To Software Software - To Software-Assessment - Software/Assessment - To previous meeting - To next meeting
Minutes of the MiniTOP on the 2011-07-12
Setting
The MiniTOP will be held via telco 22:00 CEST
Attendees: Marcus, dirk, Uli, Alex, Michael, Ted
Topics
(skip to agenda)
Action items from last meeting Meeting Action Items
Agenda
- Software Assessors Patch Reviews - working session in meeting and State Testserver Update, Current Patches on Testserver, current running Arbitrations:
- Workshop
Dirk reminder (from last meeting) assure someone patches (checkboxes)
- Review 1: review, add to cacert-devel, transfer to testserver
- VBscript, Weak Keys script
dirk
DEV: a20110312.1 bug#918 Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV
vbscript needs to be improved with select box key size and lower limit to 2048 (based on https://wiki.mozilla.org/CA:MD5and1024)
Api CertEnroll (MS crypto provider)
annoying gpg bug #911
dirk, michael, uli
annoying bug #911 (gpg expires 1970), activate gpg on testserver ? pickup upcoming weekend ?
https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00012.html
https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00013.html
- the key is ok
- display on gpg list in webdb displays wrong date
- to increase priority of this bug, to fix displaying gpg key date in list as too many reports receives support
- 2 potential propblem areas
- add and sign new gpg key (save to database script results in wrong date)
- view gpg keys (read from database)
- To discuss (the list of unhandled patches)
Arbitration case a20110312.1 Weak keys bug #918
- mail to ted to continue with arb case, adding to thread on arb case
Next: script to bulk revoke weak keys, new bug #954
on mailing the $reason had not been added into the mail, nor the specified wiki links, that were created for this mailing (see https://lists.cacert.org/wws/arc/cacert-support/2011-06/msg00072.html)
- Remove Weak Certs is under deployment, testing
Arbitration case a20110419.1 Bug #637: Weak Passwords
- Pwd text removed, but reject pwd doesn't work, pwd can be set to weak pwd
- problem #1 at login, plz change, use old pwd works - fail
- problem #2 at join
- to include in ? checkpassword() in includes(general.php) ... add addtl. requirements there ?
- current: clear password in source code
- checkpassword() needs rewrite, but this is another issue, first we have to take care about the Fred pwd
- dictionary is still active grep current-pwd share/userdict
- Fred... to add into checkpassword()
- checkpassword() to add into login procedure
pwd cannot be changed - new Bug# 953 "After change of password change on account.php?id=14 does not meet requirements wrong redirect"
- SE reset pwd procedure doesn't take care about weak pwd
- Under testing: update
"Thawte" patch Bug# 827 Points-Count-Order-Change project
- in testing
- problems in counting found, missing points
- new commit by dirk, forwarded by NEO
- 80 pts counted, 100 countable ... problem
- new commit by dirk, forwarded by NEO
- pts problem seems to be solved, assurer challenge needed seems now to be ok
- Under testing: update
- Marc: thawte patch problem found 2147483647 assurance pts entered, 15.php displays 2147483647 pts
- Arbitration: exists values in points? limit 0-150 pts ? or no arbitration ? (discussion)
- Next step(s)
- Review bugs under testing (finished testing?)
bug #835 Assurer challenge (on testserver)
bug #827 "Thawte" patch (still running)
bug #897 transfer text pages to wiki (points system) (T)
bug #637 weak password
bug #921 Privacy Policy cleanup
bug #948 SMTP protocol bug and fix (T)
bug #942 CATS import (2)
bug #943 change OA admin/assurer text
bug #841 Problems on cert login
- Workshop
- Software-Assessment project team report started, review
strategy plans ... next: strategy for "New Roots & Escrow"
- idea: using indirect crl's ?
- 2 crl's needed, one valid, one invalid crl server
- more infos available ? who ?
- build testserver with special certs
- Magu, Michael to send instructions for test deployment
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5)
- Last meeting we've defined Testing requirements and a potential testszenario
- Next step(s)
- policy group: define requirements
- multimember escrow method ?
- needs risk analyze
- potential candidates ?
- Marcus to contacted Benedikt, will contact Thomas K
- Next step(s)
- multimember escrow method ?
- how does debian work ?
- defered to Froscon (end of Aug), CCCcamp (around Aug 10th)
- idea: using indirect crl's ?
