
= Minutes of the MiniTOP on the 2012-04-17 =

== Setting ==
The MiniTOP will be held via telco at 22:00 CEST

Attendees: Marcus, Uli, Magu, dirk, Michael


== Topics ==

(skip to [[#AGENDA|agenda]])

Action items from last meeting '''[[Software/Assessment/ActionItems|Meeting Action Items]]''' 
<<Include(Software/Assessment/ActionItems)>> 



<<Anchor(AGENDA)>>
== Agenda ==

## last full agenda https://wiki.cacert.org/Software/Assessment/20120228-S-A-MiniTOP
 * there are 5 topics of high priority (2-6):

=== 1. Preface ===
 1. dirk topics
  1. Cebit brainstorming
   * dirk: request for events report
   * (2012-03-27) Marcus awaiting translation from Marc
   * (2012-04-03) Marcus will do upcoming (easter) weekend

 1. github

 1. new [[https://bugs.cacert.org/view.php?id=1031|bug#1031]] security issue?

=== 2. Software-Assessors candidates ===
 * Problem:
  . 2nd review of 4 patches cannot be reviewed by NEO, dirk is busy, so only Ted avail, Markus inactive
 * candidate to contact by ...
  * kotek? (-> neo) - neo is doing reviewing
  * aphexer? (-> ?)
  * bjoern? (-> magu) - no update
  * willm (-> neo) (xing contact, developer), will contact next
  * stephan (-> marcus)


=== 3. bug #1023 Testing (6.php) ===
 1. Thawte points removal, final step
  * relates to 6.php
  * this also relates to TTP
  * dirk will work on this last weekend (2012-01-21)
  * current state: not yet finished
   * expected finishing? upcoming weekend (2012-01-23 to 2012-01-30)
   * not finished, upcoming weekend 2012-02-06?
   * not finished, last weekend 2012-03-12?
   * 2012-03-13: new bug#1023 [[https://bugs.cacert.org/view.php?id=1023|bug#1023]]
   * transferred to git cacert
   * to test:
    * assure someone
    * w/ and w/o ttp
    * in all variations
   * Added to testserver Tue 13.3., Wed 14.3.
  || dirk || [[https://bugs.cacert.org/view.php?id=1023|bug #1023]] Consolidate changes into the Assure Someone page || 6.php global re-design project<<BR>>assurance, wot area (Thawte points removal effective) || {0} ||
  * current state: patch removed from testserver, needs work (DEV)
  * (2012-03-27) back on testserver: bug #1023 (6.php), has a bug, needs work
  * 2 new bugs within meeting 2012-03-27
  * (2012-04-03) bugs analyze, empty results analyse, new patch transferred to testserver

=== 4. testing of certs patches ===
 * 2012-02-21 meeting test series by uli
 * 2012-03-27 adobe8 test candidate, magu has a contact

  1. [[https://bugs.cacert.org/view.php?id=540|bug#540]] No key usage attribute in cacert org certs anymore?
   * also: [[https://bugs.cacert.org/view.php?id=905|bug#905]]
   * Policy group discussion - Extended key usage -> [[PolicyDecisions#p20111113|p20111113]], motion CARRIED
   * deployment
    1. prepare fixes -> Michael to prepare diffs, against svn
    1. sending to testserver
    1. transfer to critical system
   * (2011-12-13) approx 2 weeks to write the fix, approx 2 months to go
   * Michael did transfer the patch to testserver
    * signer code update
    * changes against svn
    * uli, to add to tester portal, done
    * uli to inform testers about new tests
    * test report from kenneth to transfer to report (email from 2011-12-25)
     * Michael: where to find the report from kenneth? link?
     * NEO has added the report (written to private dl)
    * who has adobe 8 for testing?
     * magu has, please test
    * next: needs testing (week 6)
     * uli, marcus: needs full cert create tests
     * uli (2012-01-25): sent notification to software testers
     * awaiting testing ... problem FULL test, including all possible variations with certs creation
     * also to report under [[https://bugs.cacert.org/view.php?id=978|bug #978]] bug 978 (weak keys) (bug 918)
    * Testers: test all certs variations, functions

