Subject: Policy-Discussion
List archive
- From: Philipp Gühring <pg AT futureware.at>
- To: Lambert.Hofstra AT ins.com, "Policy-Discussion" <cacert-policy AT lists.cacert.org>
- Subject: Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification
- Date: Mon, 20 Feb 2006 10:49:17 +0100
- List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
- Organization: Futureware 2001
Hi Lambert,
Thanks for your feedback!
> I just read this email, and have a question, so I did not reply to the
> mailinglist.
Ok, I hope you don´t mind that I send the reply to the mailinglist.
> Am I correct, when I read your email as: "please comment on what I propose
> as the 'CONFIGURATION CONTROL SPECIFICATIONS' for changes to the CACert
> core system"?
Yes.
> If so, my first responses are:
> 1) full responsibility for both approval and implementation of changes
> (HW/SW) are combined in one person ==> not really "industry best practice",
> I would suggest have this split into two persons
Yes. You are fully right, it would be best practice to have that split into
two persons. The problem is just that we don´t have two persons available
locally.
> 2) hardware changes are
> not document ==> not acceptable, you will need a approval process and full
> logging.
I am planning to change that policy as soon as we have enough capacities to
fulfill it.
> 3) root certificates are the responsibility of the administrator
> ==> not acceptable, you'd need a certificate change ceremony for all
> changes, with at least two separate key administrators who need to be
> present, and key components (for backup) under control of at least two
> other key custodians.
Yes. All three changes demand more ressources than we currently have.
Keep in mind that CAcert is geographically spread around the whole world.
Our trusted core team are currently 4 people, one in Australia, one in
Brazil,
one in France and one in Austria. That´s quite contrary to a normal company,
having all people in the same place.
> You'd need more detail, and more procedures.
Can you go into detail?
> Is this the type of feedback you are looking for?
Yes. Exactly.
Especially that you only mentioned the points, where I expected the feedback,
and that you didn´t had any specific problems with the rest.
Best regards,
Philipp Gühring
- [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Philipp Gühring, 02/18/2006
- <Possible follow-up(s)>
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Philipp Gühring, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Kyle Hamilton, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Philipp Gühring, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Kyle Hamilton, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Ian G, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Kyle Hamilton, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Philipp Gühring, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Kyle Hamilton, 02/20/2006
- RE: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Lambert.Hofstra, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Kyle Hamilton, 02/20/2006
- RE: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Peter Williams, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Duane, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Kyle Hamilton, 02/21/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Duane, 02/20/2006
Archive powered by MHonArc 2.6.16.