- Documentation
- Bugs.cacert.org
- discussion about states to define, redefine
bugs documentation I (bugs handbook)
bugs documentation II (to incorporate into the Software-Update-Cycle procedure/documentation)
- Review, Update
- Bugs.cacert.org
- CI (Update)
- next meeting: Tuesday, July 19, 2011 22:00
Minutes
1. Arbitration case a20110312.1 Weak keys bug #918
- mail to ted to continue with arb case, adding to thread on arb case
Next: script to bulk revoke weak keys, new bug #954
on mailing the $reason had not been added into the mail, nor the specified wiki links, that were created for this mailing (see https://lists.cacert.org/wws/arc/cacert-support/2011-06/msg00072.html)
- Remove Weak Certs is under deployment, testing
- Weak Certs script testing
- out of chroot, vulnkey out of chroot
- set delete date to 1970.. triggers cert revoke routine in client.pl
needs review bug #954
- adwards from last board meeting
- ads will only displayed in logout mode
- http vs https mode ?
- googleads doesn't work with https
- question from dirk: to add ads only on http or also under https ? login mode too ?
new bug #958
- Workshop - Review patches
- Review 1: review, add to cacert-devel, transfer to testserver
- Review 1: review, add to cacert-devel, transfer to testserver
AGM reports 2010-2011 for review
- Review bugs under testing (finished testing?)
- next meeting: Tuesday, July 19, 2011 22:00
Fixed Action Items since last or within meeting
Michael
bug #959 add points bug
All
bugs for review 1: if unhandled before next meeting to handle under working session within next meeting
Michael, Dirk, Ted
New bug fixes: review, add to cacert-devel, transfer to testserver REVIEW 1
bug #940 (outsource help pages to wiki) Michael, Dirk, Ted, Mawa
bug #953 (change pwd routine, text changes only) REVIEW 1
Software Assessors Review 1
Action Items New
Action items: Meeting Action Items
Software/Assessment/ActionItems
Marcus
cap.php review different languages, from meeting 2012-04-24, contact translators
uli
Experience points for ATE attendance
check board motions and/or trigger if not yet passed uli
Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18
current state: see Funding Landing Page All
1. next: strategy for "New Roots & Escrow" - using indirect crl's ?
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment dirk, Michael
3. next: strategy for "New Roots & Escrow" - how does debian work?
to contact, deferred to next events (?)
Uli, Michael
Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png
Development, Deployment, Discussion
dirk Brian
DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php)
new bug#964
current state: test /account/4.php added to testserver
Marcus will do detailed tests on Wed
some references added to bug#964 done.
proposal patch from Brian rcvd OAO, Ted
bug #943 change OA admin/assurer text
needs 2nd test -> Fabian, Marc, Alex?
/ needs 2nd review -> Ted, rejected uli, Ted
bug #824 Org User cert fix Case study
Organisation User Certificates: Need UI improvement for proper production usage
uli
bug #988 TTP cap form deployment Case study
sneak preview
for local testserver deployment only uli, ted
bug #823 email address removal fix
No warning when removing e-mail address from account that certificates will be revoked
checked by 4, needs 2nd review, deploy
rejected inopiae
bug #920 Join - single name only (eg Indonesian)
details under bug number
uli
bug #859 admin console interface
feature request: show activity on an account in the admin interface
rejected, certs login doesn't modify "modified" field All
bug #1034 files to remove from webdb
eg wot/14
Software Assessors: Review 1 / add to cacert-devel, add to testserver
Software-Assessors task
uli
bug #977 admin console text fix
admin console Sysadmin - find domain - lists 2 tables - one for user accounts, one for org accounts, naming issue
Testing
Testers task
gagern
bug #440 Problem with subjectAltName (CSR, renew certs)
There seems to be a problem with the subjectAltName. Dupes, missing entries, and more
neo
bug #922 CAcert application code problem causing missing "certificate about to expire" messages
Ted
bug #835 Assurer challenge (on testserver)
needs testing
Michael
bug #1003 Provide a possibility to regularly review the permissions in the system
also bug #1038 Provide a script for board/tverify reset flags by arbitration a20110118.1
neo
bug #1025 Domain Dispute issue
disputes rc and rc2 var prob
Software Assessors: 2nd Review, Bundle Package to Critical Team
Software-Assessors task
uli, ted
bug #789 OA edit domain fix
Editing domain for organisations does not work
new update 2011-09-26
2 tests, needs 2nd review, deploy
more fixes, more testing6
uli
bug #967 OA isassurer check
Give an OA the opportunity to check if a designated Organisation Administrator is a CAcert assurer
neo
bug #978 Invalid SPKAC requests are not properly validated
recheck full certs signing procedures
duplicate report to bug#540 Michael
p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
uli, marcus: needs full cert create tests
duplicate report to bug#978 neo
bug #1024 Assurer flag is not set correctly on updatesort.php run
tested by 4, ok
dirk
bug #1023 Consolidate changes into the Assure Someone page
6.php global re-design project
assurance, wot area (Thawte points removal effective) inopiae
New layout of view for Organisation Administrators in account/id35
Software Assessors: Bundle Package to Critical Team
Software-Assessors task
Awaiting Response from Critical Team