From 418fd6f8f32277c3eba87fce39e7c1b3279306f3 Mon Sep 17 00:00:00 2001
From: Ian Grigg
Security Policy for CAcert Systems
-
Creation date: 20090216
-Status: work-in-progress, to DRAFT 20090327
+Status: DRAFT 20090327
1. INTRODUCTION
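Review bot: The status line moves from "work-in-progress, to DRAFT 20090327" to "DRAFT 20090327" in the same patch that also edits the policy body (the later hunks at -456, -612, -1187 and -1203), so the promotion to DRAFT and the wording changes cannot be reviewed or reverted separately. Suggest making the status change its own commit, or stating in the commit message that the body edits in this patch are editorial only.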
@@ -456,11 +456,9 @@ until approved by the Software Assessment Team.
- Requests to systems administration for ad hoc queries over the database for business or similar purposes must be approved by the Arbitrator. -
-All changes - -of personnel - +All changes of personnel to the above lists are approved by the Board of CAcert.
@@ -612,8 +607,7 @@ and reported in regular summaries to the Board of CAcert.-All sensitive events should be logged - reliably . +All sensitive events should be logged reliably. Logs should be deleted after an appropriate amount of time as documented in the Security Manual.
@@ -1187,7 +1181,6 @@ especially of new team members.Root keys are generated only on instruction from the Board. They must be generated to a fully documented and reviewed procedure. @@ -1203,7 +1196,6 @@ The procedure must include:
In concrete terms, - confidentiality or secrecy may be maintained only under a defined method in policy, or under the oversight of the Arbitrator (which itself is under DRP). - The exception itself must not be secret or confidential. All secrets and confidentials are reviewable under Arbitration, and may be reversed.
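Review bot: In the hunk at -612, the added line "All sensitive events should be logged reliably." keeps "should" and leaves both "sensitive events" and "reliably" undefined, so there is nothing concrete to audit against. Suggest "must be logged", plus a pointer to where the Security Manual lists the events and the reliability requirement, in the same way the following sentence defers log retention ("as documented in the Security Manual").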
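Review bot: The hunk headers at -1187 and -1203 each shrink the root key generation text by one line (7 lines to 6), the second under the context "The procedure must include:", but the patch gives no indication of whether the dropped lines are markup or requirements. If either one is an item of the required procedure rather than formatting, it changes what a root key ceremony must cover and should be named explicitly in the commit message and approved as a content change, not folded into a cleanup.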