Minutes of the MiniTOP on the 2011-07-19

Setting

The MiniTOP will be held via telco 22:00 CEST

Attendees: Dirk, Marcus, Marc, Uli, Michael, Alex

Topics

Action items from last meeting: Meeting Action Items

Agenda

  1. Software Update Cycle - Review 1 - Review 2 workflow
    • Proposal 1 - sequential update cycle Software update cycle

      1. Review 1 to bundle with add to cacert-devel repository and transfer to testserver
      2. Review 2 to bundle with check review 1, testing, bundle package to critical team
    • Proposal 2 - parallel update cycle see pictures under Bugs docu

      1. Fix available
      2. Transfer to Testserver | Review 1 | Review 2
      3. Ready to deploy
    • Other proposals ?
  2. Arbitration case a20110312.1 Weak keys bug #918

    • mail to ted to continue with arb case, adding to thread on arb case
    • Next: script to bulk revoke weak keys, new bug #954

    • in the mailing, the $reason was not included in the mail, nor were the wiki links that had been created for this mailing (see https://lists.cacert.org/wws/arc/cacert-support/2011-06/msg00072.html)

    • Remove Weak Certs is under deployment, testing
    • Weak Certs script testing
    • out of chroot, vulnkey out of chroot
    • set delete date to 1970.. triggers cert revoke routine in client.pl
    • needs review bug #954

    • infos from critical team
  3. annoying gpg bug #911

    • dirk, michael, uli

      annoying bug #911 (gpg expires 1970), activate gpg on testserver ? pickup upcoming weekend ?

      {0}

    • https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00012.html

    • https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00013.html

      1. the key is ok
      2. display on gpg list in webdb displays wrong date
    • increase the priority of this bug (fix the gpg key date displayed in the list), as support receives too many reports
    • 2 potential problem areas
      1. add and sign new gpg key (save to database script results in wrong date)
      2. view gpg keys (read from database)
    • new infos from critical team
      • cacert.gpg expire filled with "1971-01-02 00:00:00"  starting 2010-12-29
        the system upgrade date from Debian Etch (1.4.6-2+etch1) to Debian Lenny (1.4.9-3+lenny1)
        
        The function OpenPGPextractExpiryDate defined and used in CommModule/client.pl
        appears to be relying rather strongly on the ascii formatted output of the
        "gpg -vv keyfile" command. This output has probably changed
  4. Workshop
    1. Review bugs under testing (finished testing?) (Review 2?)
      • bug #835 Assurer challenge (on testserver)

      • bug #827 "Thawte" patch (still running) x1

      • bug #897 transfer text pages to wiki (points system) (T) x3

      • bug #637 weak password x2

      • bug #921 Privacy Policy cleanup

      • bug #948 SMTP protocol bug and fix (T) x3

      • bug #942 CATS import (2)

      • bug #943 change OA admin/assurer text

      • bug #841 Problems on cert login

      • x1 Bug# 827 "Thawte" patch - Points-Count-Order-Change project

            * in testing
            * problems in counting found, missing points
            * new commit by dirk, forwarded by NEO
            * 80 pts counted, 100 countable ... problem
            * new commit by dirk, forwarded by NEO
            * pts problem seems to be solved, assurer challenge needed seems now to be ok
            * Under testing: update
            * Marc: thawte patch problem found 2147483647 assurance pts entered, 15.php displays 2147483647 pts
             * Arbitration: exists values in points? limit 0-150 pts ? or no arbitration ?  (discussion)
            * Next step(s)
      • x2 Bug #637: Weak Passwords

            * Pwd text removed, but reject pwd doesn't work, pwd can be set to weak pwd
            * problem #1 at login, plz change, use old pwd works - fail
            * problem #2 at join
            * to include in ? checkpassword() in includes(general.php) ... add addtl. requirements there ?
            * current: clear password in source code
            * checkpassword() needs rewrite, but this is another issue, first we have to take care about the Fred pwd
            * dictionary is still active grep current-pwd share/userdict
             1. Fred... to add into checkpassword()
             2. checkpassword() to add into login procedure
            * pwd cannot be changed - new Bug# 953 (https://bugs.cacert.org/view.php?id=953) "After change of password change on account.php?id=14 does not meet requirements wrong redirect"
            * SE reset pwd procedure doesn't take care about weak pwd
            * Under testing: update
      • x3 Review bugs under testing (finished testing?), state from last meeting

        • bug #897 transfer text pages to wiki (points system) (T)

          finished testing, ready to deploy

          {+}

          bug #948 SMTP protocol bug and fix (T)

          needs more tests

          {0}

    2. list of unhandled bugs
      1. VBscript, Weak Keys script
      2. Dirk reminder (from last meeting) assure someone patches (checkboxes)

        • Dirk

          DEV: bug #894 problems with check-boxes on website forms (Assure someone) -> a20091118.3

          {0}

      3. Review 1: review, add to cacert-devel, transfer to testserver
  5. ADS Challenge (from last board meeting)
    • new bug #958

    • Update from last board meeting
  6. strategy plans ... next: strategy for "New Roots & Escrow"

    1. idea: using indirect crl's ?
      • 2 crl's needed, one valid, one invalid crl server
      • more infos available ? who ?
        1. build testserver with special certs
        2. Magu, Michael to send instructions for test deployment
      • At the last meeting we defined testing requirements and a potential test scenario
      • Next step(s)
    2. policy group: define requirements
      • multimember escrow method ?
        • needs risk analysis
        • potential candidates ?
          • Marcus to contacted Benedikt, will contact Thomas K
          • Next step(s)
    3. how does debian work ?
      • deferred to Froscon (end of Aug), CCCcamp (around Aug 10th)
  7. AGM reports 2010-2011

    • Software-Assessment project team report started, review
  8. Documentation Bugs.cacert.org Review
    • discussion about states to define, redefine
    • bugs documentation I (bugs handbook)

    • bugs documentation II (to incorporate into the Software-Update-Cycle procedure/documentation)

    • Review, Update
  9. CI (Update)
  10. next meeting: Tuesday, July 26, 2011 22:00

Minutes

  1. Software Update Cycle - Review 1 - Review 2 workflow
    • Proposal 1 - sequential update cycle Software update cycle

      1. Review 1 to bundle with add to cacert-devel repository and transfer to testserver
      2. Review 2 to bundle with check review 1, testing, bundle package to critical team
    • Proposal 2 - parallel update cycle see pictures under Bugs docu

      1. Fix available
      2. Transfer to Testserver | Review 1 | Review 2
      3. Ready to deploy
    • using proposal 2 - 5 aye
  2. annoying gpg bug #911

    • dirk, michael, uli

      annoying bug #911 (gpg expires 1970), activate gpg on testserver ? pickup upcoming weekend ?

      {0}

    • https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00012.html

    • https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00013.html

      1. the key is ok
      2. display on gpg list in webdb displays wrong date
    • increase the priority of this bug (fix the gpg key date displayed in the list), as support receives too many reports
    • 2 potential problem areas
      1. add and sign new gpg key (save to database script results in wrong date)
      2. view gpg keys (read from database)
    • new infos from critical team
      • cacert.gpg expire filled with "1971-01-02 00:00:00"  starting 2010-12-29
        the system upgrade date from Debian Etch (1.4.6-2+etch1) to Debian Lenny (1.4.9-3+lenny1)
        
        The function OpenPGPextractExpiryDate defined and used in CommModule/client.pl
        appears to be relying rather strongly on the ascii formatted output of the
        "gpg -vv keyfile" command. This output has probably changed
    • OpenPGPextractExpiryDate() in client.pl may cause problems
    • client.pl 543 "if ( /^\s*version \d+, created (\d+), md5len 0, sigclass \d+\s*$/ ) " needs to be updated
    • -> sigclass 0x[0-9A-Fa-f]

    • client.pl fix added by Michael
    • /!\ gpg signing to enable on testserver

      • gpg signing authority is there
        gpg --gen-key
        Please select what kind of key you want:
           (1) DSA and Elgamal (default)
           (2) DSA (sign only)
           (5) RSA (sign only)
        Your selection? -> 1
        DSA keypair will have 1024 bits.
        ELG-E keys may be between 1024 and 4096 bits long.
        What keysize do you want? (2048) -> 4096
        Requested keysize is 4096 bits
        Please specify how long the key should be valid.
                 0 = key does not expire
              <n>  = key expires in n days
              <n>w = key expires in n weeks
              <n>m = key expires in n months
              <n>y = key expires in n years
        Key is valid for? (0) -> Enter
        Key does not expire at all
        Is this correct? (y/N) -> y
        You need a user ID to identify your key; the software constructs the user ID
        from the Real Name, Comment and Email Address in this form:
            "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
        
        Real name: -> My Givenname Surname
        Email address: -> my@email.tld
        Comment: 
        You selected this USER-ID:
            "My Givenname Surname <my@email.tld>"
        
        Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? -> o
        You need a Passphrase to protect your secret key.
        
        Enter passphrase: -> enter a passphrase
        Repeat passphrase: -> enter your passphrase
        We need to generate a lot of random bytes. It is a good idea to perform
        some other action (type on the keyboard, move the mouse, utilize the
        disks) during the prime generation; this gives the random number
        generator a better chance to gain enough entropy.
        +++++++++++++++...++++++++++.+++++++++++++++++++++++++.+++++++++++++++++++++++++
        +++++..+++++.++++++++++..++++++++++.+++++++++++++++...++++++++++>++++++++++.<.++
        +++...>++++++++++
        We need to generate a lot of random bytes. It is a good idea to perform
        some other action (type on the keyboard, move the mouse, utilize the
        disks) during the prime generation; this gives the random number
        generator a better chance to gain enough entropy.
        ..+++++.+++++++++++++++....++++++++++.++++++++++.+++++.+++++...++++++++++.++++++
        ++++...++++++++++.+++++.+++++++++++++++.+++++..+++++..++++++++++.+++++++++++++++
        .++++++++++.+++++..+++++++++++++++>+++++.+++++...++++++++++++++++++++.+++++..+++
        ++...+++++....+++++>.+++++>+++++>...+++++.......................................
        ...............................................+++++^^^
        gpg: key 5C68118C marked as ultimately trusted
        public and secret key created and signed.
        
        gpg: checking the trustdb
        gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
        gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
        pub   1024D/5C68118C 2011-07-19
              Key fingerprint = 95F2 D66C 4313 839C 77FD  F374 AAF6 0782 5C68 118C
        uid                  My Givenname Surname <my@email.tld>
        sub   4096g/5C7F1F26 2011-07-19
        
        Export:
        gpg --export --armor>ascii-key-filename.extension
        
        For debugging:
        gpg -v ascii-key-filename.extension
        
        FAQ: problems with middlename, remove middlename
  3. Arbitration case a20110312.1 Weak keys bug #918 / bug #954

    • infos from critical team, no update as Ted didn't attend
    • mailing sent
    • keys revocation script not started
    • not yet published
    • weak keys: problems with cryptostick (to test at Froscon with Juergen ?)

  4. Workshop
    1. Review bugs under testing (finished testing?) (Review 2?)
      • bug #835 Assurer challenge (on testserver)

        • assigned to Ted, set to needs work, CATS to install on ca-mgr1
      • bug #827 "Thawte" patch (still running) x1

        • related bug 959: needs 1 more test, needs 2nd review
        • 2nd review: also check -x
        • tests done, needs 2nd review
      • bug #897 transfer text pages to wiki (points system) (T) x3

        • Michael: to bundle to critical team
      • bug #637 weak password x2

        • needs 2nd review, not Micha, Dirk? Ted?
      • bug #921 Privacy Policy cleanup

        • Marcus: 2nd test
        • Dirk, Ted: 2nd review
      • bug #948 SMTP protocol bug and fix (T) x3

        • wait for 3rd tester ? or deploy?
        • removed space, no function destroyed
        • ready to deploy -> Micha

      • bug #942 CATS import (2)

        • complete re-test because of code changes
          needs further testing:
          a) assuree has 99 pts, assurer challenge passed
             add 1 assurance, -> result has to be 100 pts and is assurer
          b) assuree has 99 pts, assurer challenge not passed
             add 1 assurance -> result has to be 100 pts and NO assurer
          c) add one more 1 pts -> 100 pts, NO assurer
          d) pass assurer challenge -> 100 pts, and IS assurer
          
          e) assuree with 80 pts, challenge passed
             add: temporary points increase
             you need your admin account with boardmember flag
             add temporary increase 20 pts
             => result?  100 pts? is assurer?
      • bug #943 change OA admin/assurer text

        • needs 2nd test -> Fabian, Marc, Alex?

        • needs 2nd review -> Dirk, Ted

      • bug #841 Problems on cert login

        • needs 2nd review
  5. list of unhandled bugs -> dirk to work on following bugs

    1. VBscript, Weak Keys script
    2. Dirk reminder (from last meeting) assure someone patches (checkboxes)

      • Dirk

        DEV: bug #894 problems with check-boxes on website forms (Assure someone) -> a20091118.3

        {0}

  6. fix available
    1. Review 1: review, add to cacert-devel, transfer to testserver
  7. ADS Challenge (from last board meeting)
    • new bug #958

    • Update from last board meeting
    • no more info
  8. strategy plans ... next: strategy for "New Roots & Escrow"

    1. idea: using indirect crl's ?
      • to remind every meeting
  9. Testing
    1. Marcus Nov 2-3 test event Nuernberg
      • software-qs-tag 2011, 2-3 Nov, Nuernberg, www.ix-konferenz.de
    2. Michael: new eclipse version, test tool included, eg web applications
  10. AGM/TeamReports/2011 plz review

  11. Documentation Bugs.cacert.org Review
    • Michael added some pictures
  12. next meeting: Tuesday, July 26, 2011 22:00
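
Added example (not CAcert's client.pl code) for the gpg bug #911 notes in item 2 of the minutes: it runs the pattern quoted there, and a variant following the noted 0x fix, over two constructed listings. The listing lines, the "key expires after" sub-packet shape, the helper names and the fall-back-to-epoch behaviour are assumptions for illustration; accepting both sigclass styles goes slightly beyond the fix noted in the minutes.

```python
import re
from datetime import datetime, timezone

# Pattern quoted in the minutes for client.pl: sigclass as decimal digits only.
OLD_SIG = re.compile(
    r"^\s*version \d+, created (\d+), md5len 0, sigclass \d+\s*$")
# Variant following the fix noted in the minutes (sigclass 0x<hex>); the bare
# digit form is still accepted so listings in either style parse.
NEW_SIG = re.compile(
    r"^\s*version \d+, created (\d+), md5len 0,"
    r" sigclass (?:0x[0-9A-Fa-f]+|\d+)\s*$")
# Assumed shape of the validity sub-packet line (not taken from the page).
EXPIRES = re.compile(r"key expires after (\d+)y(\d+)d(\d+)h(\d+)m")

# Constructed listings; timestamp, key id and lifetime are made up. The
# lifetime is picked so that the epoch fallback lands on the date in the
# minutes; the page does not confirm that this is what client.pl did.
OLD_STYLE = (
    ":signature packet: algo 17, keyid 0000000000000000\n"
    "\tversion 4, created 1293580800, md5len 0, sigclass 13\n"
    "\thashed subpkt 9 len 4 (key expires after 1y1d0h0m)\n")
NEW_STYLE = OLD_STYLE.replace("sigclass 13", "sigclass 0x13")


class ParseError(ValueError):
    """Raised when the listing cannot be interpreted unambiguously."""


def extract_expiry(listing, sig_re, fail_closed=True):
    """Return the expiry as a UTC datetime, or None for a non-expiring key."""
    created = lifetime = None
    for line in listing.splitlines():
        m = sig_re.match(line)
        if m and created is None:
            created = int(m.group(1))
        m = EXPIRES.search(line)
        if m and lifetime is None:
            y, d, h, mins = (int(g) for g in m.groups())
            lifetime = ((y * 365 + d) * 24 + h) * 3600 + mins * 60
    if lifetime is None:
        return None
    if created is None:
        if fail_closed:
            # Refuse to store a date computed from a line we failed to parse.
            raise ParseError("validity found but creation time not matched")
        created = 0  # assumed legacy behaviour: silently fall back to epoch
    return datetime.fromtimestamp(created + lifetime, tz=timezone.utc)


if __name__ == "__main__":
    print(extract_expiry(OLD_STYLE, OLD_SIG))          # parses
    print(extract_expiry(NEW_STYLE, OLD_SIG, False))   # lands in 1971
    print(extract_expiry(NEW_STYLE, NEW_SIG))          # parses again
```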

Fixed Action Items since last or within meeting


Action Items New

Action items: Meeting Action Items

Software/Assessment/ActionItems

  • Marcus

    cap.php review different languages, from meeting 2012-04-24, contact translators

    {+}

    uli

    Experience points for ATE attendance
    check board motions and/or trigger if not yet passed

    {0}

    uli

    Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18
    current state: see Funding Landing Page

    {0}

    All

    1. next: strategy for "New Roots & Escrow" - using indirect crl's ?
    indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment

    {0}

    dirk, Michael

    3. next: strategy for "New Roots & Escrow" - how does debian work?
    to contact, deferred to next events (?)

    {o}

    Uli, Michael

    Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png

    {0}

Development, Deployment, Discussion

  • dirk Brian

    DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php)

    new bug#964
    current state: test /account/4.php added to testserver
    Marcus will do detailed tests on Wed
    some references added to bug#964 done.
    proposal patch from Brian rcvd

    {0}

    OAO, Ted

    bug #943 change OA admin/assurer text

    needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected

    {-}

    uli, Ted

    bug #824 Org User cert fix Case study

    Organisation User Certificates: Need UI improvement for proper production usage

    {0}

    uli

    bug #988 TTP cap form deployment Case study

    sneak preview
    for local testserver deployment only

    {0}

    uli, ted

    bug #823 email address removal fix

    No warning when removing e-mail address from account that certificates will be revoked
    checked by 4, needs 2nd review, deploy
    rejected

    {-}

    inopiae

    bug #920 Join - single name only (eg Indonesian)

    details under bug number

    {0}

    uli

    bug #859 admin console interface

    feature request: show activity on an account in the admin interface
    rejected, certs login doesn't modify "modified" field

    {r}

    All

    bug #1034 files to remove from webdb

    eg wot/14

    {0}

Software Assessors: Review 1 / add to cacert-devel, add to testserver

  • Software-Assessors task

    uli

    bug #977 admin console text fix

    admin console Sysadmin - find domain - lists 2 tables - one for user accounts, one for org accounts, naming issue

    {0}

Testing

  • Testers task

    gagern

    bug #440 Problem with subjectAltName (CSR, renew certs)

    There seems to be a problem with the subjectAltName. Dupes, missing entries, and more

    {0}

    neo

    bug #922 CAcert application code problem causing missing "certificate about to expire" messages

    {0}

    Ted

    bug #835 Assurer challenge (on testserver)

    needs testing

    {0}

    Michael

    bug #1003 Provide a possibility to regularly review the permissions in the system

    also bug #1038 Provide a script for board/tverify reset flags by arbitration a20110118.1

    {0}

    neo

    bug #1025 Domain Dispute issue

    disputes rc and rc2 var prob

    {0}

Software Assessors: 2nd Review, Bundle Package to Critical Team

  • Software-Assessors task

    uli, ted

    bug #789 OA edit domain fix

    Editing domain for organisations does not work
    new update 2011-09-26
    2 tests, needs 2nd review, deploy
    more fixes, more testing

    6 {0}

    uli

    bug #967 OA isassurer check

    Give an OA the opportunity to check if a designated Organisation Administrator is a CAcert assurer

    {0}

    neo

    bug #978 Invalid SPKAC requests are not properly validated

    recheck full certs signing procedures
    duplicate report to bug#540

    {0}

    Michael

    bug #540

    p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
    uli, marcus: needs full cert create tests
    duplicate report to bug#978

    {0}

    neo

    bug #1024 Assurer flag is not set correctly on updatesort.php run

    tested by 4, ok

    {0}

    dirk

    bug #1023 Consolidate changes into the Assure Someone page

    6.php global re-design project
    assurance, wot area (Thawte points removal effective)

    {0}

    inopiae

    bug #981 OA overview (dupe of bug #943)

    New layout of view for Organisation Administrators in account/id35

    {0}

Software Assessors: Bundle Package to Critical Team

  • Software-Assessors task

Awaiting Response from Critical Team



Software/Assessment/20110719-S-A-MiniTOP (last edited 2011-09-23 00:01:44 by UlrichSchroeter)