== Introduction ==

The Configuration Control Specification covers and directs those documents and processes which are critical to the business, security and governance of the CAcert operations. Overall responsibility for change resides with the Board of CAcert, Inc.

This document is the procedure for CCS. This document itself is part of the CCS. Detailed and minor issues are documented on the Board's page (http://www.cacert.org/index.php?id=8) and identified below as (*).

== Configuration Control Specification for Documents ==

This Specification covers the following documents:

* This Configuration Control Specification
* Certificate policy (This is currently part of the Certification practice statement)
* Certification practice statement
* Subscriber privacy policy
* Security manual
* Declarations of risks and liability (This is currently part of the Certification practice statement)

Approval process:

The drafts of the documents are made available on a publicly accessible version management system. (Currently: Subversion on http://www2.futureware.at/svn/sourcerer/CAcert/)

Changes to all those documents are integrated by the editor (*).

Changes are reviewed on the public CAcert Policy Mailinglist: http://lists.cacert.org/cgi-bin/mailman/listinfo/cacert-policy with the subject tag "[CHANGE-REVIEW]" and period of review set as "no less than 3 days".

Changed versions are approved and published by the Board or a designated Approval Committee (*).

Approved versions are published on the CAcert website, and versioned in an internal version control system.

== Configuration Control Specification for Software ==

The system administrator is responsible for changes to any kind of software. The system administrator watches and tracks the newsfeed of patches from distributors of software. CAcert uses the stable branch of any distribution, and applies patches when deemed necessary. All software installations and updates are logged in the system administrator's logfile.

Software changes should be checked and approved by a second system administrator. If another administrator is not available, the check is generally deferred.

== Configuration Control Specification for Hardware ==

The system administrator is responsible for changes to any of CAcert's hardware. Changes to the hardware do not need to be formally documented but are logged in the system administrator's logfile.

Hardware changes should be checked and approved by a second system administrator. If another administrator is not available, the check is generally deferred.

== Configuration Control Specification for Root Certificates ==

The system administrator is responsible for enacting changes to any of CAcert's root certificates. Decisions on new root certificates are generally driven by the Board.

== Emergency Actions ==

Emergency actions may be directed by an Arbitrator under the rules of Dispute Resolution. The system administrator may undertake emergency action in the short term but then immediately files a dispute to have an Arbitrator ratify the actions taken.