Minutes of the MiniTOP on the 2012-02-21


The MiniTOP will be held via telco 22:00 CET

Attendees: uli, marcus, michael, dirk, magu


(skip to agenda)

Action items from last meeting Meeting Action Items


Development, Deployment, Discussion

  • OAO, Ted

    bug #943 change OA admin/assurer text

    needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected


    uli, Ted

    bug #824 Org User cert fix Case study

    Organisation User Certificates: Need UI improvement for proper production usage


    uli, ted

    bug #823 email address removal fix

    No warning when removing e-mail address from account that certificates will be revoked
    checked by 4, needs 2nd review, deploy



    bug #920 Join - single name only (eg Indonesian)

    details under bug number



    bug #859 admin console interface

    feature request: show activity on an account in the admin interface
    rejected, certs login doesn't modify "modified" field



    bug #540

    p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
    uli, marcus: needs full cert create tests
    duplicate report to bug#978
    tested by 3, 2nd review done, transfered
    Ken reported: still has problems, bug kept open


    gagern, NEO

    bug #440 Problem with subjectAltName (CSR, renew certs)

    There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development



    bug #1025 Domain Dispute issue

    disputes rc and rc2 var prob
    needs work



    bug #1054 0001054: Review the code regarding the new point calculation

    Thawte patch part II
    needs further work


Software Assessors: Review 1 / add to cacert-devel, add to testserver

  • Software-Assessors task


  • Testers task


    bug #1004 Stats page improvement

    tested by 2, needs 2nd review



    Bugs #1159 it might be possible to execute commands on the signing server



    bug #1065 Wrong wording when sending mails during the assurance process



    bug #1162 calcutate (the passwords) hash in php instead of in mysql

    create test scenarios for the software testers /!\
    Full testing /!\



    bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails



    bug #988 TTP cap form deployment


Software Assessors: 2nd Review, Bundle Package to Critical Team

  • Software-Assessors task


    bug #500 Get contact mail adress after resolving test

    tested by 3, requires review



    bug #1140 Show if a test is passed in learnprogress

    tested by 3, requires review



    bug #1131 Rename _all_ Policies from .php to .html and fix all links

    global policy directory maintenance and update



    bug #1010 Reorder the view on organisation certificates

    tested by 3


Software Assessors: Bundle Package to Critical Team

  • Software-Assessors task


    bug #1139 Add new fields to the database

    tests through #500 and #1140, 2nd review done, requires transfer


Awaiting Response from Critical Team

  • inopiae

    bug #411 Wrong text is made into link



1. Preface

  1. Push PR on CLT (by dirk)
  2. PO (by dirk)
  3. Software Testers - Testing - doesn't work as expected

2. Dirks Big Redesign Project

  1. bug #827 - New Points calculation / Thawte patch
    1. bug#827 + bug#882 to merge
      • close bug#882
      • wot.inc.php + notary.inc.php to merge
      • continue with bug#827
      • pojam bug to fix
    2. Thawte points removal, final step
      • relates to 6.php
      • this also relates to TTP
      • dirk will work on this last weekend (2012-01-21)
      • current state: not yet finished
        • expected finishing? upcoming weekend (2012-01-23 to 2012-01-30)
        • not finished, upcoming weekend 2012-02-06?
  2. Bring TTP assurances up to running
    • requirement: make 855 active on production
    • TTP-caps can be build by TTP-admins offline, not for public distribution !!
      • uli

        bug #855 admin console interface "unknown" + "empty" assurance method fields, needed for correct testing on testserver

        admin console lists "empty" and "Unknown" assurance types on listing given Assurances


    • uli to add test report
    • needs 2nd review by dirk, ted, markus, pg - ted will do within the upcoming days, probably Thursday
    • passed to production
    • TTP CAP form - sneak preview
      • for local testserver only /!\ bug #988 TTP cap form deployment Case study

