diff options
-rw-r--r-- | .gitignore | 0 | ||||
-rw-r--r-- | .ssh/authorized_keys | 3 | ||||
-rw-r--r-- | about.mdwn | 20 | ||||
-rw-r--r-- | best_practices.mdwn | 93 | ||||
-rw-r--r-- | header_background.jpg | bin | 0 -> 94756 bytes | |||
-rw-r--r-- | ikiwiki.setup | 430 | ||||
-rw-r--r-- | index.mdwn | 12 | ||||
-rw-r--r-- | pcp28c3.pdf | bin | 0 -> 99407 bytes | |||
-rw-r--r-- | policy-signed.txt | 192 | ||||
-rw-r--r-- | policy.mdwn | 184 | ||||
-rw-r--r-- | sidebar.mdwn | 4 | ||||
-rw-r--r-- | style.css | 798 | ||||
-rw-r--r-- | test.mdwm | 1 | ||||
-rw-r--r-- | users/anarcat.mdwn | 1 | ||||
-rw-r--r-- | users/maxigas.mdwn | 1 |
15 files changed, 1739 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/.gitignore diff --git a/.ssh/authorized_keys b/.ssh/authorized_keys new file mode 100644 index 0000000..97ce66d --- /dev/null +++ b/.ssh/authorized_keys @@ -0,0 +1,3 @@ +command="iki-git-shell",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty,no-user-rc ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxz1ZGPnMN96NZ9etiV7IFWi0dV8qW+RJWt1h2ODkVG0t5+tW6EvBnDsyWy1by043M8Au15f0fwOydas6PvAHQP1aB7i002DmTkqtN70Z04K6GUKQqfOuZwM3/9lEoNIZrPMmIBmncgiVZ5I9S1HLwAwh1/2hYYr7DVDAkXvdibbpLgQ7DyJqPPwkYRug9rvE67pFcmR0E4Tfv4Xs/kSYLatSQbWR8WlzQCEahhIqPmpwfaAbFlJtqZsl59zo2XuJFxsZ1MMCWTryUYzOZP3M9zUD+yNW9Z+AmqGa/1B5vtpOEefiGWwaP18IV2mu9OoUvNlVQdtUc4+IxIZkLwRBWQ== +command="iki-git-shell",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty,no-user-rc ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCla1XNOsgJit+OjQjsQSFC/tnix5ZHpHzgQCL/RrnS9h5vPSxE/QcoMsXDq9n5O05bmjgm038/pU7SWYWlRBNAAxZMSHITekC4+421cWK+VqhoIrsT8euOiuGyhEcIWNLlL/Ht9GamiOawmRC9Tl6wcNvroBch7E3jB0eN78/RArqURGFZToY1Eu5uS1ISJr2oq/6ZzrCGNk7oyqvDOKtnRgHNEN+8Ct3BrF6gbEb9EPFwBiV5fCwImr41M+HGoVFo0UUqPitqIvebJOY3Olz4wwzWTnuYlD3jOaS414IaeEojA+JaWFPqPcd8auaRrwBPk8SdKU/Ib7QssGqGIZFv +command="iki-git-shell",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty,no-user-rc ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtpX3qQrUeQma4zhNEDNtFc0VioJQSYLxrxd5CmgqqqUT3mHJPeZgihEsmOLNSWK7gjSfdFvR+ktRKZbTYGX0Jn9JRV5giye7LyTYlhuBmnf/53kBOorbO6Uf5wLVjvu0GzuowFPwN9pObHZM1H6iG4Jf+vMol4HXQm/Ezw1LjKevdIajKZjECWWQeCCmk9ePoPAL9KQ0VDCmiXPpCcYlnnXyH5XOQ7mvNyeNmQEWPwcZqpe5+tYmSq24l5jS0mrsp9PX82l5dwCgxrcKBWvaVOtSWl0ntT8QsVHtkomEGRDuElXIOJ3QowH4vk96h4rWqdT8/ZhJFENFF6dDMcW0t diff --git a/about.mdwn b/about.mdwn new file mode 100644 index 0000000..f32ba8d --- /dev/null +++ b/about.mdwn @@ -0,0 +1,20 @@ +# About + +The initial version of the "Providers' Commitment to Privacy" (PCP) +policy was drawn up by an international group of participants. +Discussion was English-language based and took place over approximately +3 years using face-to-face and (encrypted) virtual communication. The +resulting, consensus-based document is available on this website. + +## Contact + +Comments and queries about the policy can be mailed to +pcp@nothingtohide.is - there is another [OpenGPG +key](http://keys.mayfirst.org/pks/lookup?op=get&search=0x77D95A9012B3EEDA) +associated with this address. You can use it to send us encrypted email: + + pub 4096R/12B3EEDA 2011-12-17 + Key fingerprint = 93A3 28B9 CF38 200F AF0A 67F2 77D9 5A90 12B3 EEDA + uid Providers Commitment for Privacy (schleuder list) <pcp@nothingtohide.is> + sub 4928R/C5DC29F5 2011-12-17 + diff --git a/best_practices.mdwn b/best_practices.mdwn new file mode 100644 index 0000000..a05b339 --- /dev/null +++ b/best_practices.mdwn @@ -0,0 +1,93 @@ +# Appendix: Best practices references + +[[!toc levels=3 startlevel=2]] + +*This appendix contains the text of the policy with specific best + practices added below relevant sections. It is a work in + progress. Please help expand!* + +Obviously, every security/privacy level requires that you keep your +software up to date to the current knowledge of security issues. + +## Mail + +* [IPs in headers](http://riseuplabs.org/privacy/postfix/) the user's home IP address should not appear in any email headers. *level 2* + * if it does appear, users must be informed about this *level 1* perhaps use server IP instead of localhost for [riseup hack](http://riseuplabs.org/privacy/postfix/) + +* The connection between the server and the user is always encrypted. *level 2* +* optional unencrypted communication between user and server are visibly marked as insecure *level 1* +* [StartTLS-postfix](http://metatron.sh/kmw/Transformers/PostfixCacertVerifyHowto) or [StartTLS-exim](http://aland.burngreave.net/archives/2009/12/30/index.html#e2009-12-30T16_26_49.txt) starttls with other compliant servers’, certs verified against cacert/... *level 1* +* [StartTLS-exim](http://aland.burngreave.net/archives/2009/12/30/index.html#e2009-12-30T16_26_49.txt) tls is required with other compliant servers’, certs verified with fingerprint *level 2* + +## Webmail + +* Secure connections: only encrypted connections between the server and the user *level 2* +* Optional unencrypted connections are visibly marked as insecure *level 1* +* Session cookies: all sessions must be stored as cookies. Session IDs cannot be in the URL. *level 2* +* IPs in headers: the user's home IP address does not appear in any email headers. *level 2* +* IPs in headers: if the user's home IP address remains in the email headers, then this fact is visibly marked as insecure. *level 1* +* Due to the fact that client-side scripting, such as Javascript, can reveal the client IP address (this is why users of Tor typically disable it), Webmail must be functional without it. *level 3* +* session data is deleted off the server within five minutes after logout or session expiration *level 2* +* the session ID algorithm and cookies do not use or store users' IP addresses, neither in plain text or some garbled form; sessions are not restricted to IP addresses (since this would prevent access with anonymity tools such as Tor). *level 3* + + +## Hosting + +* root access to hosting services is always encrypted *level 1* +* access to hosting services is encrypted by default (non-encrypted is allowed) *level 1* +* access to hosting services is always encrypted *level 2* +* access to hosting services is accessible via a hidden tor service or a tor exit enclave *level 3* + +## Certificates and keys for encrypted stream-based services + +* Private keys are only stored encrypted *Level 2* +* Private keys are only stored encrypted and off-site *Level 3* +* Stream-based communication uses only a well-established set of cryptographic parameters (ciphers, message digests, asymmetric encryption algorithms, etc). See best practices documents for details. *Level 1* + +If you are using mod_ssl with apache and an RSA key for the server, somebody tentatively suggests: +<code>SSLCipherSuite TLSv1:!MD5:!EXP:!LOW:!NULL:!MEDIUM:!ADH:!DSS</code> + +## Filesystems and Storage + +* swap is encrypted *level 2* +* swap is encrypted with a random key on boot *level 3* +* the operating system and its configuration is encrypted with a strong passphrase: minimum 20 characters, including special characters, mixed case letters and digits *level 2* +* User data that is not publicly accessible is encrypted. This includes mails, databases, list archives, restricted websites and others. The encryption passphrase contains at least 20 characters, including special characters, mixed case letters and digits. *level 1* + + +## Logging + +* Logs containing user identifiable information are stored encrypted or only in