'''To [[Software|Software]]''' - '''To [[Software/Assessment|Software-Assessment]]''' - '''To [[Software/Assessment/20110712-S-A-MiniTOP|previous meeting]]''' - '''To [[Software/Assessment/20110726-S-A-MiniTOP|next meeting]]'''
----
= Minutes of the MiniTOP on the 2011-07-19 =

== Setting ==
The MiniTOP will be held via telco 22:00 CEST

Attendees: Dirk, Marcus, Marc, Uli, Michael, Alex

== Topics ==
Action items from last meeting: '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''

== Agenda ==
 1. Software Update Cycle - Review 1 - Review 2 workflow
  * Proposal 1 - sequential update cycle [[Software/Assessment/Documentation|Software update cycle]]
   1. Review 1 to bundle with add to cacert-devel repository and transfer to testserver
   1. Review 2 to bundle with check review 1, testing, bundle package to critical team
  * Proposal 2 - parallel update cycle [[Software/Assessment/Documentation/bugs|see pictures under Bugs docu]]
   1. Fix available
   1. Transfer to Testserver | Review 1 | Review 2
   1. Ready to deploy
  * Other proposals?
 1. Arbitration case [[Arbitrations/a20110312.1|a20110312.1]] Weak keys [[https://bugs.cacert.org/view.php?id=918|bug #918]]
  * mail to Ted to continue with arb case, adding to thread on arb case
  * Next: script to bulk revoke weak keys, new [[https://bugs.cacert.org/view.php?id=954|bug #954]]
  * on mailing, the $reason had not been added into the mail, nor the specified wiki links that were created for this mailing (see [[https://lists.cacert.org/wws/arc/cacert-support/2011-06/msg00072.html]])
  * Remove Weak Certs is under deployment, testing
  * Weak Certs script testing
   * out of chroot, vulnkey out of chroot
   * set delete date to 1970 ... triggers cert revoke routine in client.pl
   * needs review [[https://bugs.cacert.org/view.php?id=954|bug #954]]
  * infos from critical team
 1. annoying gpg [[http://bugs.cacert.org/view.php?id=911|bug #911]]
  || dirk, michael, uli || annoying [[http://bugs.cacert.org/view.php?id=911|bug #911]] (gpg expires 1970), activate gpg on testserver? pickup upcoming weekend? || {0} ||
  * [[https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00012.html]]
  * [[https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00013.html]]
   a. the key is ok
   a. display on gpg list in webdb displays wrong date
  * to increase priority of this bug, to fix displaying gpg key date in list, as support receives too many reports
  * 2 potential problem areas
   1. add and sign new gpg key (save to database script results in wrong date)
   1. view gpg keys (read from database)
  * new infos from critical team
  {{{
cacert.gpg expire filled with "1971-01-02 00:00:00" starting 2010-12-29, the system upgrade date from Debian Etch (1.4.6-2+etch1) to Debian Lenny (1.4.9-3+lenny1)

The function OpenPGPextractExpiryDate defined and used in CommModule/client.pl appears to be relying rather strongly on the ascii formatted output of the "gpg -vv keyfile" command. This output has probably changed
}}}
 1. Workshop
  1. Review bugs under testing (finished testing?) (Review 2?)
   * [[https://bugs.cacert.org/view.php?id=835|bug #835]] Assurer challenge (on testserver)
   * [[https://bugs.cacert.org/view.php?id=827|bug #827]] "Thawte" patch (still running) x^1^
   * [[https://bugs.cacert.org/view.php?id=897|bug #897]] transfer text pages to wiki (points system) (T) x^3^
   * [[https://bugs.cacert.org/view.php?id=637|bug #637]] weak password x^2^
   * [[https://bugs.cacert.org/view.php?id=921|bug #921]] Privacy Policy cleanup
   * [[https://bugs.cacert.org/view.php?id=948|bug #948]] SMTP protocol bug and fix (T) x^3^
   * [[https://bugs.cacert.org/view.php?id=942|bug #942]] CATS import (2)
   * [[https://bugs.cacert.org/view.php?id=943|bug #943]] change OA admin/assurer text
   * [[https://bugs.cacert.org/view.php?id=841|bug #841]] Problems on cert login
   * x^1^ [[https://bugs.cacert.org/view.php?id=827|Bug #827]] "Thawte" patch - Points-Count-Order-Change project
   {{{
 * in testing
 * problems in counting found, missing points
 * new commit by dirk, forwarded by NEO
 * 80 pts counted, 100 countable ... problem
 * new commit by dirk, forwarded by NEO
 * pts problem seems to be solved, assurer challenge needed seems now to be ok
 * Under testing: update
 * Marc: thawte patch problem found: 2147483647 assurance pts entered, 15.php displays 2147483647 pts
 * Arbitration: exists values in points? limit 0-150 pts? or no arbitration? (discussion)
 * Next step(s)
}}}
   * x^2^ [[https://bugs.cacert.org/view.php?id=637|Bug #637]]: Weak Passwords
   {{{
 * Pwd text removed, but reject pwd doesn't work, pwd can be set to weak pwd
 * problem #1 at login, plz change, use old pwd works - fail
 * problem #2 at join
 * to include in? checkpassword() in includes (general.php) ... add addtl. requirements there?
 * current: clear password in source code
 * checkpassword() needs rewrite, but this is another issue, first we have to take care about the Fred pwd
 * dictionary is still active: grep current-pwd share/userdict
 1. Fred... to add into checkpassword()
 1. checkpassword() to add into login procedure
 * pwd cannot be changed - new [[https://bugs.cacert.org/view.php?id=953|Bug #953]] "After change of password change on account.php?id=14 does not meet requirements wrong redirect"
 * SE reset pwd procedure doesn't take care about weak pwd
 * Under testing: update
}}}
   * x^3^ Review bugs under testing (finished testing?), state from last meeting
   || [[https://bugs.cacert.org/view.php?id=897|bug #897]] transfer text pages to wiki (points system) (T) || finished testing, ready to deploy || {+} ||
   || [[https://bugs.cacert.org/view.php?id=948|bug #948]] SMTP protocol bug and fix (T) || needs more tests || {0} ||
  1. list of unhandled bugs
  1. VBscript, Weak Keys script
   || dirk || DEV: [[Arbitrations/a20110312.1|a20110312.1]] [[https://bugs.cacert.org/view.php?id=918|bug #918]] Weak keys: /pages/account/.. 4.php, 17.php to combine? (/includes/keygen.php) '''DEV''' || {-} ||
   * vbscript needs to be improved with select box key size and lower limit to 2048 (based on [[https://wiki.mozilla.org/CA:MD5and1024]])
   * Api CertEnroll (MS crypto provider)
  1. Dirk '''reminder''' (from last meeting) assure someone patches (checkboxes)
   || Dirk || DEV: [[https://bugs.cacert.org/view.php?id=894|bug #894]] problems with check-boxes on website forms (Assure someone) -> [[Arbitrations/a20091118.3|a20091118.3]] || {0} ||
  1. Review 1: review, add to cacert-devel, transfer to testserver
   || ? || [[https://bugs.cacert.org/view.php?id=955|bug #955]] Possibility to change the sorting order for the organisation overview || {0} ||
   || ? || [[https://bugs.cacert.org/view.php?id=957|bug #957]] Resize the comment field on [[https://secure.cacert.org/account.php?id=27]] so more information is visible || {0} ||
  1. ADS Challenge (from last board meeting)
   * new [[https://bugs.cacert.org/view.php?id=958|bug #958]]
   * Update from last board meeting
  1. strategy plans ... next: strategy for "New Roots & Escrow"
   1. idea: using indirect CRLs?
    * 2 CRLs needed, one valid, one invalid CRL server
    * more infos available? who?
   1. build testserver with special certs
   1. Magu, Michael to send instructions for test deployment
    * indirect CRL: RFC 5280 [[http://tools.ietf.org/html/rfc5280]] (chapter 5)
    * Last meeting we've defined testing requirements and a potential test scenario
    * Next step(s)
   1. policy group: define requirements
    * multimember escrow method?
    * needs risk analysis
    * potential candidates?
    * Marcus contacted Benedikt, will contact Thomas K
    * Next step(s)
   1. how does Debian work?
    * deferred to Froscon (end of Aug), CCCcamp (around Aug 10th)
 1. [[AGM/TeamReports/2011#Software-Assessment-Project|AGM reports 2010-2011]]
  * Software-Assessment project team report started, review
 1. Documentation Bugs.cacert.org Review
  * discussion about states to define, redefine
  * bugs documentation I ([[Software/Assessment/Documentation/bugs|bugs handbook]])
  * bugs documentation II (to incorporate into the [[Software/Assessment/Documentation|Software-Update-Cycle]] procedure/documentation)
  * Review, Update
 1. CI (Update)
 1. next meeting: Tuesday, July 26, 2011 22:00

== Minutes ==
 1. Software Update Cycle - Review 1 - Review 2 workflow
  * Proposal 1 - sequential update cycle [[Software/Assessment/Documentation|Software update cycle]]
   1. Review 1 to bundle with add to cacert-devel repository and transfer to testserver
   1. Review 2 to bundle with check review 1, testing, bundle package to critical team
  * Proposal 2 - parallel update cycle [[Software/Assessment/Documentation/bugs|see pictures under Bugs docu]]
   1. Fix available
   1. Transfer to Testserver | Review 1 | Review 2
   1. Ready to deploy
  * using proposal 2 - 5 aye
 1. annoying gpg [[http://bugs.cacert.org/view.php?id=911|bug #911]]
  || dirk, michael, uli || annoying [[http://bugs.cacert.org/view.php?id=911|bug #911]] (gpg expires 1970), activate gpg on testserver? pickup upcoming weekend? || {0} ||
  * [[https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00012.html]]
  * [[https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00013.html]]
   a. the key is ok
   a. display on gpg list in webdb displays wrong date
  * to increase priority of this bug, to fix displaying gpg key date in list, as support receives too many reports
  * 2 potential problem areas
   1. add and sign new gpg key (save to database script results in wrong date)
   1. view gpg keys (read from database)
  * new infos from critical team
  {{{
cacert.gpg expire filled with "1971-01-02 00:00:00" starting 2010-12-29, the system upgrade date from Debian Etch (1.4.6-2+etch1) to Debian Lenny (1.4.9-3+lenny1)

The function OpenPGPextractExpiryDate defined and used in CommModule/client.pl appears to be relying rather strongly on the ascii formatted output of the "gpg -vv keyfile" command. This output has probably changed
}}}
  * OpenPGPextractExpiryDate() in client.pl may cause problems
  * client.pl line 543 {{{if ( /^\s*version \d+, created (\d+), md5len 0, sigclass \d+\s*$/ )}}} needs an update
   * -> sigclass 0x[0-9A-Fa-f]
  * client.pl fix added by Michael
  * /!\ gpg signing to enable on testserver
  * gpg signing authority is there
  {{{
gpg --gen-key
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? -> 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) -> 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) -> Enter
Key does not expire at all
Is this correct? (y/N) -> y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: -> My Givenname Surname
Email address: -> my@email.tld
Comment:
You selected this USER-ID:
    "My Givenname Surname <my@email.tld>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? -> o
You need a Passphrase to protect your secret key.

Enter passphrase: -> enter a passphrase
Repeat passphrase: -> enter your passphrase
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++...++++++++++.+++++++++++++++++++++++++.+++++++++++++++++++++++++
+++++..+++++.++++++++++..++++++++++.+++++++++++++++...++++++++++>++++++++++.<.++
+++...>++++++++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++.+++++++++++++++....++++++++++.++++++++++.+++++.+++++...++++++++++.++++++
++++...++++++++++.+++++.+++++++++++++++.+++++..+++++..++++++++++.+++++++++++++++
.++++++++++.+++++..+++++++++++++++>+++++.+++++...++++++++++++++++++++.+++++..+++
++...+++++....+++++>.+++++>+++++>...+++++.......................................
...............................................+++++^^^
gpg: key 5C68118C marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/5C68118C 2011-07-19
      Key fingerprint = 95F2 D66C 4313 839C 77FD F374 AAF6 0782 5C68 118C
uid                  My Givenname Surname <my@email.tld>
sub   4096g/5C7F1F26 2011-07-19

Export:
gpg --export --armor > ascii-key-filename.extension

For debugging:
gpg -v ascii-key-filename.extension

FAQ: problems with middlename, remove middlename
}}}
 1. Arbitration case [[Arbitrations/a20110312.1|a20110312.1]] Weak keys [[https://bugs.cacert.org/view.php?id=918|bug #918]] / [[https://bugs.cacert.org/view.php?id=954|bug #954]]
  * infos from critical team: no update as Ted didn't attend
  * mailing sent
  * keys revocation script not started
  * not yet published
  * weak keys: problems with cryptostick (to test at [[events/FrOSCon2011|Froscon]] with Juergen?)
 1. Workshop
  1. Review bugs under testing (finished testing?) (Review 2?)
   * [[https://bugs.cacert.org/view.php?id=835|bug #835]] Assurer challenge (on testserver)
    * assigned to Ted, set to needs work, CATS to install on ca-mgr1
   * [[https://bugs.cacert.org/view.php?id=827|bug #827]] "Thawte" patch (still running) x^1^
    * related bug 959: needs 1 more test, needs 2nd review
    * 2nd review: also check -x
    * tests done, needs 2nd review
   * [[https://bugs.cacert.org/view.php?id=897|bug #897]] transfer text pages to wiki (points system) (T) x^3^
    * Michael: to bundle to critical team
   * [[https://bugs.cacert.org/view.php?id=637|bug #637]] weak password x^2^
    * needs 2nd review, not Micha; Dirk? Ted?
   * [[https://bugs.cacert.org/view.php?id=921|bug #921]] Privacy Policy cleanup
    * Marcus: 2nd test
    * Dirk, Ted: 2nd review
   * [[https://bugs.cacert.org/view.php?id=948|bug #948]] SMTP protocol bug and fix (T) x^3^
    * wait for 3rd tester? or deploy?
    * removed space, no function destroyed
    * ready to deploy -> Micha
   * [[https://bugs.cacert.org/view.php?id=942|bug #942]] CATS import (2)
    * complete re-test because of code changes
    {{{
needs further testing:
a) assuree has 99 pts, assurer challenge passed
   add 1 assurance -> result has to be 100 pts and is assurer
b) assuree has 99 pts, assurer challenge not passed
   add 1 assurance -> result has to be 100 pts and NO assurer
c) add one more 1 pts -> 100 pts, NO assurer
d) pass assurer challenge -> 100 pts, and IS assurer
e) assuree with 80 pts, challenge passed
   add: temporary points increase
   you need your admin account with boardmember flag
   add temporary increase 20 pts => result? 100 pts? is assurer?
}}}
   * [[https://bugs.cacert.org/view.php?id=943|bug #943]] change OA admin/assurer text
    * needs 2nd test -> Fabian, Marc, Alex?
    * needs 2nd review -> Dirk, Ted
   * [[https://bugs.cacert.org/view.php?id=841|bug #841]] Problems on cert login
    * needs 2nd review
  1. list of unhandled bugs -> dirk to work on following bugs
  1. VBscript, Weak Keys script
   || dirk || DEV: [[Arbitrations/a20110312.1|a20110312.1]] [[https://bugs.cacert.org/view.php?id=918|bug #918]] Weak keys: /pages/account/.. 4.php, 17.php to combine? (/includes/keygen.php) '''DEV''' || {-} ||
   * vbscript needs to be improved with select box key size and lower limit to 2048 (based on [[https://wiki.mozilla.org/CA:MD5and1024]])
   * Api CertEnroll (MS crypto provider)
  1. Dirk '''reminder''' (from last meeting) assure someone patches (checkboxes)
   || Dirk || DEV: [[https://bugs.cacert.org/view.php?id=894|bug #894]] problems with check-boxes on website forms (Assure someone) -> [[Arbitrations/a20091118.3|a20091118.3]] || {0} ||
  1. fix available
  1. Review 1: review, add to cacert-devel, transfer to testserver
   || ? || [[https://bugs.cacert.org/view.php?id=955|bug #955]] Possibility to change the sorting order for the organisation overview || {0} ||
   || ? || [[https://bugs.cacert.org/view.php?id=957|bug #957]] Resize the comment field on [[https://secure.cacert.org/account.php?id=27]] so more information is visible || {0} ||
  1. ADS Challenge (from last board meeting)
   * new [[https://bugs.cacert.org/view.php?id=958|bug #958]]
   * Update from last board meeting
   * no more info
  1. strategy plans ... next: strategy for "New Roots & Escrow"
   1. idea: using indirect CRLs?
    * to remind every meeting
 1. Testing
  a. Marcus: Nov 2-3 test event Nuernberg
   * software-qs-tag 2011, 2-3 Nov, Nuernberg, www.ix-konferenz.de
  a. Michael: new eclipse version, test tool included, e.g. for web applications
   * you click the tasks to do within the framework, no programming
   * [[http://live.eclipse.org/node/1031|description to eclipse testpage]]
 1. [[AGM/TeamReports/2011]] plz review
 1. Documentation Bugs.cacert.org Review
  * Michael added some pictures
 1. next meeting: Tuesday, July 26, 2011 22:00

==== Fixed Action Items since last or within meeting ====
|| Michael, Ted, Uli, Marcus || bugs documentation I ([[Software/Assessment/Documentation/bugs|bugs handbook]])<<BR>>bugs documentation II (to incorporate into the [[Software/Assessment/Documentation|Software-Update-Cycle]] procedure/documentation) || {g} ||
|| dirk, michael, uli || annoying [[http://bugs.cacert.org/view.php?id=911|bug #911]] (gpg expires 1970), activate gpg on testserver? pickup upcoming weekend? || {g} ||
----
==== Action Items New ====
|| Michael || weak keys: problems with cryptostick, to test at [[events/FrOSCon2011|Froscon]] with Juergen? || {b} ||
|| Dirk || ADS Challenge (from last board meeting), [[https://bugs.cacert.org/view.php?id=958|bug #958]], update from last board meeting, no more info, on hold till further infos available, dirk to receive response from board || {b} ||
|| Marcus || Nov 2-3 test event Nuernberg, software-qs-tag 2011, 2-3 Nov, Nuernberg, www.ix-konferenz.de, check for infos, attendance? || {0} ||
|| Michael || new eclipse version, test tool included, e.g. for web applications, [[http://live.eclipse.org/node/1031|description to eclipse testpage]] (add to CI project?) || {0} ||
|| All || [[AGM/TeamReports/2011#Software-Assessment-Project|AGM team report]] review || {0} ||
|| Tester || annoying [[http://bugs.cacert.org/view.php?id=911|bug #911]] (gpg expires 1970) || {0} ||

Action items: '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''
----
CategorySoftwareAssessment
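Added example (not code from client.pl or the CAcert project) for the bug #911 parsing problem recorded in the minutes: the Perl pattern quoted from client.pl line 543 and the updated "sigclass 0x..." form are rendered in Python and run against a constructed gpg -vv style packet dump. The key id, the created timestamp and the decimal "sigclass 19" line are made up; the decimal line only shows the form the old pattern was written for.

```python
import re
from datetime import datetime, timezone

# Pattern quoted in the minutes from CommModule/client.pl (line 543): the
# signature class is expected as a plain decimal number.
OLD_PATTERN = re.compile(
    r"^\s*version \d+, created (\d+), md5len 0, sigclass \d+\s*$")

# Updated pattern from the minutes: gpg on Lenny prints the class in hex
# with a 0x prefix ("sigclass 0x13"), so the old pattern never matches.
NEW_PATTERN = re.compile(
    r"^\s*version \d+, created (\d+), md5len 0, sigclass 0x[0-9A-Fa-f]+\s*$")

# Constructed sample of a "gpg -vv keyfile" packet dump (keyid and
# timestamp are made up); 1311105600 is 2011-07-19 20:00:00 UTC.
LENNY_DUMP = """\
:public key packet:
\tversion 4, algo 17, created 1311105600, expires 0
:signature packet: algo 17, keyid 0000000000000000
\tversion 4, created 1311105600, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest ab cd
"""

# The same signature line in the decimal form the old pattern expects (constructed).
OLD_STYLE_LINE = "\tversion 4, created 1311105600, md5len 0, sigclass 19\n"


def extract_created(dump, pattern=NEW_PATTERN):
    """Return the 'created' epoch seconds of the first signature line
    matching `pattern`, or None when nothing matches (the bug #911 case)."""
    for line in dump.splitlines():
        m = pattern.match(line)
        if m:
            return int(m.group(1))
    return None


def created_date(dump, pattern=NEW_PATTERN):
    """ISO date of the signature's creation. Raises instead of quietly
    producing an epoch-based date when the gpg output cannot be parsed."""
    created = extract_created(dump, pattern)
    if created is None:
        raise ValueError("no signature packet line matched; gpg output format changed?")
    return datetime.fromtimestamp(created, timezone.utc).date().isoformat()


if __name__ == "__main__":
    print("old pattern on Lenny output:", extract_created(LENNY_DUMP, OLD_PATTERN))  # None
    print("new pattern on Lenny output:", created_date(LENNY_DUMP))  # 2011-07-19
```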