    • TTP system implementation to enter TTP assurances into the system
    • current workaround - make use of "old" "TTP assurance" method with TTPadmin flag set, TOPUP impossible
    • question araised:
      • Notary public is also CAcert assurer, 2 possible ways
        1. make assurance via TTP assurance, entered into the system by TTPadmin
        2. make assurance as CAcert assurer
      • TTPadmin has different userid then TTP who is also CAcert assurer
        • AP prevents double assurances, but system cannot discover that, that TTP sends one TTP CAP form to TTPadmin and TTPadmin enters this assurance into the system and Notary public in role as CAcert assurer makes a 2nd CAcert assurance by CAP form
  3. PoJAM patch
    • bug #872 PoJAM 3.3 restricition not applied

  4. bug #920 Join - single name only (eg Indonesian)

    • details under bug number
    • presented to Policy Group
    • first results from policy group?
      • dirk has made some changes in 6.php last year
      • there are 4 possible choices:
        1. givenname
        2. lastname (as current fix)
        3. givenname or lastname
        4. brians proposal, mononym + checkbox
      • dirks proposal:
        • make name handling more AP conform (1 line names, multiple names)
      • 2 possible paths:
        1. allow multiple names (dirks proposal) is massive change (long term change)
        2. "simple" solution (short term change)
      • global re-design
        • eg users view
        • 43.php, multiple views
  5. alternate experience points
    • bug #1007 add 5 Experience points for ATE attendance form

  6. bug#964, bug#918 (Part II) Codename "BlackJack" - VBscript for Vista/Win7 (select keysize >= 1024)

    • x1 Dirk, new bug#964
      DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV

      current state: test /account/4.php added to testserver
      Marcus will do detailed tests on Wed
      some references added to bug#964


    • as part of
    • x1 Arbitration case a20110312.1 Weak keys bug #918 / bug #954 / bug#964

    • Current state:
      • {g}

        pre mailing sent


        keys revocation script to bulk revoke weak keys, new bug #954, finished


        dirk: DEV: a20110312.1 bug#918 Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV
        vbscript needs to be improved with select box key size and lower limit to 2048 (based on https://wiki.mozilla.org/CA:MD5and1024)
        Api CertEnroll (MS crypto provider)
        new bug#964
        current state: test /account/4.php added to testserver
        Marcus will do detailed tests on Wed
        some references added to bug#964 - codename "BlackJack"


        Weak keys blog post, published


        Weak keys article published by Hanno(July 28), link is in CAcert's blog post (July 30)


        weak keys: problems with cryptostick (to test at Froscon with Juergen ?)

    • cert enroll infos under bug#964

    • vista and win7 works with other engine !CryptoAPI (?) => Cryptography API: Next Generation

    • dirk: has not started the virtual machine
    • Question from Marcus: did someone contacted illuminat?
      • No, Marcus: to contact illuminat
      • illuminat will give it a try, first needs download of testserver image
    • Update?
      • marcus: illuminat not yet seen last time
      • baseline requirement - keyssize >= 2048 to fix till end of 2011

      • how to proceed?
      • dirk: 1st step, to bring win test server localy online
      • marcus: to contact illuminat
      • Do we have other developers who may pick up this project?
    • Marcus -> dirk: announcement of vbscript bug to developers mailing list

      • change keysize
      • merge 2 scripts to one
      • fix on script 1 needs fix in 2nd script too, solutions: include, one file, or comment fix script 2 too
    • interrupt: bug#964 -> codename "BlackJack"

      • relates to IE8 problem, that certs cannot be created
      • is there a security issue with available fix? also bug#918

      • related 927, 901, 847
      • a patch is online on testserver, but cannot found
      • related patch files, /pages/account/ 3,4,16,17; /include/account.php
      • there are other vbscript pages: ../account/ 6 + 19
    • Brian bug#964

