To Software Software - To Software-Assessment - Software/Assessment - To previous meeting - To next meeting

Minutes of the MiniTOP on the 2011-07-05

Setting

The MiniTOP will be held via telco 22:00 CEST

Attendees: dirk, Uli, Michael, Marcus, Marc

Topics

(skip to agenda)

Action items from last meeting Meeting Action Items

Agenda

Software Assessors Patch Reviews - working session in meeting
- Review 1: review, add to cacert-devel, transfer to testserver
  - Ted
    
    bug #940 (outsource help pages to wiki)
    
    Mawa
    
    bug #943 (replace OA-admin text with OA-Assurer)
    
    Michael
    
    bug #841 (cert login - check issuer source)
- Review 2: finish tests, bundle patch, send to critical team ?
  - Dirk
    
    the Bug #948 (impact on mail delivery (non RFC-2821 compliance))
strategy plans ... next: strategy for "New Roots & Escrow"
1. idea: using indirect crl's ?
  - 2 crl's needed, one valid, one invalid crl server
  - more infos available ? who ?
    1. build testserver with special certs
    2. Magu, Michael to send instructions for test deployment
      - indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5)
  - Magu: not avail, no update
  - other testers ?
  - Marcus: no, Marc: ?
  - some discussion about potential test environment, no result
  - Define requirements, Define a testszenario
2. policy group: define requirements
  - multimember escrow method ?
    - needs risk analyze
    - potential candidates ?
      - Marcus to contact Thomas K
        contacted benedikt, will take care about
        will contact Thomas K
3. how does debian work ?
  - defered to Froscon (end of Aug), CCCcamp (around Aug 10th)
State Testserver Update, Current Patches on Testserver, current running Arbitrations:
- the list of unhandled patches
  1. Arbitration case a20110312.1 Weak keys bug #918
    - mail to ted to continue with arb case, adding to thread on arb case
    - Next: script to bulk revoke weak keys, new bug #954
    - see action items, update ?
  2. Arbitration case a20110419.1 Bug #637: Weak Passwords
    - Pwd text removed, but reject pwd doesn't work, pwd can be set to weak pwd
    - problem #1 at login, plz change, use old pwd works - fail
    - problem #2 at join
    - to include in ? checkpassword() in includes(general.php) ... add addtl. requirements there ?
    - current: clear password in source code
    - checkpassword() needs rewrite, but this is another issue, first we have to take care about the Fred pwd
    - dictionary is still active grep current-pwd share/userdict
      1. Fred... to add into checkpassword()
      2. checkpassword() to add into login procedure
    - pwd cannot be changed - new Bug# 953 "After change of password change on account.php?id=14 does not meet requirements wrong redirect"
    - SE reset pwd procedure doesn't take care about weak pwd
    - Under testing: update
  3. "Thawte" patch Bug# 827 Points-Count-Order-Change project
    - in testing
    - problems in counting found, missing points
    - new commit by dirk, forwarded by NEO
    - 80 pts counted, 100 countable ... problem
    - new commit by dirk, forwarded by NEO
    - pts problem seems to be solved, assurer challenge needed seems now to be ok
    - Under testing: update
    - Marc: thawte patch problem found 2147483647 assurance pts entered, 15.php displays 2147483647 pts
      - Arbitration: exists values in points? limit 0-150 pts ? or no arbitration ? (discussion)
Annoying gpg bug
- dirk, michael, uli
  
  annoying bug #911 (gpg expires 1970), activate gpg on testserver ? pickup upcoming weekend ?
Documentation
- Bugs.cacert.org
  - discussion about states to define, redefine
  - bugs documentation I (bugs handbook)
  - bugs documentation II (to incorporate into the Software-Update-Cycle procedure/documentation)
  - Review, Update
- uli, marcus - Testserver + Software Testers - task based help - update
- uli, marcus - testers how-to regarding testserver roots: live-cd ? how-to, 2nd profile add to Welcome Pack - update
CI (Update)
next meeting: Tuesday, July 12, 2011 22:00

