• Note that the criteria formerly here have now moved to A.2.z.
  • The genesis of this requirement was the event of December 2008 when one CA was able to buy a false cert off another CA, due to poor or absent controls in a reseller. The specific case was the failure to check control of the domain.
  • Control of domain is checked by the CA, and the CA does not outsource that part.
  • Assurance is conducted by the Assurers and others under AP, so this part falls within scope of the criteria.
  • As of 20090131 there is no specific post-verification process over the work of the Individual Assurers.
  • Potential answers:
    • Assurers operate in dual control mode, in that at least two Assurers are needed to reach 50 points (leaving aside Exceptions for now).
    • Assurances become mutual. This is already permitted under AP and is encouraged practice. Making it routine for all Assurer-Assurer instances would create a strong statistical verification.
    • Have Assurers allocate the Experience Points. This would metricise the verification.
    • AP: CAP forms are kept for 7 years. Arbitrators can review.
    • Event coordinators may have this responsibility for larger-scale Assurance events.
  • Query posted on policy group, 20090131, "how do we verify the Assurers?" Further proposal posted on policy group, around 20090429,
  • Organisation Assurers work in association with O-Admins, which adds four eyes control over some of the information. (However, this area is not verified.)