      • Michael: Marcus to test with IE
      • IE select provider only
    • code from Brian needs some corrections, corrections to do, 4 + 17 inclusions, checkin
      • notification to Brian, done
      • quickfix has problems too
      • next step(s)
        • check error codes / debug routines
        • open developer mode, create cert
          • resulting error: line 213, put length, wrong parameter
            Zeile: 213
            Fehler: CertEnroll::CX509PrivateKey::put_Length: Falscher Parameter. 0x80070057 (WIN32: 87)
            Zeile 213:  objPrivateKey.Length = &h08000000
    • current state: an undef error with current patch
      • we need someone who has experience with vbscript, to come into telco, reviews interface/api beforehand
        • illuminat: not before eastern
        • marcus: will ask users on assurance party Wed 18th Jan
    • 2012-01-23:
      • also cabforum requirement, keysize under IE limited to 1024
      • how to find programmers ?
        • windows webserver programmers: Outlook, Citrix portals
      • new API's can use java, new apis have web-enabled
      • splitting vbscript for os revisions < vista, java for os revisions >= vista ?

    • NEO started development, not yet finished
  7. Global Re-Design project
    • add a work flow concept ?

3. Certs Patches

  1. bug#540 No key usage attribute in cacert org certs anymore?

    • also: bug#905

    • Policy group discussion - Extended key usage -> p20111113, motion CARRIED

    • deployment
      1. prepare fixes -> Michael to prepare diffs, against svn

      2. sending to testserver
      3. transfer to critical system
    • (2011-12-13) approx 2 weeks to write the fix, approx 2 months to go
    • Michael did transfer the patch to testserver
      • signer code update
      • changes against svn
      • uli, to add to tester portal, done
      • uli to inform testers about new tests
      • test report from kenneth to transfer to report (email from 2011-12-25)
        • Michael: where to find the report from kenneth? link?
        • NEO has added the report (written to private dl)
      • who has adobe 8 for testing?
        • magu has, please test
      • next: needs testing (week 6)
        • uli, marcus: needs full cert create tests
        • uli (2012-01-25): sent notification to software testers
        • awaiting testing ... problem FULL test, including all possible variations with certs creation
        • also to report under bug #978 bug 978 (weak keys) (bug 918)

      • Testers: test all certs veriations, functions
  2. bug#440 Problem with subjectAltName (CSR, renew certs)

    • "There seems to be a problem with the subjectAltName. Dupes, missing entries, and more"
    • patch by gagern
    • Software-Assessors: needs 1st review + transfer to testserver (week 4)
    • (2012-01-23) michael picked up
  3. bug #978 bug 978 (weak keys) (bug 918)

    • invalid key format, no regular error message, something wrong, error code # identified
    • debugging infos from user + infos from critical team with error code #, was spkac routine
    • one test done 2011-12-17 by JensK
    • uli, marcus: more tests: certs routine, weak keys (small keys test), relates to bug#540 tests

    • (week 7)
  4. bug #812 CAcert certificate not working with Windows Encrypting Filesystem (EFS)

  5. bug #905 Unable to sign PDF file with Acrobat

4. Patches queue

  1. bug #985 - Move Translingo to Translations (incl. patches) - POST work
    • bug#900 0000900: CAcert Site translation

    • http://blog.cacert.org/2011/02/497.html Workaround for Russian Translation of the CAcert Website (bug #900)

    • Does Russian charset works now?
      • last comment 2012-01-30: This should be fixed by the transition to pootle. Please test and if successful close or if not reopen the bug.
      • russian in signer doesn't work yet, so the problem consists using russian names in account conflicts in certs creation (will garble)
  2. bug#1002 0001002: Contact Assurer form leaves a funny comment after sending

    • Michael did transfer the patch to testserver
    • Michael: request to alex to check, seems to be ok
    • next: tested by 2, needs 2nd review + deploy (week 4), ted?
    • (2012-01-23) ted picked up
  3. Marcus: working session bug#789 OA field extension

    • 2nd review: dirk or ted
  4. bug #859 admin console interface - feature request: show activity on an account in the admin interface, new update