Minutes

Review 2: finish tests, bundle patch, send to critical team ?
- Dirk
  
  the Bug #948 (impact on mail delivery (non RFC-2821 compliance))
- Uli: new file to patch found: CommModule client.pl (dirk will check)
- Marc, Marcus to test
Michael: TMS Batch Assurance implemented
Michael: Bugs tracker, added field/column reviewed by ...
strategy plans ... next: strategy for "New Roots & Escrow"
1. policy group: define requirements
  - multimember escrow method ?
    - needs risk analyze
    - potential candidates ?
      - Marcus to contact Thomas K
        contacted benedikt, will take care about
        will contact Thomas K
      - Marcus in meeting with Benedikt, ok from Benedikt, B. needs some more details input, Uli to contact
2. idea: using indirect crl's ?
  - 2 crl's needed, one valid, one invalid crl server
  - more infos available ? who ?
    1. build testserver with special certs
    2. Magu, Michael to send instructions for test deployment
      - indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5)
  - Magu: not avail, no update
  - other testers ?
  - Marcus: no, Marc: ?
  - some discussion about potential test environment, no result
  - Define requirements, Define a testszenario
    - requirement:
      - webserver to deliver test crl's
      - openssl - create testCA incl. subCA + non-CA but allowed to create crl's
      - publish only subRoot + crl cert
      - publish public key of root
      - in certs ocsp responder should be prevented or otherwise own ocsp responder has to be deployed
      - testCA and subCA doesn't publish crl's
      - subCA included: link to CRL-distribution-point -> non-CA crl distributor
      - in certs issued of subRoot has to include CRL-distribution-point that is identical with crl of subRoot
        own crl-distribution-point for each subRoot
      - RootCA -> SubRoot-blub -> SubRoot-blub-certs -> crl-distribution-point is blub
      - crl needs extensions
      - RootCA -> A -> C, SubCA -> B -> B, 2 crl distribution points B and C
      - client with software to test, browser, email client, acrobat (doc-signing), code-signing
      - what is the content of crl-distribution-point server cert?
        points to himself
        no distribution point
        rootCA creates one crl, that only is used for crl-signer
      - does one of the methods work ?
      - for testing: virtual server: apache + openssl
      - create certs -> manual openssl command
feature request by dirk: to add ntp to testserver image, pool.ntp.org
Working session:
- Dirk:
  - Dirk
    
    the Bug #948 (impact on mail delivery (non RFC-2821 compliance))
- Michael:
  - Michael
    
    bug #841 (cert login - check issuer source)
Documentation
- Bugs.cacert.org
  - discussion about states to define, redefine
  - bugs documentation I (bugs handbook)
  - bugs documentation II (to incorporate into the Software-Update-Cycle procedure/documentation)
  - Review, Update
- Testserver Documentations
  - uli, marcus - Testserver + Software Testers - task based help - update
    - defered after discussion
  - uli, marcus - testers how-to regarding testserver roots: live-cd ? how-to, 2nd profile add to Welcome Pack - update
    - defered after discussion
  - general problem to spoon-feed the people with step by step documentations
Uli: Marcus, please re-test/check Bugs 921 + 942
topic ..
- dirk
  
  DEV: a20110312.1 bug#918 Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV
- vbscript needs to be improved with select box key size and lower limit to 2048 (based on https://wiki.mozilla.org/CA:MD5and1024)
- Api CertEnroll (MS crypto provider)
annoying bug #911

dirk, michael, uli

annoying bug #911 (gpg expires 1970), activate gpg on testserver ? pickup upcoming weekend ?
- https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00012.html
- https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00013.html
  1. the key is ok
  2. display on gpg list in webdb displays wrong date
- to increase priority of this bug, to fix displaying gpg key date in list as too many reports receives support
review finished, transfered to testserver
- bug #841 (cert login - check issuer source)
State Testserver Update, Current Patches on Testserver, current running Arbitrations:
- the list of unhandled patches
  1. Arbitration case a20110312.1 Weak keys bug #918
    - mail to ted to continue with arb case, adding to thread on arb case
    - Next: script to bulk revoke weak keys, new bug #954
    - see action items, update ?
    - on mailing the $reason had not been added into the mail, nor the specified wiki links, that were created for this mailing (see https://lists.cacert.org/wws/arc/cacert-support/2011-06/msg00072.html)