memory. Otherwise the users are informed about this. *level 1* +* Logs contain no user identifiable information. *level 3* + +Apache logs have no IP addresses: [mod_removeip](http://riseuplabs.org/privacy/apache/) + +Under Debian with Apache2: + +<code> +apt-get install libapache2-mod-removeip +a2enmod removeip +/etc/init.d/apache2 force-reload +</code> + +* Logs containing information about non-individual user activities are stored encrypted or only in memory. *level 1* +* Logs contain no information about non-individual user activities. *level 2* +* System logs (not related to user activities) is stored encrypted or only in memory. *level 2* + +Comes with "Filesystem and Storage Level 2" + +* System logs (not related to user activities) are not stored. *level 3* + + +## Users + +* Advise users about good passwords and polices. For example: Never send them in clear text, never telling a password to anyone, etc. See [best practices](practices) for some good password strength information that can be used for this purpose. *level 1* +* Force users to use strong passwords by making the system impose a defined password policy. *level 2* +* Shell Sandbox: shell accounts for users only in vservers, separate boxes, or similar sandboxes. No end user should should have a login on a server that provides sensitive services. *level 2* +* Shell accounts isolated from other users: each user shell account exists in a chrooted environment that has no visibility into other user's environments (files, processes, etc.). *level 3* + +## Evaluation of policy compliance + +* yearly periodic self-evaluation: manually checking at least every twelve months that requirements supposed to be achieved actually are. *level 1* +* semi-yearly self-evaluation: manually checking at least every six months that requirements supposed to be achieved actually are. *level 2* +* quarterly self-evaluation: manually checking at least every three months that requirements supposed to be achieved actually are. *level 3* diff --git a/header_background.jpg b/header_background.jpg Binary files differnew file mode 100644 index 0000000..f1d2872 --- /dev/null +++ b/header_background.jpg diff --git a/ikiwiki.setup b/ikiwiki.setup new file mode 100644 index 0000000..aa88182 --- /dev/null +++ b/ikiwiki.setup @@ -0,0 +1,430 @@ +# IkiWiki::Setup::Yaml - YAML formatted setup file +# +# Setup file for ikiwiki. +# +# Passing this to ikiwiki --setup will make ikiwiki generate +# wrappers and build the wiki. +# +# Remember to re-run ikiwiki --setup any time you edit this file. +# +# name of the wiki +wikiname: Providers' Commitment for Privacy +# contact email for wiki +adminemail: root@localhost +# users who are wiki admins +adminuser: + - https://id.koumbit.net/anarcat +# users who are banned from the wiki +banned_users: [] +# where the source of the wiki is located +srcdir: /home/a-policy/source +# where to build the wiki +destdir: /home/a-policy/public_html +# base url to the wiki +url: http://policy.anarcat.ath.cx +# url to the ikiwiki.cgi +cgiurl: http://policy.anarcat.ath.cx/ikiwiki.cgi +# filename of cgi wrapper to generate +cgi_wrapper: /var/www/a-policy/ikiwiki.cgi +# mode for cgi_wrapper (can safely be made suid) +cgi_wrappermode: 0755 +# rcs backend to use +rcs: git +# plugins to add to the default configuration +add_plugins: + - goodstuff + - websetup + - 404 + - ikiwikihosting + - recentchangesdiff + - theme + - prettydate + - version + - headinganchors + - editdiff + - format + - relativedate + - sortnaturally + - branchable + - sidebar +# plugins to disable +disable_plugins: + - search +# additional directory to search for template files +templatedir: /usr/share/ikiwiki/templates +# base wiki source location +underlaydir: /usr/share/ikiwiki/basewiki +# display verbose messages? +#verbose: 1 +# log to syslog? +syslog: 1 +# create output files named page/index.html? +usedirs: 1 +# use '!'-prefixed preprocessor directives? +prefix_directives: 1 +# use page/index.mdwn source files +indexpages: 0 +# enable Discussion pages? +discussion: 1 +# name of Discussion pages +discussionpage: Discussion +# generate HTML5? +html5: 0 +# only send cookies over SSL connections? +sslcookie: 0 +# extension to use for new pages +default_pageext: mdwn +# extension to use for html files +htmlext: html +# strftime format string to display date +timeformat: '%c' +# UTF-8 locale to use +#locale: en_US.UTF-8 +# put user pages below specified page +userdir: users +# how many backlinks to show before hiding excess (0 to show all) +numbacklinks: 10 +# attempt to hardlink source files? (optimisation for large files) +hardlink: 1 +# force ikiwiki to use a particular umask +#umask: 022 +# group for wrappers to run in +#wrappergroup: ikiwiki +# extra library and plugin directory +libdir: /home/a-policy/.ikiwiki +# environment variables +ENV: + TMPDIR: /home/a-policy/tmp +# time zone name +timezone: GMT +# regexp of normally excluded files to include +#include: '^\.htaccess$' +# regexp of files that should be skipped +#exclude: '^(*\.private|Makefile)$' +# specifies the characters that are allowed in source filenames +wiki_file_chars: '-[:alnum:]+/.:_' +# allow symlinks in the path leading to the srcdir (potentially insecure) +allow_symlinks_before_srcdir: 0 + +###################################################################### +# core plugins +# (branchable, editpage, git, gitpush, htmlscrubber, ikiwikihosting, +# inline, link, meta, parentlinks) +###################################################################### + +# branchable plugin +# Allow anyone to branch, check out, and copy this site? +branchable: 1 +# Allow anyone to git push verified changes to this site? +anonpush: 0 +# Display "Branchable" link on action bar? +branchable_action: 1 + +# git plugin +# git hook to generate +git_wrapper: /home/a-policy/source.git/hooks/post-update +# shell command for git_wrapper to run, in the background +#git_wrapper_background_command: git push github +# mode for git_wrapper (can safely be made suid) +git_wrappermode: 6755 +# git pre-receive hook to generate +#git_test_receive_wrapper: /git/wiki.git/hooks/pre-receive +# unix users whose commits should be checked by the pre-receive hook +untrusted_committers: + - ikiwiki-anon +# gitweb url to show file history ([[file]] substituted) +#historyurl: 'http://git.example.com/gitweb.cgi?p=wiki.git;a=history;f=[[file]];hb=HEAD' +# gitweb url to show a diff ([[file]], [[sha1_to]], [[sha1_from]], [[sha1_commit]], and [[sha1_parent]] substituted) +#diffurl: 'http://git.example.com/gitweb.cgi?p=wiki.git;a=blobdiff;f=[[file]];h=[[sha1_to]];hp=[[sha1_from]];hb=[[sha1_commit]];hpb=[[sha1_parent]]' +# where to pull and push changes (set to empty string to disable) +gitorigin_branch: origin +# branch that the wiki is stored in +gitmaster_branch: master + +# gitpush plugin +# git repository urls that changes are pushed to +#git_push_to: [] + +# htmlscrubber plugin +# PageSpec specifying pages not to scrub +#htmlscrubber_skip: '!