   * that you have conducted the assurance to Assurance Policy,
   * all covered by your signature.
 * Date and location (reminder) of the Assurance

For the old-style one-way Assurance, cross out the fields for your email address and Date of Birth, as desired. (Note that we are now preferring the mutual Assurance where possible.)

'''Mutual Assurance.''' For a mutual Assurance, fill them in (or use two CAP forms). If the other Member is not an Assurer as yet, then

 1. if the other Member is unsure, you may keep the CAP form(s) on her behalf (and take responsibility for both Assurances), which is why the form itself has both sets of details on it.
 1. if the other Member is about to become an Assurer, or you otherwise judge the Member is capable of meeting the storage requirements, then she may keep her CAP form recording her Assurance over you.

'''Storage.''' The Assurer has to '''securely keep the paper CAP form for at least seven years'''. You are personally responsible for this (and in the mutual assurance with a non-Assurer, you remain responsible!). It is your evidence that you have followed CAcert's Assurance Policy and that you met the applicant in person (face to face).
For data protection and privacy reasons no-one else should have access to the CAP forms, once completed.

'''Do not scan the CAP form and keep it electronically.''' CAcert's Assurance is deliberately designed to create a paper foundation on which digital certificates are issued; by maintaining a base of paper, the digital framework is strongly constructed with a classical legal foundation. Not only does scanning weaken that foundation, you may also violate data protection laws on electronic data storage.

In the case of a dispute you may be requested to send the original paper form to a CAcert Arbitrator. See below for more details.

If you find yourself unable to keep the CAP forms for whatever reason, file a dispute at support@cacert.org, explain the circumstances, and request the Arbitrator to provide instructions.

==== Sending CAP forms to CAcert by request ====

An Arbitrator may request you to send him the CAP forms, maybe because there was a complaint about a certificate or just as part of a quality assurance process. CAP forms contain personal data, so the requester has to be authorized to see them and you have to make sure that no-one else can read that data.

 * Verify that the requester's email is @cacert.org. No other TLD (like .com, .net etc) is allowed!
 * Verify that the requester is an Arbitrator or Case Manager for a case relating to the person who has signed the CAP form. Current Arbitration cases are listed at [[ArbitrationCases]]; the Arbitrator/Case Manager should have stated the case number in her request.
 * The request will be sent to you either signed by a CAcert verified PGP key or using a CAcert-issued S/MIME certificate. Please ensure that the certificate is valid and issued/signed by CAcert.
 * If you do not know how to reliably verify a signature, please ask someone for help on IRC (irc://irc.cacert.org/cacert or irc://irc.cacert.org/cacert.ger) or on one of the mailing lists (like [[mailto:cacert@lists.cacert.org|mailto:cacert@lists.cacert.org]] or [[mailto:cacert-de@lists.cacert.org|mailto:cacert-de@lists.cacert.org]]). This is '''not''' a trivial task, don't just trust your mailer's icon!
 * Usually you will be requested to send a scan of the CAP form. Please make sure that you send the image using an encrypted mail. If you cannot send it encrypted for any reason, send a copy of the form via paper mail. After you confirm receipt of the scanned CAP form, delete your digital copy carefully.
 * If you are requested to send in the original CAP form, keep a copy of it in your documents. ''N.B.: I have not heard of this being requested, but it may be necessary some time.''
 * If you have '''any''' doubts about a request, ask for help. Once again, try IRC or the mailing list(s)! If the request tries to discourage you from getting help (stating that it is top secret business or something like that), there's something fishy about the request!

=== Fees ===
 * Certificates are free! Customers create them themselves using the web interface.
 * Assurances may cost money but the price has to be set out ''before'' the meeting. Otherwise it ''must'' be done at no charge.
 * If you choose to demand money for the assurance, keep it to a sensible amount of "expense recovery". If the applicant visits you, something between 5 and 15 EUR seems sensible in central Europe. If you visit an applicant yourself you may add travel expenses.
 * Note: if you demand money for the service of assurance this may make you a commercial service provider, which, in turn, may have other legal consequences (like paying taxes, the need for a trade license or such things), depending on the laws of your country.

=== Assurance Events ===
You may be asked to be an Assurer at an Event.
Have a look at EventOrganisation. This is a great opportunity to build up experience as an Assurer because you will be working with other experienced people, and you can discuss all sorts of issues and difficulties. This should also be reflected in your Experience Points!

== The Standard of Assurance ==
''IMHO this paragraph still needs some work to be less confusing for newbie (and experienced) assurers. The CAP links to this handbook for a definition of the "Standard of Assurance", so it has to be done. I'm still thinking about it, if you have an idea feel free to propose it. BernhardFröhlich''

''Also, see [[http://www.cacert.org/policy/AssurancePolicy.php|Assurance Policy (POLICY)]] ... which should nail down the Standard of Assurance ... once and for all :) iang.''

[[http://www.cacert.org/policy/AssurancePolicy.php#5|AP5]] puts the responsibility of the standard of assurance on the Assurance Officer, stating that this role includes:

|| ''Maintaining a sufficient strength in the Assurance process (web-of-trust) to meet the agreed needs of the Community.'' ||

The customary standard includes these points:

 1. For a full-points Assurance, at least one government-issued photo ID containing the name and date of birth must be verified by the Assurer.
   * Acceptable forms include Passports, Drivers Licenses and National Identity Cards.
   ''This may be customary - and even preferred - but does not actually match up with AP - as far as I can see, the only requirement is for the name to be in the photo-ID doc (AP 2.1) and that "Sufficient quality identity documents have been checked" (AP 4.3). As far as I can see the DOB in photo ID requirement is not mentioned specifically elsewhere in either AP or Assessors Handbook! It is required that the date of birth is validated, but, as far as I can see, that can legitimately be done from other documents (such as a birth certificate) provided the name matches.
   (There may be an issue here if someone has had a name change (eg on marriage) but I believe that provided there is a "chain of evidence" that is examined (ie the document causing the name change) this ought to be acceptable) This is particularly relevant in countries that have either no formal national ID or have many that could be regarded as acceptable! [[mailto:alex@alex-robertson.co.uk|Alex Robertson]]''

||''We do not want to repeat the AP here. Here we want to give simple procedures which remain "on the safe side" of the AP. The list of documents is not complete, and constantly expanded at AcceptableDocuments, but these are the most common ones. If you deviate from these procedures you should take care of documenting very comprehensibly (sometimes Arbitrators can be really dumb!) why you were sure that the document you checked met the requirements of the AP. BernhardFröhlich''||

 1. For a Name to appear in a certificate, the Member should have been verified by at least two Assurers.
   * For exceptions, see below in "Major Variations".

Your Assurance is a CAcert Assurer Reliable Statement, or CARS. This means that anyone in the community may rely on your statement.

=== Minor Variations ===
An Assurer may control minor variation, such as poor quality ID or missing ID, by reducing Assurance points. It would be extremely unusual to issue full points if the Member does not have a good government-issued photo ID. On the other hand, such an ID does not mean full points; look at the additional documents to confirm.

=== Major Variations ===
Four Major Variations exist to the above:

 * the TTP programme, see [[TTP]]. '''''(New program under deployment)'''''
 * the Super-Assurer programme, see SuperAssurers. This programme is administered by the board and can result in an Assurer getting more experience points temporarily. '''''Terminated Permanently in April 2009.'''''
 * Tverify, which takes certificates and other information from other CAs.
 '''''Terminated Permanently on 16th November 2009.'''''
 * the Organisation Assurance programme, see OrganisationAssurance.

== All about Names ==
=== Name Matching ===
The relevant policy text for name matching is [[http://www.cacert.org/policy/AssurancePolicy.php#2.1|Chapter 2.1]] and 2.2 of the Assurance Policy. More specific information as well as many examples can be found at PracticeOnNames.

=== Transliterations ===
Usual transliterations, missing accents and similar things are accepted. So if the ID doc says "André Müller" but the name in the account is "Andre Mueller", that's OK.

Note that the reason for accepting plain ASCII representations of non-ASCII characters is the usual restrictions of computer environments. Therefore it is not accepted to assure someone as "Müller" if the ID documents contain "Mueller".

Still, it's not well defined how names of other character sets (like for example Chinese or Hebrew) should be handled. The Assurance Policy encourages using exact representations in Unicode, but allows transliterations.

Transliteration rules can be found at http://en.wikipedia.org/wiki/Transliteration

=== Case Sensitive - Case Insensitive ===
'''Following was from the Assurance Policy work, for consideration now in the Handbook:'''

{{{
[[http://en.wikipedia.org/wiki/Transliteration|Transliteration]] of characters as defined in the transliteration character table ([[http://svn.cacert.org/CAcert/Policies/transtab.utf|UTF Transtab]]) for names is permitted, but the result must be 7-bit ASCII for the full name. Transliteration is one way and is towards 7-bit ASCII. Transliteration is a way to compare two names. However transliteration of a Name makes the Name less discriminative.

In general names are handled case insensitively.

Abbreviation of second given name(s), middle name(s), titles and name extensions in the name of an individual to one character and the dot indicating the abbreviation, is permitted.
If the first given name in the ID document is abbreviated, the first given name in the web account Name may be abbreviated. Abbreviation of a name makes the name less discriminative, so it is deprecated.

A Name on an ID which has initials (abbreviations) for titles, name extensions and given names, and/or transliterations as defined in the transliteration table can be taken into account for assurance for a Name in the account which is not abbreviated or transliterated.

Titles and name extensions in the name of an individual may be omitted.

The assurance ambition is to pursue a highly discriminative assured Name in the account. The ambition is to have only a Name in the account which has no abbreviation(s), no transliteration and is case sensitive.
}}}
'''End of insert from WiP-AP.'''

'''Arbitration case [[Arbitrations/a20090618.13|a20090618.13]] Opinion'''

Naming and the writing of names is a complicated subject that follows different rules in different cultures. Even within a culture there is a multitude of difference in how names may be spelled.<<BR>>
Capitalization is the subset of name spelling at issue here. There are a multitude of countries in which the script used differs wildly from western letters. In such scripts capitalization may not even exist. Names that are transliterated from such scripts would then have an arbitrary capitalization, since who is to say which parts of such a transliterated name are capitalized.<<BR>>
The claimant has himself stated that often times names in official documents are spelled in all capital letters although the name would generally be spelled with an initial capital letter followed by letters in lower case. So it is evident that even within the culture of the claimant capitalization rules for names (especially when taken outside the context of sentences) are unsettled.<<BR>>
However there are instances where capitalization of names does make a difference. As an example one can think of !McCain or !DeHaviland. Both names are properly spelled with a capital letter at the beginning and the interior of the name. Capitalizing correctly here may alter the name significantly at least within the culture of origin.<<BR>>
As a result naming and name capitalization is not something that can easily be prescribed.<<BR>>
However at question here is really whether an assurance of a name spelled with unusual capitalization is permissible. In order to answer that question one only needs to look at the Assurance Policy, which states:

{{{
1. Assurance Purpose

The purpose of Assurance is to add confidence in the Assurance Statement made by the CAcert Community of a Member.
With sufficient assurances, a Member may: (a) issue certificates with their assured Name included, (b) participate in assuring others, and (c) other related activities. The strength of these activities is based on the strength of the assurance.

1.1.The Assurance Statement

The Assurance Statement makes the following claims about a person:

  1. The person is a bona fide Member. In other words, the person is a member of the CAcert Community as defined by the CAcert Community Agreement (CCA);
  2. The Member has a (login) account with CAcert's on-line registration and service system;
  3. The Member can be determined from any CAcert certificate issued by the Account;
  4. The Member is bound into CAcert's Arbitration as defined by the CAcert Community Agreement;
  5. Some personal details of the Member are known to CAcert: the individual Name(s), primary and other listed individual email address(es), secondary distinguishing feature (e.g. DoB).

The confidence level of the Assurance Statement is expressed by the Assurance Points.
}}}
Specifically at issue is item 5 of the Assurance Statement, because the question is whether a name "is known" to CAcert if the capitalization is arbitrary and potentially different from the presented Identification Documents. In other words:<<BR>>
<<BR>>
If I tell you that my name is "philipp dunkel" do you then know my name?<<BR>>
<<BR>>
In this specific case I would answer that question with yes. However that is a judgment call that will depend highly on the name and culture at issue. Throughout the Assurance Process the Assurer should be guided by their own sound judgment. In fact the entire system of the CAcert Web of Trust is based on us trusting an Assurer's judgment. Since none of the items mentioned in point 3.1 of the Assurance Policy as guidelines resolve the issue of capitalization the Assurer is allowed, or in fact required, to use his own judgment.<<BR>>
So on the question of whether the claimant may complete this Assurance as requested in the original claim:<<BR>>

 * There is nothing that would explicitly prohibit this Assurance from being completed at this time.
 * However whether the Assurer feels confident that CAcert knows the Assuree's name given the capitalization, he will have to use his own judgment.

=== Middle names and Initials ===
According to the AP it is preferred that all given names which can be verified in one of the ID documents are recorded in the account.

If a person has multiple given names (or middle names), at least one given name must be used in the account unabbreviated. Additional names may be omitted or abbreviated, usually to the first character with or without a dot to indicate the abbreviation.

So someone called "Bernhard Andreas Fröhlich" may create his account as "Bernhard Fröhlich", "Andreas Fröhlich" or "Bernhard Andreas Fröhlich". Initials are deprecated, but are currently tolerated, so if the said person would use the name "Bernhard A. Fröhlich" this would currently be OK.

But remember, you may not assure an Account with a name you did not see on at least one ID document! If all ID docs state "Bernhard Fröhlich", assuring him as "Bernhard Andreas Fröhlich" is prohibited!

If the name on the presented ID documents is not identical to that on the CAP form, it is best to note the name as exactly as possible somewhere on the paper, including all given/middle names. If the account is disputed later then you can remember the exact name you've seen.

=== Multiple Names, Pseudonyms ===
According to the [[http://www.cacert.org/policy/AssurancePolicy.php#2.2|Assurance Policy (POLICY)]], multiple names are accepted, if matching ID documents can be presented. Currently the CAcert software cannot handle them, but if you note them on the CAP form you can assure them later once the feature is implemented.

==== Practice On Names ====
 * [[PracticeOnNames]]

== Signatures ==
Most Assurers aren't graphologists.
Signatures may vary with the time of day, with the writing utensil used, over a lifetime, and from one document you check to the next.

Therefore we check one thing: the assuree signs in front of us.

If there are slight differences between the signature made on the CAP form and the ones on the ID documents, we do not request "Please sign as in the ID doc". This is unprofessional! Ask for other documents. Bank cards and credit cards are documents too; the user gets his money from the bank ....

== Dates ==
Dates, the ''magic'' 8 numbers, seem to be complicated for new members and for Assurers alike. New members enter their DoB into the online account and do not notice a missing number, because they enter their DoB on a recurring basis and their keyboard has a hiccup. There are many more error conditions that make DoB checking a challenge of its own.

=== Date Formats ===
Internationally, we come across several different date formats:

 * 12/04/2011 - the US variant
 * 12-04-2011 - the UK / Commonwealth variant
 * 12.04.2011 - the European variant
 * "XX" format, where "" represents years passed since the Emperor's coronation. "XX" - Japanese variant
 * 2011-04-12 - the proposed format on CAP forms

As yet to be known.

As long as the date can be identified clearly, the format on the CAP form can be used freely. In the example above, 12 can be a month and so can 4, but in 30.03.1980 a switch between day and month is impossible.

=== Number Switches ===
When the Assurance Policy was rolled out back in spring 2009, Arbitration discovered a rising number of DoB error cases, often caused by typos:

 1. 01 instead of 10 - numbers switched around
 1. 1 instead of 15 - missing number
 1. 2011 instead of 1980 - current year instead of DoB year
 1. 12.04.2011 instead of 30.3.1980 - today's date instead of DoB
 1. 11 instead of 12 - number near the other number on keyboard

All these errors apply to CAP forms AND to online data!!!
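The two checks described above (is the day/month order of a written date ambiguous, and which of the listed typo classes explains a DoB that differs from the ID document), as an added Python example that is not part of the handbook or of CAcert's software. The function names and the number-row rule for "neighbouring" keys are assumptions made for this illustration; the sample dates are the ones used in the text.

```python
from datetime import date
import re

NUMBER_ROW = "1234567890"  # assumption: digits are typed on the top number row


def interpretations(written):
    """Return every valid calendar date a written numeric date could mean."""
    parts = re.split(r"[./-]", written.strip())
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a three-field numeric date: {written!r}")
    a, b, c = parts
    if len(a) == 4:        # 2011-04-12: year first, no ambiguity
        orders = [(int(a), int(b), int(c))]
    elif len(c) == 4:      # year last: day-first and month-first readings
        orders = [(int(c), int(b), int(a)), (int(c), int(a), int(b))]
    else:
        raise ValueError(f"no four-digit year in {written!r}")
    readings = set()
    for year, month, day in orders:
        try:
            readings.add(date(year, month, day))
        except ValueError:
            pass           # e.g. "month 30" rules out one reading
    return sorted(readings)


def _one_deleted(short, full):
    """True if `short` is `full` with exactly one character removed."""
    return len(short) + 1 == len(full) and any(
        full[:i] + full[i + 1:] == short for i in range(len(full)))


def _adjacent_slip(x, y):
    """True if x and y differ in one digit whose keys are neighbours."""
    diffs = [(p, q) for p, q in zip(x, y) if p != q]
    if len(x) != len(y) or len(diffs) != 1:
        return False
    p, q = diffs[0]
    return abs(NUMBER_ROW.index(p) - NUMBER_ROW.index(q)) == 1


def classify_mismatch(id_dob, entered, today):
    """Name the typo class that explains each field where entered != id_dob."""
    if entered == id_dob:
        return []
    if entered == today:
        return ["today's date instead of DoB"]
    findings = []
    for name, width in (("day", 2), ("month", 2), ("year", 4)):
        want, got = getattr(id_dob, name), getattr(entered, name)
        if want == got:
            continue
        w, g = str(want).zfill(width), str(got).zfill(width)
        if name == "year" and got == today.year:
            findings.append("year: current year instead of DoB year")
        elif g == w[::-1]:
            findings.append(f"{name}: digits switched ({g} for {w})")
        elif _one_deleted(str(got), str(want)):
            findings.append(f"{name}: missing digit ({got} for {want})")
        elif _adjacent_slip(g, w):
            findings.append(f"{name}: neighbouring key ({g} for {w})")
        else:
            findings.append(f"{name}: unexplained difference ({g} for {w})")
    return findings


def review(written, id_dob, today):
    """Compare a written date (CAP form or account) with the ID document DoB."""
    readings = interpretations(written)
    matches = id_dob in readings
    findings = [] if matches else [
        f for r in readings for f in classify_mismatch(id_dob, r, today)]
    return {"ambiguous": len(readings) > 1, "matches_id": matches,
            "findings": findings}


if __name__ == "__main__":
    today = date(2011, 4, 12)      # constructed "today", taken from the text
    dob = date(1980, 3, 30)        # DoB example from the text
    for written in ("30.03.1980", "12/04/2011", "2011-03-30"):
        print(written, review(written, dob, today))
```

A result with `ambiguous` set means the written form allows a day/month swap and should be clarified with the assuree even when one reading matches the ID document.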
=== The 3 Steps in Date Checking ===
{{{#!wiki red/solid
 1. Check and identify the Day to Day, Month to Month, Year to Year between ID document and CAP form
 1. Check each field value ... especially on number ordering -> 01 .. 10
 1. Add the month in written form behind the written date -> 2011-04-12 Apr
}}}

== Frequently encountered situations ==
=== Junior Members ===
In principle, children or minors or juniors can also be assured. There is no minimum age set by CAcert.

The Policy on Junior Assurers / Members moved to DRAFT and has therefore been binding since Jan 31, 2010.

There are, however, some difficulties that need to be taken into account.

 * The way that persons enter into CAcert's Community is by agreeing to the CCA. This is in effect a legal contract, and in general, entering into legal contracts is for adults, not minors/juniors/children.
 * This is one area where you should be aware of your country's laws, if they apply.
 * In general, a minor may be able to enter into an agreement with permission of the parent or legal guardian. So you can ask for a co-signing of the form by a parent or legal guardian. However you should stress that the form is signed first by the minor, and then counter-signed by the parent.
 * Treat the minor as an adult, with respect, always. One day soon, she will be.
 * You will likely have to test points of understanding with both the Member and the parent.
 * Acceptable photo IDs are not so useful for young people under 10.

''Questions''

 * ''Basically, this may result in some interesting Arbitrations. An Arbitrator may have to take into account that the CCA is not as strong in the case of a minor.''
 * ''Does it make sense to assure children at infant age?
 The reason I'd not assure infants (let's say up to age 14) is that they protect their credentials against theft even less well than most grown ups.''

==== Policy On Junior Assurers Members 2 ====
 * Update Feb 1st, 2010: Policy on Junior Assurers / Members [[https://svn.cacert.org/CAcert/Policies/PolicyOnJuniorAssurersMembers.html|PoJAM DRAFT]]
 * ''Proposed is a ParentsKit, a CAP form related form that describes the consent and the required confirmation for becoming assured for the Junior Member. This ParentsKit should also include an information package for the parents: what CAcert is, what the CCA means and so on, so that the parents will easily understand what happens with the assurance. Please also add your phone number or an email address to the package, where the parents can get additional information and ask additional questions. The assurer has to make an arrangement for how the signed ParentsForm reaches the Assurer and how the signed parents form can be returned to the Junior Member, possibly by snail-mail or a second face-to-face meeting. The assurer has to note the parents' confirmation and that he has seen the signature from the parents, probably by a copy or an additional statement on the CAP form. This procedure is for a single form carried by the Junior Member for showing to the Assurer, rather than a parent's signature over each individual CAP form.''

## blue <#6699ff>
## red <#ff8080>
## grey <#c0c0c0>
{{{#!wiki red/solid
 1. The Junior Member asks an Assurer to assure him.
 2. The Assurer checks the age of the Junior Member against the local country's law<<BR>>(e.g. in Germany the age is under 18 years; for other countries this may vary)
 3. The Assurer starts a regular assurance
 4. The first Assurer hands out to the Junior Member a !ParentsKit that includes a !ParentsForm and an info package.
 5. The Parents of the Junior Member sign the !ParentsForm
 6. Return of the !ParentsForm
   a. The Parents return the !ParentsForm to the Assurer by a second face-to-face meeting,<<BR>>by snail-mail or by a scan of the signed !ParentsForm sent by email
   a. The Junior Member returns the !ParentsForm to the Assurer by a second face-to-face meeting,<<BR>>by snail-mail or by a scan of the signed !ParentsForm sent by email
 7. The Assurer makes a note on the Junior Member's CAP form:
   a. writes down the parental name + email<<BR>>(in case of Arbitration the guardian becomes arbitration participant instead of the junior)
   a. that he has seen the signed !ParentsForm, or makes a copy of the !ParentsForm and adds it to the Junior Member's CAP form
 8. The Assurer now can transfer the assurance points he gave to the account with the additional (not yet existing)<<BR>>checkbox that he got confirmation from the parents. x^1^)
 9. The Assurer returns the original !ParentsForm to the Junior Member for future assurances.<<BR>>A scanned !ParentsForm is not sent back by email.
}}}
 . x^1^)
   * common practice for the additional CCA acceptance on Assurances is to add +CCA into the location field
   * this common practice can also be used for the PoJAM acceptance, i.e. +PoJAM, to signal that the acceptance from the parents exists and is noted on the CAP form

==== Parental Consent Form (v1.0) ====
 * English
   * https://svn.cacert.org/CAcert/Events/Public/PoJAM/ParentsForm_EN-v1.odt
   * https://svn.cacert.org/CAcert/Events/Public/PoJAM/ParentsForm_EN-v1.pdf
 * German
   * https://svn.cacert.org/CAcert/Events/Public/PoJAM/ParentsForm_DE-v1.odt
   * https://svn.cacert.org/CAcert/Events/Public/PoJAM/ParentsForm_DE-v1.pdf

==== ParentsKit ====
 * [[PoJAM|PoJAM Info for the Parents]] (English)
 * [[PoJAM/DE|PoJAM Info für Eltern]] (German)
 * CAcert Community Agreement
   * https://svn.cacert.org/CAcert/Events/Public/CCA-Translations/CAcert_CCA_EN.pdf (English)
   * https://svn.cacert.org/CAcert/Events/Public/CCA-Translations/CAcert_CCA_DE.pdf (German)
 * [[https://svn.cacert.org/CAcert/Policies/PolicyOnJuniorAssurersMembers.html|PoJAM DRAFT Subpolicy]]
 * [[AssuranceHandbook2#Junior_Members|Assurance Handbook - Junior Members]]
 * [[AssuranceHandbook2#CAcert_Assurer_Reliable_Statement|Assurance Handbook - CAcert Assurer Reliable Statement]]
 * [[GettingSupport]]
 * Parental Consent Form
   * https://svn.cacert.org/CAcert/Events/Public/PoJAM/ParentsForm_EN-v1.pdf (English)
   * https://svn.cacert.org/CAcert/Events/Public/PoJAM/ParentsForm_DE-v1.pdf (German)
 * All above for Printing (last updated 2010-10-11)
   * English
     * https://svn.cacert.org/CAcert/Events/Public/PoJAM/ParentsKit_EN-1p.pdf (single paged)
     * https://svn.cacert.org/CAcert/Events/Public/PoJAM/ParentsKit_EN-2p.pdf (double-sided printing)
   * German
     * https://svn.cacert.org/CAcert/Events/Public/PoJAM/ParentsKit_DE-1p.pdf (single-sided printout)
     * https://svn.cacert.org/CAcert/Events/Public/PoJAM/ParentsKit_DE-2p.pdf (double-sided printout)

=== Mutual Assurance ===
Mutual
assurance should be done where practical ([[http://www.cacert.org/policy/AssurancePolicy.php#4.2|AP4.2]]). Note that an assurance is always at the request of the Assuree and the agreement of the Assurer, so mutual assurance remains a voluntary process for both sides.

Mutual assurance has these advantages:

 * it prepares non-Assurers for becoming Assurers,
 * it exchanges information in a balanced fashion (sometimes known as the principle of reciprocity) and makes us more equal,
 * it helps experienced assurers to pass knowledge to junior assurers about new and better practices.

There are some disadvantages:

 * it can slow down the process, which will be a nuisance at booths where there are crowds.
 * if the other member is not an Assurer, she may not be ready or familiar with the responsibility of keeping the CAP form safe (you may have to do that).

==== With an Assurer ====
Conducting a Mutual Assurance with another Assurer is easy, and the process is mostly left open to you and your partner-Assurer. Here are some tips.

The benefit is maximal when we help the other person to see better ways. This means that:

 * giving orders on the right way to do things is not helpful
 * anything you spot should be couched in terms of differences, and not instructions
 * use phrases like "I do it this way," rather than "you should do it that way."
 * explain your logic for any variation. Ask her to explain hers.
 * even if you know the answer, allow a journey of discovery. Instead of saying "policy X says Y," try this instead: "I wonder what policy X says?" And look it up (of course, you will need to have the copy there as well).
 * do not use Arbitration as a weapon. Instead of saying "or else you'll face Arbitration," rather say this: "In the end, we might have to ask the Arbitrator to decide which way is best."

==== With a Non-Assurer ====
Conducting a Mutual Assurance with a Member who is not yet an Assurer is harder than an ordinary Assurance.
But it is more valuable, because it is a really good way to train the Member towards becoming an Assurer! To do this,

 1. Take an extra CAP form, or use a CAP form that is designed to be mutual (includes the same detail for both parties).
 1. After doing the process on the Member, ask her to take the forms and repeat the process on yourself.
 1. Coach the Member as she does the steps.
   * Explain why we do it that way.
   * Allow her to make mistakes, and then explain ''gently'' the nature of the mistake.
   * Ask questions to make sure she understood what she has done.
   * Do not go too deep, do not get into detail. Concentrate on the essentials, and be prepared to compromise on detail. The essence is the overall feeling of the Assurance, not getting every detail correct. Details and perfection come later with the [[AssurerChallenge|Assurer Challenge]].
   * Make it a fun experience, not a reminder of primary school nightmares. The goal is to make her want to take your job away :-) Encourage her (we have many other jobs for experienced Assurers!)
 1. Once the checks over the Assurance Statement are done by her over you, she is now ready to allocate Assurance Points to you.
   * She can allocate 0, 1 or 2 Assurance Points to you.
   * Coach her in what the points mean.
   * It is entirely up to her judgment as to how many points.
   * Indeed, encourage her to be critical, and if it is her first time, issue 0 points to you. For example, if she is unfamiliar with the process, how can she be familiar with the meaning of the points?
   * In this process, you yourself are not collecting more Assurance Points, but instead training a future generation of Assurer. Your mission is to teach her the best ways and understandings.
 1. Once she has allocated the points, have her write them onto the CAP form(s).
 1. Because you are the Assurer, '''you are totally responsible for the results.'''
   * She is not responsible because she is not an Assurer.
   * You should keep the primary forms.
   * If she is taking copies away, that is OK too. But advise her of the Assurer's 7 year responsibility, and write that on the form. She now holds your privacy data.
 1. At the moment, there is no way to enter these points into the system.
   * These points will have to wait for a future system enhancement. So for the moment, the result is lost.
   * But the real benefit of training remains.
   * This above procedure can and will change as we get more experience.

==== Who keeps the CAP form? ====
==== Optional ====
Mutual Assurances, like all Assurances, are currently optional at the discretion of both. You may not want to do a mutual Assurance, but consider:

 * you should share sufficient information with the Member to protect her. For example, your email address and Name would be a minimum. A business card would be a good idea.
 * Mutual Assurances are ''highly recommended.''

Likely these things will become standard in the future (see [[https://svn.cacert.org/CAcert/Assurance/Minutes/20090517MiniTOP.html|20090517-MiniTOP on Assurance]]), once Assurance Team figures out all the details. Let us know your experiences.

=== CAcert Assurer Reliable Statement - CARS ===
An Assurance is a CAcert Assurer Reliable Statement, ''CARS'' for short. It is the primary one you make to the community, as part of our overall Assurance process, or ''web-of-trust''.

If you get involved in other, deeper parts of CAcert, you may be asked to make other reliable statements to help our processes. Here are some examples:

 * reports prepared by system administrators on changes to the software are relied upon by the Board, and can be verified and scrutinised by audit.
 * co-auditing involves senior assurers checking the assurance process, and making reports back to the Assurance Officer and Auditor.
 * Event Coordinators are required to make sure that all Assurers at an event follow Assurance Policy, and report this back to board.
In order to signal a statement of reliance, you can add the term '''CARS''' to the end of your name. This is useful if it is not totally obvious that your statement might be relied upon.

Sample of CAcert Assurer Reliable Statement

{{{#!wiki red/solid
I make a statement<<BR>>
<<BR>>
My Givenname Lastname<<BR>>
CARS
}}}

== Verification and Measurement in the Web Of Trust ==
To construct its global web of trust, CAcert uses a metrics system called Assurance Points to measure how well we know you.

==== Assurance Points ====
The number of Assurance Points measures how much you have been verified in Assurance processes and other approved processes, as per [[http://www.cacert.org/policy/AssurancePolicy.php|Assurance Policy (POLICY)]]. They go from 0 (new Member) to 100 (fully assured Member).

 * 0-49 points: "Unassured"
   * This Member is not assured and her name cannot be included in certificates.
   * her certificates will expire after a maximum of 6 months.
   * With more than 0 points, the personal details cannot be changed anymore by the Member.
 * 50-99 points: "Assured"
   * Each Assured Name can be added to a certificate.
   * Server certificates are valid for 2 years.
   * You can get a signed PGP/GPG key.
 * 100 points: "Prospective Assurer"
   * the maximum number of points one can get from other Assurers.
   * Code signing authorisation may be requested.
   * You may become an Assurer by passing the AssurerChallenge

Currently points acquired do not "expire" or "decay", but this might be changed in the future.

==== Experience Points ====
|| Old Points || '''Your Experience Points''' || '''Issuable Assurance Points''' ||
|| 100 || 0 || 10 ||
|| 110 || 10 || 15 ||
|| 120 || 20 || 20 ||
|| 130 || 30 || 25 ||
|| 140 || 40 || 30 ||
|| 150 || 50 || 35 ||

For every assurance, an Assurer generally gets 2 points, up to the maximum of 50 points. Note that this system is currently unimplemented, and the experience is collected as points in the Assurance Points scheme, being points above 100. See below.

==== Old Points ====
{{{
Note: The meaning of the points has changed since the new [[http://www.cacert.org/policy/AssurancePolicy.php|Assurance Policy (POLICY)]].
The change split the old points into Assurance Points and Experience Points.
Before, they were the same points system with different meanings, below and above 100 points.
Below 100 the number of old points showed the amount of trust CAcert had in your identity.
The points above 100 made a statement about your experience as an Assurer.

Now, there are two points systems, one for each meaning.
Assurance Points ONLY show how well you have been assured.
Experience Points indicate how well an Assurer can do their job.
The separation of Experience Points has not as yet been implemented in the online system.
}}}

=== What is an Experienced Assurer? ===
For each assurance done, an Assurer is given 2 Experience Points ("EPs"). There are also some exceptions such as 5 EPs for attending an [[ATE]] (currently this is technically impossible). When an Assurer has gained the full 50 EPs, probably by conducting 25 assurances, the Assurer is often termed an Experienced Assurer.

=== What is a Senior Assurer? ===
This is an Assurer who:

 1. is an Experienced Assurer, as described above,
 2. has attended an [[ATE]],
 3. has been co-audited,
 4. knows CARS.

This definition was reached at the [[https://svn.cacert.org/CAcert/Assurance/Minutes/20100206BrusselsMiniTOP.html|Brussels MiniTOP on Assurance]].

=== What is a co-auditor? ===
A ''co-auditor'' is a very experienced Assurer who helps the Assurance Officer collect results suitable for verifying the entire system of Assurance. These results are collated for audit over CAcert.

=== What is a co-audited Assurance? ===
A ''co-audit'' or a ''co-audited assurance'' is an assurance that you the Assurer conduct over the co-auditor, see above. This is done as a Quality Assurance activity so the Assurance Officer has some means to judge the quality of the Assurer Network, as is required by the Audit Criteria. During the assurance, the co-auditor checks lots of things and records the results. There is no fail for this. At the end, you should get some helpful feedback.
Co-audits are most often conducted during [[ATE]]s, so you should try and attend.

=== Co-Audited Assurances Results ===
For each ''co-audited assurance'' data is collected and stored in a database as directed by Assurance Officer. Each record includes the email address of an Assurer as a unique identifier, a collection of pass / fail / not tested results of a seasonal test set, and some context data (location, number of experience points, attendance at [[ATE]]s).

The co-audit project is initiated by [[https://fiddle.it/app/crowdit/criterion/of/A.2.y|DRC-A.2.y]], it is instantiated into policy within [[https://svn.cacert.org/CAcert/Policies/TTPAssistedAssurancePolicy.html#s4.2|TTP-Assist 5.]] (''In coordination with internal and external auditors, the Assurance Officer shall design and implement a suitable programme to meet the needs of audit.''), and is further controlled under [[https://www.cacert.org/policy/AssurancePolicy.php#6.2|AP 6.2 High Risk Applications]].

== Questions Answered ==
=== Ruling on multiple accounts ===
 * ''Respondent has multiple accounts.''
 * A CAcert community member has a CAcert login account (see the [[http://www.cacert.org/policy/AssurancePolicy.php|Assurance Policy]])
 * Such an account is the link between the Member (person) and the CAcert system, and information regarding the member (like name, DoB, assurance status) is linked to that account. Although there is no rule that forbids having two or more accounts, it is not recommended, since it can cause problems.

{{{#!wiki red/solid
 * '''Ruling: ''' It is not forbidden to have multiple accounts
}}}
 . (Source: [[Arbitrations/a20090510.3|a20090510.3]], [[Arbitrations/a20110418.1|a20110418.1]])

=== Ruling on multiple accounts with assurer status ===
 * ''1 of Respondents accounts have assurer status''
 * There is no rule that forbids a CAcert Member to have two accounts with assurer status.
   However, a ''Member'' with assurer status assures, and uses a CAcert ''account'' to register the assurance. Since an Assurer can assure another member (a person) only once, it is forbidden for an assurer to assure a single person and register that assurance with more than one account. An assurer can only give the number of points linked to the account that is used to assure someone. Therefore, since having multiple assurer accounts is not required, it is strongly advised not to allow them.

{{{#!wiki red/solid
 * '''Ruling: ''' It is not forbidden to have multiple assurer accounts
 * '''Ruling: ''' To avoid issues like this one, CAcert shall review if having multiple assurer accounts is acceptable
}}}
 . (Source: [[Arbitrations/a20090510.3|a20090510.3]], [[Arbitrations/a20110418.1|a20110418.1]])

=== Ruling on assuring your own accounts ===
 * ''Respondent assured 1 of his other accounts''

{{{#!wiki red/solid
 * '''Ruling: ''' An assurer cannot meet himself/herself face-2-face. Therefore all assurances by Respondent of accounts of the Respondent are invalid and must be revoked incl. revocation of experience points.
}}}
 . (Source: [[Arbitrations/a20090510.3|a20090510.3]], [[Arbitrations/a20110418.1|a20110418.1]])

=== Ruling on assuring multiple accounts from one assuree ===
 * ''Respondents assured multiple account of one person with different assurances''

{{{#!wiki red/solid
 * '''Ruling: ''' As long as each name in each account is only assured by one assurer up to the maximal number of points that the assurer may award and as long as the assurance process is followed for each assurance separately and nobody assures accounts of themselves, the AP is honoured.
 * '''Ruling: ''' Assuring multiple accounts of the same person may not be used to excessively push the experience points of an assurer. A single occurrence of an assurance of a secondary account of an assuree cannot be seen as such a push.
 * '''Ruling: ''' An assurer of multiple accounts from the same person should nonetheless be advised to consider the reasons why the assuree requests an additional assurance.
}}}
 . (Source: [[Arbitrations/a20140624.1|a20140624.1]])

=== Id Document Photocopy is Forbidden by Default ===
 * Board motion [[EmailBoardDecisionsUpdateFeb2008#m20080422.3]] says:
  * m20080422.3 Removal of copies of ID and identification number information from archives
  * Comments: CAcert when it started in 2002 required that copies of ID's were archived for 7-10 years in the archives of CAcert or archives of CAcert Assurers. In a later instance CAcert required to take note of ID numbers and/or social security numbers of the individual. For privacy reasons both (copy of ID, personal numbers) were dropped. The CAcert Assurance Programme form states that the information should be kept 7-10 years. CAcert Inc. drops the requirements for copies of ID and personal numbers and decides to remove these information from the CAcert archives and requires the CAcert Assurers who are in position of that information to do the same. The information should be deleted with care.
  * Copies of ID are not needed for operational purposes and are not compliant with European privacy Directive (EU DPA).
  * Decision: Accepted
  * Actions: delete paper and digital copies from archive; denote the action and decision in CAcert blog; ask CAcert Assurers to follow CAcert decision. Blog on DoB and Copy IS drop done as well board order to destroy them by operators/administrators has been given in May 2008.
 * Further clarification:
  * [[http://www.cacert.org/policy/AssurancePolicy.php|Assurance Policy]] lists under 6.2 High Risk Applications:
   . Additional measures may include:
    . Additional information can be required in process of assurance:
     . photocopy of identity documents
  * Section 6.2 falls under the 6. Subsidiary Policies section.
  * This doesn't mean that it's allowed to make a photocopy of identity documents, but maybe Subsidiary Policies can define such actions.
  * Also an Arbitrator may request a photocopy of an identity document. But these are all individual events and by request.
  * As section 6.2 High Risk Applications says, to take a photocopy is a High Risk Application. So CAcert decided by a board motion back in 2008 that this action is not in compliance with the EU DPA and therefore dropped it entirely.

----
 * [[AssuranceHandbook2/SomeMoreInformation]]

=== Inputs & Thoughts ===
 . YYYYMMDD-YourName
 . {{{
Text / Your Statements, thoughts and e-mail snippets, Please
 }}}

----
 . CategoryAudit
 . CategoryPolicy
 . CategoryAssurance