-rw-r--r-- | .ssh/authorized_keys | 3 | ||||
-rw-r--r-- | about.mdwn | 20 | ||||
-rw-r--r-- | best_practices.mdwn | 144 | ||||
-rw-r--r-- | best_practices_es.mdwn | 103 | ||||
-rw-r--r-- | header_background.jpg | bin | 0 -> 94756 bytes | |||
-rw-r--r-- | hello | 0 | ||||
-rw-r--r-- | ikiwiki.setup | 430 | ||||
-rw-r--r-- | index.mdwn | 13 | ||||
-rw-r--r-- | pcp28c3.pdf | bin | 0 -> 99407 bytes | |||
-rw-r--r-- | policy-signed.txt | 192 | ||||
-rw-r--r-- | policy.mdwn | 185 | ||||
-rw-r--r-- | policy_es.mdwn | 169 | ||||
-rw-r--r-- | sidebar.mdwn | 4 | ||||
-rw-r--r-- | style.css | 798 | ||||
-rw-r--r-- | test.mdwm | 1 | ||||
-rw-r--r-- | users/anarcat.mdwn | 1 | ||||
-rw-r--r-- | users/maxigas.mdwn | 1 |
17 files changed, 2064 insertions, 0 deletions
diff --git a/.ssh/authorized_keys b/.ssh/authorized_keys
new file mode 100644
index 0000000..97ce66d
--- /dev/null
+++ b/.ssh/authorized_keys
@@ -0,0 +1,3 @@
+command="iki-git-shell",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty,no-user-rc ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxz1ZGPnMN96NZ9etiV7IFWi0dV8qW+RJWt1h2ODkVG0t5+tW6EvBnDsyWy1by043M8Au15f0fwOydas6PvAHQP1aB7i002DmTkqtN70Z04K6GUKQqfOuZwM3/9lEoNIZrPMmIBmncgiVZ5I9S1HLwAwh1/2hYYr7DVDAkXvdibbpLgQ7DyJqPPwkYRug9rvE67pFcmR0E4Tfv4Xs/kSYLatSQbWR8WlzQCEahhIqPmpwfaAbFlJtqZsl59zo2XuJFxsZ1MMCWTryUYzOZP3M9zUD+yNW9Z+AmqGa/1B5vtpOEefiGWwaP18IV2mu9OoUvNlVQdtUc4+IxIZkLwRBWQ==
+command="iki-git-shell",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty,no-user-rc ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCla1XNOsgJit+OjQjsQSFC/tnix5ZHpHzgQCL/RrnS9h5vPSxE/QcoMsXDq9n5O05bmjgm038/pU7SWYWlRBNAAxZMSHITekC4+421cWK+VqhoIrsT8euOiuGyhEcIWNLlL/Ht9GamiOawmRC9Tl6wcNvroBch7E3jB0eN78/RArqURGFZToY1Eu5uS1ISJr2oq/6ZzrCGNk7oyqvDOKtnRgHNEN+8Ct3BrF6gbEb9EPFwBiV5fCwImr41M+HGoVFo0UUqPitqIvebJOY3Olz4wwzWTnuYlD3jOaS414IaeEojA+JaWFPqPcd8auaRrwBPk8SdKU/Ib7QssGqGIZFv
+command="iki-git-shell",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty,no-user-rc ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtpX3qQrUeQma4zhNEDNtFc0VioJQSYLxrxd5CmgqqqUT3mHJPeZgihEsmOLNSWK7gjSfdFvR+ktRKZbTYGX0Jn9JRV5giye7LyTYlhuBmnf/53kBOorbO6Uf5wLVjvu0GzuowFPwN9pObHZM1H6iG4Jf+vMol4HXQm/Ezw1LjKevdIajKZjECWWQeCCmk9ePoPAL9KQ0VDCmiXPpCcYlnnXyH5XOQ7mvNyeNmQEWPwcZqpe5+tYmSq24l5jS0mrsp9PX82l5dwCgxrcKBWvaVOtSWl0ntT8QsVHtkomEGRDuElXIOJ3QowH4vk96h4rWqdT8/ZhJFENFF6dDMcW0t
diff --git a/about.mdwn b/about.mdwn
new file mode 100644
index 0000000..5db7cfc
--- /dev/null
+++ b/about.mdwn
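Review bot: None of the three key lines carries a trailing comment, so the file does not say who holds which key, and revoking one later means matching fingerprints by hand; append an owner/purpose comment to each line, e.g. `... ssh-rsa AAAA… anarcat (iki-git-shell push key, 2011-12)`. The first key encodes public exponent 35 (`AAAABIw` right after the `ssh-rsa` prefix), which older ssh-keygen releases produced before switching to 65537, so that key is probably much older than the other two and is a candidate for rotation — confirm with its owner. The forced `command="iki-git-shell"` plus the `no-*` options are the right restriction set for a push-only key. Note that this repository is published (`branchable: 1` and the `git://` clone URL elsewhere in this commit), so the set of keys with push access is public information; that is acceptable for public keys but worth knowing when choosing whether to keep `.ssh/` in the wiki tree.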
@@ -0,0 +1,20 @@
+# About
+
+The initial version of the "Providers' Commitment to Privacy" (PCP)
+policy was drawn up by an international group of participants.
+Discussion was English-language based and took place over approximately
+3 years using face-to-face and (encrypted) virtual communication. The
+resulting, consensus-based document is available on this website.
+
+## Contact
+
+Comments and queries about the policy can be mailed to
+pcp@lists.tachanka.org - there is another [OpenGPG
+key](http://keys.mayfirst.org/pks/lookup?op=get&search=0x77D95A9012B3EEDA)
+associated with this address. You can use it to send us encrypted email:
+
+pub 4096R/0xE5C7B674AC07077F 2013-04-03
+ Key fingerprint = A1D1 ACCE 2B7C 608E 5830 39BB E5C7 B674 AC07 077F
+uid PCP (schleuder list) <pcp@lists.tachanka.org>
+sub 4928R/0x6AEF09BF684D2452 2013-04-03
+
diff --git a/best_practices.mdwn b/best_practices.mdwn
new file mode 100644
index 0000000..b9605c5
--- /dev/null
+++ b/best_practices.mdwn
@@ -0,0 +1,144 @@ +# Appendix: Best practices references + +Translations: [[Castellano|best practices_es]] + +Spanish version: https://pad.puscii.nl/p/Practice-es +Portuguese version: https://pad.puscii.nl/p/Practice-pt + +*This appendix contains the text of the policy with specific best practices added below relevant sections. It is a work in progress. Please help expand!* + +Obviously, every security/privacy level requires that you keep your software up to date to the current knowledge of security issues. + +## Mail + +### Exim + +#### Level 1 + +##### [StartTLS-exim](http://aland.burngreave.net/archives/2009/12/30/index.html#e2009-12-30T16_26_49.txt) starttls with other compliant servers’, certs verified against cacert/… + +### If the server adds the IP address of a user sending a mail through its service anywhere in the email, the user is informed about this. + +### The connections between the user and the server are always encrypted. + +### Use StartTLS to exchange mails with other servers whenever available. + +## The server must have its own SSL certificate signed by one of a given set of certificate authorities. See best practices documents for details. + +#### Level 2 + +##### [StartTLS-exim](http://aland.burngreave.net/archives/2009/12/30/index.html#e2009-12-30T16_26_49.txt) tls is required with other compliant servers’, certs verified with fingerprint + +### Postfix + +#### Level 1 + +##### If the server adds the IP address of a user sending a mail through its service anywhere in the email, the user is informed about this. + +Not a matter of server configuration: you should use your communication channels to pass this information to your existing users (e.g. newsletter, announcement mailing list). New users should be informed as part of the account signup process. You may additionally explain this on your website. + +##### The connections between the user and the server are always encrypted. 
+ +* Server Side: [Configure Postfix to use X.509 certificate](http://koti.kapsi.fi/ptk/postfix/postfix-tls-cacert.shtml) retrieved on Apr 3 2013 +* Client side: Kindly ask your provider for documentation :) + +##### Use (Start)TLS to exchange mails with other servers whenever available + +## The server must have its own X.509 certificate signed by one of a given set of certificate authorities. + +There are many problems with the X.509 ecosystem, partly explained here: http://lair.fifthhorseman.net/~dkg/tls-centralization/ + +Depending on how well your users understand X.509-certifcates, we recommend 4 different scenarios: + +a. Commercial Cert. Authority: usually costs money, but users do not get confused because their mail clients are shipped with commercial root certificates, so there will be no warning messages about untrusted certificate chains. Doesn't necessarily increase the connection security if the adversary can issue certificates because a certificate authority has gone rogue or is a state, for example. See the [Security Section on wikipedia](https://en.wikipedia.org/wiki/X.509#Security) for more details. + +b. CaCert: Users still need to validate and install CaCert's root certificates because it's not included in any mail client. But they might already have done that step for other providers. There is also a Debian package which makes it easy for Debian/Ubuntu users to install it. + +c. Self Signed certificates/Own Authority: con: not included in the default mail user clients of your users. They have to install the (root-)certificates. If they don't use certificate pinning and have other commercial authorities still installed you win nothing but confusion. You risk to teach your users into bypassing security warning messages. If properly applied by your collective of crypto-ninjas, it *can* be more secure. + +d. Monkeysphere: You can use openPGP keys (certifications) to authenticate services. 
This is technically an excellent solution, albeit not really supported in popular software. If you have power users, we recommend trying it out. More information on http://monkeysphere.info/ + +### Level 2 + +#### The server doesn't add the IP address of a user sending a mail through its service anywhere in the email. + +* [IPs in headers]( https://we.riseup.net/debian/mail#postfix ) + +#### TLS is required with other level 2 compliant servers. Certificates are verified with fingerprint. +An equivalent solution is to implement an IPsec link between relevant collectives which makes it unnecessary to use TLS. +In order to implement this, you need to know the up-to-date fingerprints of the certificates of the groups that you plan to cooperate with in this way. There are many ways to do this, but it depends too much on social and technical context so we will not detail them here, only state that it is a requirement. Pinning those fingerprints and updating them when changed can be a hassle (unless an automated and secure protocol and implementation for this purpose becomes available). +[Postfix TLS README](http://www.postfix.org/TLS_README.html ) + +### Level 3 + +#### Mail is also available as a hidden Tor service. +https://www.torproject.org/docs/tor-hidden-service.html.en adapt to the needs of a mailserver. +Client: [torbirdy](https://trac.torproject.org/projects/tor/wiki/torbirdy) is a useful Thunderbird extension to make use of such a hidden service. + +## Filesystems and Storage + +### Level 1 + +* User data that is not publicly accessible is stored encrypted, using a strong passphrase. See best practices documents for details. This includes mails, databases, list archives, restricted websites and others. +In GNU/Linux, cryptsetup: +* How to set up an encrypted filesystem in several easy steps? http://www.debian-administration.org/articles/469 +* Setting up an encrypted Debian system http://madduck.net/docs/cryptdisk/ + +### Level 2 + +* Swap is stored encrypted. 
+For this you can use said cryptsetup too. +* The operating system and its configuration is stored encrypted with a strong passphrase. See best practices documents for details. +Today you can use many OS installers that achieve this: Ubuntu alternative text installer? +Don't rely on hard drives that promote encryption on the disklayer, they are often not properly implemented or come with backdoors for example + +### Level 3 + +* Swap is encrypted with a random key on boot. +* Create an encrypted swap area http://www.microhowto.info/howto/create_an_encrypted_swap_area.html +https://we.riseup.net/debian/encrypted-swap +http://linux.die.net/man/5/crypttab -> section "swap" + +# Older best practices + +## Mail + +* [IPs in headers](http://riseuplabs.org/privacy/postfix/) the user's home IP address should not appear in any email headers. *level 2* + * if it does appear, users must be informed about this *level 1* perhaps use server IP instead of localhost for [riseup hack](http://riseuplabs.org/privacy/postfix/) + +* The connection between the server and the user is always encrypted. *level 2* +* optional unencrypted communication between user and server are visibly marked as insecure *level 1* +* [StartTLS-postfix](http://metatron.sh/kmw/Transformers/PostfixCacertVerifyHowto) or [StartTLS-exim](http://aland.burngreave.net/archives/2009/12/30/index.html#e2009-12-30T16_26_49.txt) starttls with other compliant servers’, certs verified against cacert/... 
*level 1* +* [StartTLS-exim](http://aland.burngreave.net/archives/2009/12/30/index.html#e2009-12-30T16_26_49.txt) tls is required with other compliant servers’, certs verified with fingerprint *level 2* + +## Certificates and keys for encrypted stream-based services + +* Private keys are only stored encrypted *Level 2* +* Private keys are only stored encrypted and off-site *Level 3* +* Stream-based communication uses only a well-established set of cryptographic parameters (ciphers, message digests, asymmetric encryption algorithms, etc). See best practices documents for details. *Level 1* + +If you are using mod_ssl with apache and an RSA key for the server, somebody tentatively suggests: +<code>SSLCipherSuite TLSv1:!MD5:!EXP:!LOW:!NULL:!MEDIUM:!ADH:!DSS</code> + +## Logging + +* Logs containing user identifiable information are stored encrypted or only in memory. Otherwise the users are informed about this. *level 1* +* Logs contain no user identifiable information. *level 3* + +Apache logs have no IP addresses: [mod_removeip](http://riseuplabs.org/privacy/apache/) + +Under Debian with Apache2: + +<code> +apt-get install libapache2-mod-removeip +a2enmod removeip +/etc/init.d/apache2 force-reload +</code> + +* Logs containing information about non-individual user activities are stored encrypted or only in memory. *level 1* +* Logs contain no information about non-individual user activities. *level 2* +* System logs (not related to user activities) is stored encrypted or only in memory. *level 2* + +Comes with "Filesystem and Storage Level 2" + +* System logs (not related to user activities) are not stored. *level 3* diff --git a/best_practices_es.mdwn b/best_practices_es.mdwn new file mode 100644 index 0000000..25faa62 --- /dev/null +++ b/best_practices_es.mdwn 
@@ -0,0 +1,103 @@ +# Best Practises Workshop 3. April 2013 + +## Correo electronico + +### Exim + +#### Nivel 1 + +##### [StartTLS-exim](http://aland.burngreave.net/archives/2009/12/30/index.html#e2009-12-30T16_26_.txt) starttls (funciona con otros servidores compatibles), verificacin de certificados (con/contra?) cacert/ + +### Si el servidor registra la direccin IP de cualquier usuaria que enve un correo a travs de su servicio en cualquier lugar del correo, la usuaria es informada acerca de ello. + +### Las conexiones entre las personas usuarias y el servidor estan siempre encriptadas. + +### Utiliza StartTLS para intercambiar correos con otros servidores siempre que sea posible. +## El servidor tiene que contar con su propio certificado SSL firmado por uno o varias autoridades certificadas. Para ms detalles mirate el documento de buenas practicas. + +#### Nivel 2 + +##### [StartTLS-exim](http://aland.burngreave.net/archives/2009/12/30/index.html#e2009-12-30T16_26_49.txt) Se requiere TLS para los servidores compatibles, certificados verificados con fingerprints (huellas digitales). + +### Postfix + +#### Nivell 1 + +##### Si el servidor aade/registra la direccin IP de cualquiera persona usuaria enviando un correo a travs de su servicio en cualquier lugar del correo, la usuaria es informada acerca de ello. + +No se trata de un tema de configuracin: Deberas usar tus canales de comunicacin transmitir informacin a tu base de usuarias (por ejemplo un boletn de noticias, lista de correo para difusin). Nuevas usuarias deberan ser informadascomo parte del proceso de registro. Puedes adicionalmente explicarlo en tu pagina web. + +##### Las conexiones entre las usuarias y el servidor siempre estan encriptadas. 
+ +* Del lado servidor: [Configura Postfix para usar el certificado X.509](http://koti.kapsi.fi/ptk/postfix/postfix-tls-cacert.shtml) recuperada el 3 de Abril de 2013 +* Del lado cliente: Pregunta amablemente a tu proveedor la documentacin :) + +##### Utiliza StartTLS para intercambiar correos con otros servidores siempre que sea posible. + +## El servidor tiene que contar con su propio certificado X.509 firmado por una o varias entidades certificadoras. + +Existen varios problemas con el ecosistema X.509, estos son parcialmente descritos [aqui](http://lair.fifthhorseman.net/~dkg/tls-centralization/) + +Dependiendo de cuanto vuestras usuarias entienden de certificados X.509, recomendamos 4 scenarios dieferentes: + +a. **Autoridad certificadora comercial**: generalmente cuesta dinero pero las usuarias no se confunden porque sus clientes de correo no vienen acompaados de certificados raiz comercial, de esta manera no habrn mas mensajes acerca de cadenas de certificados no confiables. No aumenta necesariamente la seguridad si el adversario puede generar certificaods porque una entidad certificadora se ha vuelto por ejemplo corrupta o es directamente un estado. Para ms detalles lean [X.509 en wikipedia](https://es.wikipedia.org/wiki/X.509). + +b. **CaCert**: Las usuarias deben instalar y validar certificados raz de CaCert'sporque no vienen incluidos en ningn cliente de correo. Pero al ser un certificado comn puede que ya venga instalado en otros servicios. Tambin existe un paquete debian que hace facil a las usuarias de Debian/ubuntu instalarselo. + +c. **Certificados auto firmados / Autoridad propia**: No vienen instalados por defecto en los clientes de correo de las usuarias. Tienen que instalar certificados raiz. Si no usan certificado pinning (?) y tienen otras autoridades certificadoras comerciales instaladas solo se generar confusin. Puede que fomentes que las usuarias no lean los mensajes de seguridad. 
Si correctamente utilizado por su grupo de crypto-ninjas, "puede" resultar ms seguro. + +d. **Monkeysphere**: Puedes usar llaves libres PGP (certificaciones) para autentificar. Esta es una execelente solucin a nivel tecnico, aunque no es soportada por el software mas popular. Si cuentas con usuarias potentes, te recomendamos intentar usarla. Puedes encontrar ms informacin [aqui](http://monkeysphere.info/) + +### Nivel 2 + +#### El servidor no aade la direccin de lxs usuarixs que envian correos a traves del servidor en ninguna parte del correo. + +* [IPs en los headers](https://we.riseup.net/debian/mail#postfix) + +#### Se requiere TLS para servidores compatibles tambin con nivel 2. Los certificados se verifican con la huella (fingerprint). + +Una solucin equivalente seria implemenar una unin IPsec entre colectivos reelevantes que hace innecesario el uso de TLS. + +Para poder implementar esto, debes tener al da los fingerprints de los certificados de los grupos con los que quieres cooperar. Hay muchas formas de hacer esto, pero depende muchsimo del contexto tcnico y social, as que no las detallaremos aqu ms all decomentar que es unrequerimiento. Mantener una lista de estos fingerprints, verificar las conexiones y actualizarlos cuando cambian puede ser engorroso (hasta que alguien implemente un protocolo automatizado y seguro para este propsito). + + * [Postfix TLS README](http://www.postfix.org/TLS_README.html ) + +### Nivel 3 + +#### El correo esta tambin disponible como un sevicio Tor oculto. + +[Torproject: Tor Hidden Service documentation]https://www.torproject.org/docs/tor-hidden-service.html.en → adaptado a las necesidades del servidor de correo. + +**Cliente**: [torbirdy](https://trac.torproject.org/projects/tor/wiki/torbirdy) es una extensin de Thunderbird para poder usar algunos servicios ocultos. 
+ +## Sistema de ficheros y almacenamiento + +### Nivel 1 + + * Los datos de lxs usuarixs que no son de acceso pblico se guardan encriptados, usando una contrasea fuerte. Mira en los documentos de buenas prcticas para ms detalles. Esto incluye correos, bases de datos, listas de archivos, sitios webs restringidos y otros.. + +En GNU/Linux, cryptsetup: + + * Como configurar un sistema de ficheros en unos pocos pasos http://www.debian-administration.org/articles/469 + * Configurar un sistema Debian encryptado. http://madduck.net/docs/cryptdisk/ + +### Nivel 2 + +* La Swap se guarda encriptada. + +Para esto puedes tambin puedes usar "said cryptsetup". + +* El sistema operativo y la configuracin se guarda con una contrasea fuerte de encriptacion . Mira en los documentos de mejores prcticas para ms detalles. + +Hoy en dia se pueden usar diferentes instaladores "OS" que logran esto: El instalador modo texto alternativo de Ubuntu? + +No confiar en discos duros que promueven encriptacion en la ("disklayer") capa del disco, a menudo no estan bien implementados o vienen, por ejemplo con puertas traseras + +### Nivel 3 + +* La Swap esta encriptada con una llave nueva cada vez que se inicia la mquina +* Crear una area swap encriptada: + + [Microhowto:Create an encrypted ways area](http://www.microhowto.info/howto/create_an_encrypted_swap_area.html) + + [Riseup: Encrypted Swap](https://we.riseup.net/debian/encrypted-swap) + + [Crypttab manual](http://linux.die.net/man/5/crypttab) -> ir a seccin "swap" + diff --git a/header_background.jpg b/header_background.jpg Binary files differnew file mode 100644 index 0000000..f1d2872 --- /dev/null +++ b/header_background.jpg diff --git a/ikiwiki.setup b/ikiwiki.setup new file mode 100644 index 0000000..aa88182 --- /dev/null +++ b/ikiwiki.setup 
@@ -0,0 +1,430 @@
+# IkiWiki::Setup::Yaml - YAML formatted setup file
+#
+# Setup file for ikiwiki.
+#
+# Passing this to ikiwiki --setup will make ikiwiki generate
+# wrappers and build the wiki.
+#
+# Remember to re-run ikiwiki --setup any time you edit this file.
+#
+# name of the wiki
+wikiname: Providers' Commitment for Privacy
+# contact email for wiki
+adminemail: root@localhost
+# users who are wiki admins
+adminuser:
+ - https://id.koumbit.net/anarcat
+# users who are banned from the wiki
+banned_users: []
+# where the source of the wiki is located
+srcdir: /home/a-policy/source
+# where to build the wiki
+destdir: /home/a-policy/public_html
+# base url to the wiki
+url: http://policy.anarcat.ath.cx
+# url to the ikiwiki.cgi
+cgiurl: http://policy.anarcat.ath.cx/ikiwiki.cgi
+# filename of cgi wrapper to generate
+cgi_wrapper: /var/www/a-policy/ikiwiki.cgi
+# mode for cgi_wrapper (can safely be made suid)
+cgi_wrappermode: 0755
+# rcs backend to use
+rcs: git
+# plugins to add to the default configuration
+add_plugins:
+ - goodstuff
+ - websetup
+ - 404
+ - ikiwikihosting
+ - recentchangesdiff
+ - theme
+ - prettydate
+ - version
+ - headinganchors
+ - editdiff
+ - format
+ - relativedate
+ - sortnaturally
+ - branchable
+ - sidebar
+# plugins to disable
+disable_plugins:
+ - search
+# additional directory to search for template files
+templatedir: /usr/share/ikiwiki/templates
+# base wiki source location
+underlaydir: /usr/share/ikiwiki/basewiki
+# display verbose messages?
+#verbose: 1
+# log to syslog?
+syslog: 1
+# create output files named page/index.html?
+usedirs: 1
+# use '!'-prefixed preprocessor directives?
+prefix_directives: 1
+# use page/index.mdwn source files
+indexpages: 0
+# enable Discussion pages?
+discussion: 1
+# name of Discussion pages
+discussionpage: Discussion
+# generate HTML5?
+html5: 0
+# only send cookies over SSL connections?
+sslcookie: 0
+# extension to use for new pages
+default_pageext: mdwn
+# extension to use for html files
+htmlext: html
+# strftime format string to display date
+timeformat: '%c'
+# UTF-8 locale to use
+#locale: en_US.UTF-8
+# put user pages below specified page
+userdir: users
+# how many backlinks to show before hiding excess (0 to show all)
+numbacklinks: 10
+# attempt to hardlink source files? (optimisation for large files)
+hardlink: 1
+# force ikiwiki to use a particular umask
+#umask: 022
+# group for wrappers to run in
+#wrappergroup: ikiwiki
+# extra library and plugin directory
+libdir: /home/a-policy/.ikiwiki
+# environment variables
+ENV:
+ TMPDIR: /home/a-policy/tmp
+# time zone name
+timezone: GMT
+# regexp of normally excluded files to include
+#include: '^\.htaccess$'
+# regexp of files that should be skipped
+#exclude: '^(*\.private|Makefile)$'
+# specifies the characters that are allowed in source filenames
+wiki_file_chars: '-[:alnum:]+/.:_'
+# allow symlinks in the path leading to the srcdir (potentially insecure)
+allow_symlinks_before_srcdir: 0
+
+######################################################################
+# core plugins
+# (branchable, editpage, git, gitpush, htmlscrubber, ikiwikihosting,
+# inline, link, meta, parentlinks)
+######################################################################
+
+# branchable plugin
+# Allow anyone to branch, check out, and copy this site?
+branchable: 1
+# Allow anyone to git push verified changes to this site?
+anonpush: 0
+# Display "Branchable" link on action bar?
+branchable_action: 1
+
+# git plugin
+# git hook to generate
+git_wrapper: /home/a-policy/source.git/hooks/post-update
+# shell command for git_wrapper to run, in the background
+#git_wrapper_background_command: git push github
+# mode for git_wrapper (can safely be made suid)
+git_wrappermode: 6755
+# git pre-receive hook to generate
+#git_test_receive_wrapper: /git/wiki.git/hooks/pre-receive
+# unix users whose commits should be checked by the pre-receive hook
+untrusted_committers:
+ - ikiwiki-anon
+# gitweb url to show file history ([[file]] substituted)
+#historyurl: 'http://git.example.com/gitweb.cgi?p=wiki.git;a=history;f=[[file]];hb=HEAD'
+# gitweb url to show a diff ([[file]], [[sha1_to]], [[sha1_from]], [[sha1_commit]], and [[sha1_parent]] substituted)
+#diffurl: 'http://git.example.com/gitweb.cgi?p=wiki.git;a=blobdiff;f=[[file]];h=[[sha1_to]];hp=[[sha1_from]];hb=[[sha1_commit]];hpb=[[sha1_parent]]'
+# where to pull and push changes (set to empty string to disable)
+gitorigin_branch: origin
+# branch that the wiki is stored in
+gitmaster_branch: master
+
+# gitpush plugin
+# git repository urls that changes are pushed to
+#git_push_to: []
+
+# htmlscrubber plugin
+# PageSpec specifying pages not to scrub
+#htmlscrubber_skip: '!*/Discussion'
+
+# ikiwikihosting plugin
+# list of urls that alias to the main url
+#urlalias: []
+# openid of primary site owner
+owner: https://id.koumbit.net/
+# optional hostname of site this one was branched from
+#parent: ''
+# internal hostname of this site
+hostname: policy.anarcat.ath.cx
+# site creation datestamp
+created: 1324138932
+# how many days to retain logs
+#log_period: 7
+# disable IPv6?
+ipv6_disabled: 0
+
+# inline plugin
+# enable rss feeds by default?
+rss: 1
+# enable atom feeds by default?
+atom: 1
+# allow rss feeds to be used?
+#allowrss: 0
+# allow atom feeds to be used?
+#allowatom: 0
+# urls to ping (using XML-RPC) on feed update
+pingurl: []
+
+######################################################################
+# auth plugins
+# (anonok, blogspam, httpauth, lockedit, moderatedcomments,
+# opendiscussion, openid, passwordauth, signinedit)
+######################################################################
+
+# anonok plugin
+# PageSpec to limit which pages anonymous users can edit
+#anonok_pagespec: '*/discussion'
+
+# blogspam plugin
+# PageSpec of pages to check for spam
+#blogspam_pagespec: postcomment(*)
+# options to send to blogspam server
+#blogspam_options: 'blacklist=1.2.3.4,blacklist=8.7.6.5,max-links=10'
+# blogspam server XML-RPC url
+#blogspam_server: ''
+
+# httpauth plugin
+# url to redirect to when authentication is needed
+#cgiauthurl: http://example.com/wiki/auth/ikiwiki.cgi
+# PageSpec of pages where only httpauth will be used for authentication
+#httpauth_pagespec: '!*/Discussion'
+
+# lockedit plugin
+# PageSpec controlling which pages are locked
+#locked_pages: '!*/Discussion'
+
+# moderatedcomments plugin
+# PageSpec matching users or comment locations to moderate
+#moderate_pagespec: '*'
+
+# openid plugin
+# url pattern of openid realm (default is cgiurl)
+openid_realm: http://*.orangeseeds.org/
+# url to ikiwiki cgi to use for openid authentication (default is cgiurl)
+openid_cgiurl: http://policy.anarcat.ath.cx/ikiwiki.cgi
+
+# passwordauth plugin
+# a password that must be entered when signing up for an account
+#account_creation_password: s3cr1t
+# cost of generating a password using Authen::Passphrase::BlowfishCrypt
+#password_cost: 8
+
+######################################################################
+# format plugins
+# (creole, highlight, hnb, html, mdwn, otl, po, rawhtml, rst, textile,
+# txt)
+######################################################################
+
+# highlight plugin
+# types of source files to syntax highlight
+#tohighlight: .c .h .cpp .pl .py Makefile:make
+# location of highlight's filetypes.conf
+filetypes_conf: /etc/highlight/filetypes.conf
+# location of highlight's langDefs directory
+langdefdir: /usr/share/highlight/langDefs/
+
+# mdwn plugin
+# enable multimarkdown features?
+multimarkdown: 1
+
+# po plugin
+# master language (non-PO files)
+#po_master_language: en|English
+# slave languages (translated via PO files) format: ll|Langname
+#po_slave_languages:
+# - fr|Français
+# - es|Español
+# - de|Deutsch
+# PageSpec controlling which pages are translatable
+po_translatable_pages: ''
+# internal linking behavior (default/current/negotiated)
+po_link_to: default
+
+######################################################################
+# misc plugins
+# (filecheck)
+######################################################################
+
+######################################################################
+# web plugins
+# (404, attachment, comments, editdiff, edittemplate, google, goto,
+# mirrorlist, repolist, search, theme, userlist, websetup, wmd)
+######################################################################
+
+# attachment plugin
+# enhanced PageSpec specifying what attachments are allowed
+#allowed_attachments: virusfree() and mimetype(image/*) and maxsize(50kb)
+# virus checker program (reads STDIN, returns nonzero if virus found)
+#virus_checker: clamdscan -
+
+# comments plugin
+# PageSpec of pages where comments are allowed
+comments_pagespec: ''
+# PageSpec of pages where posting new comments is not allowed
+comments_closed_pagespec: ''
+# Base name for comments, e.g. "comment_" for pages like "sandbox/comment_12"
+comments_pagename: comment_
+# Interpret directives in comments?
+#comments_allowdirectives: 0
+# Allow anonymous commenters to set an author name?
+#comments_allowauthor: 0
+# commit comments to the VCS
+comments_commit: 1
+
+# mirrorlist plugin
+# list of mirrors
+#mirrorlist: {}
+
+# repolist plugin
+# URIs of repositories containing the wiki's source
+repositories:
+ - ssh://a-policy@policy.anarcat.ath.cx/
+ - git://policy.anarcat.ath.cx/
+
+# search plugin
+# path to the omega cgi program
+omega_cgi: /usr/lib/cgi-bin/omega/omega
+
+# theme plugin
+# name of theme to enable
+theme: pcp
+
+# websetup plugin
+# list of plugins that cannot be enabled/disabled via the web interface
+websetup_force_plugins:
+ - httpauth
+ - openid
+ - mdwn
+ - wmd
+ - aggregate
+# list of additional setup field keys to treat as unsafe
+websetup_unsafe:
+ - url
+ - cgiurl
+ - verbose
+ - syslog
+ - usedirs
+ - prefix_directives
+ - indexpages
+ - repositories
+# show unsafe settings, read-only, in web interface?
+websetup_show_unsafe: 0
+
+######################################################################
+# widget plugins
+# (calendar, color, conditional, cutpaste, date, format, fortune,
+# graphviz, haiku, headinganchors, img, linkmap, listdirectives, map,
+# more, orphans, pagecount, pagestats, poll, polygen, postsparkline,
+# progress, shortcut, sparkline, table, template, teximg, toc, toggle,
+# version)
+######################################################################
+
+# calendar plugin
+# base of the archives hierarchy
+#archivebase: archives
+# PageSpec of pages to include in the archives; used by ikiwiki-calendar command
+#archive_pagespec: page(posts/*) and !*/Discussion
+
+# listdirectives plugin
+# directory in srcdir that contains directive descriptions
+directive_description_dir: ikiwiki/directive
+
+# teximg plugin
+# Should teximg use dvipng to render, or dvips and convert?
+#teximg_dvipng: ''
+# LaTeX prefix for teximg plugin
+#teximg_prefix: |
+# \documentclass{article}
+# \usepackage[utf8]{inputenc}
+# \usepackage{amsmath}
+# \usepackage{amsfonts}
+# \usepackage{amssymb}
+# \pagestyle{empty}
+# \begin{document}
+# LaTeX postfix for teximg plugin
+#teximg_postfix: '\end{document}'
+
+######################################################################
+# other plugins
+# (aggregate, autoindex, brokenlinks, camelcase, ddate, embed, favicon,
+# flattr, goodstuff, htmlbalance, localstyle, missingsite, pagetemplate,
+# parked, pingee, pinger, prettydate, recentchanges, recentchangesdiff,
+# relativedate, rsync, sidebar, smiley, sortnaturally, tag,
+# testpagespec, transient, typography, underlay)
+######################################################################
+
+# aggregate plugin
+# enable aggregation to internal pages?
+aggregateinternal: 1
+# allow aggregation to be triggered via the web?
+#aggregate_webtrigger: 0
+# cookie control
+cookiejar:
+ file: /home/a-policy/.ikiwiki/cookies
+
+# autoindex plugin
+# commit autocreated index pages
+autoindex_commit: 1
+
+# camelcase plugin
+# list of words to not turn into links
+#camelcase_ignore: []
+
+# flattr plugin
+# userid or user name to use by default for Flattr buttons
+#flattr_userid: joeyh
+
+# parked plugin
+# An optional message explaining why this site is parked.
+#parked_message: ''
+
+# pinger plugin
+# how many seconds to try pinging before timing out
+#pinger_timeout: 15
+
+# prettydate plugin
+# format to use to display date
+prettydateformat: '%X, %B %o, %Y'
+
+# recentchanges plugin
+# name of the recentchanges page
+recentchangespage: recentchanges
+# number of changes to track
+recentchangesnum: 100
+
+# rsync plugin
+# command to run to sync updated pages
+#rsync_command: rsync -qa --delete . user@host:/path/to/docroot/
+
+# sidebar plugin
+# show sidebar page on all pages?
+global_sidebars: 1
+
+# tag plugin
+# parent page tags are located under
+#tagbase: tag
+# autocreate new tag pages?
+#tag_autocreate: 1
+# commit autocreated tag pages
+tag_autocreate_commit: 1
+
+# typography plugin
+# Text::Typography attributes value
+#typographyattributes: 3
+
+# underlay plugin
+# extra underlay directories to add
+#add_underlays:
+# - /home/a-policy/wiki.underlay
diff --git a/index.mdwn b/index.mdwn
new file mode 100644
index 0000000..a5098cb
--- /dev/null
+++ b/index.mdwn
@@ -0,0 +1,13 @@
+# PCP Policy
+
+Welcome to the website of Providers' Commitment for Privacy (PCP)
+policy. You can find the following information here:
+
+ * The [[policy]] text
+ * Suggestions for [[best practices|Best Practices]]
+ * [[Contact information|About]]
+ * Presentation [[slides|pcp28c3.pdf]] from [[28C3|http://events.ccc.de/congress/2011/wiki/Welcome]]
+ * Clone the website: "git clone git://git.sarava.org/policy.git"
+
+----
+Wiki powered by [[ikiwiki]].
diff --git a/pcp28c3.pdf b/pcp28c3.pdf
Binary files differ
new file mode 100644
index 0000000..0fbb285
--- /dev/null
+++ b/pcp28c3.pdf
diff --git a/policy-signed.txt b/policy-signed.txt
new file mode 100644
index 0000000..25f966e
--- /dev/null
+++ b/policy-signed.txt
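Review bot: `sslcookie: 0` together with `url`, `cgiurl` and `openid_cgiurl` all on plain `http://` means the ikiwiki session cookie, the OpenID assertion that logs in the `adminuser`, and every configuration change made through the enabled `websetup` plugin cross the network in cleartext — a weak posture for a site whose content is a privacy commitment. Serve the CGI over TLS and set `url: https://policy.anarcat.ath.cx`, `cgiurl: https://policy.anarcat.ath.cx/ikiwiki.cgi`, `sslcookie: 1` (the static pages may stay reachable over http, but the CGI and the cookie should not). Separately, `openid_realm: http://*.orangeseeds.org/` does not contain the `openid_cgiurl` host policy.anarcat.ath.cx; OpenID providers check that return_to lies within the realm, so this looks like a value carried over from another site and will either reject logins or push users to accept a mismatched realm — verify and point it at this site's own host or drop it to fall back to cgiurl. `adminemail: root@localhost` is also still the installer placeholder and will not reach anyone from a remote host.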
@@ -0,0 +1,192 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+Providers' Commitment for Privacy: Version 1.0
+
+ 1. Preamble
+ 2. Description of the security levels
+ 1. Short overview of level 1
+ 2. Short overview of level 2
+ 3. Short overview of level 3
+ 3. Modules
+ 1. What to do in case of fire?
+ 2. Mail
+ 3. Webmail
+ 4. Certificates and keys for encrypted stream-based services
+ 5. Filesystems and Storage
+ 6. Logs
+ 7. Users
+ 8. Evaluation of policy compliance
+
+Preamble
+
+This document contains many social and technical issues, that should lead to a more secure handling of private user data.
+
+In light of the increased surveillance and repression measures established by many governments in the first decade of this millennium, it is now even more necessary to improve users' understanding and awareness of privacy matters, as well as the privacy levels offered by tech collectives and groups.
+
+With this draft, we are trying to create more transparency for our users. This document states what users can expect from the tech collectives and groups that signed it, in terms of the use of encryption, logging of ip's and data storage.
+
+Another reason to write this document is to encourage a privacy/security awareness amongst us. This draft can be used to put pressure on sysadmins, collectives and groups to do the right thing. In order to reduce the work involved, the signing tech collectives and groups share knowledge and write down standards that can be implemented by other tech collectives and groups.
+
+This being said, beware:
+
+ 1. The fact that a tech collective or group signed this document is not a guarantee in itself; as a user you should have a trust relationship with the tech collective or group based on personal relations, not on signatures. Your data can only be as secure as the human beings who maintain the server it is stored on.
+ 2. There is no such thing as a perfectly secure server! 
Human mistakes and software bugs can disclose your data, reveal your identity, send you to jail and kill your kitten.
+ 3. Nothing that your preferred tech collective or group does will be enough to protect you from intense directed scrutiny from a powerful organization. If you suspect you are the target of special surveillance, you need to take your own privacy into your own hands.
+
+Description of the security levels
+
+The computer is to the information industry roughly what the central power station is to the electrical industry. -- Peter Drucker
+
+There is no such thing as service that is both perfectly secure and one that fully protects the end-user's privacy. The policy defined below thus is designed to enumerate different levels of security and privacy. Each tech collective should try to reach the highest possible level. Even at the highest defined level, the ideal setup may be somewhere beyond what is proposed in this document. In many cases it will be impossible to fulfill some points due to various problems: technical, social, resources, etc. The levels defined are intended to make it easier for users of services to understand, and as a result, make better decisions about the security and privacy of their data. They also should serve as guidelines for sysadmins who need an overview of the various aspects involved in these important issues and some of the goals that they should strive to attain.
+
+The policy defines three levels of security and privacy. The first level (level 1) contains basic requirements for services, its defined as less secure and providing less privacy assurances than “level 2”. Fulfilling the requirements of the highest level (level 3) will be the most challenging to implement for the technical collectives and will, in most cases, protect users’ data better. The following descriptions of the levels are meant to give a short overview of the key differences between each. 
Please refer to the specific list of requirements for more details. Yet beware, the higher the level, the harder it is to achieve or verify for the user.
+Short overview of level 1
+
+ * Connections to all services are encrypted by default. If a non-encrypted alternative connection is offered, then this must be marked visibly to warn users.
+ * Mail sent through the service can possibly include user identifiable information (e.g. the IP address of the originating host).
+ * Only data that is not already publicly accessible has to be stored encrypted (e.g. user private data)
+ * It is possible that user identifiable logs are stored without encryption.
+ * Compliance with the policy is reviewed by the administrators at least once in a year.
+
+Short overview of level 2
+
+ * Connections between users and the services they use are always encrypted.
+ * Mails contain no user identifiable information.
+ * No user identifiable information are stored in logs.
+ * The operating system of the service and its configuration are only stored encrypted.
+ * Compliance with the policy is reviewed by the administrators at least once within six months.
+
+Short overview of level 3
+
+ * All services are also available as hidden Tor services.
+ * No logs are stored.
+ * Compliance with the policy is reviewed by the administrators at least once within three months.
+
+Modules
+
+Obviously, every security/privacy level requires that you keep your software up to date to the current knowledge of security issues.
+What to do in case of fire?
+Level 1
+
+ * Make sure to have means of communication to users when the server goes down. This can be an alternative communication channel (e.g. external mail, phone, ...) or an off-site status web page.
+
+Mail
+Level 1
+
+ * If the server adds the IP address of a user sending a mail through its service anywhere in the email, the user is informed about this.
+ * The connections between the user and the server are always encrypted. 
+ * Use StartTLS to exchange mails with other servers whenever available.
+ * The server must have its own SSL certificate signed by one of a given set of certificate authorities. See best practices documents for details.
+
+Level 2
+
+ * The server doesn't add the IP address of a user sending a mail through its service anywhere in the email.
+ * TLS is required with other level 2 compliant servers. Certificates are verified with fingerprint.
+
+Level 3
+
+ * Mail is also available as an enclaved hidden Tor service.
+
+Webmail
+Level 1
+
+ * The connections between the server and the user are always encrypted.
+ * If the user's IP address appears in the email headers, this fact is visibly marked as insecure.
+
+Level 2
+
+ * All sessions must be stored as cookies. Session IDs cannot be in the URL.
+ * The user's IP address does not appear in any email headers.
+
+Level 3
+
+ * Due to the fact that client-side scripting, such as Javascript, can reveal the user's IP address (this is why users of Tor typically disable it), Webmail is functional without it.
+ * The session ID algorithm and cookies do not use or store the user's IP address, neither in plain text or some garbled form. Sessions are not restricted to IP addresses (since this would prevent access with anonymity tools such as Tor).
+ * Webmail is also available as an enclaved hidden Tor service.
+
+Certificates and keys for encrypted stream-based services
+Level 1
+
+ * Stream-based communication uses only a well-established set of cryptographic parameters (ciphers, message digests, asymmetric encryption algorithms, etc). See best practices documents for details.
+
+Level 2
+
+ * Private keys are only stored encrypted.
+
+Level 3
+
+ * Private keys are only stored encrypted and off-site.
+
+Filesystems and Storage
+Level 1
+
+ * User data that is not publicly accessible is stored encrypted, using a strong passphrase. See best practices documents for details. 
This includes mails, databases, list archives, restricted websites and others.
+
+Level 2
+
+ * Swap is stored encrypted.
+ * The operating system and its configuration is stored encrypted with a strong passphrase. See best practices documents for details.
+
+Level 3
+
+ * Swap is encrypted with a random key on boot.
+
+Logs
+Level 1
+
+ * Logs are stored encrypted or only in memory.
+
+Level 2
+
+ * Logs are anonymized and contain no information that can identify user activities.
+
+Level 3
+
+ * No logs of any kind are stored.
+
+Users
+Level 1
+
+ * Users are advised about good passwords and polices. See best practices documents for details.
+
+Level 2
+
+ * Users are forced to use strong passwords, as measured by a generally accepted password strength algorithm. See best practices documents for details.
+ * Shell accounts for users are only in vservers, separate boxes, or similar sandboxes. No end user have a login on a server that provides sensitive services. See best practices documents for details.
+
+Level 3
+
+ * Shell accounts are isolated from other users: each user's shell account exists in a chrooted environment that has no visibility into other user's environments (files, processes, etc.).
+
+Evaluation of policy compliance
+Level 1
+
+ * Yearly periodic self-evaluation: checking at least every twelve months that requirements supposed to be achieved actually are.
+
+Level 2
+
+ * Semi-yearly self-evaluation: checking at least every six months that requirements supposed to be achieved actually are.
+
+Level 3
+
+ * Quarterly self-evaluation: checking at least every three months that requirements supposed to be achieved actually are. 
+
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.10 (GNU/Linux)
+
+iQIcBAEBAgAGBQJO+m5gAAoJEIvA5znQZFhDrFEQALgM/fg4rc+Jw78/c0kjFT3P
+IA2kOqWRdKQDA0fxr+S5fzpMOhTYxQjWCOGQq+l6VtPr5nBOXvYhX/r7Wg8VJde6
+GZqZIaBPPZGq6cNa7p5lhN4NKmARu9x5JYVE3PCEGQALvellgNAbrIuMcYp6UIJZ
+fFVPJrYiMBpVDpF1mauv4UK4UBRKPo+DzFHZverbFvnBZ4CE5QUSTEa0LHFyrTxX
+E5vwIX6m6EEVBzdUtHZD9WOM6mOiGgRT6LOHy2NPy+YERvGUUQyb2PqTzxgnBzWB
+Cqfh6Ki0f9ZVlt5ctr83EUmd5h3DwfZH1rKaCRKZ0tw/wsP1aA6BkHhhH4VP1uov
+5UTjpRmVbs9evqy+aiO+BRCXdJK0/eZv4wWaK/j4D3aDaZ4Vhotw8i/+A+xB5GF0
+tjrGGO+7XfaQYTtz1aeTMMmrfJBTYO0Bzs8jH1kY41NYy36lMaxGGgf0wNS+IuP/
+n1oaf8VD4MBxPjR1lEIXBtUq/OYSWr69UsKniFmsTXqx4U35geVQugpKT+ILfeHX
+NHeF4Tnsz3siIy4FpMLOcCYbihf+LAJm8/HyukODEdrb7dkjlyT9ivE7rH2GA+uc
+eb1NIfBveYHu2o+WbENHKqXFNVO+p6kw3vfR4Le98pGVhrOPMiFfmfe9SrhRq8Yb
+wn3EbWa/UcVhXGnUQgoV
+=HQyf
+-----END PGP SIGNATURE-----
diff --git a/policy.mdwn b/policy.mdwn
new file mode 100644
index 0000000..f5ee36e
--- /dev/null
+++ b/policy.mdwn
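Review bot: The Logs module's level-1 requirement contradicts the level-1 overview in the same signed text: the overview says `It is possible that user identifiable logs are stored without encryption.`, while the Logs module says `Logs are stored encrypted or only in memory.`, so a reader cannot tell whether unencrypted logs are level-1 compliant. The same pair of sentences is repeated in policy.mdwn and policy_es.mdwn. Since this text is already clearsigned, the fix belongs to the next revision: either align the overview with the module, e.g. `User identifiable logs may be kept, but only encrypted or in memory.`, or relax the module to match the overview. Also, the `Hash: SHA1` header shows the clearsign digest is SHA-1; when the policy is re-signed (policy.mdwn lists the key as expiring 2013-01-31), signing with a SHA-2 digest would be the better choice.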
@@ -0,0 +1,185 @@
+__Providers' Commitment for Privacy: _Version 1.0___
+
+
+Translations: [[Castellano|policy_es]]
+
+[[!toc levels=2]]
+
+# Preamble
+
+This document contains many social and technical issues, that should lead to a more secure handling of private user data.
+
+In light of the increased surveillance and repression measures established by many governments in the first decade of this millennium, it is now even more necessary to improve users' understanding and awareness of privacy matters, as well as the privacy levels offered by tech collectives and groups.
+
+With this draft, we are trying to create more transparency for our users. This document states what users can expect from the tech collectives and groups that signed it, in terms of the use of encryption, logging of ip's and data storage.
+
+Another reason to write this document is to encourage a privacy/security awareness amongst us. This draft can be used to put pressure on sysadmins, collectives and groups to do the right thing. In order to reduce the work involved, the signing tech collectives and groups share knowledge and write down standards that can be implemented by other tech collectives and groups.
+
+This being said, beware:
+
+ 1. The fact that a tech collective or group signed this document is not a guarantee in itself; as a user you should have a trust relationship with the tech collective or group based on personal relations, not on signatures. Your data can only be as secure as the human beings who maintain the server it is stored on.
+ 2. There is no such thing as a perfectly secure server! Human mistakes and software bugs can disclose your data, reveal your identity, send you to jail and kill your kitten.
+ 3. Nothing that your preferred tech collective or group does will be enough to protect you from intense directed scrutiny from a powerful organization. If you suspect you are the target of special surveillance, you need to take your own privacy into your own hands. 
+
+
+# Description of the security levels
+
+_The computer is to the information industry roughly what the
+central power station is to the electrical industry.
+ -- Peter Drucker_
+
+There is no such thing as service that is both perfectly secure and one that fully protects the end-user's privacy. The policy defined below thus is designed to enumerate different levels of security and privacy. Each tech collective should try to reach the highest possible level. Even at the highest defined level, the ideal setup may be somewhere beyond what is proposed in this document. In many cases it will be impossible to fulfill some points due to various problems: technical, social, resources, etc. The levels defined are intended to make it easier for users of services to understand, and as a result, make better decisions about the security and privacy of their data. They also should serve as guidelines for sysadmins who need an overview of the various aspects involved in these important issues and some of the goals that they should strive to attain.
+
+The policy defines three levels of security and privacy. The first level (level 1) contains basic requirements for services, its defined as less secure and providing less privacy assurances than “level 2”. Fulfilling the requirements of the highest level (level 3) will be the most challenging to implement for the technical collectives and will, in most cases, protect users’ data better. The following descriptions of the levels are meant to give a short overview of the key differences between each. Please refer to the specific list of requirements for more details. Yet beware, the higher the level, the harder it is to achieve or verify for the user.
+
+
+## Short overview of _level 1_
+* Connections to all services are encrypted by default. If a non-encrypted alternative connection is offered, then this must be marked visibly to warn users.
+* Mail sent through the service can possibly include user identifiable information (e.g. 
the IP address of the originating host).
+* Only data that is not already publicly accessible has to be stored encrypted (e.g. user private data)
+* It is possible that user identifiable logs are stored without encryption.
+* Compliance with the policy is reviewed by the administrators at least once in a year.
+
+## Short overview of _level 2_
+* Connections between users and the services they use are always encrypted.
+* Mails contain no user identifiable information.
+* No user identifiable information are stored in logs.
+* The operating system of the service and its configuration are only stored encrypted.
+* Compliance with the policy is reviewed by the administrators at least once within six months.
+
+## Short overview of _level 3_
+* All services are also available as hidden Tor services.
+* No logs are stored.
+* Compliance with the policy is reviewed by the administrators at least once within three months.
+
+
+# Modules
+
+Obviously, every security/privacy level requires that you keep your software up to date to the current knowledge of security issues.
+
+
+## What to do in case of fire?
+
+### Level 1
+
+* Make sure to have means of communication to users when the server goes down. This can be an alternative communication channel (e.g. external mail, phone, ...) or an off-site status web page.
+
+## Mail
+
+### Level 1
+
+* If the server adds the IP address of a user sending a mail through its service anywhere in the email, the user is informed about this.
+* The connections between the user and the server are always encrypted.
+* Use StartTLS to exchange mails with other servers whenever available.
+* The server must have its own SSL certificate signed by one of a given set of certificate authorities. See best practices documents for details.
+
+### Level 2
+
+* The server doesn't add the IP address of a user sending a mail through its service anywhere in the email.
+* TLS is required with other level 2 compliant servers. 
Certificates are verified with fingerprint.
+
+### Level 3
+
+* Mail is also available as an enclaved hidden Tor service.
+
+## Webmail
+
+### Level 1
+
+* The connections between the server and the user are always encrypted.
+* If the user's IP address appears in the email headers, this fact is visibly marked as insecure.
+
+### Level 2
+
+* All sessions must be stored as cookies. Session IDs cannot be in the URL.
+* The user's IP address does not appear in any email headers.
+
+### Level 3
+
+* Due to the fact that client-side scripting, such as Javascript, can reveal the user's IP address (this is why users of Tor typically disable it), Webmail is functional without it.
+* The session ID algorithm and cookies do not use or store the user's IP address, neither in plain text or some garbled form. Sessions are not restricted to IP addresses (since this would prevent access with anonymity tools such as Tor).
+* Webmail is also available as an enclaved hidden Tor service.
+
+## Certificates and keys for encrypted stream-based services
+
+### Level 1
+
+* Stream-based communication uses only a well-established set of cryptographic parameters (ciphers, message digests, asymmetric encryption algorithms, etc). See best practices documents for details.
+
+### Level 2
+
+* Private keys are only stored encrypted.
+
+### Level 3
+
+* Private keys are only stored encrypted and off-site.
+
+## Filesystems and Storage
+
+### Level 1
+
+* User data that is not publicly accessible is stored encrypted, using a strong passphrase. See best practices documents for details. This includes mails, databases, list archives, restricted websites and others.
+
+### Level 2
+
+* Swap is stored encrypted.
+* The operating system and its configuration is stored encrypted with a strong passphrase. See best practices documents for details.
+
+### Level 3
+
+* Swap is encrypted with a random key on boot.
+
+## Logs
+
+### Level 1
+
+* Logs are stored encrypted or only in memory. 
+
+### Level 2
+
+* Logs are anonymized and contain no information that can identify user activities.
+
+### Level 3
+
+* No logs of any kind are stored.
+
+## Users
+
+### Level 1
+
+* Users are advised about good passwords and polices. See best practices documents for details.
+
+### Level 2
+
+* Users are forced to use strong passwords, as measured by a generally accepted password strength algorithm. See best practices documents for details.
+* Shell accounts for users are only in vservers, separate boxes, or similar sandboxes. No end user have a login on a server that provides sensitive services. See best practices documents for details.
+
+### Level 3
+
+* Shell accounts are isolated from other users: each user's shell account exists in a chrooted environment that has no visibility into other user's environments (files, processes, etc.).
+
+## Evaluation of policy compliance
+
+### Level 1
+
+* Yearly periodic self-evaluation: checking at least every twelve months that requirements supposed to be achieved actually are.
+
+### Level 2
+
+* Semi-yearly self-evaluation: checking at least every six months that requirements supposed to be achieved actually are.
+
+### Level 3
+
+* Quarterly self-evaluation: checking at least every three months that requirements supposed to be achieved actually are.
+
+## Verification
+
+The current version of the policy is signed with an OpenGPG key
+([keyserver](https://keys.mayfirst.org/pks/lookup?op=get&search=0xCE8BA23183EC5CB69760E02F8BC0E739D0645843)). Key
+details are as follows:
+
+ pub 4096R/D0645843 2011-12-28 [expires: 2013-01-31]
+ Key fingerprint = CE8B A231 83EC 5CB6 9760 E02F 8BC0 E739 D064 5843
+ uid Providers Commitment for Privacy
+
+The signed file is [[here|policy-signed.txt]].
diff --git a/policy_es.mdwn b/policy_es.mdwn
new file mode 100644
index 0000000..9057bc7
--- /dev/null
+++ b/policy_es.mdwn
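Review bot: The level-2 mail requirement `TLS is required with other level 2 compliant servers. Certificates are verified with fingerprint.` does not say how peer fingerprints are obtained, how a certificate rotation is announced to the other providers, or whether delivery fails closed on a mismatch, so two level-2 providers cannot tell from the text whether they are compliant towards each other. A short addition would make it checkable, e.g. `Fingerprints are exchanged out of band between the participating providers, a mismatch blocks delivery, and certificate changes are announced before rotation.` (or a pointer to the best-practices document if it already covers this). Similarly, the level-2 webmail item that moves session IDs out of the URL into cookies would be stronger if it also required the Secure and HttpOnly cookie attributes, so the session ID is not exposed to a plain-HTTP request or to the client-side scripting that level 3 already treats as a risk.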
@@ -0,0 +1,169 @@
+[[!toc levels=2]]
+
+#Preámbulo...
+
+Este documento contiene varios temas sociales y técnicos que deberían dar lugar a una forma más segura de tratar los datos de las usuarias.
+
+A la luz del desmesurado crecimiento de las medidas de vigilancia y represión establecidas por muchos gobiernos durante las primeras décadas de este milenio, se hace cada vez más necesario profundizar la comprensión de las usuarias y su sensibilidad en torno a los asuntos vinculados a la privacidad, así como los niveles de privacidad ofrecidos por colectivos y grupos tecnológicos.
+
+Con este borrador estamos intentando generar más transparencia para nuestras usuarias. Este documento establece lo que las usuarias pueden esperar de parte de los grupos y colectivos que lo firman, en términos del uso de la encriptación, registro de IP's y datos almacenados.
+
+Otra razón para escribir este documento es fomentar cierta sensibilidad en torno a la privacidad/seguridad entre nosotras. Este borrador puede ser utilizado para presionar a administradores de sistemas, colectivos y grupos a hacer las cosas de la forma que consideramos correcta. Con el objetivo de reducir el trabajo implicado, los colectivos y grupos tecnológicos firmantes compartirán su conocimiento y escribirán estándares que puedan ser implementados por otros colectivos y grupos tecnológicos.
+
+Dicho esto, tened presente que:
+
+1. El hecho de que un grupo o colectivo tecnológico firme este documento no es una garantía en sí misma; como usuaria deberías tener una relación de confianza con los colectivos o grupos tecnológicos basada en relaciones personales, no en firmas. Tus datos sólo estarán seguros si lo están los sujetos que mantienen el servidor donde se alojan tus datos.
+2. No existe un servidor perfectamente seguro! Los errores humanos y los fallos informáticos pueden divulgar tus datos, revelar tu identidad, enviarte a la cárcel y matar a tu gatita.
+3. 
Nada de lo que tu grupo o colectivo tecnológico preferido haga será suficiente para protegerte de un examen intenso y directo de una organización poderosa. Si sospechas que estás siendo blanco de vigilancia tendrás que tomar tu privacidad con tus propias manos.
+
+# Descripción de los niveles de seguridad
+
+_La computadora es a la industria de la información (casi) lo mismo que la central energética a la industria eléctrica. --Peter Drucker_
+
+No hay ninguna clase de servicio que sea pefectamente seguro y que pueda proteger completamente los datos de lxs usuarixs. La politica definida aqui abajo esta diseñada par enumerar los niveles de seguridad y privacidad. Cada colectivo tecnologico deberia intentar alcanzar el nivel más alto posible. Incluso estando al nivel más alto de los defindos aqui, el setup ideal podria estar incluso más allá de lo propuesto en estos documentos. En algunos casos podría ser imposible completar algunos de los puntos debido a varios problemas: técnicos, sociales, recursos, etc. Los niveles definidos aquí intentan hacer todo esto lo más fácil y entendible para los usuarixs de los servicios, con la intención de generar mejores decisiones acerca de la seguridad y privacidad de los datos. También podrían servir como guias para sysadmins(administradores de sistemas) que necesiten una mirada rápida a los varios aspectos envueltos en estas importantes cuestiones y algunos de los objetivos a los que deberían atenerse.
+
+La política define tres niveles de seguridad y privacidad. El primer nivel (level 1) contiene los requerimientos básicos de los servicios, definidos como menos seguros y de menos seguridad y privacidad que los del nivel 2 (level 2). Alcanzar los requerimientos del nivel 3 (level 3) sera el mayor desafió a implementar por los colectivos técnicos y será, en la mayoría de los casos la mejor forma de proteger nuestros datos. 
La siguiente descripción de niveles signigica también dar una mirada a las diferencias claves entre los distintos niveles. Para más detalles mira en la lista de requerimientos específicos. Hay que tener en cuenta que a mayor nivel, más duro es de lograr o verificar para el usuario.
+
+## Resumen Nivel 1
+
+* Todas las conexiones de servicios estan encriptadas por defecto. Si se ofrece una alternativa no-encriptada, entonces debe avisarse de forma visible a lxs user.
+* Los mails enviados a traves del servicio puede incluir identificación e información del usuario ( por ej. la dirección IP del ""host que envia"" ).
+* Solo los datos que no estan accesibles de forma pública tienen que almacenarse de forma encriptada.
+* Es posible que los registros de los usuarios se guarden sin encriptación. //* Los registros de los usuarios se pueden guardar sin encriptación.
+* Se revisa por lxs administradorxs, el cumplimiento de la politica del servidor por lo menos una vez al año.
+
+## Resumen Nivel 2
+
+* La conexión entre usuarias y los servivios que usen estan siempre encripatdas.
+* Los correos no contienen información identificable de las usuarias.
+* Ninguna información identificable de las usuarias es almacenada en los logs.
+* El sistema operativo del servicio solamente y su configuración solamente están almacenadas encriptadamente.
+* La conformidad con la politica es revisada por las administradoras al menos una vez cada seis meses.
+
+## Resumen Nivel 3
+
+* Todos los servicios están támbién disponibles con servicio de ocultación Tor
+* Los logos no son almacenados
+* El cumplimiento de esta política es revisada por los administradores al menos una vez cada tres meses.
+
+Obviamente, cada nivel se seguridad/privacidad requiere que mantenga su software actualizado y al día en relación a los conocimientos actuales en cuestiones de seguridad. 
+Obviously, every security/privacy level requires that you keep your software up to date to the current knowledge of security issues.
+
+## ¿Que hacer en caso de incendio?
+
+### Nivel 1
+
+* Asegurate de contar con canales de comunicación con las usuarias si el servidor se cae. Por ejemplo, un correo electrónico externo, un teléfono, o una página web alojada en otro lugar.
+* Si el servidor añade la dirección IP del usuario cuando envía un correo electrónico a través de su servicio , el usuario debe ser informado acerca de ello.
+* Las conexiones entre las personas usuarias y el servidor deben siempre ser encriptadas.
+* Usa StartTLS siempre que puedas para intercambiar correos con otros servidores.
+* El servidor debe contar con su propio certificado SSL firmado por una o varias autoridades certificadoras. Vean el documento de mejores practicas para los detalles.
+
+### Nivel 2
+
+* El servidor no debe añadir la dirección IP de una persona usuaria enviando un correo electronico a través de su servicio en ningún lugar del correo.
+* El uso de TLS es obligatorio con otros servidores cumplidores del nivel 2. Los certificados se verifican con un fingerprint (huella digital).
+
+### Nivel 3
+
+* El correo también esta disponible como un servicio oculto enclavado de Tor.
+
+## Webmail
+
+### Nivel 1
+
+* Las conexiones entre el servidor y el usuario están siempre encriptadas.
+* Si la dirección de IP del usuario aparece en los encabezamientos de email, este hecho es visiblemente marcado como inseguro.
+
+### Nivel 2
+
+* Todas las sesiones tienen que estar almacenadas como cookies. Las sesiones IDs no pueden estar en la URL.
+* La dirección IP del usuario no aparece en ningun encabezamiento de email.
+
+### Nivel 3
+
+* Debido a que cliente-lado scripting, como Javascript, puede revelar la dirección IP del usuario (esto es porque las usuarias de Tor generalmente las inutiliza), Webmail es funcional sin él. 
+* La sesión de algoritmo ID y las cookies no utilizan o almacenar la dirección de IP de la usuaria, tampoco en texto sencillo o en alguna forma confusa. Las sesiones no estan restringidas a direcciones de IP (ya que esto impediría el acceso con herramientas de anonimato como Tor).
+* Webmail también esta disponible como un servicio enclaved escondido Tor.
+
+## Certificados y llaves para servicios encriptados basados en stream
+
+### Nivel 1
+
+* La comunicación basada en stream solo usa un kit de parametros criptográficos bien establecidos (ciphers, mensajes resumidos, algoritmos de encriptación asimétrica, etc). Mira los documentos de buenas prácticas para más detalles.
+
+### Nivel 2
+
+* Las llaves privadas sólo son almacenadas de manera encriptada.
+
+### Nivel 3
+
+* Las llaves privadas son sólo almacenadas encriptado y fuera del sitio.
+
+## Sistema de archivos y almacenamiento
+
+### Nivel 1
+
+* Los datos de usuarias que no son accesibles públicamente se almacenan encriptados, utilizando una frase de pasword fuerte. Mira los documentos de buenas prácticas para más detalles. Esto incluye correos, bases de datos, listas de archivos, sitios web restringidos y otros..
+
+### Nivel 2
+
+* La memoria de intercambio se almacena encriptadamente.
+* El sistema operativo y su configuración se almacenada encriptadamente con una frase de password fuerte. Mira los documentos de buenas prácticas para más detalles.
+
+### Nivel 3
+
+* La memoria de intercambio está encriptada con una llave aleatoria en el boot.
+
+## Registros
+
+### Nivel 1
+
+* Los registros son almacenados encriptadamente sólo en la memoria.
+
+### Nivel 2
+
+* Los registros son anonimizados y no contienen ninguna información que puede identificar las actividades de la usuaria.
+
+### Nivel 3
+
+* Ninguna clase de registro son almacenados.
+
+## Usuarias
+
+### Nivel 1
+
+* Se aconseja a las usuarias sobre buenas contraseñas buenas y politicas. 
Mira los documentos de buenas prácticas para más detalles.
+
+### Nivel 2
+
+* Las usuarias están forzadas a utilizar contraseñas fuertes, medidas generalmente por una contraseña aceptada por un algoritmo de fuerza. Mira los documentos de buenas prácticas para más detalles.
+* Las cuentas de la terminal para usuarias estan sólo en vservers, cajas separadas, o sandboxes similares. Ninguna usuaria tiene un login en un servidor que proporcione servicios sensibles. Mira los documentos de buenas prácticas para más detalles.
+
+### Nivel 3
+
+* Las cuentas de la terninal están aisladas de otras usuarias: cada cuenta de usuaria en la terminal existe en un entorno chrooted que no tiene ninguna visibilidad en entornos de otras usuarias (archivos, procesos, etc.).
+
+## Evaluación de conformidad de la política
+
+### Nivel1
+
+* Auto-evaluación periódica anual: comprobar al menos cada doce meses que los requisitos supuestos para ser conseguidos están.
+
+### Nivel 2
+
+* Auto-evaluación semi-Anual: comprobar al menos cada seis meses que los requisitos supuestos son conseguidos.
+
+### Nivel 3
+
+* Auto-evaluación trimestral: comprobar al menos cada tres meses que los requisitos supuestos son conseguidos.
+
+## Verificación
+
+La versión actual de la politica esta firmada con una llave OpenGPG (keyserver). Los detalles de la llave son:
+pub 4096R/D0645843 2011-12-28 [expires: 2013-01-31]
+ Key fingerprint = CE8B A231 83EC 5CB6 9760 E02F 8BC0 E739 D064 5843 uid
+
+## Compromiso de los proveedores para privacidad
+
+El archivo firmado es aquí.
diff --git a/sidebar.mdwn b/sidebar.mdwn
new file mode 100644
index 0000000..e5effa9
--- /dev/null
+++ b/sidebar.mdwn
@@ -0,0 +1,4 @@
+* [Home](/)
+* [[Policy]]
+* [[Best Practices]]
+* [[About]]
diff --git a/style.css b/style.css
new file mode 100644
index 0000000..48db1d1
--- /dev/null
+++ b/style.css
@@ -0,0 +1,798 @@
+/* ikiwiki style sheet */
+
+/* PCP Theme */
+
+/* Note that instead of modifying this style sheet, you can instead edit
+ * local.css and use it to override or change settings in this one.
+ */
+
+/* html5 compat */
+article,
+header,
+footer,
+nav {
+ display: block;
+}
+
+#content {
+ margin-left: 1em;
+ min-height: 300px;
+}
+
+#content p {
+ line-height: 1.3em;
+ margin-left: 2em;
+}
+#content li {
+ line-height: 1.5em;
+ margin-left: 2em;
+}
+
+.header {
+ padding-top: 0.5em;
+ margin: 0;
+ font-size: 22px;
+ font-weight: bold;
+ line-height: 1em;
+ display: block;
+}
+
+.inlineheader .author {
+ margin: 0;
+ font-size: 18px;
+ font-weight: bold;
+ display: block;
+}
+
+.actions ul {
+ width: 100%;
+ margin: 0;
+ padding: 6px .4em;
+ height: 1em;
+ list-style-type: none;
+}
+.actions li {
+ display: inline;
+ padding: .2em;
+}
+
+#otherlanguages ul {
+ margin: 0;
+ padding: 6px;
+ list-style-type: none;
+}
+#otherlanguages li {
+ display: inline;
+ padding: .2em .4em;
+}
+.pageheader #otherlanguages {
+ border-bottom: 1px solid #000;
+}
+
+.inlinecontent {
+ margin-top: .4em;
+}
+
+.pagefooter,
+.inlinefooter,
+.comments {
+ clear: both;
+}
+
+#footer {
+ border-top: 1px solid #000;
+}
+
+#pageinfo {
+ margin: 1em ;
+ margin-top: 0.5em;
+}
+
+.tags {
+ margin-top: 1em;
+}
+
+.inlinepage .tags {
+ display: inline;
+}
+
+.mapparent {
+ text-decoration: none;
+}
+
+.img caption {
+ font-size: 80%;
+ caption-side: bottom;
+ text-align: center;
+}
+
+img.img {
+ margin: 0.5ex;
+}
+
+.align-left {
+ float:left;
+}
+
+.align-right {
+ float:right;
+}
+
+#backlinks {
+ margin-top: 0em;
+}
+
+#searchform {
+ display: inline;
+ float: right;
+}
+
+#editcontent {
+ width: 98%;
+}
+
+.editcontentdiv {
+ width: auto;
+ overflow: auto;
+}
+
+img {
+ border-style: none;
+}
+
+pre {
+ overflow: auto;
+}
+
+div.recentchanges {
+ border-style: solid;
+ border-width: 1px;
+ overflow: auto;
+ width: auto;
+ clear: none;
+ background: #eee;
+ color: black 
!important;
+}
+.recentchanges .metadata {
+ padding: 0px 0.5em;
+}
+.recentchanges .changelog {
+ font-style: italic;
+ clear: both;
+ display: block;
+ padding: 1px 2px;
+ background: white !important;
+ color: black !important;
+}
+.recentchanges .desc {
+ display: none;
+}
+.recentchanges .diff {
+ display: none;
+}
+.recentchanges .committer {
+ float: left;
+ margin: 0;
+ width: 40%;
+}
+.recentchanges .committype {
+ float: left;
+ margin: 0;
+ width: 5%;
+ font-size: small;
+}
+.recentchanges .changedate {
+ float: left;
+ margin: 0;
+ width: 35%;
+ font-size: small;
+}
+.recentchanges .pagelinks {
+ float: right;
+ margin: 0;
+ width: 60%;
+}
+
+#blogform {
+ padding: 10px 10px;
+ border: 1px solid #aaa;
+ background: #eee;
+ color: black !important;
+ width: auto;
+ overflow: auto;
+}
+
+.inlinepage {
+ padding: 10px 10px;
+ border: 1px solid #aaa;
+ overflow: auto;
+}
+
+.pagedate,
+.pagelicense,
+.pagecopyright {
+ font-style: italic;
+ font-size: 0.8em;
+ display: block;
+ margin-top: 1em;
+ padding-bottom: 0.5em;
+}
+
+.error {
+ color: #C00;
+}
+
+.sidebar {
+ position: absolute;
+ width: 14em;
+ right: 0em;
+ float: right;
+ margin-left: 0;
+ margin-bottom: 1em;
+ margin-top: 1em;
+ margin-right: 1em;
+ padding-top: .4em;
+ padding-left: .6em;
+ padding-right: 0em;
+ padding-bottom: 1em;
+ background: #bababa;
+ border: .1em solid black;
+ color: black !important;
+}
+
+.sidebar ul {
+ margin-top: 0.5em;
+}
+
+.sidebar li {
+ font-weight: bold;
+}
+
+.sidebar h1 {
+ margin-top: 0em;
+ margin-left: 0em;
+ padding-bottom: 0;
+ margin-bottom: 0;
+ font-size: 1.2em;
+}
+
+hr.poll {
+ height: 10pt;
+ color: white !important;
+ background: #eee;
+ border: 2px solid black;
+}
+div.poll {
+ margin-top: 1ex;
+ margin-bottom: 1ex;
+ padding: 1ex 1ex;
+ border: 1px solid #aaa;
+}
+
+span.color {
+ padding: 2px;
+}
+
+.comment-header,
+.microblog-header {
+ font-style: italic;
+ margin-top: .3em;
+}
+.comment .author,
+.microblog .author {
+ font-weight: bold; 
+}
+.comment-subject {
+ font-weight: bold;
+}
+.comment {
+ border: 1px solid #aaa;
+ padding: 3px;
+}
+
+div.progress {
+ margin-top: 1ex;
+ margin-bottom: 1ex;
+ border: 1px solid #888;
+ width: 400px;
+ background: #eee;
+ color: black !important;
+ padding: 1px;
+}
+div.progress-done {
+ background: #ea6 !important;
+ color: black !important;
+ text-align: center;
+ padding: 1px;
+}
+
+/* things to hide in printouts */
+@media print {
+ .actions { display: none; }
+ .tags { display: none; }
+ .feedbutton { display: none; }
+ #searchform { display: none; }
+ #blogform { display: none; }
+ #backlinks { display: none; }
+}
+
+/* infobox template */
+.infobox {
+ float: right;
+ margin-left: 2ex;
+ margin-top: 1ex;
+ margin-bottom: 1ex;
+ padding: 1ex 1ex;
+ border: 1px solid #aaa;
+ background: white;
+ color: black !important;
+}
+
+/* notebox template */
+.notebox {
+ display: none;
+ float: right;
+ margin-left: 2ex;
+ margin-top: 1ex;
+ margin-bottom: 1ex;
+ padding: 1ex 1ex;
+ border: 1px solid #aaa;
+ width: 25%;
+ background: white;
+ color: black !important;
+}
+
+/* popup template and backlinks hiding */
+.popup {
+ border-bottom: 1px dotted #366;
+ color: #366;
+}
+.popup .balloon,
+.popup .paren,
+.popup .expand {
+ display: none;
+}
+.popup:hover .balloon,
+.popup:focus .balloon {
+ position: absolute;
+ display: inline;
+ margin: 1em 0 0 -2em;
+ padding: 0.625em;
+ border: 2px solid;
+ background-color: #dee;
+ color: black;
+}
+
+/* form styling */
+fieldset {
+ margin: 1ex 0;
+ border: 1px solid black;
+}
+legend {
+ padding: 0 1ex;
+}
+.fb_submit {
+ float: left;
+ margin: 2px 0;
+}
+label.block {
+ display: block;
+}
+label.inline {
+ display: inline;
+}
+input#openid_identifier {
+ background: url(wikiicons/openidlogin-bg.gif) no-repeat;
+ background-color: #fff;
+ background-position: 0 50%;
+ color: #000;
+ padding-left: 18px;
+}
+input#searchbox {
+ background: url(wikiicons/search-bg.gif) no-repeat;
+ background-color: #fff;
+ 
background-position: 100% 50%;
+ color: #000;
+ padding-right: 16px;
+}
+/* invalid form fields */
+.fb_invalid {
+ color: red;
+ background: white !important;
+}
+/* required form fields */
+.fb_required {
+ font-weight: bold;
+}
+
+/* highlight plugin */
+pre.hl { color:#000000; background-color:#ffffff; }
+.hl.num { color:#2928ff; }
+.hl.esc { color:#ff00ff; }
+.hl.str { color:#ff0000; }
+.hl.dstr { color:#818100; }
+.hl.slc { color:#838183; font-style:italic; }
+.hl.com { color:#838183; font-style:italic; }
+.hl.dir { color:#008200; }
+.hl.sym { color:#000000; }
+.hl.line { color:#555555; }
+.hl.mark { background-color:#ffffbb; }
+.hl.kwa { color:#000000; font-weight:bold; }
+.hl.kwb { color:#830000; }
+.hl.kwc { color:#000000; font-weight:bold; }
+.hl.kwd { color:#010181; }
+
+/* calendar plugin */
+.month-calendar-day-this-day,
+.year-calendar-this-month {
+ background-color: #eee;
+}
+.month-calendar-day-head,
+.month-calendar-day-nolink,
+.month-calendar-day-link,
+.month-calendar-day-this-day,
+.month-calendar-day-future {
+ text-align: right;
+}
+.month-calendar-arrow A:link,
+.year-calendar-arrow A:link,
+.month-calendar-arrow A:visited,
+.year-calendar-arrow A:visited {
+ text-decoration: none;
+ font-weight: normal;
+ font-size: 150%;
+}
+
+/* outlines */
+li.L1 { list-style: upper-roman; }
+li.L2 { list-style: decimal; }
+li.L3 { list-style: lower-alpha; }
+li.L4 { list-style: disc; }
+li.L5 { list-style: square; }
+li.L6 { list-style: circle; }
+li.L7 { list-style: lower-roman; }
+li.L8 { list-style: upper-alpha; }
+
+/* tag cloud */
+.pagecloud {
+ display: none;
+ float: right;
+ width: 30%;
+ text-align: center;
+ padding: 10px 10px;
+ border: 1px solid #aaa;
+ background: #eee;
+ color: black !important;
+}
+.smallestPC { font-size: 70%; }
+.smallPC { font-size: 85%; }
+.normalPC { font-size: 100%; }
+.bigPC { font-size: 115%; }
+.biggestPC { font-size: 130%; }
+
+/* orange feed button */
+.feedbutton {
+ background: #ff6600;
+ color: white 
!important;
+ border-left: 1px solid #cc9966;
+ border-top: 1px solid #ccaa99;
+ border-right: 1px solid #993300;
+ border-bottom: 1px solid #331100;
+ padding: 0px 0.5em 0px 0.5em;
+ font-family: sans-serif;
+ font-weight: bold;
+ font-size: small;
+ text-decoration: none;
+ margin-top: 1em;
+}
+.feedbutton:hover {
+ color: white !important;
+ background: #ff9900;
+}
+
+/* openid selector */
+#openid_choice {
+ display: none;
+}
+#openid_input_area {
+ clear: both;
+ padding: 10px;
+}
+#openid_btns, #openid_btns br {
+ clear: both;
+}
+#openid_highlight {
+ background-color: black;
+ float: left;
+}
+.openid_large_btn {
+ padding: 1em 1.5em;
+ border: 1px solid #DDD;
+ margin: 3px;
+ float: left;
+}
+.openid_small_btn {
+ padding: 4px 4px;
+ border: 1px solid #DDD;
+ margin: 3px;
+ float: left;
+}
+a.openid_large_btn:focus {
+ outline: none;
+}
+a.openid_large_btn:focus {
+ -moz-outline-style: none;
+}
+.openid_selected {
+ border: 4px solid #DDD;
+}
+/* bzed theme for ikiwiki
+ *
+ * Copyright (C) 2010 Bernd Zeimetz
+ * Licensed under same license as ikiwiki: GPL v2 or later
+ *
+ * Parts of this file are based on the awesome YUI,
+ * these parts will stay under the BSD license,
+ * but you're free to apply the GPLv2 to them, of course.
+ */
+
+
+
+/* -------------------------------------------------------------------------------------------------
+Based on reset-fonts-grids.css from yui.
+Copyright (c) 2008, Yahoo! Inc. All rights reserved. 
+Code licensed under the BSD License:
+http://developer.yahoo.net/yui/license.txt
+version: 2.5.1
+*/
+body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,code,form,legend,p,blockquote,th,td{margin:0;padding:0;}
+table{border-collapse:collapse;border-spacing:0;}
+img{border:0;}
+address,caption,cite,code,dfn,em,strong,th,var{font-style:normal;font-weight:normal;}
+li{list-style:none;}
+caption,th{text-align:left;}
+h1,h2,h3,h4,h5,h6{font-size:100%;font-weight:normal;}
+q:before,q:after{content:'';}
+abbr,acronym {border:0;font-variant:normal;}
+sup {vertical-align:text-top;}
+sub {vertical-align:text-bottom;}
+input,textarea,select{font-family:inherit;font-size: 13px;font-weight:normal;}
+input,textarea,select{font-size:100%;}
+legend{color:#000;}
+body {font:13px Verdana,Lucida,Helvetica,Arial,sans-serif;}
+table {font-size:inherit;font:100%;}
+pre,code,kbd,samp,tt{font-family:monospace;}
+
+
+body{text-align:left;}
+.inlinefooter{clear:both;}
+
+
+/* #doc3{margin:auto 10px;width:auto;} */
+
+
+/* ------------------------------------------------------------------------------------------------
+ * Taken from base.css, part of YUI's CSS Foundation
+ * Copyright (c) 2008, Yahoo! Inc. All rights reserved. 
+ * Code licensed under the BSD License:
+ * http://developer.yahoo.net/yui/license.txt
+ * version: 2.5.1
+*/
+h1 {
+ /*18px via YUI Fonts CSS foundation*/
+ font-size:138.5%;
+}
+h2 {
+ /*16px via YUI Fonts CSS foundation*/
+ margin-left: 0.8em;
+ font-size:123.1%;
+}
+h3 {
+ /*14px via YUI Fonts CSS foundation*/
+ margin-left: 1.5em;
+ font-size:108%;
+}
+h1,h2,h3,h4,h5,h6,strong {
+ /*bringing boldness back to headers and the strong element*/
+ font-weight:bold;
+}
+
+abbr,acronym {
+ /*indicating to users that more info is available */
+ border-bottom:1px dotted #000;
+ cursor:help;
+}
+em {
+ /*bringing italics back to the em element*/
+ font-style:italic;
+}
+blockquote,ul,ol,dl {
+ /*giving blockquotes and lists room to breath*/
+ margin:1em;
+}
+ol,ul,dl {
+ /*bringing lists on to the page with breathing room */
+ margin-left:2em;
+}
+ol li {
+ /*giving OL's LIs generated numbers*/
+ list-style: decimal outside;
+}
+ul li {
+ /*giving UL's LIs generated disc markers*/
+ list-style: disc outside;
+}
+dl dd {
+ /*giving UL's LIs generated numbers*/
+ margin-left:1em;
+}
+th,td {
+ /*borders and padding to make the table readable*/
+ border:1px solid #000;
+ padding:.5em;
+}
+th {
+ /*distinguishing table headers from data cells*/
+ font-weight:bold;
+ text-align:center;
+}
+caption {
+ /*coordinated margin to match cell's padding*/
+ margin-bottom:.5em;
+ /*centered so it doesn't blend in to other content*/
+ text-align:center;
+}
+p,fieldset,table,pre {
+ /*so things don't run into each other*/
+ margin-bottom:1em;
+}
+
+#searchbox {
+ width:21.5em;
+}
+
+
+/* ------------------------------------------------------------------------------------------------
+ * All CSS below is
+ * Copyright (C) 2010 Bernd Zeimetz
+ * Licensed under same license as ikiwiki: GPL v2 or later */
+
+.page, .pageheader, #content, #comments, .inlinepage, .recentchanges, .pageheader .actions ul {
+ border: none;
+}
+
+html, body {
+ color:#000;
+ background-color: #353D40;
+}
+ 
+body {
+ padding: 0;
+ margin: 0;
+}
+
+.page {
+ position: relative;
+ margin:auto;
+ text-align:left;
+ width:auto;
+ min-width:750px;
+ max-width:1200px;
+ background: #ddd;
+}
+.pageheader {
+ position: relative;
+ background-image: url('header_background.jpg');
+ background-repeat: repeat-x;
+ height: 100px;
+ padding-left: 1em;
+ padding-right: 1em;
+ padding-bottom: 1em;
+ padding-top: 1.2em;
+}
+
+.pageheader .header {
+ text-align: top;
+ clear: both;
+}
+
+.pageheader .header form {
+ padding: 0em 0em 0em 0em;
+ float: right;
+ margin-top: 0.5em;
+}
+
+.pageheader .header .title, .pageheader .header .parentlinks,
+ .inlinepage .inlineheader,
+ h1, h2, h3, h4, h5, h6 {
+ margin-top: 1em;
+ font-weight: bold;
+}
+
+.parentlinks,.title, .actions ul li {
+ background-color: rgba(85,100,115,0.7);
+}
+
+.pageheader .header .title, .pageheader .header .parentlinks, .pageheader .actions ul li, .pageheader .header span {
+ padding: 0.25em 0.25em 0.25em 0.25em;
+ opacity: 1;
+ color: #FFF;
+}
+
+.pageheader .header span a, .pageheader .actions ul li a, .pageheader .header .parentlinks a {
+ color: white;
+ text-decoration: none;
+ opacity: 1;
+}
+
+.pageheader .actions {
+ float: right;
+ position: absolute;
+ text-align: right;
+ vertical-align: bottom;
+ clear: both;
+ bottom: 1em;
+ right: 2em;
+}
+
+
+
+#pagebody {
+ position:static;
+ padding-right: 1em;
+ padding-bottom: 2em;
+ margin-right: 17em;
+ clear: none;
+}
+
+#content a, #comments a, .sidebar a, .pagefooter a {
+ color: #215470;
+ text-decoration: none;
+ font-weight: bold;
+}
+
+.sidebar .menu {
+ margin-left: 1em;
+}
+
+
+.inlinepage, .recentchanges, div.recentchanges {
+ clear: none !important;
+ margin-bottom: 2em;
+}
+
+.inlinefooter {
+ border-top: 1px dotted #315485;
+}
+
+.inlinefooter .pagedate, .inlinefooter .tags {
+ display: inline;
+ clear: none;
+ margin-right: 2em;
+}
+
+.calendar .month-calendar th, .calendar .month-calendar td {
+ padding: 0.22em;
+}
+
+@media print {
+ .sidebar, 
.page .pageheader .header .parentlinks {
+ content:".";
+ display:block;
+ height:0;
+ visibility:hidden;
+ }
+ .page {
+ padding: 1em 1em 1em 1em;
+ }
+ .pageheader .header span a, .pageheader .actions ul li a, .pageheader .header .parentlinks a {
+ color #315485;
+ }
+ #content, #comments, #pagebody {
+ margin-right: 0;
+ *margin-right: 0;
+ border-right: none;
+ }
+
+}
+
diff --git a/test.mdwm b/test.mdwm
new file mode 100644
index 0000000..a042389
--- /dev/null
+++ b/test.mdwm
@@ -0,0 +1 @@
+hello world!
diff --git a/users/anarcat.mdwn b/users/anarcat.mdwn
new file mode 100644
index 0000000..dbc75f0
--- /dev/null
+++ b/users/anarcat.mdwn
@@ -0,0 +1 @@
+see <https://wiki.koumbit.net/TheAnarcat>
diff --git a/users/maxigas.mdwn b/users/maxigas.mdwn
new file mode 100644
index 0000000..a042389
--- /dev/null
+++ b/users/maxigas.mdwn
@@ -0,0 +1 @@
+hello world! |
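Review bot: In the closing `@media print` block of style.css, the declaration `color #315485;` is missing the colon after `color`, so it is a parse error that browsers silently drop and the header links are printed with the screen rule's `color: white`; it should read `color: #315485;`. Two other declarations in the new theme are inert as written: `.pageheader .header { text-align: top; }` is not a valid `text-align` value (`vertical-align: top` was presumably intended), and `content:"."` on `.sidebar` and the parent links only takes effect on a `::before`/`::after` pseudo-element, so it can be dropped. None of this is security-relevant; every asset the stylesheet references (`header_background.jpg`, `wikiicons/*.gif`) is a relative path served from the wiki itself, so no third-party origin is pulled into the page.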