*/Discussion' + +# ikiwikihosting plugin +# list of urls that alias to the main url +#urlalias: [] +# openid of primary site owner +owner: https://id.koumbit.net/ +# optional hostname of site this one was branched from +#parent: '' +# internal hostname of this site +hostname: policy.anarcat.ath.cx +# site creation datestamp +created: 1324138932 +# how many days to retain logs +#log_period: 7 +# disable IPv6? +ipv6_disabled: 0 + +# inline plugin +# enable rss feeds by default? +rss: 1 +# enable atom feeds by default? +atom: 1 +# allow rss feeds to be used? +#allowrss: 0 +# allow atom feeds to be used? +#allowatom: 0 +# urls to ping (using XML-RPC) on feed update +pingurl: [] + +###################################################################### +# auth plugins +# (anonok, blogspam, httpauth, lockedit, moderatedcomments, +# opendiscussion, openid, passwordauth, signinedit) +###################################################################### + +# anonok plugin +# PageSpec to limit which pages anonymous users can edit +#anonok_pagespec: '*/discussion' + +# blogspam plugin +# PageSpec of pages to check for spam +#blogspam_pagespec: postcomment(*) +# options to send to blogspam server +#blogspam_options: 'blacklist=1.2.3.4,blacklist=8.7.6.5,max-links=10' +# blogspam server XML-RPC url +#blogspam_server: '' + +# httpauth plugin +# url to redirect to when authentication is needed +#cgiauthurl: http://example.com/wiki/auth/ikiwiki.cgi +# PageSpec of pages where only httpauth will be used for authentication +#httpauth_pagespec: '!*/Discussion' + +# lockedit plugin +# PageSpec controlling which pages are locked +#locked_pages: '!*/Discussion' + +# moderatedcomments plugin +# PageSpec matching users or comment locations to moderate +#moderate_pagespec: '*' + +# openid plugin +# url pattern of openid realm (default is cgiurl) +openid_realm: http://*.orangeseeds.org/ +# url to ikiwiki cgi to use for openid authentication (default is cgiurl) +openid_cgiurl: http://policy.anarcat.ath.cx/ikiwiki.cgi + +# passwordauth plugin +# a password that must be entered when signing up for an account +#account_creation_password: s3cr1t +# cost of generating a password using Authen::Passphrase::BlowfishCrypt +#password_cost: 8 + +###################################################################### +# format plugins +# (creole, highlight, hnb, html, mdwn, otl, po, rawhtml, rst, textile, +# txt) +###################################################################### + +# highlight plugin +# types of source files to syntax highlight +#tohighlight: .c .h .cpp .pl .py Makefile:make +# location of highlight's filetypes.conf +filetypes_conf: /etc/highlight/filetypes.conf +# location of highlight's langDefs directory +langdefdir: /usr/share/highlight/langDefs/ + +# mdwn plugin +# enable multimarkdown features? +multimarkdown: 1 + +# po plugin +# master language (non-PO files) +#po_master_language: en|English +# slave languages (translated via PO files) format: ll|Langname +#po_slave_languages: +# - fr|Français +# - es|Español +# - de|Deutsch +# PageSpec controlling which pages are translatable +po_translatable_pages: '' +# internal linking behavior (default/current/negotiated) +po_link_to: default + +###################################################################### +# misc plugins +# (filecheck) +###################################################################### + +###################################################################### +# web plugins +# (404, attachment, comments, editdiff, edittemplate, google, goto, +# mirrorlist, repolist, search, theme, userlist, websetup, wmd) +###################################################################### + +# attachment plugin +# enhanced PageSpec specifying what attachments are allowed +#allowed_attachments: virusfree() and mimetype(image/*) and maxsize(50kb) +# virus checker program (reads STDIN, returns nonzero if virus found) +#virus_checker: clamdscan - + +# comments plugin +# PageSpec of pages where comments are allowed +comments_pagespec: '' +# PageSpec of pages where posting new comments is not allowed +comments_closed_pagespec: '' +# Base name for comments, e.g. "comment_" for pages like "sandbox/comment_12" +comments_pagename: comment_ +# Interpret directives in comments? +#comments_allowdirectives: 0 +# Allow anonymous commenters to set an author name? +#comments_allowauthor: 0 +# commit comments to the VCS +comments_commit: 1 + +# mirrorlist plugin +# list of mirrors +#mirrorlist: {} + +# repolist plugin +# URIs of repositories containing the wiki's source +repositories: + - ssh://a-policy@policy.anarcat.ath.cx/ + - git://policy.anarcat.ath.cx/ + +# search plugin +# path to the omega cgi program +omega_cgi: /usr/lib/cgi-bin/omega/omega + +# theme plugin +# name of theme to enable +theme: pcp + +# websetup plugin +# list of plugins that cannot be enabled/disabled via the web interface +websetup_force_plugins: + - httpauth + - openid + - mdwn + - wmd + - aggregate +# list of additional setup field keys to treat as unsafe +websetup_unsafe: + - url + - cgiurl + - verbose + - syslog + - usedirs + - prefix_directives + - indexpages + - repositories +# show unsafe settings, read-only, in web interface? +websetup_show_unsafe: 0 + +###################################################################### +# widget plugins +# (calendar, color, conditional, cutpaste, date, format, fortune, +# graphviz, haiku, headinganchors, img, linkmap, listdirectives, map, +# more, orphans, pagecount, pagestats, poll, polygen, postsparkline, +# progress, shortcut, sparkline, table, template, teximg, toc, toggle, +# version) +###################################################################### + +# calendar plugin +# base of the archives hierarchy +#archivebase: archives +# PageSpec of pages to include in the archives; used by ikiwiki-calendar command +#archive_pagespec: page(posts/*) and !*/Discussion + +# listdirectives plugin +# directory in srcdir that contains directive descriptions +directive_description_dir: ikiwiki/directive + +# teximg plugin +# Should teximg use dvipng to render, or dvips and convert? +#teximg_dvipng: '' +# LaTeX prefix for teximg plugin +#teximg_prefix: | +# \documentclass{article} +# \usepackage[utf8]{inputenc} +# \usepackage{amsmath} +# \usepackage{amsfonts} +# \usepackage{amssymb} +# \pagestyle{empty} +# \begin{document} +# LaTeX postfix for teximg plugin +#teximg_postfix: '\end{document}' + +###################################################################### +# other plugins +# (aggregate, autoindex, brokenlinks, camelcase, ddate, embed, favicon, +# flattr, goodstuff, htmlbalance, localstyle, missingsite, pagetemplate, +# parked, pingee, pinger, prettydate, recentchanges, recentchangesdiff, +# relativedate, rsync, sidebar, smiley, sortnaturally, tag, +# testpagespec, transient, typography, underlay) +###################################################################### + +# aggregate plugin +# enable aggregation to internal pages? +aggregateinternal: 1 +# allow aggregation to be triggered via the web? +#aggregate_webtrigger: 0 +# cookie control +cookiejar: + file: /home/a-policy/.ikiwiki/cookies + +# autoindex plugin +# commit autocreated index pages +autoindex_commit: 1 + +# camelcase plugin +# list of words to not turn into links +#camelcase_ignore: [] + +# flattr plugin +# userid or user name to use by default for Flattr buttons +#flattr_userid: joeyh + +# parked plugin +# An optional message explaining why this site is parked. +#parked_message: '' + +# pinger plugin +# how many seconds to try pinging before timing out +#pinger_timeout: 15 + +# prettydate plugin +# format to use to display date +prettydateformat: '%X, %B %o, %Y' + +# recentchanges plugin +# name of the recentchanges page +recentchangespage: recentchanges +# number of changes to track +recentchangesnum: 100 + +# rsync plugin +# command to