You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

315 lines
8.5 KiB

<?xml version="1.0" encoding="utf-8"?>
<html xmlns="">
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8" />
<title>Configuration-Control Specification - work-in-progress</title>
<style type="text/css"> <!-- only for WIP -->
body {
font-family : verdana, helvetica, arial, sans-serif;
th {
text-align : left;
.q {
color : green;
font-weight: bold;
text-align: center;
.error {
color : red;
font-weight: bold;
text-align: center;
.change {
color : blue;
font-weight: bold;
.strike {
color : blue;
a:hover {
color : gray;
<body lang="en-GB">
<h1> Configuration-Control Specification </h1>
<!-- Absolute URL because the policies are located absolutely. -->
<table width="100%">
Creation Date : 20091214<br />
Editor: Iang<br />
Status: 20100426 <i>WIP</i> <br />
</td><td align="right">
<a href="//"><img src="Images/cacert-wip.png" alt="CCS Status - work-in-progress" height="31" width="88" style="border-style: none;" /></a>
<h3 id="s1"> 1. Introduction </h3>
<!-- This section from A.1.a through A.1.c -->
The Configuration-Control Specification (CCS COD2) controls and tracks those documents, processes and assets which are critical to the business, security and governance of the CAcert operations.
This document is the procedure for CCS.
This document itself is a component of the CCS,
see &sect;2.
<!-- A.1.c The configuration-control specification controls its own revision process. -->
All other documentation and process specified within
is derivative and is ruled by the CCS.
CCS is formated, inspired and designed to meet the needs of
<span class="change">
David Ross Criteria -
<a href="">Certificate Authority Review Checklist</a>
- section A.1
<span class="change">)</span>.
CCS may be seen as the index to systems audit under DRC.
<h3 id="s2"> 2 Documents </h3>
<!-- A.1.c-h: The configuration-control specification controls the revision process for the CCS,CP,CPS,PP,SP,R/L/O -->
<h4 id="s2.1">2.1 Controlled Document List </h4>
This CCS creates a list of Primary or "root" documents known as Policies.
Primary documents may authorise other secondary documents
into the list, or "practices" outside the list.
The controlled documents list
contains numbers, locations and versions of all controlled documents.
The list is part of this CCS, and is located at
<a href="//"></a>
Policy Officer is to manage the list.
Policy Officer is to log the changes at
<a href="//"></a>.
<!-- See A.1.k, logging of documents. -->
<h4 id="s2.2">2.2 Change </h4>
Change to the documents is as specified by
Policy on Policy (PoP).
<p class="q"> The following would possibly be better off in PoP (when a change cycle comes around), or a practices manual. </p>
Policies in effect (DRAFT and POLICY status) are to be under change control.
Fully approved documents (POLICY status)
are published on the CAcert website at
<a href="//"></a>
in plain HTML format,
under the same control as critical source code
under Security Policy (SP).
Pre-final work (DRAFT status) and working documents (work-in-progress status)
are made available on community-controlled version management systems
(rooted at Subversion:
<a href="//"></a>
<a href="//"></a>).
Documents of lower status (work-in-progress or DRAFT)
must not be confusable with
documents of higher status (DRAFT or POLICY).
Copies should be eliminated where not being worked on.
<h4 id="s2.3">2.3 Control </h4>
CAcert policies are required to be owned / transferred to CAcert. See PoP 6.2.
<h3 id="s3"> 3 Hardware </h3>
<!-- This section from A.1.j -->
<h4 id="s3.1">3.1 Controlled Hardware List </h4>
Critical systems are defined by Security Policy.
<h4 id="s3.2">3.2 Change </h4>
<p> See Security Policy. </p>
<h4 id="s3.3">3.3 Control </h4>
<p class="change">
Security Policy places executive responsibility for Hardware with the Board of CAcert Inc.
Access is delegated to Access Engineers (SP 2) and Systems Administrators (SP 3).
Legal ownership may be delegated by agreement to other organisations (SP 9.4).
<p class="strike">
Control of Hardware is the ultimate responsibility of the Board of CAcert Inc.
The responsibility for acts with hardware is delegated
to Access Engineers and Systems Administrators as per
Security Policy.
The ownership responsibility is delegated by agreement to Oophaga.
<h3 id="s4"> 4 Software </h3>
<!-- A.1.i: The configuration-control specification controls changes to software involved in: certs; data; comms to public -->
<h4 id="s4.1">4.1 Controlled Software List </h4>
Critical software is defined by Security Policy.
<ul class="q">
<li>One thing that is not so well covered by CAcert is the last bullet point of A.1.i</li>
<li>"communicating with subscribers and with the general public."</li>
<li>website is under SP; maillists,blogs,etc are not.</li>
<li>as community has deliberately gone this direction, I suggest we argue it that way.</li>
<li> What is far more problematic is the failure to do CCA &amp; Challenge notification.</li>
<h4 id="s4.2">4.2 Change </h4>
<p> See Security Policy. </p>
<h4 id="s4.3">4.3 Control </h4>
CAcert owns its code, or requires control over open source code in use
by means of an approved free and open licence.
Such code must be identified and managed by Software Assessment.
Developers transfer full rights to CAcert
(in a similar fashion to documents),
or organise their contributions under a
proper free and open source code regime,
as approved by Board.
Where code is published
(beyond scope of this document)
care must be taken not to infringe licence conditions.
For example, mingling issues with GPL.
The Software Assessment Team Leader
maintains a registry of assignments
of title or full licence,
and a registry of software under approved open source licences.
<ul class="q">
<li> What about translingo and voting? </li>
<li> See <a href="">thread</a> </li>
<h3 id="s5"> 5 Certificates </h3>
<!-- This section from A.1.b -->
<p> This section applies to Root and Sub-root certificates, not to End-entity (subscriber, member) certificates. </p>
<h4 id="s5.1">5.1 Certificates List </h4>
<p> Certificates (Root and sub-root) are to be listed in the CPS. </p>
<h4 id="s5.2">5.2 Changes </h4>
Creation and handling of Certificates
is controlled by Security Policy.
Usage of Certificates
is controlled by Certification Practice Statement.
<h4 id="s5.3">5.3 Archive </h4>
<p> See Security Policy. </p>
<h3 id="s6"> 6 Logs </h3>
<!-- This section from A.1.k -->
<h4 id="s6.1">6.1 Controlled Logs List </h4>
<p> Logs are defined by Security Policy. </p>
<h4 id="s6.2">6.2 Changes </h4>
<p> Changes to Hardware, Software and Root Certificates are logged according to Security Policy. </p>
<h4 id="s6.3">6.3 Archive </h4>
<p> See Security Policy. </p>
<h3 id="s7"> 7 Data </h3>
<!-- This section from A.1.i-j, bullets 2,3 -->
<h4 id="s7.1">7.1 Types of Data </h4>
Types of critical member data is defined by Assurance Policy.
<h4 id="s7.2">7.2 Changes </h4>
Changes and access to critical member data
is as defined under Assurance Policy,
CAcert Community Agreement and
Dispute Resolution Policy.
Implementation of
collection and storage of critical member data
(user interface software and databases)
is defined by Security Policy.
<h4 id="s7.3">7.3 Archive </h4>
<p> Data retention is controlled by Security Policy and CAcert Community Agreement. </p>
<a href=""><img src="Images/valid-xhtml11-blue" alt="Valid XHTML 1.1" height="31" width="88" style="border-style: none;" /></a>