CCS goes to DRAFT by p20100426 including all BLUE changes.

git-svn-id: http://svn.cacert.org/CAcert/Policies@1902 14b1bab8-4ef6-0310-b690-991c95c89dfd
Ian Grigg 2010-05-17 00:17:32 +00:00
parent e3e373f3a1
commit 98640e55f8


@ -56,9 +56,9 @@ a:hover {
<td> <td>
Creation Date : 20091214<br /> Creation Date : 20091214<br />
Editor: Iang<br /> Editor: Iang<br />
Status: 20100426 <i>WIP</i> <br /> Status: <strong>DRAFT</strong> <a href="https://wiki.cacert.org/PolicyDecisions#p20100426">p20100426</a> <br />
</td><td align="right"> </td><td align="right">
<a href="//www.cacert.org/policy/PolicyOnPolicy.html"><img src="Images/cacert-wip.png" alt="CCS Status - work-in-progress" height="31" width="88" style="border-style: none;" /></a> <a href="//www.cacert.org/policy/PolicyOnPolicy.html"><img src="Images/cacert-draft.png" alt="CCS Status - DRAFT - p20100426" height="31" width="88" style="border-style: none;" /></a>
</td> </td>
</tr> </tr>
</table> </table>
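Review bot: In the Status cell, the new decision link is an explicit https URL (https://wiki.cacert.org/PolicyDecisions#p20100426), while the badge link beside it stays protocol-relative (//www.cacert.org/policy/PolicyOnPolicy.html) and so follows whatever scheme the page was loaded over. Since both links are how a reader verifies the document's status, use https for the badge link too. The decision id now appears in both the status text and the img alt text, so the two need to be updated together at the next status change.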
@ -82,14 +82,9 @@ is derivative and is ruled by the CCS.
<p> <p>
CCS is formated, inspired and designed to meet the needs of CCS is formated, inspired and designed to meet the needs of
<span class="change">
David Ross Criteria - David Ross Criteria -
<a href="http://rossde.com/CA_review/">Certificate Authority Review Checklist</a> <a href="http://rossde.com/CA_review/">Certificate Authority Review Checklist</a>
- section A.1 - section A.1 (DRC-A.1)
(
</span>
DRC-A.1
<span class="change">)</span>.
CCS may be seen as the index to systems audit under DRC. CCS may be seen as the index to systems audit under DRC.
</p> </p>
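Review bot: The sentence-ending full stop is lost when the change spans are folded in. The old markup closed with "<span class="change">)</span>." but the new line ends at "- section A.1 (DRC-A.1)", so the text runs straight into "CCS may be seen as the index...". Add the period after "(DRC-A.1)". While this paragraph is being touched, "formated" in the unchanged line above could be corrected to "formatted".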
@ -101,8 +96,7 @@ CCS may be seen as the index to systems audit under DRC.
<p> <p>
This CCS creates a This CCS creates a
<span class="strike">list</span> Controlled Document List (CDL)
<span class="change">Controlled Document List (CDL)</span>
of Primary or "root" documents known as Policies. of Primary or "root" documents known as Policies.
Primary documents may authorise other secondary documents Primary documents may authorise other secondary documents
into the CDL, or "practices" outside the list. into the CDL, or "practices" outside the list.
@ -110,57 +104,22 @@ into the CDL, or "practices" outside the list.
<p> <p>
The Controlled Document List The Controlled Document List
contains numbers, locations and contains numbers, locations and status
<span class="strike">versions</span>
<span class="change">status</span>
of all controlled documents. of all controlled documents.
The list is part of this CCS. The list is part of this CCS.
</p> </p>
<p class="strike">
The list is part of this CCS, and is located at
<a href="//svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">
svn.cacert.org/CAcert/Policies/ControlledDocumentList.html</a>.
Policy Officer is to manage the list.
Policy Officer is to log the changes at
<a href="//wiki.cacert.org/PolicyDecisions">
wiki.cacert.org/PolicyDecisions</a>.
<!-- See A.1.k, logging of documents. --> <!-- See A.1.k, logging of documents. -->
</p>
<h4 id="s2.2">2.2 Change </h4> <h4 id="s2.2">2.2 Change </h4>
<p> <p>
Change to the documents Change to the documents
<span class="change"></span> is as specified by is as specified by
Policy on Policy (PoP). Policy on Policy (PoP).
<span class="change">Policy Officer is to manage the CDL.</span> Policy Officer is to manage the
</p> <a href="//svn.cacert.org/Policies/ControlledDocumentList.html">CDL</a>.
<p class="q"> The following is now found in a WIP set of changes to PoP. </p>
<p class="strike">
Policies in effect (DRAFT and POLICY status) are to be under change control.
Fully approved documents (POLICY status)
are published on the CAcert website at
<a href="//www.cacert.org/policy/">
www.cacert.org/policy/</a>
in plain HTML format,
under the same control as critical source code
under Security Policy (SP).
Pre-final work (DRAFT status) and working documents (work-in-progress status)
are made available on community-controlled version management systems
(rooted at Subversion:
<a href="//svn.cacert.org/CAcert/Policies">
svn.cacert.org/CAcert/Policies</a>
wiki:
<a href="//wiki.cacert.org/PolicyDrafts">
wiki.cacert.org/PolicyDrafts</a>).
Documents of lower status (work-in-progress or DRAFT)
must not be confusable with
documents of higher status (DRAFT or POLICY).
Copies should be eliminated where not being worked on.
</p> </p>
<h4 id="s2.3">2.3 Control </h4> <h4 id="s2.3">2.3 Control </h4>
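Review bot: The new CDL link in 2.2 points to //svn.cacert.org/Policies/ControlledDocumentList.html, but the paragraph removed in this same hunk used //svn.cacert.org/CAcert/Policies/ControlledDocumentList.html. Please confirm the path, since this href is now the only pointer to the list that the text calls part of this CCS. The removal also drops the sentence "Policy Officer is to log the changes at wiki.cacert.org/PolicyDecisions", and the publication and change-control paragraph is deleted on the basis that it "is now found in a WIP set of changes to PoP". Until that PoP change is itself in effect, the DRAFT has no stated logging or publication rule, so consider keeping a one-line reference to the logging location here.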
@ -185,21 +144,12 @@ Critical systems are defined by Security Policy.
<h4 id="s3.3">3.3 Control </h4> <h4 id="s3.3">3.3 Control </h4>
<p class="change"> <p>
Security Policy places executive responsibility for Hardware with the Board of CAcert Inc. Security Policy places executive responsibility for Hardware with the Board of CAcert Inc.
Access is delegated to Access Engineers (SP 2) and Systems Administrators (SP 3). Access is delegated to Access Engineers (SP 2) and Systems Administrators (SP 3).
Legal ownership may be delegated by agreement to other organisations (SP 9.4). Legal ownership may be delegated by agreement to other organisations (SP 9.4).
</p> </p>
<p class="strike">
Control of Hardware is the ultimate responsibility of the Board of CAcert Inc.
The responsibility for acts with hardware is delegated
to Access Engineers and Systems Administrators as per
Security Policy.
The ownership responsibility is delegated by agreement to Oophaga.
</p>
<h3 id="s4"> 4 Software </h3> <h3 id="s4"> 4 Software </h3>
<!-- A.1.i: The configuration-control specification controls changes to software involved in: certs; data; comms to public --> <!-- A.1.i: The configuration-control specification controls changes to software involved in: certs; data; comms to public -->
<h4 id="s4.1">4.1 Controlled Software List </h4> <h4 id="s4.1">4.1 Controlled Software List </h4>
@ -208,13 +158,18 @@ The ownership responsibility is delegated by agreement to Oophaga.
Critical software is defined by Security Policy. Critical software is defined by Security Policy.
</p> </p>
<!--
<ul class="q"> <ul class="q">
<li> Following are questions for exec + audit, not policy.
<li>One thing that is not so well covered by CAcert is the last bullet point of A.1.i</li> <li>One thing that is not so well covered by CAcert is the last bullet point of A.1.i</li>
<li>"communicating with subscribers and with the general public."</li> <li>"communicating with subscribers and with the general public."</li>
<li>website is under SP; maillists,blogs,etc are not.</li> <li>website is under SP; maillists,blogs,etc are not.</li>
<li>as community has deliberately gone this direction, I suggest we argue it that way.</li> <li>as community has deliberately gone this direction, I suggest we argue it that way.</li>
<li> What is far more problematic is the failure to do CCA &amp; Challenge notification.</li> <li> What is far more problematic is the failure to do CCA &amp; Challenge notification.</li>
<li> What about translingo and voting? </li>
<li> See <a href="https://lists.cacert.org/wws/arc/cacert-sysadm/2010-02/msg00008.html">thread</a> </li>
</ul> </ul>
-->
<h4 id="s4.2">4.2 Change </h4> <h4 id="s4.2">4.2 Change </h4>
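Review bot: The open questions in 4.1 are hidden by wrapping the <ul class="q"> in an HTML comment rather than removed, so they still ship in the source of a document that is now DRAFT, including the remark about the failure to do CCA and Challenge notification. If they are "questions for exec + audit, not policy", as the added item says, move them to the linked thread or the wiki and delete the block. If the block stays, the added first item "<li> Following are questions for exec + audit, not policy." has no closing </li>, which will break the XHTML if the comment is ever lifted.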
@ -247,13 +202,6 @@ of title or full licence,
and a registry of software under approved open source licences. and a registry of software under approved open source licences.
</p> </p>
<ul class="q">
<li> What about translingo and voting? </li>
<li> See <a href="https://lists.cacert.org/wws/arc/cacert-sysadm/2010-02/msg00008.html">thread</a> </li>
</ul>
<h3 id="s5"> 5 Certificates </h3> <h3 id="s5"> 5 Certificates </h3>
<!-- This section from A.1.b --> <!-- This section from A.1.b -->
@ -318,9 +266,12 @@ is defined by Security Policy.
<h4 id="s7.3">7.3 Archive </h4> <h4 id="s7.3">7.3 Archive </h4>
<p> Data retention is controlled by Security Policy and CAcert Community Agreement. </p>
<p> <p>
<a href="http://validator.w3.org/check?uri=referer"><img src="Images/valid-xhtml11-blue" alt="Valid XHTML 1.1" height="31" width="88" style="border-style: none;" /></a> Data retention is controlled by Security Policy and CAcert Community Agreement.
</p> </p>
<p class="q">
<a href="http://validator.w3.org/check?uri=referer"><img src="Images/valid-xhtml11-blue" id="graphics2" alt="Valid XHTML 1.1" style="float: right; border-width: 0" height="33" width="90" /></a>
</p>
</body></html> </body></html>
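Review bot: The validator badge is now wrapped in <p class="q">, but elsewhere in this diff class "q" marks open questions (the <ul class="q"> list and the removed "now found in a WIP set of changes to PoP" paragraph), so the badge inherits that styling and meaning. Use a plain <p> or a dedicated class. The new attributes also set height="33" width="90" where the status badge at the top uses height="31" width="88", and the id="graphics2" looks like editor residue; neither is referenced in the visible lines and both can be dropped or aligned.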