run to sync updated pages +#rsync_command: rsync -qa --delete . user@host:/path/to/docroot/ + +# sidebar plugin +# show sidebar page on all pages? +global_sidebars: 1 + +# tag plugin +# parent page tags are located under +#tagbase: tag +# autocreate new tag pages? +#tag_autocreate: 1 +# commit autocreated tag pages +tag_autocreate_commit: 1 + +# typography plugin +# Text::Typography attributes value +#typographyattributes: 3 + +# underlay plugin +# extra underlay directories to add +#add_underlays: +# - /home/a-policy/wiki.underlay diff --git a/index.mdwn b/index.mdwn new file mode 100644 index 0000000..6af773e --- /dev/null +++ b/index.mdwn @@ -0,0 +1,12 @@ +# PCP Policy + +Welcome to the website of Providers' Commitment for Privacy (PCP) +policy. You can find the following information here: + + * The [[policy]] text + * Suggestions for [[best practices|Best Practices]] + * [[Contact information|About]] + * Presentation [[slides|pcp28c3.pdf]] from [[28C3|http://events.ccc.de/congress/2011/wiki/Welcome]] + +---- +This wiki is powered by [[ikiwiki]]. diff --git a/pcp28c3.pdf b/pcp28c3.pdf Binary files differnew file mode 100644 index 0000000..0fbb285 --- /dev/null +++ b/pcp28c3.pdf diff --git a/policy-signed.txt b/policy-signed.txt new file mode 100644 index 0000000..25f966e --- /dev/null +++ b/policy-signed.txt @@ -0,0 +1,192 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +Providers' Commitment for Privacy: Version 1.0 + + 1. Preamble + 2. Description of the security levels + 1. Short overview of level 1 + 2. Short overview of level 2 + 3. Short overview of level 3 + 3. Modules + 1. What to do in case of fire? + 2. Mail + 3. Webmail + 4. Certificates and keys for encrypted stream-based services + 5. Filesystems and Storage + 6. Logs + 7. Users + 8. Evaluation of policy compliance + +Preamble + +This document contains many social and technical issues, that should lead to a more secure handling of private user data. + +In light of the increased surveillance and repression measures established by many governments in the first decade of this millennium, it is now even more necessary to improve users' understanding and awareness of privacy matters, as well as the privacy levels offered by tech collectives and groups. + +With this draft, we are trying to create more transparency for our users. This document states what users can expect from the tech collectives and groups that signed it, in terms of the use of encryption, logging of ip's and data storage. + +Another reason to write this document is to encourage a privacy/security awareness amongst us. This draft can be used to put pressure on sysadmins, collectives and groups to do the right thing. In order to reduce the work involved, the signing tech collectives and groups share knowledge and write down standards that can be implemented by other tech collectives and groups. + +This being said, beware: + + 1. The fact that a tech collective or group signed this document is not a guarantee in itself; as a user you should have a trust relationship with the tech collective or group based on personal relations, not on signatures. Your data can only be as secure as the human beings who maintain the server it is stored on. + 2. There is no such thing as a perfectly secure server! Human mistakes and software bugs can disclose your data, reveal your identity, send you to jail and kill your kitten. + 3. Nothing that your preferred tech collective or group does will be enough to protect you from intense directed scrutiny from a powerful organization. If you suspect you are the target of special surveillance, you need to take your own privacy into your own hands. + +Description of the security levels + +The computer is to the information industry roughly what the central power station is to the electrical industry. -- Peter Drucker + +There is no such thing as service that is both perfectly secure and one that fully protects the end-user's privacy. The policy defined below thus is designed to enumerate different levels of security and privacy. Each tech collective should try to reach the highest possible level. Even at the highest defined level, the ideal setup may be somewhere beyond what is proposed in this document. In many cases it will be impossible to fulfill some points due to various problems: technical, social, resources, etc. The levels defined are intended to make it easier for users of services to understand, and as a result, make better decisions about the security and privacy of their data. They also should serve as guidelines for sysadmins who need an overview of the various aspects involved in these important issues and some of the goals that they should strive to attain. + +The policy defines three levels of security and privacy. The first level (level 1) contains basic requirements for services, its defined as less secure and providing less privacy assurances than “level 2”. Fulfilling the requirements of the highest level (level 3) will be the most challenging to implement for the technical collectives and will, in most cases, protect users’ data better. The following descriptions of the levels are meant to give a short overview of the key differences between each. Please refer to the specific list of requirements for more details. Yet beware, the higher the level, the harder it is to achieve or verify for the user. +Short overview of level 1 + + * Connections to all services are encrypted by default. If a non-encrypted alternative connection is offered, then this must be marked visibly to warn users. + * Mail sent through the service can possibly include user identifiable information (e.g. the IP address of the originating host). + * Only data that is not already publicly accessible has to be stored encrypted (e.g. user private data) + * It is possible that user identifiable logs are stored without encryption. + * Compliance with the policy is reviewed by the administrators at least once in a year. + +Short overview of level 2 + + * Connections between users and the services they use are always encrypted. + * Mails contain no user identifiable information. + * No user identifiable information are stored in logs. + * The operating system of the service and its configuration are only stored encrypted. + * Compliance with the policy is reviewed by the administrators at least once within six months. + +Short overview of level 3 + + * All services are also available as hidden Tor services. + * No logs are stored. + * Compliance with the policy is reviewed by the administrators at least once within three months. + +Modules + +Obviously, every security/privacy level requires that you keep your software up to date to the current knowledge of security issues. +What to do in case of fire? +Level 1 + + * Make sure to have means of communication to users when the server goes down. This can be an alternative communication channel (e.g. external mail, phone, ...) or an off-site status web page. + +Mail +Level 1 + + * If the server adds the IP address of a user sending a mail through its service anywhere in the email, the user is informed about this. + * The connections between the user and the server are always encrypted. + * Use StartTLS to exchange mails with other servers whenever available. + * The server must have its own SSL certificate signed by one of a given set of certificate authorities. See best practices documents for details. + +Level 2 + + * The server doesn't