Building Trust: Levels of Assurance

Many of the sections above require a collaborating infrastructure to have 
certain types of documents: policies, procedures, logs, lists of 
members, etc. In some cases there is no problem in making these 
documents available publically on the web. However, in other cases, 
privacy or security considerations may cause the infrastructure to want 
to restrict distribution of such documents, while at the same time 
assuring other infrastructures that the documents do exist and fulfill 
the requirements described above. 

To accomodate these needs, we consider 3 levels of assurance an 
infrastructure can meet: 

1) Level 1: the infrastructure asserts the existence of all required 
documents but makes no comprehensive effort to prove the existence of 
the documents. Some documents may be published on the web. 

2) Level 2: the infrastructure makes their document set available in a 
protected and secured manner to some designated body that verifies the 
level 1 assertion that the documents exist. The "SPI" group could evolve 
into a more formal committee that performs such verifications, as 
regional PMAs do on behalf of the IGTF. 

3) Level 3: the infrastructure makes their document set available in a 
protected and secured manner to an independent body that not only 
verifies their existence but also performs an "operational review" that 
demonstrates the documents are accurate, up to date, and serve their 
intended purposes. Checklists for each type of document can be prepared 
to guide these operational reviews, which can again be performed by the 
"SPI" successor group. 

Charts will be maintained showing what level of assurance different 
infrastructures have met, which will allow other infrastructures to make 
informed decisions about which partners are deserving of their trust.