    • Michael: needs 1st review + transfer to testserver
    • NEO: will check the next days (done)
    • show creation date as date? or daterange?
    • nothing prevents to show date as SE receives request from user or arbitrator to view user record (permission given)
    • will an access be logged?
      • yes, eg 43.php?usreid=1234567
      • expires after 3-6 months
    • split 43.php to two pages?
    • show last account activity on login page for the user?
    • no central landing page: account.php without parameters
    • alternates
      1. new page, needs return url
      2. 2nd part, add below (like points table)
        • several parts: eg show user flags, show account states
    • fixed: email, names, rest: dob, training, flags, addtl. parts
    • find user performance varies
      • sometimes fast, sometimes slow
    • flag settings per get request change?
    • sublinked, last login as date
    • needs testing
  5. bug #1011 problem fix

    • needs review by Software-Assessor - priority: high {-}
    • untestable, needs 2nd review

5. Michaels workqueue

  1. OCSP server - timeout 10 min too short, 3 days to long, recommendation is 24-48 hours max, verisign: 7 days, startssl: 2d
    • who has been informed, contacted?
    • Michael will inform Wytze
    • not yet written
    • general solved
    • scalability might be a problem in the future ?!?
    • preconfigured there is no solution
    • whats with EBJCA
      • java based
      • distribution solution (database replication), master server distributes to other criticial slaves, no caching function
      • post request includes timestamp, simple http cache probably doesn't work
      • engineX ?
    • ocsp protocol: version, requestor-name, extension, request-list
    • open issue, needs time for implementation
    • studienarbeit? bachelor arbeit?
    • new bug #1001 Need a way to set up redundant OCSP responders

    • still WIP, low priority
    • Around 2012-02-07: Google announcement: remove OCSP - use CRLs
  2. New function to TMS - edit notary table record
    • bug #980

    • infos from last meeting
    • testers needs editing individual notary records: fields "method", "awarded", "points"
    • easier to create notary records with testserver (add F2F), and edit existing record, doesn't need to check for assurer-from, assuree-to and so on
    • Update?
    • Michael (2011-11-15): after some other bug reviews
    • TMS - certs expire handling
      • for testserver eg 3 days (short), 31 days (long)
      • short 3d, long 30d, org 7d activated by NEO

6. General Bugs List Overview

  1. Bugs to Review #1, transfer to testserver - Currently 3

    • uli

      bug #977 admin console text fix

      admin console Sysadmin - find domain - lists 2 tables - one for user accounts, one for org accounts, naming issue



      bug #967 OA isassurer check

      Give an OA the oppertuntiy to check if a desiginated Organisation Admininistrator is a CAcert assurer



      bug #981 OA overview (dupe of bug #943)

      New layout of view for Organisation Administraors in account/id35


      • michael will check
  2. Bugs under testing: - Currently 5

    • Michael

      bug #978 bug 978 (weak keys) (bug 918)

      invalid key format, no regular error message, something wrong, error code # identified
      debugging infos from user + infos from critical team with error code #
      was spkac routine



      bug #540

      p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing



      bug #859 admin console interface

      feature request: show activity on an account in the admin interface, new update /!\



      bug #1003 permissions notifications

      Provide a possibility to regularly review the permissions in the system
      all special flags, recipients and board (see account in bug note)



      bug#440 Problem with subjectAltName (CSR, renew certs)

      There seems to be a problem with the subjectAltName. Dupes, missing entries, and more


  3. Needs 2nd review + transfer to Critical team, to bundle, to deploy - Currently 3

    • define priority eg. 10,2, and so on, proposed order: from 1 to 10

      uli, ted

      bug #789 OA edit domain fix

      Editing domain for organisations does not work
      new update 2011-09-26
      more fixes, more testing
      * testcase scenario
      * open org, edit 1st domain in new window, edit 2nd domain in new window
      * results in: change made in window 2, written to record in window 2
      * needs cross checking

      7 {0}


      bug #1002

      0001002: Contact Assurer form leaves a funny comment after sending



      bug #1011 problem fix

      needs review by Software-Assessor - priority: high, untestable, needs 2nd review


  4. Needs development, deployment, discussion, reminder
    1. bug #835 Migrate CATS onto testserver

      • Ted

        bug #835 Assurer challenge (on testserver)

        asssigned to Ted, CATS to install on ca-mgr1, awaiting deployment


        • (2012-01-23) reminder to Ted
    2. bug#964, bug#918 (Part II) Codename "BlackJack"

