cf1f2eeabf
git-svn-id: http://svn.cacert.org/CAcert/Policies@1894 14b1bab8-4ef6-0310-b690-991c95c89dfd
314 lines
8.5 KiB
HTML
314 lines
8.5 KiB
HTML
<?xml version="1.0" encoding="utf-8"?>
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
|
|
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
|
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
<head>
|
|
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8" />
|
|
<title>Configuration-Control Specification - work-in-progress</title>
|
|
|
|
<style type="text/css"> <!-- only for WIP -->
|
|
<!--
|
|
body {
|
|
font-family : verdana, helvetica, arial, sans-serif;
|
|
}
|
|
|
|
th {
|
|
text-align : left;
|
|
}
|
|
|
|
.q {
|
|
color : green;
|
|
font-weight: bold;
|
|
text-align: center;
|
|
font-style:italic;
|
|
}
|
|
|
|
.error {
|
|
color : red;
|
|
font-weight: bold;
|
|
text-align: center;
|
|
font-style:italic;
|
|
}
|
|
|
|
.change {
|
|
color : blue;
|
|
font-weight: bold;
|
|
}
|
|
.strike {
|
|
color : blue;
|
|
text-decoration:line-through;
|
|
}
|
|
|
|
a:hover {
|
|
color : gray;
|
|
}
|
|
-->
|
|
</style>
|
|
|
|
</head>
|
|
<body lang="en-GB">
|
|
|
|
<h1> Configuration-Control Specification </h1>
|
|
|
|
<!-- Absolute URL because the policies are located absolutely. -->
|
|
<table width="100%">
|
|
<tr>
|
|
<td>
|
|
Creation Date : 20091214<br />
|
|
Editor: Iang<br />
|
|
Status: 20100426 <i>WIP</i> <br />
|
|
</td><td align="right">
|
|
<a href="//www.cacert.org/policy/PolicyOnPolicy.html"><img src="Images/cacert-wip.png" alt="CCS Status - work-in-progress" height="31" width="88" style="border-style: none;" /></a>
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
|
|
<h3 id="s1"> 1. Introduction </h3>
|
|
|
|
<!-- This section from A.1.a through A.1.c -->
|
|
|
|
<p>
|
|
The Configuration-Control Specification (CCS COD2) controls and tracks those documents, processes and assets which are critical to the business, security and governance of the CAcert operations.
|
|
</p>
|
|
|
|
<p>
|
|
This document is the procedure for CCS.
|
|
This document itself is a component of the CCS,
|
|
see §2.
|
|
<!-- A.1.c The configuration-control specification controls its own revision process. -->
|
|
All other documentation and process specified within
|
|
is derivative and is ruled by the CCS.
|
|
</p>
|
|
|
|
<p>
|
|
CCS is formated, inspired and designed to meet the needs of
|
|
<span class="change">
|
|
David Ross Criteria -
|
|
<a href="http://rossde.com/CA_review/">Certificate Authority Review Checklist</a>
|
|
- section A.1
|
|
(
|
|
</span>
|
|
DRC-A.1
|
|
<span class="change">)</span>.
|
|
CCS may be seen as the index to systems audit under DRC.
|
|
</p>
|
|
|
|
<h3 id="s2"> 2 Documents </h3>
|
|
|
|
<!-- A.1.c-h: The configuration-control specification controls the revision process for the CCS,CP,CPS,PP,SP,R/L/O -->
|
|
|
|
<h4 id="s2.1">2.1 Controlled Document List </h4>
|
|
|
|
<p>
|
|
This CCS creates a list of Primary or "root" documents known as Policies.
|
|
Primary documents may authorise other secondary documents
|
|
into the list, or "practices" outside the list.
|
|
</p>
|
|
|
|
<p>
|
|
The controlled documents list
|
|
contains numbers, locations and versions of all controlled documents.
|
|
The list is part of this CCS, and is located at
|
|
<a href="//svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">
|
|
svn.cacert.org/CAcert/Policies/ControlledDocumentList.html</a>
|
|
Policy Officer is to manage the list.
