Security Policy
Version $v*1
@fullXRI inherits the Global Security Policy defined by XDI.org, and in addition publishes
its own Community Security Policy.
Global Security Policy
- XDI.org Agents MUST use commercially reasonable efforts to protect the security of all XRI and
XDI data under their authority. Such security protection must at a minimum include industry
standard authentication, authorization, and access control, and must further support all privacy,
survivability, and accountability controls that apply to the data.
- Due to the wide diversity and constantly evolving nature of computer security mechanisms and
practices, XDI.org does not specify a precise set of security mechanisms and practices. XDI.org
Agents SHOULD adhere to the [ISO17799] international standard for Information Security
Management Systems (ISMS). It is further recommended that all XDI.org Agents who store
Registrant data SHOULD become ISO 17799 certified by a recognized certification authority.
Community Security Policy
In addition to inheriting the Global Security Policy, @fullXRI defines the following Community
Security Policy:
- @fullXRI uses commercially reasonable efforts to protect the security of all XRI and
XDI data under its authority. Such security protection includes industry
standard authentication, authorization, and access control, and further supports all privacy,
survivability, and accountability controls that apply to the data.
- @fullXRI maintains a packet filter firewall to block network connections that are not essential to its services.
- @fullXRI operates only the minimum number of server applications necessary to provide its services, in order to keep potential points of attack to a minimum.
- @fullXRI stores Registrants' passwords in a hashed format.
- @fullXRI maintains detailed log files of both local and networked activity on its servers.
- @fullXRI frequently updates its server software to the latest versions.
- @fullXRI does not provide any way for users to upload executable code, scripts, etc., which could be used for an attack.
- @fullXRI will never ask Registrants for their passwords whether by phone, email or other communications means. Registrants are advised never to disclose their account password to anyone else. Registrants are solely responsible for keeping and maintaining the secrecy of their passwords.
- @fullXRI recommends that Registrants use passwords with the following attributes:
  1. At least eight characters in length.
  2. Contain both upper and lower case characters.
  3. Use numbers and punctuation characters as well as letters.
  4. Not identical to a word found in a dictionary (spelled forwards or backwards).
  5. Not personally identifiable information such as a birth date, address, bank account number, or phone number.
  6. Not easily discoverable information such as a maiden name, spouse's name, parent's name, child's name, pet's name, street name, school name, etc.
- @fullXRI will use Diligent Efforts to assure the integrity and confidentiality of data that Registrants provide as part of the registration or account management process.
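The six password attributes recommended above can be checked mechanically at registration time. The following Python validator is an added example written for this page; it is not @fullXRI's or XDI.org's own code. It assumes a constructed sample word list in place of a real dictionary, and it assumes the caller supplies the registrant's known personal terms (names, dates, street) for attributes 5 and 6, since those cannot be judged from the password string alone.

```python
import string

# Constructed sample word list standing in for a real dictionary (assumption:
# a deployment would load a full word list, e.g. from a system dictionary file).
SAMPLE_DICTIONARY = {"password", "letmein", "welcome", "dragon", "secret"}


def check_password(password, dictionary=SAMPLE_DICTIONARY, personal_terms=()):
    """Return the list of recommended attributes the password fails to meet.

    An empty list means the password satisfies all six attributes.
    `personal_terms` is a hypothetical caller-supplied iterable of strings the
    registrant is known by (pet name, birth year, street name, ...).
    """
    failures = []

    # 1. At least eight characters in length.
    if len(password) < 8:
        failures.append("length")

    # 2. Contain both upper and lower case characters.
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        failures.append("mixed_case")

    # 3. Use numbers and punctuation characters as well as letters.
    has_digit = any(c.isdigit() for c in password)
    has_punct = any(c in string.punctuation for c in password)
    if not (has_digit and has_punct):
        failures.append("digits_and_punctuation")

    # 4. Not identical to a dictionary word, forwards or backwards.
    #    Compared case-insensitively (assumption: a stricter reading of "identical").
    lowered = password.lower()
    if lowered in dictionary or lowered[::-1] in dictionary:
        failures.append("dictionary_word")

    # 5 and 6. Not personal or easily discoverable information. These are checked
    #    as substrings of the caller-supplied personal terms; very short terms are
    #    skipped to avoid rejecting every password containing a common trigram.
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and t in lowered:
            failures.append("personal_info")
            break

    return failures


def is_compliant(password, dictionary=SAMPLE_DICTIONARY, personal_terms=()):
    """True when the password meets every recommended attribute."""
    return not check_password(password, dictionary, personal_terms)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, terms in [("password", ()), ("Tr0ub4dor&3", ()), ("Fido2019!", ("Fido", "2019"))]:
        print(pw, "->", check_password(pw, personal_terms=terms) or "ok")
```

Attributes 1 to 4 are decidable from the password alone; attributes 5 and 6 only make sense when the registration system passes in what it already knows about the registrant, which is why the validator takes `personal_terms` as an explicit input rather than guessing.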
Conformance
@fullXRI assures that this Security Policy is in conformance with the XDI.org Global Security Policy.