reviewed against DRC, added "Data"

git-svn-id: http://svn.cacert.org/CAcert/Policies@1872 14b1bab8-4ef6-0310-b690-991c95c89dfd
14 years ago · 69873bc39f
parent 33a71c1774
commit 69873bc39f
1 changed files with 70 additions and 34 deletions
--- a/ConfigurationControlSpecification.html
+++ b/ConfigurationControlSpecification.html
@ -1,11 +1,12 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
-                      "http://www.w3.org/TR/html4/loose.dtd">
-<html>
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
+	"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8">
 <title>Configuration-Control Specification - work-in-progress</title>

-<style type="text/css">
+<style type="text/css">  <!-- only for WIP -->
 <!--
 body {
        font-family : verdana, helvetica, arial, sans-serif;
@ -46,14 +47,19 @@ a:hover {
 <h1> Configuration-Control Specification </h1>

 <!-- Absolute URL because the policies are located absolutely. -->
-<a href="//www.cacert.org/policy/PolicyOnPolicy.php"><img align="right" src="Images/cacert-wip.png" alt="Configuration-Control Specification Status == work-in-progress" border="0"></a><p>
-Creation date: 20091214<br>
-Editor: Iang<br>
-Status: 20100407 <i>WIP </i><br><br>
-
-
-
-<h3> <a name="h1">1</a> <a name="Introduction"> Introduction </a> </h3>
+<table width="100%">
+ <tr>
+  <td>
+   Creation Date : 20091214<br />
+   Editor: Iang<br />
+   Status: 20100420 <i>WIP</i> <br />
+  </td><td align="right">
+   <a href="//www.cacert.org/policy/PolicyOnPolicy.html"><img src="Images/cacert-draft.png" alt="CCS Status - work-in-progress" height="31" width="88" style="border-style: none;" /></a>
+  </td>
+ </tr>
+</table>
+
+<h3> <a name="s1">1</a> <a name="Introduction"> Introduction </a> </h3>

 <!-- This section from A.1.a through A.1.c -->

@ -76,11 +82,11 @@ DRC-A.1.
 CCS may be seen as the index to systems audit under DRC.
 </p>

-<h3> <a name="h2">2</a> <a name="Documents"> Documents </a> </h3>
+<h3> <a name="s2">2</a> <a name="Documents"> Documents </a> </h3>

 <!-- A.1.c-h: The configuration-control specification controls the revision process for the CCS,CP,CPS,PP,SP,R/L/O  -->

-<h4> <a name="h2.1">2.1</a> <a name="doc_list"> Controlled Document List </a> </h4>
+<h4> <a name="s2.1">2.1</a> <a name="doc_list"> Controlled Document List </a> </h4>

 <p>
 This CCS creates a list of Primary or "root" documents known as Policies.
@ -101,7 +107,7 @@ wiki.cacert.org/PolicyDecisions</a>.
 <!-- See A.1.k, logging of documents. -->
 </p>

-<h4> <a name="h2.2">2.2</a> <a name="doc_change"> Change </a> </h4>
+<h4> <a name="s2.2">2.2</a> <a name="doc_change"> Change </a> </h4>


 <p>
@ -134,27 +140,27 @@ documents of higher status (DRAFT or POLICY).
 Copies should be eliminated where not being worked on.
 </p>

-<h4> <a name="h2.3">2.3</a> <a name="doc_control"> Control </a> </h4>
+<h4> <a name="s2.3">2.3</a> <a name="doc_control"> Control </a> </h4>

 <p>
 CAcert policies are required to be owned / transferred to CAcert. See PoP 6.2. 
 </p>

-<h3> <a name="h3">3</a> <a name="Hardware"> Hardware </a> </h3>
+<h3> <a name="s3">3</a> <a name="Hardware"> Hardware </a> </h3>

 <!-- This section from A.1.j -->

-<h4> <a name="h3.1">3.1</a> <a name="hard_list"> Controlled Hardware List </a> </h4>
+<h4> <a name="s3.1">3.1</a> <a name="hard_list"> Controlled Hardware List </a> </h4>

 <p>
 Critical systems are defined by Security Policy.
 </p>

-<h4> <a name="h3.2">3.2</a> <a name="hard_change"> Change </a> </h4>
+<h4> <a name="s3.2">3.2</a> <a name="hard_change"> Change </a> </h4>

 <p> See Security Policy.  </p>

-<h4> <a name="h3.3">3.3</a> <a name="hard_control"> Control </a> </h4>
+<h4> <a name="s3.3">3.3</a> <a name="hard_control"> Control </a> </h4>

 <p>
 Control of Hardware is the ultimate responsibility of the Board of CAcert Inc.
@ -165,9 +171,9 @@ The ownership responsibility is delegated by agreement to Oophaga.
 </p>


