To Software Software - To Software-Assessment - Software/Assessment - To previous meeting - To next meeting

Minutes of the MiniTOP on the 2011-04-12

Setting

The MiniTOP will be held via telco 22:00 CEST

Attendees: Magu, Marcus, Dirk, Uli, Ted, Michael

Topics

Action items from last meeting Meeting Action Items
Arbitration case a20110312.1
State Testserver Update
- Current Patches on Testserver:
  - "Thawte" patch Bug# 827
triage test on CATS (Update)
strategy plans ...
- strategy for: "Certificates Class3" problem and "New Roots & Escrow"
- pragmatic solution proposed
Bug #637: Password suggestion always the same. Proposed solution.
next meeting: Tuesday, April 19, 2011 22:00

Minutes

couple of finished action items

Uli	write kees mail about telco server: 2 still connections
Dirk, Ted, Michael	translingo cacert upload.pl bug #913 (next: test, review) by M.
Dirk, Michael, Uli	to write instructions for Critical team about translingo bug by M.
Michael, Wytze	environment for vuln-key on testserver, critical system
Uli	create wiki page(s) (regarding weak keys)

Arbitration case a20110312.1
- first tests started, some discussions
  - tests with ie6, ie8, ie9: ie8 test creates 1024 bit keys, ie6 test creates 1024 bits keys, ie9 creattes 512 bit keys - difference on rsabase.dll vs. rsaenh.dll
- perl script trigger to critical team by ted
- org certs needs to be tested
- org certs: no csr adding is possible - is there a bug# ? -> bug# 363
  - create org client certs -> id=16
- win7, ie9, client certs ok keysize visible, org client certs keysize invisible
- /pages/account/.. 4.php, 17.php to combine ?
triage test on CATS (Update), probably upcoming week
Bug #637: Password suggestion always the same. Proposed solution.
- topic on mailing list
- signon page sample password
- proposal 1: random password (+1)
- proposal 2: prevent sample password (+4)
- proposal 3: combine 1 & 2 (+2)
- proposal 4: new sample pwd + prevent sample pwd (0)
- proposal 5: new sample pwd from known sentence, using each 3rd char x1) + prevent sample pwd (+3)
  - x1) sample http://www.gpg4win.de/doc/de/gpg4win-compendium_9.html
- proposal 6: no sample, only requirements on how to build a pwd (+3)
- Action Items:
  1. Modify text
  2. pwd blacklist
  3. to move to salted hash
    - migration plan: generate salt, convert hash for all users, replace login procedure
- proposal 5 + 6 => 3:3 -> alternate: remove sample pwd and let see
- advantage: can be pushed tonight
- starting administrative check or not ? -> weak passwords discussion
  - to start with migration to salted hashes
- dirk will take care about text removal (general.php check pwd proc, text /pages/index/1.php)
- adding blocking pwd to dictionary does not make sense, will be replaced on next sys upgrade
- adding addtl. local dictionary ?
- first simple check "Fred Smith" ?
- sub selection on Is-Assurer ? has points ? (if exist notary ?)
- first test: count(hash(simple-pwd)) on pwd column
"Thawte" patch Bug# 827, continued, but not finished
next meeting: Tuesday, April 19, 2011 22:00
meeting closed [0:00]

Action items: Meeting Action Items

new items:

Arbitration case a20110312.1
- Ted: perl script trigger to critical team by ted
- dirk: /pages/account/.. 4.php, 17.php to combine ?
Ted: triage test on CATS (Update), probably upcoming week
Bug #637: Password suggestion always the same. Proposed solution.
- dirk: will take care about text removal (general.php check pwd proc, text /pages/index/1.php)
- marcus: start dispute, first test: sql-query, to be verified by 2nd SA: select count(*) from users where password='xxx';

Software/Assessment/ActionItems

Marcus	cap.php review different languages, from meeting 2012-04-24, contact translators
uli	Experience points for ATE attendance check board motions and/or trigger if not yet passed
uli	Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18 current state: see Funding Landing Page
All	1. next: strategy for "New Roots & Escrow" - using indirect crl's ? indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment
dirk, Michael	3. next: strategy for "New Roots & Escrow" - how does debian work? to contact, deferred to next events (?)
Uli, Michael	Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png

Development, Deployment, Discussion

dirk Brian	DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php)	new bug#964 current state: test /account/4.php added to testserver Marcus will do detailed tests on Wed some references added to bug#964 done. proposal patch from Brian rcvd
OAO, Ted	bug #943 change OA admin/assurer text	needs 2nd test -> Fabian, Marc, Alex? / needs 2nd review -> Ted, rejected
uli, Ted	bug #824 Org User cert fix Case study	Organisation User Certificates: Need UI improvement for proper production usage
uli	bug #988 TTP cap form deployment Case study	sneak preview for local testserver deployment only
uli, ted	bug #823 email address removal fix	No warning when removing e-mail address from account that certificates will be revoked checked by 4, needs 2nd review, deploy rejected
inopiae	bug #920 Join - single name only (eg Indonesian)	details under bug number
uli	bug #859 admin console interface	feature request: show activity on an account in the admin interface rejected, certs login doesn't modify "modified" field
All	bug #1034 files to remove from webdb	eg wot/14

Software Assessors: Review 1 / add to cacert-devel, add to testserver

Software-Assessors task

uli

bug #977 admin console text fix

admin console Sysadmin - find domain - lists 2 tables - one for user accounts, one for org accounts, naming issue

Testing

Testers task

gagern	bug #440 Problem with subjectAltName (CSR, renew certs)	There seems to be a problem with the subjectAltName. Dupes, missing entries, and more
neo	bug #922 CAcert application code problem causing missing "certificate about to expire" messages
Ted	bug #835 Assurer challenge (on testserver)	needs testing
Michael	bug #1003 Provide a possibility to regularly review the permissions in the system	also bug #1038 Provide a script for board/tverify reset flags by arbitration a20110118.1
neo	bug #1025 Domain Dispute issue	disputes rc and rc2 var prob

Software Assessors: 2nd Review, Bundle Package to Critical Team

Software-Assessors task

uli, ted	bug #789 OA edit domain fix	Editing domain for organisations does not work new update 2011-09-26 2 tests, needs 2nd review, deploy more fixes, more testing	6
uli	bug #967 OA isassurer check	Give an OA the opportunity to check if a designated Organisation Administrator is a CAcert assurer
neo	bug #978 Invalid SPKAC requests are not properly validated	recheck full certs signing procedures duplicate report to bug#540
Michael	bug #540	p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing uli, marcus: needs full cert create tests duplicate report to bug#978
neo	bug #1024 Assurer flag is not set correctly on updatesort.php run	tested by 4, ok
dirk	bug #1023 Consolidate changes into the Assure Someone page	6.php global re-design project assurance, wot area (Thawte points removal effective)
inopiae	bug #981 OA overview (dupe of bug #943)	New layout of view for Organisation Administrators in account/id35

Software Assessors: Bundle Package to Critical Team

Software-Assessors task

Awaiting Response from Critical Team

CategorySoftwareAssessment

CategorySoftwareAssessment

Software/Assessment/20110412-S-A-MiniTOP (last edited 2011-09-23 00:10:33 by UlrichSchroeter)