From 418fd6f8f32277c3eba87fce39e7c1b3279306f3 Mon Sep 17 00:00:00 2001
From: Ian Grigg <iang@cacert.org>
Date: Sat, 28 Mar 2009 01:04:26 +0000
Subject: [PATCH] to DRAFT, 11 Ayes counted

git-svn-id: http://svn.cacert.org/CAcert/Policies@1240 14b1bab8-4ef6-0310-b690-991c95c89dfd
---
 SecurityPolicy.html | 20 ++++----------------
 1 file changed, 4 insertions(+), 16 deletions(-)

diff --git a/SecurityPolicy.html b/SecurityPolicy.html
index 2a0c1bd..49842cf 100644
--- a/SecurityPolicy.html
+++ b/SecurityPolicy.html
@@ -8,10 +8,10 @@
 <body lang="en-GB">
 
 <h1>Security Policy for CAcert Systems</h1>
-<p><a href="PolicyOnPolicy.html"><img src="Images/cacert-wip.png" alt="CAcert Security Policy Status == wip" border="0"></a>
+<p><a href="PolicyOnPolicy.html"><img src="Images/cacert-draft.png" alt="CAcert Security Policy Status == wip" border="0"></a>
 <br>
 Creation date: 20090216<br>
-Status: <i>work-in-progress</i>, to DRAFT 20090327
+Status: <b>DRAFT 20090327</b>
 </p>
 
 <h2><a name="1">1.</a> INTRODUCTION</h2>
@@ -456,11 +456,9 @@ until approved by the Software Assessment Team.
 </p>
 
 <p>
-<B>
 Requests to systems administration for ad hoc queries
 over the database for business or similar purposes
 must be approved by the Arbitrator.
-</B>
 </p>
 
 <h3><a name="3.4"> 3.4.</a> Access control </h3>
@@ -528,10 +526,7 @@ authorisations on the below access control lists
 
 
 <p>
-All changes
-<B>
-of personnel
-</B>
+All changes of personnel
 to the above lists are approved by the Board of CAcert.
 </p>
 
@@ -612,8 +607,7 @@ and reported in regular summaries to the Board of CAcert.
 <h4> <a name="4.2.1">4.2.1.</a> Coverage </h4>
 
 <p>
-All sensitive events should be logged
-<B> reliably </B>.
+All sensitive events should be logged reliably.
 Logs should be deleted after an appropriate amount of time
 as documented in the Security Manual.
 </p>
@@ -1187,7 +1181,6 @@ especially of new team members.
 
 <h4> <a name="9.2.1"> 9.2.1. </a> Root Key generation</h4>
 
-<B>
 <p>
 Root keys are generated only on instruction from the Board.
 They must be generated to a fully documented and reviewed procedure.
@@ -1203,7 +1196,6 @@ The procedure must include:
    <li> Documentation of each step as it happens against the procedure. </li>
    <li> Confirmation by each participant over the process and the results.  </li>
 </ul>
-</B>
 
 <h4> <a name="9.2.2"> 9.2.2. </a> Backup and escrow</h4>
 
@@ -1303,20 +1295,16 @@ of open disclosure wherever possible.
 See <a href="https://svn.cacert.org/CAcert/principles.html">
 Principles</a>.
 This is not a statement of politics but a statement of security;
-<B>
 if a security issue can only be sustained
-</B>
 under some confidentiality or secrecy, then find another way.
 </p>
 
 <p>
 In concrete terms,
-<B>
 confidentiality or secrecy may be maintained only
 under a defined method in policy,
 or under the oversight of the Arbitrator
 (which itself is under DRP).
-</B>
 The exception itself must not be secret or confidential.
 All secrets and confidentials are reviewable under Arbitration,
 and may be reversed.