Minutes of the MiniTOP on the 2011-07-19

Setting

The MiniTOP will be held via telco 22:00 CEST

Attendees: Dirk, Marcus, Marc, Uli, Michael, Alex

Topics

(skip to agenda)

Action items from last meeting Meeting Action Items

Agenda

  1. Software Update Cycle - Review 1 - Review 2 workflow

    • Proposal 1 - sequential update cycle Software update cyle

      1. Review 1 to bundle with add to cacert-devel repository and transfer to testserver
      2. Review 2 to bundle with check review 1, testing, bundle package to critical team

    • Proposal 2 - parallel update cycle see pictures under Bugs docu

      1. Fix available
      2. Transfer to Testserver | Review 1 | Review 2
      3. Ready to deploy
    • Other proposals ?

  2. Arbitration case a20110312.1 Weak keys bug #918

    • mail to ted to continue with arb case, adding to thread on arb case

    • Next: script to bulk revoke weak keys, new bug #954

    • on mailing the $reason had not been added into the mail, nor the specified wiki links, that were created for this mailing (see https://lists.cacert.org/wws/arc/cacert-support/2011-06/msg00072.html)

    • Remove Weak Certs is under deployment, testing
    • Weak Certs script testing
    • out of chroot, vulnkey out of chroot
    • set delete date to 1970.. triggers cert revoke routine in client.pl

    • needs review bug #954

    • infos from critical team

  3. annoying gpg bug #911

    • dirk, michael, uli

      annoying bug #911 (gpg expires 1970), activate gpg on testserver ? pickup upcoming weekend ?

      {0}

    • https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00012.html

    • https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00013.html

      1. the key is ok
      2. display on gpg list in webdb displays wrong date
    • to increase priority of this bug, to fix displaying gpg key date in list as too many reports receives support
    • 2 potential propblem areas
      1. add and sign new gpg key (save to database script results in wrong date)
      2. view gpg keys (read from database)
    • new infos from critical team 
      • cacert.gpg expire filled with "1971-01-02 00:00:00"  starting 2010-12-29
the system upgrade date from Debian Etch (1.4.6-2+etch1) to Debian Lenny (1.4.9-3+lenny1)

The function OpenPGPextractExpiryDate defined and used in CommModule/client.pl
appears to be relying rather strongly on the ascii formatted output of the
"gpg -vv keyfile" command. This output has probably changed
  4. Workshop
    1. Review bugs under testing (finished testing?) (Review 2?)

      • bug #835 Assurer challenge (on testserver)

      • bug #827 "Thawte" patch (still running) x1

      • bug #897 transfer text pages to wiki (points system) (T) x3

      • bug #637 weak password x2

      • bug #921 Privacy Policy cleanup

      • bug #948 SMTP protocol bug and fix (T) x3

      • bug #942 CATS import (2)

      • bug #943 change OA admin/assurer text

      • bug #841 Problems on cert login

      • x1 Bug# 827 "Thawte" patch - Points-Count-Order-Change project 

            * in testing
    * problems in counting found, missing points
    * new commit by dirk, forwarded by NEO
    * 80 pts counted, 100 countable ... problem
    * new commit by dirk, forwarded by NEO
    * pts problem seems to be solved, assurer challenge needed seems now to be ok
    * Under testing: update
    * Marc: thawte patch problem found 2147483647 assurance pts entered, 15.php displays 2147483647 pts
     * Arbitration: exists values in points? limit 0-150 pts ? or no arbitration ?  (discussion)
    * Next step(s)

      • x2 Bug #637: Weak Passwords 

            * Pwd text removed, but reject pwd doesn't work, pwd can be set to weak pwd
    * problem #1 at login, plz change, use old pwd works - fail
    * problem #2 at join
    * to include in ? checkpassword() in includes(general.php) ... add addtl. requirements there ?
    * current: clear password in source code
    * checkpassword() needs rewrite, but this is another issue, first we have to take care about the Fred pwd
    * dictionary is still active grep current-pwd share/userdict
     1. Fred... to add into checkpassword()
     1. checkpassword() to add into login procedure
    * pwd cannot be changed - new [[https://bugs.cacert.org/view.php?id=953|Bug# 953]] "After change of password change on account.php?id=14 does not meet requirements wrong redirect"
    * SE reset pwd procedure doesn't take care about weak pwd
    * Under testing: update

