Merge pull request #38 from Engineering-Research-and-Development/cert…

…_doc_upadate_part_10

Cert doc upadate part 10

README.md

@@ -1,6 +1,6 @@
 ![](doc/TRUE_Connector_Logo.png?raw=true)
 <div align="right" style="color: black; font-size: 25px;">
-   <strong> Version 1.0.7 </strong>
+   <strong> Version 1.0.8 </strong>
 </div>
 
 </br></br>

doc/TRUEConnector/prerequisite.md

@@ -64,8 +64,7 @@ AllowUsers sshUser1 sshUser2...
 
 ### Create SSH public and private keys for user accessing host machine
 
-As a first step, a key-pair needs to be created. This is usually done on the server. 
-With the following command a new key-pair is created. 
+As the first step, a key pair needs to be created. Following best security practices, each ***user*** generates their asymmetric key pair and securely shares the public key with the OS administrator for implementation at the OS level.  The following command is used to create a new key pair.
 
 ```
 ssh-keygen -t rsa -b 4096 -f ~/.ssh/desktop_key-rsa
@@ -76,8 +75,10 @@ ssh-keygen -t rsa -b 4096 -f ~/.ssh/desktop_key-rsa
 * `-b 4096` - specifies the key length, 4096 offers a good balance between security and performance, providing strong protection against brute-force attacks without being overly taxing on system resources.
 * `-f ~/.ssh/desktop_key-rsa` -  specifies the filename for the key file
 
-In order to create the key, you will be asked for a password. This is the password for your key. It is recommended and considered as best practice (and also security related) to enter passphrase. It will be used as security step, avoiding the usage of a stolen or lost private key. The result of this command should be two files. The file "\~/.ssh/desktop_key-rsa" which is the private-key file, and the file "~/.ssh/desktop_key-rsa.pub" which contains your public-key file. 
-This public-key and private-key will be securely transferred to the client. This means that keys are transferred to the client machine without exposing the content of the file, following best practices for delivering files containing sensitive data, such are password protected zip archive, uploading to some storage, and providing link to the responsible user, admin approaching to the client and copying key file from USB stick, or whatever is applicable and most suitable for the company.
+Using `-t rsa -b 4096` with `ssh-keygen` is essential for creating RSA keys of 4096 bits, improving security. The algorithm employed in the SSH communication protocol is the 4096-bit RSA asymmetric encryption algorithm. This method of key generation guarantees that the SSH keys for authentication are robust and secure against unauthorized access
+
+In order to create the key, you will be asked for a password. This is the password for your key. It is recommended and considered as best practice (and also security related) to enter passphrase. It will be used as security step, avoiding the usage of a stolen or lost private key. The result of this command should be two files. The file "\~/.ssh/desktop_key-rsa" which is the private-key file, and the file "~/.ssh/desktop_key-rsa.pub" which contains your public-key file.
+After the process is completed, the ***user*** must securely transfer the public-key to the OS administrator. This entails transferring the public-key without exposing the file's contents, following best practices for delivering files containing sensitive data. These practices may include using a password-protected zip archive, uploading to secure storage and providing a link to the responsible OS administrator, physically approaching the OS administrator and copying the key file from a USB stick, or employing any other applicable and suitable method for the company.
 
 public-key needs to be added to the authorized keys. To make sure we do not override any already configured authorized key, 
 we add the public-key to the authorized_keys file. If the file does not yet exist, it will create it automatically:
@@ -116,13 +117,13 @@ AllowUsers sshUser1 sshUser2...
 
 ### Periodic SSH Key Update Procedure
 
-For maintaining security administrators should perform a periodic refresh of SSH keys. This process should be conducted every three months (minimal, or even on lesser time frame if security policy requires). During each update cycle, the administrator is responsible for generating new SSH keys for all end users and ensuring the invalidation of previous keys. This practice ensures that any potential security risks associated with compromised or outdated keys are mitigated.
+To maintain security, OS administrators must periodically refresh SSH keys. This process must occur every three months (minimal, or even on lesser time frame if security policy requires). During each update cycle, administrators are responsible for informing users that they need to generate a new key pair and securely transfer the new public key. Failure to do so will make previous authorized keys invalid. This practice ensures that potential security risks associated with compromised or outdated keys are mitigated.
 
-To facilitate this process, the following steps should be diligently followed:
+To facilitate this process, the following steps must be diligently followed:
 
-* Generate New SSH Keys: Admins should create new SSH key pairs for each user.
+* Generate New SSH Keys: Users must create new SSH key pairs.
 
-* Distribute New Keys Securely: Once new keys are generated, they should be securely transferred to the end users.
+* Distribute New Keys Securely: Once new keys are generated, the public-key must be securely transferred to OS administrator.
 
