To Software Software - To Software-Assessment - Software/Assessment - To previous meeting - To next meeting

Minutes of the MiniTOP on the 2011-06-21

Setting

The MiniTOP will be held via telco 22:00 CEST

Attendees: Marcus, Uli, Michael, Magu, Dirk

Topics

(skip to agenda)

new items in last meeting:

dirk ? michael ? jandd ? alexander ? sven ? - next strategy for "New Roots & Escrow" - get in contact with debian group
dirk, michael, uli - annoying bug #911 (gpg expires 1970), activate gpg on testserver ? pickup upcoming weekend ?
uli, marcus - Testserver + Software Testers - task based help

Action items from last meeting Meeting Action Items

Agenda

strategy plans ...
1. next: strategy for "New Roots & Escrow"
  - idea: using indirect crl's ?
    - 2 crl's needed, one valid, one invalid crl server
    - more infos available ? who ?
  - policy group: define requirements
    - multimember escrow method ?
    - how does debian work ?
      - secret sharing schema
      - docu process http://ftp-master.debian.org/keys.html
      - public mailing lists ? contacts ?
      - dirk ? michael ? jandd ? alexander ? sven ? and other contacts (ftp team ?)

State Testserver Update, Current Patches on Testserver, current running Arbitrations:

the list of unhandled patches

Arbitration case a20110312.1 Weak keys bug #918
Arbitration case a20110419.1 Bug #637: Weak Passwords
"Thawte" patch Bug# 827 Points-Count-Order-Change project

Software Assessors Review 1

Michael, Dirk, Ted, Mawa	bug #940 (outsource help pages to wiki)
Michael, Dirk, Ted, Mawa	bug #943 (replace OA-admin text with OA-Assurer)
Michael, Dirk, Ted, Mawa	bug #841 (cert login - check issuer source)
Dirk, Michael, Mawa	bug#942 (CATS test)
Dirk	bug#827 (Thawte patches, points order change)

Software Assessors Review 2
- Dirk, Ted, Mawa
  
  the Bug #948 (impact on mail delivery (non RFC-2821 compliance))

Testgroup: recruit new testers, update
- result from: Software Testers - Workshop at Barcamp Karlsruhe
CI (Update)
next meeting: Tuesday, June 28, 2011 22:00

Minutes

Bugs.cacert.org
- discussion about states to define, redefine
- bugs documentation I (bugs handbook)
- bugs documentation II (to incorporate into the Software-Update-Cycle procedure/documentation)
strategy plans ...
- next: strategy for "New Roots & Escrow"
  1. idea: using indirect crl's ?
    - 2 crl's needed, one valid, one invalid crl server
    - more infos available ? who ?
      1. build testserver with special certs
      2. Magu, Michael to send instructions for test deployment
        indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5)
  2. policy group: define requirements
    - multimember escrow method ?
      - needs risk analyze
      - potential candidates ?
        Marcus to contact Thomas K
        Uli to contact Benedikt
  3. how does debian work ?
    - secret sharing schema
    - docu process http://ftp-master.debian.org/keys.html
    - public mailing lists ? contacts ?
      - dirk ? michael ? jandd ? alexander ? sven ? and other contacts (ftp team ?)
    - Update: no update, no one works on contacts
      - defered to Froscon (end of Aug), CCCcamp (around Aug 10th)

State Testserver Update, Current Patches on Testserver, current running Arbitrations:

