History

version  changes         approval date
1.0      initial policy  2019-01-28
1.1      rephrasing      2020-05-24

Scope

This policy is a sub policy of the Verification Policy.

It describes the process for verifying an organisation.

Organisation

An Organisation can be any organisation or individual enterprise that wants to show the organisation name in the certificates.

The organisation MUST be a member of the WPIA Cooperative eG.

The Organisation Verification MUST be successfully renewed within 27 months after the last verification.

Organisation RA Agent

An Organisation RA Agent is a specially trained RA Agent who is appointed as Organisation RA Agent, by the Board of WPIA or an appointed person, to conduct Organisation Verifications.

As there are many country-specific regulations to be considered, an Organisation RA Agent is appointed for a designated country.

The Board of WPIA or an appointed person maintains a non-disclosed list of registered Organisation RA Agents per country.

To avoid possible Conflicts of Interest, Organisation RA Agents MUST NOT verify an organisation they are related to.

The Organisation Verification Form and related documents MUST be kept in a secure manner for 7 years after the year of the Verification meeting.

Organisation Administrator

There are two levels of Organisation Administrators:

  • Master Organisation Administrator
  • Organisation Administrator

An Organisation Administrator is a person who issues certificates on behalf of the organisation.

The Organisation Administrator MUST fulfill the requirements of an RA Agent. The Organisation Administrator is responsible for being sure about the identity of a person if they issue personal certificates, and MUST be able to prove the finding of the identity.

The Master Organisation Administrator has more rights than an Organisation Administrator; see below.

Organisation Verification Form

The Organisation Verification Form is used to document the findings, collected during the Organisation Verification, that prove the identity of an organisation.

There is no need to use a special form, but the form used MUST hold:

  • Name of the organisation; if the name of the organisation is longer than 64 characters, a short version of the organisation's name
  • Address for service / address at or to which a summons may be served
  • Email address as point of contact
  • If available, organisation registration number and register
  • List of domains for which certificates should be issued. The organisation MUST prove the ownership of each domain.
  • List of persons who should serve as Organisation Administrator and/or Master Organisation Administrator with name and preferred email address of user account.
  • Date of signature
  • Name, role and signature of each person who signs the form on behalf of the organisation

It is recommended to use the Organisation Verification Form provided by TERACARA.

Organisation Verification

Meeting

During the meeting, the representatives of the organisation sign the Organisation Verification Form. The identity of the representatives is verified by an identity check similar to a Verification.

Entering Data

Prior to entering the data the Organisation RA Agent MUST check:

  • That the organisation legally exists
  • That the organisation is a member of the WPIA Cooperative eG
  • That the representatives of the organisation hold the power to sign on behalf of the organisation
  • That all listed domains are owned by the organisation.

In the case of a renewal, the data needs to be corrected and confirmed.

After the successful creation or reverification of the account the organisation MUST be informed.

Organisation Account

The Organisation Account is divided into two areas: one maintained by the Organisation RA Agent and one maintained by Organisation Administrators.

Organisation RA Agent Area

The section of the organisation part is divided into certificate data and organisation data.

  • Certificate data holds all information that is issued in a certificate. If this data is changed at a later time, all certificates issued for the organisation will be revoked by the RA Agent System.
  • Organisation data holds all additional information, e.g. contact information. This data can be changed at any time without any impact on the issued certificates.

The domains are added to the account by the Organisation RA Agent only.

Organisation Administrators can be added to the Organisation account by the Organisation RA Agent or a Master Organisation Administrator.

Organisation Administrator Area

Organisation Administrator

The Organisation Administrator MUST confirm the technical ownership of each domain prior to first issuing a certificate for that domain and on a regular basis.

The Organisation Administrator is able to issue server and client certificates. The Organisation Administrator MUST be sure about the identity of a person prior to issuing a client certificate with name.

Master Organisation Administrator

The Master Organisation Administrator is able to grant or revoke other Organisation Administrators' access to the Organisation Account. They maintain the business email address which is used to receive technical information from the RA Agent System, e.g. warning emails.


Copyright WPIA 2018-2019