Security Policy for CAcert Systems

CAcert Security Policy Status == wip
Creation date: 2009-02-16
Status: work-in-progress

1. Introduction

1.1. Motivation and Scope

This Security Manual sets out required procedures for the secure operation of the CAcert critical computer systems. These systems include:

  1. Physical hardware mounting the logical services
  2. Webserver + database (core server(s))
  3. Signing service (signing server)
  4. Support interface
  5. Source code (changes and patches)

1.1.1. Affected Personnel

These roles and teams are affected:

1.1.2. Out of Scope

Non-critical systems are not covered by this manual, but may be guided by it, and impacted where they are found within the security context. Architecture is out of scope; see CPS#6.2.

1.2. Principles

Important principles of this Security Manual are:

Each task or asset is covered by a variety of protections deriving from the above principles.

1.3. Definition of Terms

Systems Administrator
A Member who manages a critical system, and has access to security-sensitive functions or data.

1.4. Version control

1.4.1. The Security Policy Document

This Security Policy is part of the configuration-control specification for audit purposes (DRC). It is under the control of Policy on Policy for version purposes.

This policy document says what is done, rather than how to do it.

1.4.2. The Security Manual (Practices) Document

This Policy explicitly defers detailed security practices to the Security Manual ("SM"). The SM says how things are done. As practices are things that vary from time to time, including between each event of practice, the SM is under the direct control of the Systems Administration team. It is located and version-controlled on the CAcert wiki.

1.4.3. The Security Procedures

The Systems Administration team may from time to time explicitly defer single, cohesive components of the security practices into separate procedures documents. Each procedure should be managed in a wiki page under their control, probably at SystemAdministrationProcedures. Each procedure must be referenced explicitly in the Security Manual.


This is the end of the Security Policy.

