'''To Software''' '''[[Software|Software]]''' - '''To Software-Assessment''' '''[[Software/Assessment|Software/Assessment]]''' - '''To [[Software/Assessment/20110315-S-A-MiniTOP|previous meeting]]''' - '''To [[Software/Assessment/20110329-S-A-MiniTOP|next meeting]]'''
----
= Minutes of the MiniTOP on 2011-03-22 =

== Setting ==
The MiniTOP will be held via telco at 22:00 CET.

Attendees: Dirk, Magu, Michael, Uli, Ted

== Action items from last meeting ==
 * Dirk: translingo cacert upload.pl bug #913
 * Dirk: regular Thawte patches, still open
 * 15.php - add assurer state at bottom of page
 * Michael: TMS function (Assurances)
 * Michael: Hosting providers: contact Martin Ga regarding questions about VMs on the Vienna hosting
 * Michael: add SAs as Admin in bugs for customizing; mail to Philipp, Andreas, Mario
 * Dirk: strategy for the "Certificates Class3" problem and "New Roots & Escrow"
  * contact root cert group
 * Michael: CI (low priority)

== Topics ==
 * State Testserver Update
  * Current patches on Testserver:
   * "Thawte" patch [[https://bugs.cacert.org/view.php?id=827|Bug# 827]]
   * /locale/ cleanup [[https://bugs.cacert.org/view.php?id=896|Bug# 896]]
  * see action items
 * strategy plans ...
  * strategy for the "Certificates Class3" problem and "New Roots & Escrow"
   * see action items
   * [[https://lists.cacert.org/wws/arc/cacert-root/2011-02/msg00030.html|pragmatic solution proposed]]
 * [[OverviewProjectsBoard|Overview Projects Board]] (wiki:OverviewProjectsBoard) topics for SA (Update)
 * Signer deployment (Andreas/Markus) (Update)
 * Automated testing system (Andreas, Magu, MSchiffer) (Update)
 * Arbitration case [[Arbitrations/a20110312.1|a20110312.1]]
 * next meeting: Tuesday, March 29, 2011, 22:00

== Minutes ==
 * Action items from last meeting
  * Michael: TMS function (Assurances), still open
  * Michael: Hosting providers: contact Martin Ga regarding questions about VMs on the Vienna hosting, still open
  * Michael: add SAs as Admin in bugs for customizing; mail to Philipp, Andreas, Mario, still open
  * Michael: CI (low priority), still open
 * strategy plans ...
  * strategy for the "Certificates Class3" problem and "New Roots & Escrow"
   * multi-member escrow system proposal by Mario: HR problem, CRL signing problem
 * [[OverviewProjectsBoard|Overview Projects Board]] (wiki:OverviewProjectsBoard) topics for SA (Update)
  * WIP
 * Dirk, Ted: translingo cacert upload.pl bug #913, still open
 * Dirk: regular Thawte patches, still open
 * 15.php - add assurer state at bottom of page, still open
 * Special case: in the production system a user with 120 pts: 60 + 30 + 30 F2F (!!)
 * Michael to add SQL injection strings onto the special test user
 * Dirk: strategy for the "Certificates Class3" problem and "New Roots & Escrow"
  * Class3 problem: the signing server receives an identifier for which certs to issue
  * Michael: webdb is the problem; to be corrected in several code snippets
  * "New Roots" makes no sense with software that is not Audit Ready
  * proposal: one event: old "new" Class3 (A), create new root (B), new Class3 (C); (A) to be applied first
 * Software and "Audit Ready" topic
  1. software needs to be documented
  1. each step has to be traceable
   * e.g. logical deletions -> delete mark, but content shouldn't be deleted
   * assurances -> deletable by support or by administrative increases
   * temporary administrative increases
   * admin for organisation assurance
   * delete-account function from support console
   * may be more
  1. full code review
   * in the past this led to Software Camp Innsbruck - software is not auditable
   * we have procedures for updates, but new critical bugs need to be fixed
   * also policy-related fixes
   * critical mass of developers
  1. policy conformity
  1. fix major bugs
 * Arbitration case [[Arbitrations/a20110312.1|a20110312.1]] "Weak keys"
  * weak keys ... check databases, revoke keys and so on
  * script to search keys in the database
  * testservers: all software assessors should have console access to all related servers (cacert1, git)
  * Ted has access to test1.cacert.at
  * the database holds the filename of the PEM-encoded cert file
  * the database holds some info on the key, but nothing valuable
  * RSA key lengths vs. DSA key lengths; first check RSA keys
  * tests finished; needs coding and running
  * generate emails based on the exec results
  * Michael: don't accept weak CSRs
  * Ted: 4 procedures to check: user client cert, user server cert, org client cert, org server cert
  * Michael: account.php: 23 matches regarding openssl, -7 text matches
  * Michael: api - running a script with parameters, /www/api
   * web API (SOA)
  * Ted: relevant positions to find - transfer to signer
  * Michael: it's too late to send user responses
  * proposed fix till end of week, review upcoming Monday
  * revocation of too-small keys, info to board
 * next meeting: Tuesday, March 29, 2011, 22:00
 * Ted: pushed a branch to git: translingo cacert upload.pl bug #913
 * Signer deployment (Andreas/Markus): Michael will contact Andreas
 * meeting closed [0:45]
----
Action items: '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''
----
CategorySoftwareAssessment
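The weak-keys arbitration above calls for a script that walks the stored keys, classifies them by algorithm and size (RSA first, then DSA), and feeds the results into revocation notices and the CSR acceptance check. The block below is an added example of that classification step; it is not CAcert code and nothing in the minutes describes its internals. It assumes the key material has first been reduced to a PEM `PUBLIC KEY` (SubjectPublicKeyInfo) block, which is what `openssl x509 -pubkey -noout` and `openssl req -pubkey -noout` print for the four cert/CSR kinds listed by Ted; the 2048-bit thresholds are an assumed policy, not a number from the minutes. The sample input is constructed inside the block around a synthetic odd integer of the requested width, so it exercises the RSA path offline without a real key; the DSA branch is present but not exercised by the sample.

```python
"""Weak-key scan: classify PEM 'PUBLIC KEY' blobs by algorithm and size.

Added example, not CAcert code. Input is a SubjectPublicKeyInfo in PEM, as
printed by `openssl x509 -pubkey -noout` or `openssl req -pubkey -noout`.
"""
import base64
import re

RSA_OID = "1.2.840.113549.1.1.1"
DSA_OID = "1.2.840.10040.4.1"
# Assumed policy thresholds; the minutes do not fix a number.
MIN_RSA_BITS = 2048
MIN_DSA_BITS = 2048


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(der):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(der):
        tag, val, pos = _tlv(der, pos)
        out.append((tag, val))
    return out


def _oid(val):
    """Decode OID contents to dotted form."""
    parts, n = [str(val[0] // 40), str(val[0] % 40)], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)


def pem_to_der(pem):
    body = re.sub(r"-----[^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def key_info(pem):
    """Return (algorithm, bits) for a PEM SubjectPublicKeyInfo."""
    _, spki, _ = _tlv(pem_to_der(pem), 0)          # outer SEQUENCE
    (_, algid), (_, bitstr) = _children(spki)      # AlgorithmIdentifier, BIT STRING
    alg = _children(algid)
    oid = _oid(alg[0][1])
    if oid == RSA_OID:
        _, rsa_key, _ = _tlv(bitstr[1:], 0)        # skip unused-bits octet
        modulus = _children(rsa_key)[0][1]         # RSAPublicKey { n, e }
        return "rsa", int.from_bytes(modulus, "big").bit_length()
    if oid == DSA_OID:
        p = _children(alg[1][1])[0][1]             # Dss-Parms { p, q, g }
        return "dsa", int.from_bytes(p, "big").bit_length()
    return oid, 0                                  # unknown algorithm: flag for manual review


def is_weak(pem):
    alg, bits = key_info(pem)
    return (alg == "rsa" and bits < MIN_RSA_BITS) or (alg == "dsa" and bits < MIN_DSA_BITS)


def scan_keys(rows):
    """rows: (email, pem) pairs from the database -> (email, alg, bits) to notify."""
    return [(email,) + key_info(pem) for email, pem in rows if is_weak(pem)]


# --- constructed test input (synthetic modulus, not a real RSA key) ---
def _der(tag, val):
    if len(val) < 0x80:
        return bytes([tag, len(val)]) + val
    lb = len(val).to_bytes((len(val).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + val


def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)


def make_rsa_spki_pem(bits):
    """Build a PEM SPKI around an odd `bits`-bit integer, to exercise the scanner."""
    n = (1 << (bits - 1)) | 1
    rsa_key = _der(0x30, _der_int(n) + _der_int(65537))
    rsa_oid = bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01])
    algid = _der(0x30, _der(0x06, rsa_oid) + b"\x05\x00")
    spki = _der(0x30, algid + _der(0x03, b"\x00" + rsa_key))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    rows = [("a@example.org", make_rsa_spki_pem(1024)),
            ("b@example.org", make_rsa_spki_pem(2048))]
    for email, alg, bits in scan_keys(rows):
        print(f"revoke+notify {email}: {alg} {bits} bits")
```

The same `is_weak` check, applied to the public key of an incoming CSR before it is handed to the signer, is the "don't accept weak CSRs" gate; the database walk only differs in where the PEM comes from. Keys whose algorithm OID is neither RSA nor DSA come back with 0 bits so they are never silently accepted as strong.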