To Software Software - To Software-Assessment - Software/Assessment - To previous meeting - To next meeting
Minutes of the MiniTOP on the 2011-04-19
Setting
The MiniTOP will be held via telco 22:00 CEST
Attendees: Dirk, Martin, Ted, Uli, Marcus
Topics
Action items from last meeting Meeting Action Items
new items in last meeting:
Arbitration case a20110312.1
- Ted: perl script trigger to critical team by ted
- dirk: /pages/account/.. 4.php, 17.php to combine ?
- Ted: triage test on CATS (Update), probably upcoming week
Bug #637: Password suggestion always the same. Proposed solution.
- dirk: will take care about text removal (general.php check pwd proc, text /pages/index/1.php)
- marcus: start dispute, first test: sql-query, to be verified by 2nd SA: select count(*) from users where password='xxx';
Arbitration case a20110312.1
- State Testserver Update
- triage test on CATS (Update)
- strategy plans ...
strategy for: "Certificates Class3" problem and "New Roots & Escrow"
Bug #637: Password suggestion always the same. Proposed solution.
- CI new product
- next meeting: Tuesday, April 26, 2011 22:00
Minutes
- Magu: has new product under test, app.test, eclipse based
- has deployed a Hudson installation
- Action Items
- Ted, triage test on CATS (Update), probably upcoming week
- finished
- transfer of TRIAGE results to webdb is currently commented out, not active, but CATS is still active
- OA test is only avail on test1
Marcus: Bug #637 Weak Password: start dispute, first test: sql-query, to be verified by 2nd SA -> a20110413.1
- 1st step: Quick fix: reject default pwd
- 2nd step: to fix current effected accounts, to be handled under arbitration
- Michael: index old id=1 is join form, check pwd in /includes/general.php
- Dirk: 1.php, 6.php, 14.php modified
- send info to users, weak pwd, please replace pwd
- 1 month deadline, running script to set randam pwd
- addtl. query to crtical team:
- when last logged-in ?
- accounts assured ?
- Michael: to add a new branch within git
- git fetch (current state between server and local)
- git checkout -b bug-637 origin/release
- further documentation by Michael
- Request Michael to Uli: to write request to Markus, Andreas to create new cacert1 image and set url for download
- dirk Bug #637 Weak Password: will take care about text removal (general.php check pwd proc, text /pages/index/1.php)
- bug#637 files send by dirk, reviewed by Michael, pushed to branch, pushed to master, checked-out to testserver, part I + II
- part I: removal of text
- part II: to push users to replace their pwd
- next steps: arbitrator to decide, how this case should be handled eg mailing, how to handle unused accounts and so on
- arbitration: file dispute, who ? Michael, what ? see above step 2
Arbitration case a20110312.1, bug#918
- perl script started, runs long time, result sent by Wytze
- scipt is ok, one run 9 hours !
- if web code fixes on production then script can be run on production
- mailing script is pushed to git
some tests has been made, Hanno also involved in testing but no report, only keys < 1024 blocked
- review of patches:
- perl script by ted, reviewed by michael
- mailing script php by ted, reviewed by Michael
patches to block weak keys by michael, needs to be reviewed -> Ted
- dirk: a20110312.1 /pages/account/.. 4.php, 17.php to combine ? no update
- michael briefs dirk
- call 17.php from 16.php, call 4.php from 3.php
- add/replace code with include(/includes/keygen.php) within 4.php + 17.php under bug#918
- Dirk: 15.php, not updated
- Michael: add SA's to Admin in bugs for customizing, mail to Philipp, Andreas, Mario
- email to write, within session, mail sent
- Ted, triage test on CATS (Update), probably upcoming week
- Bug#921, Michael will review Wed and add to testserver
- Uli to prepare blog post
Bug#897 HowManyPoints
- patch by Uli, first review by Michael, needs 2nd review
- dirk has new xen vm, trafic limit 1 or 5 TB, 4 ip's, and IPv6 for 10 EUR, alternate for hosting ?
- no concensus, probably for Non-Critical not interesting as each of the Non-Critical machines are VMs by itself
- strategy plans ...
strategy for: "Certificates Class3" problem and "New Roots & Escrow"
- Michael: class3 renew ?
- Dirk: board motion, no new class3 cert
Michael: to wait for new roots & escrow is probably no option
- Dirk: current class1 + class3 on testserver, test class3 replacement on testserver, what are the changes to do ?
- Michael: changes to do:
- /etc/ssl/openssl-ca.cnf algorythm to replace line 30 default md5 to sha1
- Dirk: revocation list, and renewal of keys ?