add the IP address of a user sending a mail through its service anywhere in the email. + * TLS is required with other level 2 compliant servers. Certificates are verified with fingerprint. + +Level 3 + + * Mail is also available as an enclaved hidden Tor service. + +Webmail +Level 1 + + * The connections between the server and the user are always encrypted. + * If the user's IP address appears in the email headers, this fact is visibly marked as insecure. + +Level 2 + + * All sessions must be stored as cookies. Session IDs cannot be in the URL. + * The user's IP address does not appear in any email headers. + +Level 3 + + * Due to the fact that client-side scripting, such as Javascript, can reveal the user's IP address (this is why users of Tor typically disable it), Webmail is functional without it. + * The session ID algorithm and cookies do not use or store the user's IP address, neither in plain text or some garbled form. Sessions are not restricted to IP addresses (since this would prevent access with anonymity tools such as Tor). + * Webmail is also available as an enclaved hidden Tor service. + +Certificates and keys for encrypted stream-based services +Level 1 + + * Stream-based communication uses only a well-established set of cryptographic parameters (ciphers, message digests, asymmetric encryption algorithms, etc). See best practices documents for details. + +Level 2 + + * Private keys are only stored encrypted. + +Level 3 + + * Private keys are only stored encrypted and off-site. + +Filesystems and Storage +Level 1 + + * User data that is not publicly accessible is stored encrypted, using a strong passphrase. See best practices documents for details. This includes mails, databases, list archives, restricted websites and others. + +Level 2 + + * Swap is stored encrypted. + * The operating system and its configuration is stored encrypted with a strong passphrase. See best practices documents for details. + +Level 3 + + * Swap is encrypted with a random key on boot. + +Logs +Level 1 + + * Logs are stored encrypted or only in memory. + +Level 2 + + * Logs are anonymized and contain no information that can identify user activities. + +Level 3 + + * No logs of any kind are stored. + +Users +Level 1 + + * Users are advised about good passwords and polices. See best practices documents for details. + +Level 2 + + * Users are forced to use strong passwords, as measured by a generally accepted password strength algorithm. See best practices documents for details. + * Shell accounts for users are only in vservers, separate boxes, or similar sandboxes. No end user have a login on a server that provides sensitive services. See best practices documents for details. + +Level 3 + + * Shell accounts are isolated from other users: each user's shell account exists in a chrooted environment that has no visibility into other user's environments (files, processes, etc.). + +Evaluation of policy compliance +Level 1 + + * Yearly periodic self-evaluation: checking at least every twelve months that requirements supposed to be achieved actually are. + +Level 2 + + * Semi-yearly self-evaluation: checking at least every six months that requirements supposed to be achieved actually are. + +Level 3 + + * Quarterly self-evaluation: checking at least every three months that requirements supposed to be achieved actually are. + + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.10 (GNU/Linux) + +iQIcBAEBAgAGBQJO+m5gAAoJEIvA5znQZFhDrFEQALgM/fg4rc+Jw78/c0kjFT3P +IA2kOqWRdKQDA0fxr+S5fzpMOhTYxQjWCOGQq+l6VtPr5nBOXvYhX/r7Wg8VJde6 +GZqZIaBPPZGq6cNa7p5lhN4NKmARu9x5JYVE3PCEGQALvellgNAbrIuMcYp6UIJZ +fFVPJrYiMBpVDpF1mauv4UK4UBRKPo+DzFHZverbFvnBZ4CE5QUSTEa0LHFyrTxX +E5vwIX6m6EEVBzdUtHZD9WOM6mOiGgRT6LOHy2NPy+YERvGUUQyb2PqTzxgnBzWB +Cqfh6Ki0f9ZVlt5ctr83EUmd5h3DwfZH1rKaCRKZ0tw/wsP1aA6BkHhhH4VP1uov +5UTjpRmVbs9evqy+aiO+BRCXdJK0/eZv4wWaK/j4D3aDaZ4Vhotw8i/+A+xB5GF0 +tjrGGO+7XfaQYTtz1aeTMMmrfJBTYO0Bzs8jH1kY41NYy36lMaxGGgf0wNS+IuP/ +n1oaf8VD4MBxPjR1lEIXBtUq/OYSWr69UsKniFmsTXqx4U35geVQugpKT+ILfeHX +NHeF4Tnsz3siIy4FpMLOcCYbihf+LAJm8/HyukODEdrb7dkjlyT9ivE7rH2GA+uc +eb1NIfBveYHu2o+WbENHKqXFNVO+p6kw3vfR4Le98pGVhrOPMiFfmfe9SrhRq8Yb +wn3EbWa/UcVhXGnUQgoV +=HQyf +-----END PGP SIGNATURE----- diff --git a/policy.mdwn b/policy.mdwn new file mode 100644 index 0000000..6369ee8 --- /dev/null +++ b/policy.mdwn @@ -0,0 +1,184 @@ + +__Providers' Commitment for Privacy: _Version 1.0___ + +[[!toc levels=2]] + + +# Preamble + +This document contains many social and technical issues, that should lead to a more secure handling of private user data. + +In light of the increased surveillance and repression measures established by many governments in the first decade of this millennium, it is now even more necessary to improve users' understanding and awareness of privacy matters, as well as the privacy levels offered by tech collectives and groups. + +With this draft, we are trying to create more transparency for our users. This document states what users can expect from the tech collectives and groups that signed it, in terms of the use of encryption, logging of ip's and data storage. + +Another reason to write this document is to encourage a privacy/security awareness amongst us. This draft can be used to put pressure on sysadmins, collectives and groups to do the right thing. In order to reduce the work involved, the signing tech collectives and groups share knowledge and write down standards that can be implemented by other tech collectives and groups. + +This being said, beware: + + 1. The fact that a tech collective or group signed this document is not a guarantee in itself; as a user you should have a trust relationship with the tech collective or group based on personal relations, not on signatures. Your data can only be as secure as the human beings who maintain the server it is stored on. + 2. There is no such thing as a perfectly secure server! Human mistakes and software bugs can disclose your data, reveal your identity, send you to jail and kill your kitten. + 3. Nothing that your preferred tech collective or group does will be enough to protect you from intense directed scrutiny from a powerful organization. If you suspect you are the target of special surveillance, you need to take your own privacy into your own hands. + + +# Description of the security levels + +_The computer is to the information industry roughly what the +central power station is to the electrical industry. + -- Peter Drucker_ + +There is no such thing as service that is both perfectly secure and one that fully protects the end-user's privacy. The policy defined below thus is designed to enumerate different levels of security and privacy. Each tech collective should try to reach the highest possible level. Even at the highest defined level, the ideal setup may be somewhere beyond what is proposed in this document. In many cases it will be impossible to fulfill some points due to various problems: technical, social, resources, etc. The levels defined are intended to make it easier for users of services to understand, and as a result, make better decisions about the security and privacy of their data. They also should serve as guidelines for sysadmins who need an overview of the various aspects involved in these important issues and some of the goals that they should strive to attain. + +The policy defines three levels of security and privacy. The first level (level 1) contains basic requirements