 * Update the authorized_keys File: The new public keys must be added to the authorized_keys file on the server, replacing the old keys.
 
@@ -135,7 +136,7 @@ To facilitate this process, the following steps should be diligently followed:
 * Review and Test: After updating, conduct a thorough review and testing to ensure that only the new keys are operational and that server access is functioning as expected with the updated keys.
 
 
-By regularly updating SSH keys every three months, administrators will enhance the security of server access, making sure these keys effectively protect against unauthorized entry.
+By regularly updating SSH keys every three months, OS administrators will enhance the security of server access, making sure these keys effectively protect against unauthorized entry.
 
 ## Secure DB
 

doc/configuration-list-evaluation.md

@@ -4,13 +4,14 @@ This document contains an iterative table providing details on the certification
 
 | TRUE Connector version  | Release Date   | Submodules version                                                      | Source code | Evaluation evidence| 
 |:-----------------------:|:--------------:|:-----------------------------------------------------------------------:|:----------:|:-------------------|
-| v1.0.7                  | 2023-02-27     | ECC (v1.14.8), DataApp (v0.3.8), UCApp (v1.7.9), PIP (v1.0.0)           |[Link](https://github.com/Engineering-Research-and-Development/true-connector/releases/tag/v1.0.7) |Teams meetings, Email conversations |
-| v1.0.6                  | 2023-01-26     | ECC (v1.14.7), DataApp (v0.3.8), UCApp (v1.7.8), PIP (v1.0.0)           |[Link](https://github.com/Engineering-Research-and-Development/true-connector/releases/tag/v1.0.6) |TRUE Connector evaluation clarification points TC/v1/v2/v3/v4/v5/v6, Email conversations |
-| v1.0.5                  | 2022-12-13     | ECC (v1.14.6), DataApp (v0.3.7), UCApp (v1.7.8), PIP (v1.0.0)           |[Link](https://github.com/Engineering-Research-and-Development/true-connector/releases/tag/v1.0.5) | JIRA issues, Email conversations |
-| v1.0.4                  | 2022-11-17     | ECC (v1.14.6), DataApp (v0.3.7), UCApp (v1.7.8), PIP (v1.0.0)           |[Link](https://github.com/Engineering-Research-and-Development/true-connector/releases/tag/v1.0.4) |JIRA issues, Email conversations |
-| v1.0.3                  | 2022-10-13     | ECC (v1.14.4), DataApp (v0.3.4), UCApp (v1.7.5), PIP (v1.0.0)           |[Link](https://github.com/Engineering-Research-and-Development/true-connector/releases/tag/v1.0.3) | JIRA issues, Email conversations |
-| v1.0.2                  | 2022-10-04     | ECC (v1.14.3), DataApp (v0.3.2), UCApp (v1.7.5), PIP (v1.0.0)           |[Link](https://github.com/Engineering-Research-and-Development/true-connector/releases/tag/v1.0.2) | JIRA issues, Email conversations |
-| v1.0.1                  | 2021-08-22     | ECC (v1.14.2), DataApp (v0.3.1), UCApp (v1.7.4), PIP (v1.0.0)           |[Link](https://github.com/Engineering-Research-and-Development/true-connector/releases/tag/v1.0.1) | JIRA Issues, Email conversations |
+| v1.0.8                  | 2024-03-20     | ECC (v1.14.8), DataApp (v0.3.8), UCApp (v1.7.9), PIP (v1.0.0)           |[Link](https://github.com/Engineering-Research-and-Development/true-connector/releases/tag/v1.0.8) | Email conversations |
+| v1.0.7                  | 2024-02-27     | ECC (v1.14.8), DataApp (v0.3.8), UCApp (v1.7.9), PIP (v1.0.0)           |[Link](https://github.com/Engineering-Research-and-Development/true-connector/releases/tag/v1.0.7) |Teams meetings, Email conversations |
+| v1.0.6                  | 2024-01-25     | ECC (v1.14.7), DataApp (v0.3.8), UCApp (v1.7.8), PIP (v1.0.0)           |[Link](https://github.com/Engineering-Research-and-Development/true-connector/releases/tag/v1.0.6) |TRUE Connector evaluation clarification points TC/v1/v2/v3/v4/v5/v6, Email conversations |
+| v1.0.5                  | 2023-12-13     | ECC (v1.14.6), DataApp (v0.3.7), UCApp (v1.7.8), PIP (v1.0.0)           |[Link](https://github.com/Engineering-Research-and-Development/true-connector/releases/tag/v1.0.5) | JIRA issues, Email conversations |
+| v1.0.4                  | 2023-11-17     | ECC (v1.14.6), DataApp (v0.3.7), UCApp (v1.7.8), PIP (v1.0.0)           |[Link](https://github.com/Engineering-Research-and-Development/true-connector/releases/tag/v1.0.4) |JIRA issues, Email conversations |
+| v1.0.3                  | 2023-10-13     | ECC (v1.14.4), DataApp (v0.3.4), UCApp (v1.7.5), PIP (v1.0.0)           |[Link](https://github.com/Engineering-Research-and-Development/true-connector/releases/tag/v1.0.3) | JIRA issues, Email conversations |
+| v1.0.2                  | 2023-10-04     | ECC (v1.14.3), DataApp (v0.3.2), UCApp (v1.7.5), PIP (v1.0.0)           |[Link](https://github.com/Engineering-Research-and-Development/true-connector/releases/tag/v1.0.2) | JIRA issues, Email conversations |
+| v1.0.1                  | 2023-08-22     | ECC (v1.14.2), DataApp (v0.3.1), UCApp (v1.7.4), PIP (v1.0.0)           |[Link](https://github.com/Engineering-Research-and-Development/true-connector/releases/tag/v1.0.1) | JIRA Issues, Email conversations |
 | v1.0.0                  | 2023-07-19     | ECC (v1.14.1), DataApp (v0.3.0), UCApp (v1.7.2), PIP (v1.0.0)           |[Link](https://github.com/Engineering-Research-and-Development/true-connector/releases/tag/v1.0.0) | Feedback_Questionnaire_Connector_TRUE_Connector_14_07_2023.xlsx, JIRA issues, email conversations |