- Class3 replace test after Eastern
- Uli: tester to inform regarding class3 certs creation in mailing regarding bug#921
- next meeting: Tuesday, April 26, 2011 22:00
Fixed Action Items since last Meeting
Ted
a20110312.1 perl script trigger to critical team
Ted
triage test on CATS (Update), probably upcoming week
dirk
Bug #637 Weak Password: will take care about text removal (general.php check pwd proc, text /pages/index/1.php)
Marcus
Bug #637 Weak Password: start dispute, first test: sql-query, to be verified by 2nd SA -> a20110413.1
Michael
update to Hanno
Michael
add SA's to Admin in bugs for customizing, mail to Philipp, Andreas, Mario
Dirk
strategy for: "Certificates Class3" problem and "New Roots & Escrow"
contact root cert group
new plan: signer class3 test on cacert1
Action items: Meeting Action Items
Action Items New
- Uli: to write request to Markus, Andreas to create new cacert1 image and set url for download
- Ted: bug#918 patches to block weak keys by michael, needs to be reviewed
- Michael: Bug #637 Weak Password, file dispute regarding 2nd step: to fix current effected accounts, to be handled under arbitration
- Uli: added patch bug#637 onto testserver, update testers portal, notify tester group
- Michael: Bug#921 review on Wed and add to testserver
- Uli: add patch bug#921 onto testserver, update testers portal, notify tester group, publish blog post "Easter Eggs"
- Ted, Markus, Dirk: Bug#897 2nd review
- Uli: tester to inform regarding class3 certs creation in mailing regarding bug#921
Software/Assessment/ActionItems
Marcus
cap.php review different languages, from meeting 2012-04-24, contact translators
uli
Experience points for ATE attendance
check board motions and/or trigger if not yet passed
uli
Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18
current state: see Funding Landing Page All
1. next: strategy for "New Roots & Escrow" - using indirect crl's ?
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment dirk, Michael
3. next: strategy for "New Roots & Escrow" - how does debian work?
to contact, deferred to next events (?)
Uli, Michael
Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png
Development, Deployment, Discussion
dirk Brian
DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php)
new bug#964
current state: test /account/4.php added to testserver
Marcus will do detailed tests on Wed
some references added to bug#964 done.
proposal patch from Brian rcvd OAO, Ted
bug #943 change OA admin/assurer text
needs 2nd test -> Fabian, Marc, Alex?
/ needs 2nd review -> Ted, rejected uli, Ted
bug #824 Org User cert fix Case study
Organisation User Certificates: Need UI improvement for proper production usage
uli
bug #988 TTP cap form deployment Case study
sneak preview
for local testserver deployment only uli, ted
bug #823 email address removal fix
No warning when removing e-mail address from account that certificates will be revoked
checked by 4, needs 2nd review, deploy
rejected inopiae
bug #920 Join - single name only (eg Indonesian)
details under bug number
uli
bug #859 admin console interface
feature request: show activity on an account in the admin interface
rejected, certs login doesn't modify "modified" field All
bug #1034 files to remove from webdb
eg wot/14
Software Assessors: Review 1 / add to cacert-devel, add to testserver
Software-Assessors task
uli
bug #977 admin console text fix
admin console Sysadmin - find domain - lists 2 tables - one for user accounts, one for org accounts, naming issue
Testing
Testers task
gagern
bug #440 Problem with subjectAltName (CSR, renew certs)
There seems to be a problem with the subjectAltName. Dupes, missing entries, and more
neo
bug #922 CAcert application code problem causing missing "certificate about to expire" messages
Ted
bug #835 Assurer challenge (on testserver)
needs testing
Michael
bug #1003 Provide a possibility to regularly review the permissions in the system
also bug #1038 Provide a script for board/tverify reset flags by arbitration a20110118.1
neo
bug #1025 Domain Dispute issue
disputes rc and rc2 var prob
Software Assessors: 2nd Review, Bundle Package to Critical Team
Software-Assessors task
uli, ted
bug #789 OA edit domain fix
Editing domain for organisations does not work
new update 2011-09-26
2 tests, needs 2nd review, deploy
more fixes, more testing6
uli
bug #967 OA isassurer check
Give an OA the opportunity to check if a designated Organisation Administrator is a CAcert assurer
neo
bug #978 Invalid SPKAC requests are not properly validated
recheck full certs signing procedures
duplicate report to bug#540 Michael
p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
uli, marcus: needs full cert create tests
duplicate report to bug#978 neo
bug #1024 Assurer flag is not set correctly on updatesort.php run
tested by 4, ok
dirk
bug #1023 Consolidate changes into the Assure Someone page
6.php global re-design project
assurance, wot area (Thawte points removal effective) inopiae
New layout of view for Organisation Administrators in account/id35
Software Assessors: Bundle Package to Critical Team
Software-Assessors task
Awaiting Response from Critical Team