. '''To Software''' '''[[Software|Software]]''' - '''To Software-Assessment - ''' '''[[Software/Assessment|Software/Assessment]]''' - '''To [[Software/Assessment/20110405-S-A-MiniTOP|previous meeting]]''' - '''To [[Software/Assessment/20110419-S-A-MiniTOP|next meeting]]'''
----
= Minutes of the MiniTOP on the 2011-04-12 =

== Setting ==
The MiniTOP will be held via telco 22:00 CEST

Attendees: Magu, Marcus, Dirk, Uli, Ted, Michael

== Topics ==
 * Action items from last meeting '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''
 * Arbitration case [[Arbitrations/a20110312.1|a20110312.1]]
 * State Testserver Update
 * Current Patches on Testserver:
  * "Thawte" patch [[https://bugs.cacert.org/view.php?id=827|Bug# 827]]
 * triage test on CATS (Update)
 * strategy plans ...
  * strategy for: "Certificates Class3" problem and "New Roots & Escrow"
  * [[https://lists.cacert.org/wws/arc/cacert-root/2011-02/msg00030.html|pragmatic solution proposed]]
 * [[https://bugs.cacert.org/view.php?id=637|Bug #637]]: Password suggestion always the same. Proposed solution.
 * next meeting: Tuesday, April 19, 2011 22:00

== Minutes ==
 * couple of finished action items
 || Uli || write kees mail about telco server: 2 still connections || {+} ||
 || Dirk, Ted, Michael || translingo cacert upload.pl bug #913 (next: test, review) by M. || {+} ||
 || Dirk, Michael, Uli || to write instructions for Critical team about translingo bug by M. || {+} ||
 || Michael, Wytze || environment for vuln-key on testserver, critical system || {+} ||
 || Uli || create wiki page(s) (regarding [[WeakKeys|weak keys]]) || {+} ||
 * Arbitration case [[Arbitrations/a20110312.1|a20110312.1]]
  * first tests started, some discussions
  * tests with ie6, ie8, ie9: ie8 test creates 1024 bit keys, ie6 test creates 1024 bit keys, ie9 creates 512 bit keys - difference on rsabase.dll vs. rsaenh.dll
  * perl script trigger to critical team by ted
  * org certs need to be tested
  * org certs: no csr adding is possible - is there a bug# ? -> bug# 363
  * create org client certs -> id=16
  * win7, ie9, client certs ok keysize visible, org client certs keysize invisible
  * /pages/account/.. 4.php, 17.php to combine ?
 * triage test on CATS (Update), probably upcoming week
 * [[https://bugs.cacert.org/view.php?id=637|Bug #637]]: Password suggestion always the same. Proposed solution.
  * topic on mailing list
  * signon page sample password
  * proposal 1: random password (+1)
  * proposal 2: prevent sample password (+4)
  * proposal 3: combine 1 & 2 (+2)
  * proposal 4: new sample pwd + prevent sample pwd (0)
  * proposal 5: new sample pwd from known sentence, using each 3rd char x1) + prevent sample pwd (+3)
   . x1) sample [[http://www.gpg4win.de/doc/de/gpg4win-compendium_9.html]]
  * proposal 6: no sample, only requirements on how to build a pwd (+3)
  * Action Items:
   1. Modify text
   1. pwd blacklist
   1. to move to salted hash
    * migration plan: generate salt, convert hash for all users, replace login procedure
  * proposal 5 + 6 => 3:3 -> alternate: remove sample pwd and let see
   * advantage: can be pushed tonight
  * starting administrative check or not ? -> weak passwords discussion
  * to start with migration to salted hashes
  * dirk will take care about text removal (general.php check pwd proc, text /pages/index/1.php)
  * adding blocking pwd to dictionary does not make sense, will be replaced on next sys upgrade
  * adding addtl. local dictionary ?
  * first simple check "Fred Smith" ?
  * sub selection on Is-Assurer ? has points ? (if exist notary ?)
  * first test: count(hash(simple-pwd)) on pwd column
 * "Thawte" patch [[https://bugs.cacert.org/view.php?id=827|Bug# 827]], continued, but not finished
 * next meeting: Tuesday, April 19, 2011 22:00
 * meeting closed [0:00]
----
Action items: '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''

new items:
 * Arbitration case [[Arbitrations/a20110312.1|a20110312.1]]
  * Ted: perl script trigger to critical team by ted
  * dirk: /pages/account/.. 4.php, 17.php to combine ?
 * Ted: triage test on CATS (Update), probably upcoming week
 * [[https://bugs.cacert.org/view.php?id=637|Bug #637]]: Password suggestion always the same. Proposed solution.
  * dirk: will take care about text removal (general.php check pwd proc, text /pages/index/1.php)
  * marcus: start dispute, first test: sql-query, to be verified by 2nd SA: {{{select count(*) from users where password='xxx';}}}
----
. CategorySoftwareAssessment
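The Bug #637 minutes above sketch two pieces of work: the "first test" (count how many rows of the password column equal the hash of a simple password, optionally restricted to users with points) and the migration plan (generate salt, convert the hash for all users, replace the login procedure). The following is an added example, not CAcert's code and not the PHP of general.php; it is written in Python with an in-memory SQLite table. Everything it assumes is an assumption, not stated in the minutes: that the legacy column holds an unsalted SHA-1 hex digest, that the new scheme is PBKDF2-HMAC-SHA256 with a per-user random salt, that the table is called `users` with columns `email`, `password` and `points`, and that the sample password and dictionary entries are constructed values. The migration converts existing rows without plaintexts by salting the legacy digest itself, and the replacement login accepts legacy, wrapped and direct formats so it can ship before every row has been upgraded.

```python
"""Salted-hash migration and weak-password count check (added example).

Assumptions, not from the minutes: legacy column = unsalted SHA-1 hex digest;
new scheme = PBKDF2-HMAC-SHA256 with a 16-byte random salt; constructed
SQLite users table with columns id, email, password, points.
"""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000
# Sign-on page sample password plus a tiny local dictionary (constructed values).
BLACKLIST = {"fred smith", "password", "123456"}


def legacy_hash(pw: str) -> str:
    # Assumed legacy scheme: unsalted SHA-1 hex digest, identical for equal passwords.
    return hashlib.sha1(pw.encode()).hexdigest()


def _pbkdf2(secret: str, salt: bytes, iters: int) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iters).hex()


def wrap_legacy(legacy_hex: str) -> str:
    """Migration steps 'generate salt' and 'convert hash': salt the existing
    digest itself, so no plaintext is needed to convert every row at once."""
    salt = os.urandom(16)
    return f"pbkdf2$wrap${ITERATIONS}${salt.hex()}${_pbkdf2(legacy_hex, salt, ITERATIONS)}"


def hash_password(pw: str) -> str:
    """Direct salted hash, used whenever the plaintext is available."""
    salt = os.urandom(16)
    return f"pbkdf2$direct${ITERATIONS}${salt.hex()}${_pbkdf2(pw, salt, ITERATIONS)}"


def verify(pw: str, stored: str) -> bool:
    """Accepts legacy, wrapped and direct rows with constant-time comparison."""
    if not stored.startswith("pbkdf2$"):                  # untouched legacy row
        return hmac.compare_digest(legacy_hash(pw), stored)
    _, mode, iters, salt_hex, dk = stored.split("$")
    secret = legacy_hash(pw) if mode == "wrap" else pw
    return hmac.compare_digest(_pbkdf2(secret, bytes.fromhex(salt_hex), int(iters)), dk)


def make_db() -> sqlite3.Connection:
    # Constructed table with legacy unsalted hashes; two accounts share the sample password.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, email text, "
                 "password text, points integer)")
    conn.executemany("insert into users values (?, ?, ?, ?)", [
        (1, "one@example.invalid", legacy_hash("Fred Smith"), 0),
        (2, "two@example.invalid", legacy_hash("correct horse"), 100),
        (3, "three@example.invalid", legacy_hash("Fred Smith"), 150),
    ])
    return conn


def count_users_with_password(conn, candidate: str, min_points=None) -> int:
    """The 'first test': count rows equal to hash(candidate), optionally only
    users holding points. Parametrised query, hash never interpolated into SQL.
    Meaningful only while hashes are unsalted; after migration every row has
    its own salt and the count is 0, which is the point of salting."""
    sql, params = "select count(*) from users where password = ?", [legacy_hash(candidate)]
    if min_points is not None:
        sql += " and points >= ?"
        params.append(min_points)
    return conn.execute(sql, params).fetchone()[0]


def migrate_all(conn) -> int:
    """Convert every legacy row in one pass; returns the number converted."""
    rows = conn.execute(
        "select id, password from users where password not like 'pbkdf2$%'").fetchall()
    for uid, h in rows:
        conn.execute("update users set password = ? where id = ?", (wrap_legacy(h), uid))
    conn.commit()
    return len(rows)


def login(conn, email: str, pw: str) -> bool:
    """Replacement login procedure: verify any format, then upgrade a legacy or
    wrapped row to a direct salted hash now that the plaintext is in hand."""
    row = conn.execute("select id, password from users where email = ?", (email,)).fetchone()
    if row is None or not verify(pw, row[1]):
        return False
    if not row[1].startswith("pbkdf2$direct$"):
        conn.execute("update users set password = ? where id = ?", (hash_password(pw), row[0]))
        conn.commit()
    return True


def password_acceptable(pw: str) -> bool:
    """Blacklist check for the sign-on page: reject the sample password and the
    small local dictionary, case-insensitively, plus a minimum length."""
    return len(pw) >= 8 and pw.lower() not in BLACKLIST
```

Running `migrate_all` once rewrites all rows without anyone logging in; the per-row salt is what makes the `count(*)` test stop working afterwards, so the weak-password sweep has to run before the migration, as the minutes order it. Rows are then upgraded from the wrapped form to a direct hash lazily on each successful login, and `verify` keeps accepting whichever form a row is in, so the login code can be replaced in one step.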