      • x3 Review bugs under testing (finished testing?), state from last meeting

        • bug #897 transfer text pages to wiki (points system) (T)

          finished testing, ready to deploy

          {+}

          bug #948 SMTP protocol bug and fix (T)

          needs more tests

          {0}

    2. list of unhandled bugs
      1. VBscript, Weak Keys script

      2. Dirk reminder (from last meeting) assure someone patches (checkboxes)

        • Dirk

          DEV: bug #894 problems with check-boxes on website forms (Assure someone) -> a20091118.3

          {0}

      3. Review 1: review, add to cacert-devel, transfer to testserver
  5. ADS Challenge (from last board meeting)

    • new bug #958

    • Update from last board meeting

  6. strategy plans ... next: strategy for "New Roots & Escrow"

    1. idea: using indirect crl's ?
      • 2 crl's needed, one valid, one invalid crl server
      • more infos available ? who ?
        1. build testserver with special certs
        2. Magu, Michael to send instructions for test deployment
      • Last meeting we've defined Testing requirements and a potential testszenario
      • Next step(s)
    2. policy group: define requirements
      • multimember escrow method ?
        • needs risk analyze
        • potential candidates ?
          • Marcus to contacted Benedikt, will contact Thomas K
          • Next step(s)
    3. how does debian work ?
      • defered to Froscon (end of Aug), CCCcamp (around Aug 10th)

  7. AGM reports 2010-2011

    • Software-Assessment project team report started, review
  8. Documentation Bugs.cacert.org Review
    • discussion about states to define, redefine

    • bugs documentation I (bugs handbook)

    • bugs documentation II (to incorporate into the Software-Update-Cycle procedure/documentation)

    • Review, Update
  9. CI (Update)
  10. next meeting: Tuesday, July 26, 2011 22:00

Minutes

  1. Software Update Cycle - Review 1 - Review 2 workflow

    • Proposal 1 - sequential update cycle Software update cyle

      1. Review 1 to bundle with add to cacert-devel repository and transfer to testserver
      2. Review 2 to bundle with check review 1, testing, bundle package to critical team

    • Proposal 2 - parallel update cycle see pictures under Bugs docu

      1. Fix available
      2. Transfer to Testserver | Review 1 | Review 2
      3. Ready to deploy
    • using proposal 2 - 5 aye

  2. annoying gpg bug #911

    • dirk, michael, uli

      annoying bug #911 (gpg expires 1970), activate gpg on testserver ? pickup upcoming weekend ?

      {0}

    • https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00012.html

    • https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00013.html

      1. the key is ok
      2. display on gpg list in webdb displays wrong date
    • to increase priority of this bug, to fix displaying gpg key date in list as too many reports receives support
    • 2 potential propblem areas
      1. add and sign new gpg key (save to database script results in wrong date)
      2. view gpg keys (read from database)
    • new infos from critical team 
      • cacert.gpg expire filled with "1971-01-02 00:00:00"  starting 2010-12-29
the system upgrade date from Debian Etch (1.4.6-2+etch1) to Debian Lenny (1.4.9-3+lenny1)

The function OpenPGPextractExpiryDate defined and used in CommModule/client.pl
appears to be relying rather strongly on the ascii formatted output of the
"gpg -vv keyfile" command. This output has probably changed
    • OpenPGPextractExpiryDate() in client.pl may cause problems
    • client.pl 543 "if ( /^\s*version \d+, created (\d+), md5len 0, sigclass \d+\s*$/ ) " needs updated

    • -> sigclass 0x[0-9A-Fa-f]

    • client.pl fix added by Michael

    • /!\ gpg signing to enable on testserver

      • gpg signing authority is there 
        gpg --gen-key
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? -> 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) -> 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) -> Enter
Key does not expire at all
Is this correct? (y/N) -> y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: -> My Givenname Surname
Email address: -> my@email.tld
Comment: 
You selected this USER-ID:
    "My Givenname Surname <my@email.tld>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? -> o
You need a Passphrase to protect your secret key.