      • Brian

        new bug#964
        DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV

        some references added to bug#964
        current state: first review, add to testserver


7. Long term projects

  1. strategy plans ... next: strategy for "New Roots & Escrow"

    1. idea: using indirect crl's ?
      • 2 crl's needed, one valid, one invalid crl server
      • more infos available ? who ?
        1. build testserver with special certs
        2. Magu, Michael to send instructions for test deployment
      • meetings ago we've defined Testing requirements and a potential testszenario
      • to remind every meeting
      • Michael: testserver environment deployment
      • Michael will review after Certs extension policy group vote
        • Michael: VM + OS builtup for CRL server tests (WIP)
    2. roots escrow method risk analyse process for proposal to policy group / board
      • currently Ian works on this
      • publishing of results is not that a big problem, as not yet in production
  2. CI (Update)
    1. description to eclipse testpage, Webinar

      • deployment scenario:
        1. create testusers
        2. testing
        3. delete testusers
      • regression test for standard tests: eg 0,1,49,50,51,99,100,101 pts w/ and w/o CATS passed
      • reminder
    2. Jubula Test-Tool (by Michael) - update?
    3. new proposal by Sven: Webdriver with Maven and Jenkins-CI
      1. sven did some work regarding frontendtest (Webdriver with Maven and Jenkins-CI)
        • Michael did some review: probably needs some seperation
        • raw source

        • one implemented test case

          • needs building a team, sven + 2 others, to be forced and pushed forward
          • active people have to work with this framework
            1. write a testunit that triggers the bug
            2. write a bugfix
            3. start regression test
        • what do we want?
        • is this our direction?
        • does this fit to our requirements?
        • someone needs time to do a deep review
        • long term view:
          • developers needs to become familiar with the automated testing system to write also the test scripts
          • software-assessors to review test results
        • automated testing will be helpful in relation to certs creation
        • but may be a problem in certs creation
        • selenium test makes frontend tests, solution is ok for our requirements
  3. Infrastructure seperation
    1. CAcert Inc statement - received
    2. Hosting/Housing
      1. Hosting/Housing Provider - Funkfeuer
        • 2011-12-01: Vienna response
        • questions answered
      2. Alternates
        • Benedikt: rcvd contact - bladeservers exist, needs further investigations
    3. Hardware
      1. alternate solutions
        • uli: luxemburg connection, will try 1st week in january
        • 2 way path: search sponsors for money, search hardware sponsors
        • level after netburst
        • sample TK config: 1626.90€ + 117.30€ (1750)
        • includes: Intel Xeon 4-Core E3-1260L 2,4GHz 8MB 5GT/s, 16 GB ECC DDR3 1333-RAM, 4x 500 GB SATA II WD Raid
        • fund rising project
        • new hardware -> leasing?

      2. Definition of Infrastructure Systems
    4. Financing
      1. contacting secure-u, oophaga started?
        • Frank, Mario, Ted, Uli, Sebastian ?
        • Secure-u started 2011-12-19, awaiting response
        • Oophaga: first contact 2012-02-05
      2. Fund raising (upcoming projects)
        1. Hardware and Housing
          • starting at Fosdem
          • rcpt: money + address to association
          • Secure-u: next meeting 2012-01-12, first Thursday per month
          • request to secure-u vorstand@, subject: infrastructure separation
            • sent 2011-12-18
          • Hardware / host funding - 2000 Euro
            • starting fosdem
            • collected 200 Euro at Fosdem
        2. Cebit booth funding - 500 Euro
          • probably 2 presentations
          • Cebit visitors?
          • LibreOffice booth on Friday

          • m: 30, n: 30, d: 50, ma: 30, u: 360
          • via secure-u
        3. Merchandizing ideas
          • baseball caps
          • cups and lighters
  4. Helping CAcert
    • How does recruitment work?
    • Newsletters, recuring notifications
    • Fosdem -> focus on Nucleus events

    • Recruitment on events?
    • Recruitment page eg events/Recruitment, HelpingCAcert, Jobs