Fixed Action Items since last or within meeting

Uli	add to testers portal, push testers on bug#942 and Bug #948
uli, marcus	Testserver + Software Testers - task based help
uli, marcus	testers how-to regarding testserver roots: live-cd ? how-to, 2nd profile add to Welcome Pack
Michael	bug #943 (replace OA-admin text with OA-Assurer), Uli: transfered to testers portal
Michael	DEV: TMS function (Batch Assurances) DEV
Michael	bug #841 (cert login - check issuer source)
Marcus, Uli	2. next: strategy for "New Roots & Escrow" - multimember escrow method risk analyze contact potential candidates for doing a risk analyze

Action Items New

Action items: Meeting Action Items

Software/Assessment/ActionItems

Marcus	cap.php review different languages, from meeting 2012-04-24, contact translators
uli	Experience points for ATE attendance check board motions and/or trigger if not yet passed
uli	Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18 current state: see Funding Landing Page
All	1. next: strategy for "New Roots & Escrow" - using indirect crl's ? indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment
dirk, Michael	3. next: strategy for "New Roots & Escrow" - how does debian work? to contact, deferred to next events (?)
Uli, Michael	Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png

Development, Deployment, Discussion

dirk Brian	DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php)	new bug#964 current state: test /account/4.php added to testserver Marcus will do detailed tests on Wed some references added to bug#964 done. proposal patch from Brian rcvd
OAO, Ted	bug #943 change OA admin/assurer text	needs 2nd test -> Fabian, Marc, Alex? / needs 2nd review -> Ted, rejected
uli, Ted	bug #824 Org User cert fix Case study	Organisation User Certificates: Need UI improvement for proper production usage
uli	bug #988 TTP cap form deployment Case study	sneak preview for local testserver deployment only
uli, ted	bug #823 email address removal fix	No warning when removing e-mail address from account that certificates will be revoked checked by 4, needs 2nd review, deploy rejected
inopiae	bug #920 Join - single name only (eg Indonesian)	details under bug number
uli	bug #859 admin console interface	feature request: show activity on an account in the admin interface rejected, certs login doesn't modify "modified" field
All	bug #1034 files to remove from webdb	eg wot/14

Software Assessors: Review 1 / add to cacert-devel, add to testserver

Software-Assessors task

uli

bug #977 admin console text fix

admin console Sysadmin - find domain - lists 2 tables - one for user accounts, one for org accounts, naming issue

Testing

Testers task

gagern	bug #440 Problem with subjectAltName (CSR, renew certs)	There seems to be a problem with the subjectAltName. Dupes, missing entries, and more
neo	bug #922 CAcert application code problem causing missing "certificate about to expire" messages
Ted	bug #835 Assurer challenge (on testserver)	needs testing
Michael	bug #1003 Provide a possibility to regularly review the permissions in the system	also bug #1038 Provide a script for board/tverify reset flags by arbitration a20110118.1
neo	bug #1025 Domain Dispute issue	disputes rc and rc2 var prob

Software Assessors: 2nd Review, Bundle Package to Critical Team

Software-Assessors task

uli, ted	bug #789 OA edit domain fix	Editing domain for organisations does not work new update 2011-09-26 2 tests, needs 2nd review, deploy more fixes, more testing	6
uli	bug #967 OA isassurer check	Give an OA the opportunity to check if a designated Organisation Administrator is a CAcert assurer
neo	bug #978 Invalid SPKAC requests are not properly validated	recheck full certs signing procedures duplicate report to bug#540
Michael	bug #540	p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing uli, marcus: needs full cert create tests duplicate report to bug#978
neo	bug #1024 Assurer flag is not set correctly on updatesort.php run	tested by 4, ok
dirk	bug #1023 Consolidate changes into the Assure Someone page	6.php global re-design project assurance, wot area (Thawte points removal effective)
inopiae	bug #981 OA overview (dupe of bug #943)	New layout of view for Organisation Administrators in account/id35

Software Assessors: Bundle Package to Critical Team

Software-Assessors task

Awaiting Response from Critical Team

CategorySoftwareAssessment

CategorySoftwareAssessment

Software/Assessment/20110705-S-A-MiniTOP (last edited 2011-09-23 00:03:04 by UlrichSchroeter)

Ted	bug #940 (outsource help pages to wiki)
Mawa	bug #943 (replace OA-admin text with OA-Assurer)
Michael	bug #841 (cert login - check issuer source)