the list of unhandled patches

Arbitration case a20110312.1 Weak keys bug #918
- mail to ted to continue with arb case, adding to thread on arb case
Arbitration case a20110419.1 Bug #637: Weak Passwords
- Pwd text removed, but reject pwd doesn't work, pwd can be set to weak pwd
- problem #1 at login, plz change, use old pwd works - fail
- problem #2 at join
- to include in ? checkpassword() in includes(general.php) ... add addtl. requirements there ?
- current: clear password in source code
- checkpassword() needs rewrite, but this is another issue, first we have to take care about the Fred pwd
- dictionary is still active grep current-pwd share/userdict
  1. Fred... to add into checkpassword()
  2. checkpassword() to add into login procedure
- pwd cannot be changed - new Bug# 953 "After change of password change on account.php?id=14 does not meet requirements wrong redirect"
- SE reset pwd procedure doesn't take care about weak pwd
- to continue testing
"Thawte" patch Bug# 827 Points-Count-Order-Change project
- in testing
- problems in counting found, missing points
- new commit by dirk, forwarded by NEO
- 80 pts counted, 100 countable ... problem
- new commit by dirk, forwarded by NEO
- pts problem seems to be solved, assurer challenge needed seems now to be ok

Software Assessors Review 1

Michael, Dirk, Ted, Mawa	bug #940 (outsource help pages to wiki)
Michael, Dirk, Ted, Mawa	bug #943 (replace OA-admin text with OA-Assurer)
Michael, Dirk, Ted, Mawa	bug #841 (cert login - check issuer source)
Dirk, Michael, Mawa	bug#942 (CATS test)
Dirk	bug#827 (Thawte patches, points order change)

we need active SA's
- PG inactive
- Mawa currently on projects
- Dirk writes patches
- Ted is currently busy
- Michael is alone
new SA's ?
Uli to write mail to SA's: dirk, michael + ted, to appoint each SA two bugs
next week working session

Software Assessors Review 2
- Dirk, Ted, Mawa
  
  the Bug #948 (impact on mail delivery (non RFC-2821 compliance))
- dirk will check

Testgroup: recruit new testers, update
- result from: Software Testers - Workshop at Barcamp Karlsruhe
- no real new testers ... some interesting talks, but no HR
next meeting: Tuesday, June 28, 2011 22:00

Unhandled within meeting

(from action items)

dirk, michael, uli	annoying bug #911 (gpg expires 1970), activate gpg on testserver ? pickup upcoming weekend ?
uli, marcus	Testserver + Software Testers - task based help
uli, markus	testers how-to regarding testserver roots: live-cd ? how-to, 2nd profile add to Welcome Pack

Fixed Action Items since last or within meeting

Dirk, Ted, Mawa	Bug #946 (Class3 Fingerprints)
Dirk	DEV: bug#827 regular Thawte patches: still open 15.php - add assurers state at bottom of page Thursday ? REVIEW 1
Michael	1. next: strategy for "New Roots & Escrow" - using indirect crl's ? send instructions for test deployment
Michael	Arbitration case a20110312.1 Weak keys bug #918 mail to ted to continue with arb case, adding to thread on arb case
Marcus	pwd cannot be changed - new Bug# 953 "After change of password change on account.php?id=14 does not meet requirements wrong redirect"

Modification on Action Items

dirk ? michael ? jandd ? alexander ? sven ?

next strategy for "New Roots & Escrow" - get in contact with debian group

split to 3 sub parts

Action Items New

Michael, Ted, Uli, Marcus	bugs documentation I (bugs handbook) bugs documentation II (to incorporate into the Software-Update-Cycle procedure/documentation)
Michael	1. next: strategy for "New Roots & Escrow" - using indirect crl's ? send instructions for test deployment
Magu	1. next: strategy for "New Roots & Escrow" - using indirect crl's ? indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment
Marcus, Uli	2. next: strategy for "New Roots & Escrow" - multimember escrow method risk analyze contact potential candidates for doing a risk analyze
dirk, Michael	3. next: strategy for "New Roots & Escrow" - how does debian work? to contact, defered to Froscon (end of Aug), CCCcamp (around Aug 10th)
Michael	Arbitration case a20110312.1 Weak keys bug #918 mail to ted to continue with arb case, adding to thread on arb case
Marcus	pwd cannot be changed - new Bug# 953 "After change of password change on account.php?id=14 does not meet requirements wrong redirect"
Testers	Arbitration case a20110419.1 Bug #637: Weak Passwords * one report: lost password: is fixed on testserver, needs testing !!! Continue TESTING
Testers	bug#827 regular Thawte patch/Points-Count-Order-Change project applied to testserver, needs testing !!! Urgent TESTING
Uli	to write mail to SA's: dirk, michael + ted, to appoint each SA two bugs for review 1
All	bugs for review 1: if unhandled before next meeting to handle under working session within next meeting
Dirk	the Bug #948 (impact on mail delivery (non RFC-2821 compliance)) REVIEW 2