  1. [[https://bugs.cacert.org/view.php?id=440|bug#440]] Problem with subjectAltName (CSR, renew certs)
   * "There seems to be a problem with the subjectAltName. Dupes, missing entries, and more"
   * patch by gagern
   * Software-Assessors: needs 1st review + transfer to testserver (week 4)
   * (2012-01-23) michael picked up

  1. [[https://bugs.cacert.org/view.php?id=978|bug #978]] bug 978 (weak keys) (bug 918)
   * invalid key format, no regular error message, something wrong, error code # identified
   * debugging infos from user + infos from critical team with error code #, was spkac routine
   * one test done 2011-12-17 by JensK
   * uli, marcus: more tests: certs routine, weak keys (small keys test), relates to [[https://bugs.cacert.org/view.php?id=540|bug#540]] tests
   * (week 7)

  1. [[https://bugs.cacert.org/view.php?id=812|bug #812]] CAcert certificate not working with Windows Encrypting Filesystem (EFS)

  1. [[https://bugs.cacert.org/view.php?id=905|bug #905]] Unable to sign PDF file with Acrobat

=== 5. 2nd review of 3 patches ===

 ||<#ff8080> '''Software-Assessors task''' ||

 || uli, ted || [[https://bugs.cacert.org/view.php?id=789|bug #789]] OA edit domain fix || Editing domain for organisations does not work<<BR>>new update 2011-09-26<<BR>>2 tests, needs 2nd review, deploy<<BR>>more fixes, more testing || 6 {0} ||
 || Michael || [[https://bugs.cacert.org/view.php?id=1002|bug #1002]] || 0001002: Contact Assurer form leaves a funny comment after sending  || {0} ||
 || Michael || [[https://bugs.cacert.org/view.php?id=1011|bug #1011]] problem fix || needs review by Software-Assessor - priority: high {-} <<BR>>untestable, needs 2nd review || {0} ||

  * 2nd review of 3 patches
   * Michael cannot do, needs doing by dirk (or other Software-Assessor, who else?)


=== 6. continue BlackJack coding by Michael ===

  1. [[https://bugs.cacert.org/view.php?id=964|bug#964]], [[https://bugs.cacert.org/view.php?id=918|bug#918 (Part II)]] Codename "BlackJack" - VBscript for Vista/Win7 (select keysize >= 1024)
   || x^1^ Dirk, new [[https://bugs.cacert.org/view.php?id=964|bug#964]]<<BR>>DEV: [[https://bugs.cacert.org/view.php?id=918|bug#918 (Part II)]] ([[Arbitrations/a20110312.1|a20110312.1]]) Weak keys: /pages/account/..  4.php, 17.php  to combine ? (/includes/keygen.php) '''DEV''' || current state: test /account/4.php added to testserver<<BR>>Marcus will do detailed tests on Wed<<BR>>some references added to [[https://bugs.cacert.org/view.php?id=964|bug#964]] || {0} ||
   * as part of
   * x^1^ Arbitration case [[Arbitrations/a20110312.1|a20110312.1]] Weak keys [[https://bugs.cacert.org/view.php?id=918|bug #918]] / [[https://bugs.cacert.org/view.php?id=954|bug #954]] / [[https://bugs.cacert.org/view.php?id=964|bug#964]]
   * Current state:
    || {g} || pre mailing sent ||
    || {g} || keys revocation script to bulk revoke weak keys, new [[https://bugs.cacert.org/view.php?id=954|bug #954]], finished ||
    || {-} || dirk: DEV: [[Arbitrations/a20110312.1|a20110312.1]] [[https://bugs.cacert.org/view.php?id=918|bug#918]] Weak keys: /pages/account/..  4.php, 17.php  to combine ? (/includes/keygen.php) '''DEV''' <<BR>>vbscript needs to be improved with select box key size and lower limit to 2048 (based on [[https://wiki.mozilla.org/CA:MD5and1024]])<<BR>>Api CertEnroll (MS crypto provider)<<BR>>new [[https://bugs.cacert.org/view.php?id=964|bug#964]]<<BR>>current state: test /account/4.php added to testserver<<BR>>Marcus will do detailed tests on Wed<<BR>>some references added to [[https://bugs.cacert.org/view.php?id=964|bug#964]] - codename "BlackJack" ||
    || {g} || Weak keys blog post, published ||
    || {g} || Weak keys article published by Hanno(July 28), link is in CAcert's blog post (July 30) ||
    || {b} || weak keys: problems with cryptostick (to test at [[events/FrOSCon2011|Froscon]] with Juergen ?) ||

