some semantic tweaks

git-svn-id: http://svn.cacert.org/CAcert/Policies@1897 14b1bab8-4ef6-0310-b690-991c95c89dfd
2010-05-11 05:51:48 +00:00 · 2010-05-11 05:51:48 +00:00 · a30a60d192
commit a30a60d192
parent a47ed49998
1 changed files with 39 additions and 16 deletions
--- a/SecurityPolicy.html
+++ b/SecurityPolicy.html
@ -48,6 +48,7 @@ a:hover {
 <body lang="en-GB">
 <ul class="change">
 <li> 20100511: Introduced "Board" term, tightened "approval" semantics, s/wiped/erased/, slight semantic tweaks. </li>
 <li> 20100502: Made 7.3 blank, "refer to SM" </li>
 <li> 20100424: tidied up 9.4 </li>
 <li> 20100422: added 9.3.2 notification requirement. </li>
@ -95,7 +96,9 @@ These systems include:
     Source code (changes and patches) 
 </li></ol>
 <p>
-Board may add additional components into the Security Manual.
+<span class="strike">Board</span>
 <span class="change">The Committee of CAcert, Inc. (hereafter, "Board")</span>
 may add additional components into the Security Manual.
 </p>
 <h4 id="s1.1.1">1.1.1. Covered Personnel </h4>
@ -304,7 +307,10 @@ are inventoried upon acquisition and tracked in their use.
 <p>
 New storage media (whether disk or removable) shall be
-securely wiped and reformatted before use.
+securely
 <span class="strike">wiped</span>
 <span class="change">erased</span>
 and reformatted before use.
 </p>
 <h4 id="s2.2.3.2">2.2.3.2 Storage </h4>
@ -312,7 +318,10 @@ securely wiped and reformatted before use.
 <p>
 Removable media shall be securely stored at all times,
 including when not in use.
-Drives that are kept for reuse are wiped securely before storage.
+Drives that are kept for reuse are 
 <span class="strike">wiped</span>
 <span class="change">erased</span>
 securely before storage.
 Reuse can only be within critical systems.
 </p>
@ -596,8 +605,9 @@ authorisations on the below access control lists
 <p>
-All changes of personnel
+All changes of personnel to the above lists are
-to the above lists are approved by the Board of CAcert.
+<span class="change">subject to Board approval.</span>
 <span class="strike">approved by the Board of CAcert.</span>
 </p>
 <h4 id="s3.4.3"> 3.4.3. Authentication </h4>
@ -886,7 +896,7 @@ Board must have a basic plan to recover.
 <h3 id="s6.4"> 6.4.  Key Persons List </h3>
 <p>
-Board must maintain a key persons List with all the
+Board must maintain a Key Persons List with all the
 contact information needed.
 See &sect;10.1.
 The list shall be accessible even if CAcert's
@ -906,7 +916,9 @@ for the security and maintenance of the code.
 <p>
 The source code is under CCS.
-Additions to the team are approved by Board.
+Additions to the team are
 <span class="change">subject to Board approval.</span>
 <span class="strike">approved by the Board.</span>
 See &sect;3.4.2.
 </p>
@ -1042,7 +1054,9 @@ See &sect;3.3.
 <p>
 The software interface gives features to Support Engineer.
 Access to the special features is under tight control.
-Additions to the team are approved by Board,
+Additions to the team are
 <span class="change">subject to Board approval,</span>
 <span class="strike">approved by the Board,</span>
 and the software features are under CCS.
 See &sect;3.4.2.
 </p>
@ -1246,8 +1260,14 @@ All conflicts of interest should be examined.
 It is the responsibility of all individuals to
 observe and report on security issues.
 All of CAcert observes all where possible.
-It is the responsibility of each individual to resolve it satisfactorily,
+It is the responsibility of each individual to resolve
-or to ensure that it is reported fully.
+<span class="strike">it</span>
 <span class="change">issues</span>
 satisfactorily,
 or to ensure that
 <span class="strike">it is</span>
 <span class="change">they are</span>
 reported fully.
 </p>
 <p>
@ -1285,14 +1305,17 @@ especially of new team members.
 <h4 id="s9.2.1"> 9.2.1.  Root Key generation</h4>
 <p>
-Root keys are generated only on instruction from the Board.
+Root keys are generated only on instruction from <span class="strike">the</span> Board.
 They must be generated to a fully documented and reviewed procedure.
 The procedure must include:
 </p>
 <ul>
   <li> Use of hardware built securely for the purpose
-        only and cleaned/wiped/destroyed immediately afterwards. </li>
+        only and cleaned/
 <span class="strike">wiped</span>
 <span class="change">erased</span>
 /destroyed immediately afterwards. </li>
   <li> Dual control over all phases, including by Board. </li>
   <li> Strong collection of primary entropy, separated from use of entropy. </li>
   <li> Test cycles of the process on the day. </li>
@ -1327,7 +1350,7 @@ Recovery must only be conducted under Arbitrator authority.
 <h4 id="s9.3.1"> 9.3.1.  Responsibility</h4>
 <p>
-The Board is responsible to the Community to manage
+<span class="strike">the</span> Board is responsible to the Community to manage
 the CA at the executive level.
 </p>
@ -1355,8 +1378,8 @@ and becomes your authority to act.
 Components may be outsourced.
 <span class="strike">
 Team leaders may outsource non-critical components
-on notifying the Board.
+on notifying <span class="strike">the</span> Board.
-Critical components must be approved by the Board.
+Critical components must be approved by <span class="strike">the</span> Board.
 </span>
 Any outsourcing arrangements must be documented.
 All arrangements must be:
@ -1388,7 +1411,7 @@ All arrangements must be:
 <p>
 Contracts should be written with the above in mind.
 <span class="change">
-Outsourcing of critical components must be approved by the Board.
+Outsourcing of critical components must be approved by <span class="strike">the</span> Board.
 </span>
 </p>