Action items: Meeting Action Items

Software/Assessment/ActionItems

Marcus	cap.php review different languages, from meeting 2012-04-24, contact translators
uli	Experience points for ATE attendance check board motions and/or trigger if not yet passed
uli	Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18 current state: see Funding Landing Page
All	1. next: strategy for "New Roots & Escrow" - using indirect crl's ? indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment
dirk, Michael	3. next: strategy for "New Roots & Escrow" - how does debian work? to contact, deferred to next events (?)
Uli, Michael	Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png

Development, Deployment, Discussion

dirk Brian	DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php)	new bug#964 current state: test /account/4.php added to testserver Marcus will do detailed tests on Wed some references added to bug#964 done. proposal patch from Brian rcvd
OAO, Ted	bug #943 change OA admin/assurer text	needs 2nd test -> Fabian, Marc, Alex? / needs 2nd review -> Ted, rejected
uli, Ted	bug #824 Org User cert fix Case study	Organisation User Certificates: Need UI improvement for proper production usage
uli	bug #988 TTP cap form deployment Case study	sneak preview for local testserver deployment only
uli, ted	bug #823 email address removal fix	No warning when removing e-mail address from account that certificates will be revoked checked by 4, needs 2nd review, deploy rejected
inopiae	bug #920 Join - single name only (eg Indonesian)	details under bug number
uli	bug #859 admin console interface	feature request: show activity on an account in the admin interface rejected, certs login doesn't modify "modified" field
All	bug #1034 files to remove from webdb	eg wot/14

Software Assessors: Review 1 / add to cacert-devel, add to testserver

Software-Assessors task

uli

bug #977 admin console text fix

admin console Sysadmin - find domain - lists 2 tables - one for user accounts, one for org accounts, naming issue

Testing

Testers task

gagern	bug #440 Problem with subjectAltName (CSR, renew certs)	There seems to be a problem with the subjectAltName. Dupes, missing entries, and more
neo	bug #922 CAcert application code problem causing missing "certificate about to expire" messages
Ted	bug #835 Assurer challenge (on testserver)	needs testing
Michael	bug #1003 Provide a possibility to regularly review the permissions in the system	also bug #1038 Provide a script for board/tverify reset flags by arbitration a20110118.1
neo	bug #1025 Domain Dispute issue	disputes rc and rc2 var prob

Software Assessors: 2nd Review, Bundle Package to Critical Team

Software-Assessors task

uli, ted	bug #789 OA edit domain fix	Editing domain for organisations does not work new update 2011-09-26 2 tests, needs 2nd review, deploy more fixes, more testing	6
uli	bug #967 OA isassurer check	Give an OA the opportunity to check if a designated Organisation Administrator is a CAcert assurer
neo	bug #978 Invalid SPKAC requests are not properly validated	recheck full certs signing procedures duplicate report to bug#540
Michael	bug #540	p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing uli, marcus: needs full cert create tests duplicate report to bug#978
neo	bug #1024 Assurer flag is not set correctly on updatesort.php run	tested by 4, ok
dirk	bug #1023 Consolidate changes into the Assure Someone page	6.php global re-design project assurance, wot area (Thawte points removal effective)
inopiae	bug #981 OA overview (dupe of bug #943)	New layout of view for Organisation Administrators in account/id35

Software Assessors: Bundle Package to Critical Team

Software-Assessors task

Awaiting Response from Critical Team

CategorySoftwareAssessment

CategorySoftwareAssessment

Software/Assessment/20110621-S-A-MiniTOP (last edited 2011-09-23 00:04:14 by UlrichSchroeter)