    • Flyers?
    • re-design main page:
      • dirk: 3 news, upcoming events
      • michael: *
      • rss-feed script modification is simple
      • main page cms page, login to secure area (portal project)
        • public: www.cacert.org
          • secure1: www.cacert.org
          • secure2: secure.cacert.org
    • Upcoming Event Fosdem 2012

      • A3: Logo + volunteers wanted! (Software, Administration, Support)
      • A5, A4 with detailed infos
        • who?
          • A3: dirk
          • A4, A5: Software-Developer (php, vbscript), Software-Tester, Triage, Sysadmins
      • Discussion: makes it sense to offer Cheat Sheets?
        • experiences from ATEs: most of the Cheat Sheets left after the ATE :-P
        • so does it make sense to print A4, A5 detailed infos no one wants to take @home ?!?
      • Fosdem 2012: we had A3 logos + volunteers wanted, feedback?
    • Ted sent infos for Assurers at events
      • Cheat Sheet, first proposal ok
  5. Discovery II a20110118.1 discussion / Permissions Stocktaking

    • still running
    • who should receive infos? list of appropiate recipients listed in discovery II table
    • possible software solutions:
      1. triggered info mailing eg board-private mailing list + support
      2. view page with current results (like hidden stats page?)
    • bug#1003 Provide a possibility to regularly review the permissions in the system

    • motion from last board meeting:
      1. m20120122.1 Request permissions stocktaking SQL queries - carried

      2. m20120122.2 Request up-to-date access lists - carried

        • It is moved that Board or a representative asks the persons responsible for an up-to-date copy of all access lists as specified in the Security Policy §3.4.2 including OA
    • see also bug #1003
  6. Affilates program
    • topic for SA? currently not
    • planned income projects by CAcert Inc
    • new portal (Benedikt, Karsten working on it)
      • critical / non-critical systems
        • non-critical portal - with login link to critical secure.cacert.org
        • cms system: own user base?
        • critical system userid includes @, cms userid does not include @
        • cms login adding userid from critical system may result in security leak that account data can be collected (MITM)
    • affiliate link to each event (template)
      1. addtl. link under main ads
    • affiliates program planning
      • community project: crypto stick (gooze, validated)
      • alternate project: crypto stick (gpf, gpg based) - doesn't relate to the planned affilates program
  7. CAP Form redesign for upcoming events
    • Fosdem
    • Cebit
    • Chemnitzer Linuxtag
    • CAP forms have no bank account infos
      • CAP form redesign
  8. "NEO projects"
    1. architecture/design (aka Birdshack design)
    2. signer rewrite
      • cabforum, blacklist implementation
      • needs a rewrite, protocol isn't that reliable as required/needed
      • problems in current design: eg count of days a cert expires will be transfered from client to server
      • multiple servers (staging/scaling/load balancing)
      • problems in current design: eg OpenSSL and multithreading
  9. Vendor-Api / New Assurers Portal
    • Marcus sent some proposals
    • A team is working on a Portal project (Carsten, Marcus)
  10. Foundations
    • dst files for logos
  11. Google - Summer of Code
  12. fiddle system: which one is current production?
    • dev.fiddle.it (works), fiddle.it (doesn't work)
    • whats about a sysadmin for this system?

8. next meeting


  1. PolO (policy officer) (by dirk)
  2. Software Testers - Testing - doesn't work as expected
    • 2012-01-25: uli sent newsletter to all software testers with request to test, no response so far
  3. Marcus: status of 6.php to dirk
    • not yet done
  4. summary:
    • there are 4 topics of high priority:
      1. 6.php by dirk
      2. testing of certs patches
      3. 2nd review of 3 patches
      4. continue "BlackJack" coding by Michael

    • moved on to makes this meeting a working session
      1. dirk to continue coding 6.php
      2. michael to continue "BlackJack" coding

      3. software testing of certs patches by the rest

Fixed Action Items since last or within meeting

Action Items New

Action items: Meeting Action Items

Software/Assessment/20120221-S-A-MiniTOP (last edited 2012-02-21 21:36:27 by UlrichSchroeter)