Enter passphrase: -> enter a passphrase
Repeat passphrase: -> enter your passphrase
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++...++++++++++.+++++++++++++++++++++++++.+++++++++++++++++++++++++
+++++..+++++.++++++++++..++++++++++.+++++++++++++++...++++++++++>++++++++++.<.++
+++...>++++++++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++.+++++++++++++++....++++++++++.++++++++++.+++++.+++++...++++++++++.++++++
++++...++++++++++.+++++.+++++++++++++++.+++++..+++++..++++++++++.+++++++++++++++
.++++++++++.+++++..+++++++++++++++>+++++.+++++...++++++++++++++++++++.+++++..+++
++...+++++....+++++>.+++++>+++++>...+++++.......................................
...............................................+++++^^^
gpg: key 5C68118C marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/5C68118C 2011-07-19
      Key fingerprint = 95F2 D66C 4313 839C 77FD  F374 AAF6 0782 5C68 118C
uid                  My Givenname Surname <my@email.tld>
sub   4096g/5C7F1F26 2011-07-19

Export:
gpg --export --armor>ascii-key-filename.extension

For debugging:
gpg -v ascii-key-filename.extension

FAQ: problems with middlename, remove middlename

  3. Arbitration case a20110312.1 Weak keys bug #918 / bug #954

    • infos from critical team, no update as ted doesn't attended
    • mailing sent
    • keys revocation script not started
    • not yet published

    • weak keys: problems with cryptostick (to test at Froscon with Juergen ?)

  4. Workshop
    1. Review bugs under testing (finished testing?) (Review 2?)

      • bug #835 Assurer challenge (on testserver)

        • asssigned to Ted, set to needs work, CATS to install on ca-mgr1

      • bug #827 "Thawte" patch (still running) x1

        • related bug 959: needs 1 more test, needs 2nd review
        • 2nd review: also check -x
        • tests done, needs 2nd review

      • bug #897 transfer text pages to wiki (points system) (T) x3

        • Michael: to bundle to critical team

      • bug #637 weak password x2

        • needs 2nd review, not Micha, Dirk? Ted?

      • bug #921 Privacy Policy cleanup

        • Marcus: 2nd test
        • Dirk, Ted: 2nd review

      • bug #948 SMTP protocol bug and fix (T) x3

        • wait for 3rd tester ? or deploy?
        • removed space, no function destroyed

        • ready to deploy -> Micha

      • bug #942 CATS import (2)

        • complete re-test as of code changes 
          needs further testing:
a) assuree has 99 pts, assurer challenge passed
   add 1 assurance, -> result has to be 100 pts and is assurer
b) assuree has 99 pts, assurer challenge not passed
   add 1 assurance -> result has to be 100 pts and NO assurer
c) add one more 1 pts -> 100 pts, NO assurer
d) pass assurer challenge -> 100 pts, and IS assurer

e) assuree with 80 pts, challange passed
   add: temporary points increase
   you need your admin account with boardmember flag
   add temporary increase 20 pts
   => result?  100 pts? is assurer?

      • bug #943 change OA admin/assurer text

        • needs 2nd test -> Fabian, Marc, Alex?