-<h3> <a name="h4">4</a> <a name="Software"> Software </a> </h3>
+<h3> <a name="s4">4</a> <a name="Software"> Software </a> </h3>
 <!-- A.1.i: The configuration-control specification controls changes to software involved in: certs; data; comms to public -->
-<h4> <a name="h4.1">4.1</a> <a name="hard_list"> Controlled Software List </a> </h4>
+<h4> <a name="s4.1">4.1</a> <a name="hard_list"> Controlled Software List </a> </h4>

 <p>
 Critical software is defined by Security Policy.
@ -181,11 +187,11 @@ Critical software is defined by Security Policy.
 <li> What is far more problematic is the failure to do CCA & Challenge notification.
 </ul>

-<h4> <a name="h4.2">4.2</a> <a name="soft_change"> Change </a> </h4>
+<h4> <a name="s4.2">4.2</a> <a name="soft_change"> Change </a> </h4>

 <p> See Security Policy.  </p>

-<h4> <a name="h4.3">4.3</a> <a name="soft_control"> Control </a> </h4>
+<h4> <a name="s4.3">4.3</a> <a name="soft_control"> Control </a> </h4>

 <p>
 CAcert owns its code, or requires control over open source code in use
@ -219,43 +225,73 @@ and a registry of software under approved open source licences.



-<h3> <a name="h5">5</a> <a name="Certs"> Certificates </a> </h3>
+<h3> <a name="s5">5</a> <a name="Certs"> Certificates </a> </h3>

 <!-- This section from A.1.b -->

 <p> This section applies to Root and Sub-root certificates, not to End-entity (subscriber, member) certificates. </p>

-<h4> <a name="h5.1">5.1</a> <a name="certs_list"> Certificates List </a> </h4>
+<h4> <a name="s5.1">5.1</a> <a name="certs_list"> Certificates List </a> </h4>

 <p> Certificates (Root and sub-root) are to be listed in the CPS.  </p>

-<h4> <a name="h5.2">5.2</a> <a name="logs_change"> Changes </a> </h4>
+<h4> <a name="s5.2">5.2</a> <a name="logs_change"> Changes </a> </h4>

 <p>
-Creation of Certificates
+Creation and handling of Certificates
 is controlled by Security Policy.
 Usage of Certificates
-is controlled by both Security Policy and Certification Practice Statement.
+is controlled by Certification Practice Statement.
 </p>

-<h4> <a name="h5.3">5.3</a> <a name="logs_archive"> Archive </a> </h4>
+<h4> <a name="s5.3">5.3</a> <a name="logs_archive"> Archive </a> </h4>

 <p> See Security Policy. </p>

-<h3> <a name="h6">6</a> <a name="Logs"> Logs </a> </h3>
+<h3> <a name="s6">6</a> <a name="Logs"> Logs </a> </h3>

 <!-- This section from A.1.k -->

-<h4> <a name="h6.1">6.1</a> <a name="logs_list"> Controlled Logs List </a> </h4>
+<h4> <a name="s6.1">6.1</a> <a name="logs_list"> Controlled Logs List </a> </h4>

 <p> Logs are defined by Security Policy.  </p>

-<h4> <a name="h6.2">6.2</a> <a name="logs_change"> Changes </a> </h4>
+<h4> <a name="s6.2">6.2</a> <a name="logs_change"> Changes </a> </h4>

 <p> Changes to Hardware, Software and Root Certificates are logged according to Security Policy.  </p>

-<h4> <a name="h6.3">6.3</a> <a name="logs_archive"> Archive </a> </h4>
+<h4> <a name="s6.3">6.3</a> <a name="logs_archive"> Archive </a> </h4>

 <p> See Security Policy.  </p>

+<h3> <a name="s7">7</a> <a name="data"> Data </a> </h3>
+
+<!-- This section from A.1.i-j, bullets 2,3 -->
+
+<h4> <a name="s7.1">7.1</a> <a name="data_list"> Types of Data </a> </h4>
+
+<p>
+Types of critical member data is defined by Assurance Policy.
+</p>
+
+<h4> <a name="s7.2">7.2</a> <a name="data_change"> Changes </a> </h4>
+
+<p>
+Changes and access to critical member data
+is as defined under Assurance Policy,
+CAcert Community Agreement and
+Dispute Resolution Policy.
+Implementation of
+collection and storage of critical member data
+(user interface software and databases)
+is defined by Security Policy.
+</p>
+
+<h4> <a name="s7.3">7.3</a> <a name="data_archive"> Archive </a> </h4>
+
+<p> Data retention is controlled by Security Policy and CAcert Community Agreement.  </p>
+
+<p>
+  <a href="http://validator.w3.org/check?uri=referer"><img src="Images/valid-xhtml11-blue" alt="Valid XHTML 1.1" height="31" width="88" style="border-style: none;" /></a>
+</p>
 </body></html>