reviewed against DRC, added "Data"

git-svn-id: 14b1bab8-4ef6-0310-b690-991c95c89dfd
Ian Grigg 14 years ago
parent 33a71c1774
commit 69873bc39f

@ -1,11 +1,12 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
<?xml version="1.0" encoding="utf-8"?>
<html xmlns="">
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8">
<title>Configuration-Control Specification - work-in-progress</title>
<style type="text/css">
<style type="text/css"> <!-- only for WIP -->
body {
font-family : verdana, helvetica, arial, sans-serif;
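Review bot: The marker on the `<style type="text/css"> <!-- only for WIP -->` line is an HTML comment placed inside a style element, where the content is read as CSS. CSS ignores the `<!--` and `-->` tokens but not the words between them, so "only for WIP" runs into the following `body {` and becomes part of that rule's selector, and the body font rule no longer matches. Use a CSS comment, `/* only for WIP */`, or move the HTML comment above the `<style>` tag. Separately, the `<?xml version="1.0" encoding="utf-8"?>` line follows an HTML 4.01 Transitional DOCTYPE; an XML declaration is only valid as the first line of a document, so the header should commit to one document type.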
@ -46,14 +47,19 @@ a:hover {
<h1> Configuration-Control Specification </h1>
<!-- Absolute URL because the policies are located absolutely. -->
<a href="//"><img align="right" src="Images/cacert-wip.png" alt="Configuration-Control Specification Status == work-in-progress" border="0"></a><p>
Creation date: 20091214<br>
Editor: Iang<br>
Status: 20100407 <i>WIP </i><br><br>
<h3> <a name="h1">1</a> <a name="Introduction"> Introduction </a> </h3>
<table width="100%">
Creation Date : 20091214<br />
Editor: Iang<br />
Status: 20100420 <i>WIP</i> <br />
</td><td align="right">
<a href="//"><img src="Images/cacert-draft.png" alt="CCS Status - work-in-progress" height="31" width="88" style="border-style: none;" /></a>
<h3> <a name="s1">1</a> <a name="Introduction"> Introduction </a> </h3>
<!-- This section from A.1.a through A.1.c -->
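Review bot: The status image in this hunk points at `Images/cacert-draft.png`, yet its alt text reads "CCS Status - work-in-progress" and the Status line says WIP; the other image line in the same hunk uses `Images/cacert-wip.png`. A reader who sees the DRAFT badge will take the document to have a higher status than it has, which matters for a controlled policy document. Point the `src` at the WIP image until the status actually changes. The header block also mixes `<br>` and `<br />`; settle on the form that matches the declared document type.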
@ -76,11 +82,11 @@ DRC-A.1.
CCS may be seen as the index to systems audit under DRC.
<h3> <a name="h2">2</a> <a name="Documents"> Documents </a> </h3>
<h3> <a name="s2">2</a> <a name="Documents"> Documents </a> </h3>
<!-- A.1.c-h: The configuration-control specification controls the revision process for the CCS,CP,CPS,PP,SP,R/L/O -->
<h4> <a name="h2.1">2.1</a> <a name="doc_list"> Controlled Document List </a> </h4>
<h4> <a name="s2.1">2.1</a> <a name="doc_list"> Controlled Document List </a> </h4>
This CCS creates a list of Primary or "root" documents known as Policies.
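Review bot: The numbered anchors are renamed from `h2` and `h2.1` to `s2` and `s2.1` here, and the same rename repeats for every section in the later hunks, so any existing link that targets an old `#hN` fragment will silently land at the top of the page instead of the section. If other documents link to CCS sections by number, either keep the old name as a second anchor on each heading or update the referencing documents in the same change.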
@ -101,7 +107,7 @@</a>.
<!-- See A.1.k, logging of documents. -->
<h4> <a name="h2.2">2.2</a> <a name="doc_change"> Change </a> </h4>
<h4> <a name="s2.2">2.2</a> <a name="doc_change"> Change </a> </h4>
@ -134,27 +140,27 @@ documents of higher status (DRAFT or POLICY).
Copies should be eliminated where not being worked on.
<h4> <a name="h2.3">2.3</a> <a name="doc_control"> Control </a> </h4>
<h4> <a name="s2.3">2.3</a> <a name="doc_control"> Control </a> </h4>
CAcert policies are required to be owned / transferred to CAcert. See PoP 6.2.
<h3> <a name="h3">3</a> <a name="Hardware"> Hardware </a> </h3>
<h3> <a name="s3">3</a> <a name="Hardware"> Hardware </a> </h3>
<!-- This section from A.1.j -->
<h4> <a name="h3.1">3.1</a> <a name="hard_list"> Controlled Hardware List </a> </h4>
<h4> <a name="s3.1">3.1</a> <a name="hard_list"> Controlled Hardware List </a> </h4>
Critical systems are defined by Security Policy.
<h4> <a name="h3.2">3.2</a> <a name="hard_change"> Change </a> </h4>
<h4> <a name="s3.2">3.2</a> <a name="hard_change"> Change </a> </h4>
<p> See Security Policy. </p>
<h4> <a name="h3.3">3.3</a> <a name="hard_control"> Control </a> </h4>
<h4> <a name="s3.3">3.3</a> <a name="hard_control"> Control </a> </h4>
Control of Hardware is the ultimate responsibility of the Board of CAcert Inc.
@ -165,9 +171,9 @@ The ownership responsibility is delegated by agreement to Oophaga.
<h3> <a name="h4">4</a> <a name="Software"> Software </a> </h3>
<h3> <a name="s4">4</a> <a name="Software"> Software </a> </h3>
<!-- A.1.i: The configuration-control specification controls changes to software involved in: certs; data; comms to public -->
<h4> <a name="h4.1">4.1</a> <a name="hard_list"> Controlled Software List </a> </h4>
<h4> <a name="s4.1">4.1</a> <a name="hard_list"> Controlled Software List </a> </h4>
Critical software is defined by Security Policy.
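Review bot: The 4.1 heading is edited here but still carries `<a name="hard_list">` for "Controlled Software List", the same name that 3.1 "Controlled Hardware List" uses. Duplicate anchor names are invalid and a `#hard_list` link can only ever reach the hardware section. Since the line is being touched anyway, rename it to `soft_list` to match `soft_change` and `soft_control` in 4.2 and 4.3.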
@ -181,11 +187,11 @@ Critical software is defined by Security Policy.
<li> What is far more problematic is the failure to do CCA & Challenge notification.
<h4> <a name="h4.2">4.2</a> <a name="soft_change"> Change </a> </h4>
<h4> <a name="s4.2">4.2</a> <a name="soft_change"> Change </a> </h4>
<p> See Security Policy. </p>
<h4> <a name="h4.3">4.3</a> <a name="soft_control"> Control </a> </h4>
<h4> <a name="s4.3">4.3</a> <a name="soft_control"> Control </a> </h4>
CAcert owns its code, or requires control over open source code in use
@ -219,43 +225,73 @@ and a registry of software under approved open source licences.
<h3> <a name="h5">5</a> <a name="Certs"> Certificates </a> </h3>
<h3> <a name="s5">5</a> <a name="Certs"> Certificates </a> </h3>
<!-- This section from A.1.b -->
<p> This section applies to Root and Sub-root certificates, not to End-entity (subscriber, member) certificates. </p>
<h4> <a name="h5.1">5.1</a> <a name="certs_list"> Certificates List </a> </h4>
<h4> <a name="s5.1">5.1</a> <a name="certs_list"> Certificates List </a> </h4>
<p> Certificates (Root and sub-root) are to be listed in the CPS. </p>
<h4> <a name="h5.2">5.2</a> <a name="logs_change"> Changes </a> </h4>
<h4> <a name="s5.2">5.2</a> <a name="logs_change"> Changes </a> </h4>
Creation of Certificates
Creation and handling of Certificates
is controlled by Security Policy.
Usage of Certificates
is controlled by both Security Policy and Certification Practice Statement.
is controlled by Certification Practice Statement.
<h4> <a name="h5.3">5.3</a> <a name="logs_archive"> Archive </a> </h4>
<h4> <a name="s5.3">5.3</a> <a name="logs_archive"> Archive </a> </h4>
<p> See Security Policy. </p>
<h3> <a name="h6">6</a> <a name="Logs"> Logs </a> </h3>
<h3> <a name="s6">6</a> <a name="Logs"> Logs </a> </h3>
<!-- This section from A.1.k -->
<h4> <a name="h6.1">6.1</a> <a name="logs_list"> Controlled Logs List </a> </h4>
<h4> <a name="s6.1">6.1</a> <a name="logs_list"> Controlled Logs List </a> </h4>
<p> Logs are defined by Security Policy. </p>
<h4> <a name="h6.2">6.2</a> <a name="logs_change"> Changes </a> </h4>
<h4> <a name="s6.2">6.2</a> <a name="logs_change"> Changes </a> </h4>
<p> Changes to Hardware, Software and Root Certificates are logged according to Security Policy. </p>
<h4> <a name="h6.3">6.3</a> <a name="logs_archive"> Archive </a> </h4>
<h4> <a name="s6.3">6.3</a> <a name="logs_archive"> Archive </a> </h4>
<p> See Security Policy. </p>
<h3> <a name="s7">7</a> <a name="data"> Data </a> </h3>
<!-- This section from A.1.i-j, bullets 2,3 -->
<h4> <a name="s7.1">7.1</a> <a name="data_list"> Types of Data </a> </h4>
Types of critical member data is defined by Assurance Policy.
<h4> <a name="s7.2">7.2</a> <a name="data_change"> Changes </a> </h4>
Changes and access to critical member data
is as defined under Assurance Policy,
CAcert Community Agreement and
Dispute Resolution Policy.
Implementation of
collection and storage of critical member data
(user interface software and databases)
is defined by Security Policy.
<h4> <a name="s7.3">7.3</a> <a name="data_archive"> Archive </a> </h4>
<p> Data retention is controlled by Security Policy and CAcert Community Agreement. </p>
<a href=""><img src="Images/valid-xhtml11-blue" alt="Valid XHTML 1.1" height="31" width="88" style="border-style: none;" /></a>
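Review bot: Sections 5.2 and 5.3 keep `name="logs_change"` and `name="logs_archive"`, which are the names 6.2 and 6.3 also use, so the Certificates headings collide with the Logs headings; rename them to `certs_change` and `certs_archive` in line with `certs_list`. The new section 7 follows the intended pattern (`data_list`, `data_change`, `data_archive`), but the body text of 7.1 and 7.2 is not wrapped in `<p>` as 7.3 is, and 7.1 should read "Types of critical member data are defined". The closing badge claims "Valid XHTML 1.1" while the file opens with an HTML 4.01 Transitional DOCTYPE, and its `src="Images/valid-xhtml11-blue"` has no file extension and its `href` is empty; drop the badge until the page actually validates. The 5.2 wording also narrows control over usage of certificates from "both Security Policy and Certification Practice Statement" to the CPS alone, which is a substantive policy change that the commit message should call out.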