for services, its defined as less secure and providing less privacy assurances than “level 2”. Fulfilling the requirements of the highest level (level 3) will be the most challenging to implement for the technical collectives and will, in most cases, protect users’ data better. The following descriptions of the levels are meant to give a short overview of the key differences between each. Please refer to the specific list of requirements for more details. Yet beware, the higher the level, the harder it is to achieve or verify for the user. + + +## Short overview of _level 1_ +* Connections to all services are encrypted by default. If a non-encrypted alternative connection is offered, then this must be marked visibly to warn users. +* Mail sent through the service can possibly include user identifiable information (e.g. the IP address of the originating host). +* Only data that is not already publicly accessible has to be stored encrypted (e.g. user private data) +* It is possible that user identifiable logs are stored without encryption. +* Compliance with the policy is reviewed by the administrators at least once in a year. + +## Short overview of _level 2_ +* Connections between users and the services they use are always encrypted. +* Mails contain no user identifiable information. +* No user identifiable information are stored in logs. +* The operating system of the service and its configuration are only stored encrypted. +* Compliance with the policy is reviewed by the administrators at least once within six months. + +## Short overview of _level 3_ +* All services are also available as hidden Tor services. +* No logs are stored. +* Compliance with the policy is reviewed by the administrators at least once within three months. + + +# Modules + +Obviously, every security/privacy level requires that you keep your software up to date to the current knowledge of security issues. + + +## What to do in case of fire? + +### Level 1 + +* Make sure to have means of communication to users when the server goes down. This can be an alternative communication channel (e.g. external mail, phone, ...) or an off-site status web page. + +## Mail + +### Level 1 + +* If the server adds the IP address of a user sending a mail through its service anywhere in the email, the user is informed about this. +* The connections between the user and the server are always encrypted. +* Use StartTLS to exchange mails with other servers whenever available. +* The server must have its own SSL certificate signed by one of a given set of certificate authorities. See best practices documents for details. + +### Level 2 + +* The server doesn't add the IP address of a user sending a mail through its service anywhere in the email. +* TLS is required with other level 2 compliant servers. Certificates are verified with fingerprint. + +### Level 3 + +* Mail is also available as an enclaved hidden Tor service. + +## Webmail + +### Level 1 + +* The connections between the server and the user are always encrypted. +* If the user's IP address appears in the email headers, this fact is visibly marked as insecure. + +### Level 2 + +* All sessions must be stored as cookies. Session IDs cannot be in the URL. +* The user's IP address does not appear in any email headers. + +### Level 3 + +* Due to the fact that client-side scripting, such as Javascript, can reveal the user's IP address (this is why users of Tor typically disable it), Webmail is functional without it. +* The session ID algorithm and cookies do not use or store the user's IP address, neither in plain text or some garbled form. Sessions are not restricted to IP addresses (since this would prevent access with anonymity tools such as Tor). +* Webmail is also available as an enclaved hidden Tor service. + +## Certificates and keys for encrypted stream-based services + +### Level 1 + +* Stream-based communication uses only a well-established set of cryptographic parameters (ciphers, message digests, asymmetric encryption algorithms, etc). See best practices documents for details. + +### Level 2 + +* Private keys are only stored encrypted. + +### Level 3 + +* Private keys are only stored encrypted and off-site. + +## Filesystems and Storage + +### Level 1 + +* User data that is not publicly accessible is stored encrypted, using a strong passphrase. See best practices documents for details. This includes mails, databases, list archives, restricted websites and others. + +### Level 2 + +* Swap is stored encrypted. +* The operating system and its configuration is stored encrypted with a strong passphrase. See best practices documents for details. + +### Level 3 + +* Swap is encrypted with a random key on boot. + +## Logs + +### Level 1 + +* Logs are stored encrypted or only in memory. + +### Level 2 + +* Logs are anonymized and contain no information that can identify user activities. + +### Level 3 + +* No logs of any kind are stored. + +## Users + +### Level 1 + +* Users are advised about good passwords and polices. See best practices documents for details. + +### Level 2 + +* Users are forced to use strong passwords, as measured by a generally accepted password strength algorithm. See best practices documents for details. +* Shell accounts for users are only in vservers, separate boxes, or similar sandboxes. No end user have a login on a server that provides sensitive services. See best practices documents for details. + +### Level 3 + +* Shell accounts are isolated from other users: each user's shell account exists in a chrooted environment that has no visibility into other user's environments (files, processes, etc.). + +## Evaluation of policy compliance + +### Level 1 + +* Yearly periodic self-evaluation: checking at least every twelve months that requirements supposed to be achieved actually are. + +### Level 2 + +* Semi-yearly self-evaluation: checking at least every six months that requirements supposed to be achieved actually are. + +### Level 3 + +* Quarterly self-evaluation: checking at least every three months that requirements supposed to be achieved actually are. + +## Verification + +The current version of the policy is signed with an OpenGPG key +([keyserver](https://keys.mayfirst.org/pks/lookup?op=get&search=0xCE8BA23183EC5CB69760E02F8BC0E739D0645843)). Key +details are as follows: + + pub 4096R/D0645843 2011-12-28 [expires: 2013-01-31] + Key fingerprint = CE8B A231 83EC 5CB6 9760 E02F 8BC0 E739 D064 5843 + uid Providers Commitment for Privacy + +The signed file is [[here|policy-signed.txt]]. diff --git a/sidebar.mdwn b/sidebar.mdwn new file mode 100644 index 0000000..e5effa9 --- /dev/null +++ b/sidebar.mdwn @@ -0,0 +1,4 @@ +* [Home](/) +* [[Policy]] +* [[Best Practices]] +* [[About]] diff --git a/style.css b/style.css new file mode 100644 index 0000000..48db1d1 --- /dev/null +++ b/style.css @@ -0,0 +1,798 @@ +/* ikiwiki style sheet */ + +/* PCP Theme */ + +/* Note that instead of modifying this style sheet, you can instead edit + * local.css and use it to override or change settings in this one. + */ + +/* html5 compat */ +article, +header, +footer, +nav { + display: block; +} + +#content { + margin-left: 1em; + min-height: 300px; +} + +#content p { + line-height: 1.3em; + margin-left: 2em; +} +#content li { + line-height: 1.5em; + margin-left: 2em; +} + +.header { + padding-top: 0.5em; + margin: 0; + font-size: 22px; + font-weight: bold; + line-height: 1em; + display: block; +} + +.inlineheader .author { + margin: 0; + font-size: 18px; + font-weight: bold; + display: block; +} + +.actions ul { + width: 100%; + margin: 0; + padding: 6px .4em; + height: 1em; + list-style-type: none; +} +.actions li { + display: inline; + padding: .2em; +} + +#otherlanguages ul { + margin: 0; + padding: 6px; + list-style-type: none; +} +#otherlanguages li { + display: inline; + padding: .2em .4em; +} +.pageheader #otherlanguages { + border-bottom: 1px solid #000; +} + +.inlinecontent { + margin-top: .4em; +} + +.pagefooter, +.inlinefooter, +.comments { + clear: both; +} + +#footer { + border-top: 1px solid #000; +} + +#pageinfo { + margin: 1em ; + margin-top: 0.5em; +} + +.tags { + margin-top: 1em; +} + +.inlinepage .tags { + display: inline; +} + +.mapparent { + text-decoration: none; +} + +.img caption { + font-size: 80%; + caption-side: bottom; + text-align: center; +} + +img.img { + margin: 0.5ex; +} + +.align-left { + float:left; +} + +.align-right { + float:right; +} + +#backlinks { + margin-top: 0em; +} + +#searchform { + display: inline; + float: right; +} + +#editcontent { + width: 98%; +} + +.editcontentdiv { + width: auto; + overflow: auto; +} + +img { + border-style: none; +} + +pre { + overflow: auto; +} + +div.recentchanges { + border-style: solid; + border-width: 1px; + overflow: auto; + width: auto; + clear: none; + background: #eee; + color: black !important; +} +.recentchanges .metadata { + padding: 0px 0.5em; +} +.recentchanges .changelog { + font-style: italic; + clear: both; + display: block; + padding: 1px 2px; + background: white !important; + color: black !important; +} +.recentchanges .desc { + display: none; +} +.recentchanges .diff { + display: none; +} +.recentchanges .committer { + float: left; + margin: 0; + width: 40%; +} +.recentchanges .committype { + float: left; + margin: 0; + width: 5%; + font-size: small; +} +.recentchanges .changedate { + float: left; + margin: 0; + width: 35%; + font-size: small; +} +.recentchanges .pagelinks { + float: right; + margin: 0; + width: 60%; +} + +#blogform { + padding: 10px 10px; + border: 1px solid #aaa; + background: #eee; + color: black !important; + width: auto; + overflow: auto; +} + +.inlinepage { + padding: 10px 10px; + border: 1px solid #aaa; + overflow: auto; +} + +.pagedate, +.pagelicense, +.pagecopyright { + font-style: italic; + font-size: 0.8em; + display: block; + margin-top: 1em; + padding-bottom: 0.5em; +} + +.error { + color: #C00; +} + +.sidebar { + position: absolute; + width: 14em; + right: 0em; + float: right; + margin-left: 0; + margin-bottom: 1em; + margin-top: 1em; + margin-right: 1em; + padding-top: .4em; + padding-left: .6em; + padding-right: 0em; + padding-bottom: 1em; + background: #bababa; + border: .1em solid black; + color: black !important; +} + +.sidebar ul { + margin-top: 0.5em; +} + +.sidebar li { + font-weight: bold; +} + +.sidebar h1 { + margin-top: 0em; + margin-left: 0em; + padding-bottom: 0; + margin-bottom: 0; + font-size: 1.2em; +} + +hr.poll { + height: 10pt; + color: white !important; + background: #eee; + border: 2px solid black; +} +div.poll { + margin-top: 1ex; + margin-bottom: 1ex; + padding: 1ex 1ex; + border: 1px solid #aaa; +} + +span.color { + padding: 2px; +} + +.comment-header, +.microblog-header { + font-style: italic; + margin-top: .3em; +} +.comment .author, +.microblog .author { + font-weight: bold; +} +.comment-subject { + font-weight: bold; +} +.comment { + border: 1px solid #aaa; + padding: 3px; +} + +div.progress { + margin-top: 1ex; + margin-bottom: 1ex; + border: 1px solid #888; + width: 400px; + background: #eee; + color: black !important; + padding: 1px; +} +div.progress-done { + background: #ea6 !important; + color: black !important; + text-align: center; + padding: 1px; +} + +/* things to hide in printouts */ +@media print { + .actions { display: none; } + .tags { display: none; } + .feedbutton { display: none; } + #searchform { display: none; } + #blogform { display: none; } + #backlinks { display: none; } +} + +/* infobox template */ +.infobox { + float: right; + margin-left: 2ex; + margin-top: 1ex; + margin-bottom: 1ex; + padding: 1ex 1ex; + border: 1px solid #aaa; + background: white; + color: black !important; +} + +/* notebox template */ +.notebox { + display: none; + float: right; + margin-left: 2ex; + margin-top: 1ex; + margin-bottom: 1ex; + padding: 1ex 1ex; + border: 1px solid #aaa; + width: 25%; + background: white; + color: black !important; +} + +/* popup template and backlinks hiding */ +.popup { + border-bottom: 1px dotted #366; + color: #366; +} +.popup .balloon, +.popup .paren, +.popup .expand { + display: none; +} +.popup:hover .balloon, +.popup:focus .balloon { + position: absolute; + display: inline; + margin: 1em 0 0 -2em; + padding: 0.625em; + border: 2px solid; + background-color: #dee; + color: black; +} + +/* form styling */ +fieldset { + margin: 1ex 0; + border: 1px solid black; +} +legend { + padding: 0 1ex; +} +.fb_submit { + float: left; + margin: 2px 0; +} +label.block { + display: block; +} +label.inline { + display: inline; +} +input#openid_identifier { + background: url(wikiicons/openidlogin-bg.gif) no-repeat; + background-color: #fff; + background-position: 0 50%; + color: #000; + padding-left: 18px; +} +input#searchbox { + background: url(wikiicons/search-bg.gif) no-repeat; + background-color: #fff; + background-position: 100% 50%; + color: #000; + padding-right: 16px; +} +/* invalid form fields */ +.fb_invalid { + color: red; + background: white !important; +} +/* required form fields */ +.fb_required { + font-weight: bold; +} + +/* highlight plugin */ +pre.hl { color:#000000; background-color:#ffffff; } +.hl.num { color:#2928ff; } +.hl.esc { color:#ff00ff; } +.hl.str { color:#ff0000; } +.hl.dstr { color:#818100; } +.hl.slc { color:#838183; font-style:italic; } +.hl.com { color:#838183; font-style:italic; } +.hl.dir { color:#008200; } +.hl.sym { color:#000000; } +.hl.line { color:#555555; } +.hl.mark { background-color:#ffffbb; } +.hl.kwa { color:#000000; font-weight:bold; } +.hl.kwb { color:#830000; } +.hl.kwc { color:#000000; font-weight:bold; } +.hl.kwd { color:#010181; } + +/* calendar plugin */ +.month-calendar-day-this-day, +.year-calendar-this-month { + background-color: #eee; +} +.month-calendar-day-head, +.month-calendar-day-nolink, +.month-calendar-day-link, +.month-calendar-day-this-day, +.month-calendar-day-future { + text-align: right; +} +.month-calendar-arrow A:link, +.year-calendar-arrow A:link, +.month-calendar-arrow A:visited, +.year-calendar-arrow A:visited { + text-decoration: none; + font-weight: normal; + font-size: 150%; +} + +/* outlines */ +li.L1 { list-style: upper-roman; } +li.L2 { list-style: decimal; } +li.L3 { list-style: lower-alpha; } +li.L4 { list-style: disc; } +li.L5 { list-style: square; } +li.L6 { list-style: circle; } +li.L7 { list-style: lower-roman; } +li.L8 { list-style: upper-alpha; } + +/* tag cloud */ +.pagecloud { + display: none; + float: right; + width: 30%; + text-align: center; + padding: 10px 10px; + border: 1px solid #aaa; + background: #eee; + color: black !important; +} +.smallestPC { font-size: 70%; } +.smallPC { font-size: 85%; } +.normalPC { font-size: 100%; } +.bigPC { font-size: 115%; } +.biggestPC { font-size: 130%; } + +/* orange feed button */ +.feedbutton { + background: #ff6600; + color: white !important; + border-left: 1px solid #cc9966; + border-top: 1px solid #ccaa99; + border-right: 1px