|
|
Policy Officer is to log the changes at
|
|
<a href="//wiki.cacert.org/PolicyDecisions">
|
|
wiki.cacert.org/PolicyDecisions</a>.
|
|
<!-- See A.1.k, logging of documents. -->
|
|
</p>
|
|
|
|
<h4 id="s2.2">2.2 Change </h4>
|
|
|
|
|
|
<p>
|
|
Change to the documents is as specified by
|
|
Policy on Policy (PoP).
|
|
</p>
|
|
|
|
<p class="q"> The following would possibly be better off in PoP (when a change cycle comes around), or a practices manual. </p>
|
|
|
|
<p>
|
|
Policies in effect (DRAFT and POLICY status) are to be under change control.
|
|
Fully approved documents (POLICY status)
|
|
are published on the CAcert website at
|
|
<a href="//www.cacert.org/policy/">
|
|
www.cacert.org/policy/</a>
|
|
in plain HTML format,
|
|
under the same control as critical source code
|
|
under Security Policy (SP).
|
|
Pre-final work (DRAFT status) and working documents (work-in-progress status)
|
|
are made available on community-controlled version management systems
|
|
(rooted at Subversion:
|
|
<a href="//svn.cacert.org/CAcert/Policies">
|
|
svn.cacert.org/CAcert/Policies</a>
|
|
wiki:
|
|
<a href="//wiki.cacert.org/PolicyDrafts">
|
|
wiki.cacert.org/PolicyDrafts</a>).
|
|
Documents of lower status (work-in-progress or DRAFT)
|
|
must not be confusable with
|
|
documents of higher status (DRAFT or POLICY).
|
|
Copies should be eliminated where not being worked on.
|
|
</p>
|
|
|
|
<h4 id="s2.3">2.3 Control </h4>
|
|
|
|
<p>
|
|
CAcert policies are required to be owned / transferred to CAcert. See PoP 6.2.
|
|
</p>
|
|
|
|
<h3 id="s3"> 3 Hardware </h3>
|
|
|
|
<!-- This section from A.1.j -->
|
|
|
|
<h4 id="s3.1">3.1 Controlled Hardware List </h4>
|
|
|
|
<p>
|
|
Critical systems are defined by Security Policy.
|
|
</p>
|
|
|
|
<h4 id="s3.2">3.2 Change </h4>
|
|
|
|
<p> See Security Policy. </p>
|
|
|
|
<h4 id="s3.3">3.3 Control </h4>
|
|
|
|
<p class="change">
|
|
Security Policy places executive responsibility for Hardware with the Board of CAcert Inc.
|
|
Access is delegated to Access Engineers (SP 2) and Systems Administrators (SP 3).
|
|
Legal ownership may be delegated by agreement to other organisations (SP 9.4).
|
|
</p>
|
|
|
|
<p class="strike">
|
|
Control of Hardware is the ultimate responsibility of the Board of CAcert Inc.
|
|
The responsibility for acts with hardware is delegated
|
|
to Access Engineers and Systems Administrators as per
|
|
Security Policy.
|
|
The ownership responsibility is delegated by agreement to Oophaga.
|
|
</p>
|
|
|
|
|
|
<h3 id="s4"> 4 Software </h3>
|
|
<!-- A.1.i: The configuration-control specification controls changes to software involved in: certs; data; comms to public -->
|
|
<h4 id="s4.1">4.1 Controlled Software List </h4>
|
|
|
|
<p>
|
|
Critical software is defined by Security Policy.
|
|
</p>
|
|
|
|
<ul class="q">
|
|
<li>One thing that is not so well covered by CAcert is the last bullet point of A.1.i</li>
|
|
<li>"communicating with subscribers and with the general public."</li>
|
|
<li>website is under SP; maillists,blogs,etc are not.</li>
|
|
<li>as community has deliberately gone this direction, I suggest we argue it that way.</li>
|
|
<li> What is far more problematic is the failure to do CCA & Challenge notification.</li>
|
|
</ul>
|
|
|
|
<h4 id="s4.2">4.2 Change </h4>
|
|
|
|
<p> See Security Policy. </p>
|
|
|
|
<h4 id="s4.3">4.3 Control </h4>
|
|
|
|
<p>
|
|
CAcert owns its code, or requires control over open source code in use
|
|
by means of an approved free and open licence.