        • needs 2nd review -> Dirk, Ted

      • bug #841 Problems on cert login

        • needs 2nd review

  5. list of unhandled bugs -> dirk to work on following bugs

    1. VBscript, Weak Keys script

    2. Dirk reminder (from last meeting) assure someone patches (checkboxes)

      • Dirk

        DEV: bug #894 problems with check-boxes on website forms (Assure someone) -> a20091118.3

        {0}

  6. fix available
    1. Review 1: review, add to cacert-devel, transfer to testserver
  7. ADS Challenge (from last board meeting)

    • new bug #958

    • Update from last board meeting
    • no more info

  8. strategy plans ... next: strategy for "New Roots & Escrow"

    1. idea: using indirect crl's ?
      • to remind every meeting
  9. Testing
    1. Marcus Nov 2-3 test event Nuernberg
      • software-qs-tag 2011, 2-3 Nov, Nuernberg, www.ix-konferenz.de
    2. Michael: new eclipse version, test tool included, eg web applications

  10. AGM/TeamReports/2011 plz review

  11. Documentation Bugs.cacert.org Review
    • Michael added some pictures
  12. next meeting: Tuesday, July 26, 2011 22:00

Fixed Action Items since last or within meeting

Action Items New

Action items: Meeting Action Items

Software/Assessment/ActionItems

Development, Deployment, Discussion

  • OAO, Ted

    bug #943 change OA admin/assurer text

    needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected

    {-}

    uli, Ted

    bug #824 Org User cert fix Case study

    Organisation User Certificates: Need UI improvement for proper production usage

    {0}

    uli, ted

    bug #823 email address removal fix

    No warning when removing e-mail address from account that certificates will be revoked
    checked by 4, needs 2nd review, deploy
    rejected

    {-}

    inopiae

    bug #920 Join - single name only (eg Indonesian)

    details under bug number

    {0}

    uli

    bug #859 admin console interface

    feature request: show activity on an account in the admin interface
    rejected, certs login doesn't modify "modified" field

    {r}

    Michael

    bug #540

    p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
    uli, marcus: needs full cert create tests
    duplicate report to bug#978
    tested by 3, 2nd review done, transfered
    Ken reported: still has problems, bug kept open

    {0}

    gagern, NEO

    bug #440 Problem with subjectAltName (CSR, renew certs)

    There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development

    {r}

    neo

    bug #1025 Domain Dispute issue

    disputes rc and rc2 var prob
    needs work

    {r}

    dirk

    bug #1054 0001054: Review the code regarding the new point calculation

    Thawte patch part II
    needs further work

    {r}

Software Assessors: Review 1 / add to cacert-devel, add to testserver

  • Software-Assessors task

Testing

  • Testers task

    neo

    bug #1004 Stats page improvement

    tested by 2, needs 2nd review

    {0}

    neo

    Bugs #1159 it might be possible to execute commands on the signing server

    {0}

    inopiae

    bug #1065 Wrong wording when sending mails during the assurance process

    {0}

    inopiae

    bug #1162 calcutate (the passwords) hash in php instead of in mysql

    create test scenarios for the software testers /!\
    Full testing /!\

    {0}

    inopiae

    bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails

    {0}

    inopiae

    bug #988 TTP cap form deployment

    {0}

Software Assessors: 2nd Review, Bundle Package to Critical Team

  • Software-Assessors task

    Ted

    bug #500 Get contact mail adress after resolving test

    tested by 3, requires review

    {0}

    Ted

    bug #1140 Show if a test is passed in learnprogress

    tested by 3, requires review

    {0}

    magu

    bug #1131 Rename _all_ Policies from .php to .html and fix all links

    global policy directory maintenance and update

    {0}

    inopiae

    bug #1010 Reorder the view on organisation certificates

    tested by 3

    {0}

Software Assessors: Bundle Package to Critical Team

  • Software-Assessors task

    inopiae

    bug #1139 Add new fields to the database

    tests through #500 and #1140, 2nd review done, requires transfer

    {0}

Awaiting Response from Critical Team

  • inopiae

    bug #411 Wrong text is made into link

    {g}

Software/Assessment/20110719-S-A-MiniTOP (last edited 2011-09-23 00:01:44 by UlrichSchroeter)