solid #993300; + border-bottom: 1px solid #331100; + padding: 0px 0.5em 0px 0.5em; + font-family: sans-serif; + font-weight: bold; + font-size: small; + text-decoration: none; + margin-top: 1em; +} +.feedbutton:hover { + color: white !important; + background: #ff9900; +} + +/* openid selector */ +#openid_choice { + display: none; +} +#openid_input_area { + clear: both; + padding: 10px; +} +#openid_btns, #openid_btns br { + clear: both; +} +#openid_highlight { + background-color: black; + float: left; +} +.openid_large_btn { + padding: 1em 1.5em; + border: 1px solid #DDD; + margin: 3px; + float: left; +} +.openid_small_btn { + padding: 4px 4px; + border: 1px solid #DDD; + margin: 3px; + float: left; +} +a.openid_large_btn:focus { + outline: none; +} +a.openid_large_btn:focus { + -moz-outline-style: none; +} +.openid_selected { + border: 4px solid #DDD; +} +/* bzed theme for ikiwiki + * + * Copyright (C) 2010 Bernd Zeimetz + * Licensed under same license as ikiwiki: GPL v2 or later + * + * Parts of this file are based on the awesome YUI, + * these parts will stay under the BSD license, + * but you're free to apply the GPLv2 to them, of course. + */ + + + +/* ------------------------------------------------------------------------------------------------- +Based on reset-fonts-grids.css from yui. +Copyright (c) 2008, Yahoo! Inc. All rights reserved. +Code licensed under the BSD License: +http://developer.yahoo.net/yui/license.txt +version: 2.5.1 +*/ +body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,code,form,legend,p,blockquote,th,td{margin:0;padding:0;} +table{border-collapse:collapse;border-spacing:0;} +img{border:0;} +address,caption,cite,code,dfn,em,strong,th,var{font-style:normal;font-weight:normal;} +li{list-style:none;} +caption,th{text-align:left;} +h1,h2,h3,h4,h5,h6{font-size:100%;font-weight:normal;} +q:before,q:after{content:'';} +abbr,acronym {border:0;font-variant:normal;} +sup {vertical-align:text-top;} +sub {vertical-align:text-bottom;} +input,textarea,select{font-family:inherit;font-size: 13px;font-weight:normal;} +input,textarea,select{font-size:100%;} +legend{color:#000;} +body {font:13px Verdana,Lucida,Helvetica,Arial,sans-serif;} +table {font-size:inherit;font:100%;} +pre,code,kbd,samp,tt{font-family:monospace;} + + +body{text-align:left;} +.inlinefooter{clear:both;} + + +/* #doc3{margin:auto 10px;width:auto;} */ + + +/* ------------------------------------------------------------------------------------------------ + * Taken from base.css, part of YUI's CSS Foundation + * Copyright (c) 2008, Yahoo! Inc. All rights reserved. + * Code licensed under the BSD License: + * http://developer.yahoo.net/yui/license.txt + * version: 2.5.1 +*/ +h1 { + /*18px via YUI Fonts CSS foundation*/ + font-size:138.5%; +} +h2 { + /*16px via YUI Fonts CSS foundation*/ + margin-left: 0.8em; + font-size:123.1%; +} +h3 { + /*14px via YUI Fonts CSS foundation*/ + margin-left: 1.5em; + font-size:108%; +} +h1,h2,h3,h4,h5,h6,strong { + /*bringing boldness back to headers and the strong element*/ + font-weight:bold; +} + +abbr,acronym { + /*indicating to users that more info is available */ + border-bottom:1px dotted #000; + cursor:help; +} +em { + /*bringing italics back to the em element*/ + font-style:italic; +} +blockquote,ul,ol,dl { + /*giving blockquotes and lists room to breath*/ + margin:1em; +} +ol,ul,dl { + /*bringing lists on to the page with breathing room */ + margin-left:2em; +} +ol li { + /*giving OL's LIs generated numbers*/ + list-style: decimal outside; +} +ul li { + /*giving UL's LIs generated disc markers*/ + list-style: disc outside; +} +dl dd { + /*giving UL's LIs generated numbers*/ + margin-left:1em; +} +th,td { + /*borders and padding to make the table readable*/ + border:1px solid #000; + padding:.5em; +} +th { + /*distinguishing table headers from data cells*/ + font-weight:bold; + text-align:center; +} +caption { + /*coordinated margin to match cell's padding*/ + margin-bottom:.5em; + /*centered so it doesn't blend in to other content*/ + text-align:center; +} +p,fieldset,table,pre { + /*so things don't run into each other*/ + margin-bottom:1em; +} + +#searchbox { + width:21.5em; +} + + +/* ------------------------------------------------------------------------------------------------ + * All CSS below is + * Copyright (C) 2010 Bernd Zeimetz + * Licensed under same license as ikiwiki: GPL v2 or later */ + +.page, .pageheader, #content, #comments, .inlinepage, .recentchanges, .pageheader .actions ul { + border: none; +} + +html, body { + color:#000; + background-color: #353D40; +} + +body { + padding: 0; + margin: 0; +} + +.page { + position: relative; + margin:auto; + text-align:left; + width:auto; + min-width:750px; + max-width:1200px; + background: #ddd; +} +.pageheader { + position: relative; + background-image: url('header_background.jpg'); + background-repeat: repeat-x; + height: 100px; + padding-left: 1em; + padding-right: 1em; + padding-bottom: 1em; + padding-top: 1.2em; +} + +.pageheader .header { + text-align: top; + clear: both; +} + +.pageheader .header form { + padding: 0em 0em 0em 0em; + float: right; + margin-top: 0.5em; +} + +.pageheader .header .title, .pageheader .header .parentlinks, + .inlinepage .inlineheader, + h1, h2, h3, h4, h5, h6 { + margin-top: 1em; + font-weight: bold; +} + +.parentlinks,.title, .actions ul li { + background-color: rgba(85,100,115,0.7); +} + +.pageheader .header .title, .pageheader .header .parentlinks, .pageheader .actions ul li, .pageheader .header span { + padding: 0.25em 0.25em 0.25em 0.25em; + opacity: 1; + color: #FFF; +} + +.pageheader .header span a, .pageheader .actions ul li a, .pageheader .header .parentlinks a { + color: white; + text-decoration: none; + opacity: 1; +} + +.pageheader .actions { + float: right; + position: absolute; + text-align: right; + vertical-align: bottom; + clear: both; + bottom: 1em; + right: 2em; +} + + + +#pagebody { + position:static; + padding-right: 1em; + padding-bottom: 2em; + margin-right: 17em; + clear: none; +} + +#content a, #comments a, .sidebar a, .pagefooter a { + color: #215470; + text-decoration: none; + font-weight: bold; +} + +.sidebar .menu { + margin-left: 1em; +} + + +.inlinepage, .recentchanges, div.recentchanges { + clear: none !important; + margin-bottom: 2em; +} + +.inlinefooter { + border-top: 1px dotted #315485; +} + +.inlinefooter .pagedate, .inlinefooter .tags { + display: inline; + clear: none; + margin-right: 2em; +} + +.calendar .month-calendar th, .calendar .month-calendar td { + padding: 0.22em; +} + +@media print { + .sidebar, .page .pageheader .header .parentlinks { + content:"."; + display:block; + height:0; + visibility:hidden; + } + .page { + padding: 1em 1em 1em 1em; + } + .pageheader .header span a, .pageheader .actions ul li a, .pageheader .header .parentlinks a { + color #315485; + } + #content, #comments, #pagebody { + margin-right: 0; + *margin-right: 0; + border-right: none; + } + +} + diff --git a/test.mdwm b/test.mdwm new file mode 100644 index 0000000..a042389 --- /dev/null +++ b/test.mdwm @@ -0,0 +1 @@ +hello world! diff --git a/users/anarcat.mdwn b/users/anarcat.mdwn new file mode 100644 index 0000000..dbc75f0 --- /dev/null +++ b/users/anarcat.mdwn @@ -0,0 +1 @@ +see <https://wiki.koumbit.net/TheAnarcat> diff --git a/users/maxigas.mdwn b/users/maxigas.mdwn new file mode 100644 index 0000000..a042389 --- /dev/null +++ b/users/maxigas.mdwn @@ -0,0 +1 @@ +hello world! |