|
|
Such code must be identified and managed by Software Assessment.
|
|
</p>
|
|
|
|
<p>
|
|
Developers transfer full rights to CAcert
|
|
(in a similar fashion to documents),
|
|
or organise their contributions under a
|
|
proper free and open source code regime,
|
|
as approved by Board.
|
|
Where code is published
|
|
(beyond scope of this document)
|
|
care must be taken not to infringe licence conditions.
|
|
For example, mingling issues with GPL.
|
|
</p>
|
|
|
|
<p>
|
|
The Software Assessment Team Leader
|
|
maintains a registry of assignments
|
|
of title or full licence,
|
|
and a registry of software under approved open source licences.
|
|
</p>
|
|
|
|
<ul class="q">
|
|
<li> What about translingo and voting? </li>
|
|
<li> See <a href="https://lists.cacert.org/wws/arc/cacert-sysadm/2010-02/msg00008.html">thread</a> </li>
|
|
</ul>
|
|
|
|
|
|
|
|
<h3 id="s5"> 5 Certificates </h3>
|
|
|
|
<!-- This section from A.1.b -->
|
|
|
|
<p> This section applies to Root and Sub-root certificates, not to End-entity (subscriber, member) certificates. </p>
|
|
|
|
<h4 id="s5.1">5.1 Certificates List </h4>
|
|
|
|
<p> Certificates (Root and sub-root) are to be listed in the CPS. </p>
|
|
|
|
<h4 id="s5.2">5.2 Changes </h4>
|
|
|
|
<p>
|
|
Creation and handling of Certificates
|
|
is controlled by Security Policy.
|
|
Usage of Certificates
|
|
is controlled by Certification Practice Statement.
|
|
</p>
|
|
|
|
<h4 id="s5.3">5.3 Archive </h4>
|
|
|
|
<p> See Security Policy. </p>
|
|
|
|
<h3 id="s6"> 6 Logs </h3>
|
|
|
|
<!-- This section from A.1.k -->
|
|
|
|
<h4 id="s6.1">6.1 Controlled Logs List </h4>
|
|
|
|
<p> Logs are defined by Security Policy. </p>
|
|
|
|
<h4 id="s6.2">6.2 Changes </h4>
|
|
|
|
<p> Changes to Hardware, Software and Root Certificates are logged according to Security Policy. </p>
|
|
|
|
<h4 id="s6.3">6.3 Archive </h4>
|
|
|
|
<p> See Security Policy. </p>
|
|
|
|
<h3 id="s7"> 7 Data </h3>
|
|
|
|
<!-- This section from A.1.i-j, bullets 2,3 -->
|
|
|
|
<h4 id="s7.1">7.1 Types of Data </h4>
|
|
|
|
<p>
|
|
Types of critical member data is defined by Assurance Policy.
|
|
</p>
|
|
|
|
<h4 id="s7.2">7.2 Changes </h4>
|
|
|
|
<p>
|
|
Changes and access to critical member data
|
|
is as defined under Assurance Policy,
|
|
CAcert Community Agreement and
|
|
Dispute Resolution Policy.
|
|
Implementation of
|
|
collection and storage of critical member data
|
|
(user interface software and databases)
|
|
is defined by Security Policy.
|
|
</p>
|
|
|
|
<h4 id="s7.3">7.3 Archive </h4>
|
|
|
|
<p> Data retention is controlled by Security Policy and CAcert Community Agreement. </p>
|
|
|
|
<p>
|
|
<a href="http://validator.w3.org/check?uri=referer"><img src="Images/valid-xhtml11-blue" alt="Valid XHTML 1.1" height="31" width="88" style="border-style: none;" /></a>
|
|
</p>
|
|
</body></html>
|