   * cert enroll infos under [[https://bugs.cacert.org/view.php?id=964|bug#964]]
   * vista and win7 works with other engine !CryptoAPI (?) => Cryptography API: Next Generation
    * [[http://msdn.microsoft.com/en-us/library/aa833130%28v=VS.85%29.aspx]]
    * Marcus: added notes for Win7 [[https://bugs.cacert.org/view.php?id=964#c2249]]
   * dirk: has not started the virtual machine
   * Question from Marcus: did someone contact illuminat?
    * No, Marcus: to contact illuminat
    * illuminat will give it a try, first needs download of testserver image
   * Update?
    * marcus: illuminat not yet seen last time
    * baseline requirement - keysize >= 2048 to fix till end of 2011
    * how to proceed?
    * dirk:  1st step, to bring win test server locally online
    * marcus: to contact illuminat
    * Do we have other developers who may pick up this project?
   * Marcus -> dirk: announcement of vbscript bug to developers mailing list
    * change keysize
    * merge 2 scripts to one
    * fix on script 1 needs fix in 2nd script too, solutions: include, one file, or comment fix script 2 too
   * interrupt: [[https://bugs.cacert.org/view.php?id=964|bug#964]] -> codename "BlackJack"
    * relates to IE8 problem, that certs cannot be created
    * is there a security issue with available fix? also [[https://bugs.cacert.org/view.php?id=918|bug#918]]
    * related 927, 901, 847
    * a patch is online on testserver, but cannot be found
    * related patch files, /pages/account/ 3,4,16,17; /include/account.php
    * there are other vbscript pages: ../account/ 6 + 19
   * Brian [[https://bugs.cacert.org/view.php?id=964|bug#964]]
    * Michael: Marcus to test with IE
    * IE select provider only
   * code from Brian needs some corrections, corrections to do, 4 + 17 inclusions, checkin
    * notification to Brian, done
    * quickfix has problems too
    * next step(s)
     * check error codes / debug routines
     * open developer mode, create cert
      * resulting error: line 213, put length, wrong parameter
      {{{
Zeile: 213
Fehler: CertEnroll::CX509PrivateKey::put_Length: Falscher Parameter. 0x80070057 (WIN32: 87)
Zeile 213:  objPrivateKey.Length = &h08000000
}}}
   * current state: an undef error with current patch
    * we need someone who has experience with vbscript, to come into telco, reviews interface/api beforehand
     * illuminat: not before Easter
     * marcus: will ask users on assurance party Wed 18th Jan
   * 2012-01-23:
    * also cabforum requirement, keysize under IE limited to 1024
    * how to find programmers ?
     * windows webserver programmers: Outlook, Citrix portals
    * new APIs can use java, new apis have web-enabled
    * splitting vbscript for os revisions < vista, java for os revisions >= vista ?
   * NEO started development, not yet finished
   * next: for XP: rewrite vbscript to JavaScript 

=== 7. next meeting ===
 * Tuesday, April 24, 2012 22:00 CEST



== Minutes ==

 1. Cebit brainstorming
  * request for events report
  * (2012-04-03) Marcus will do upcoming (easter) weekend
  * no update

 1. OA stuff

 1. bug #1023 Testing (6.php)
  * Thawte points removal, final step
  * current state
  * dirk: didn't we conclude 14 days ago that the current patch state is the revision similar on the production system
  * potential bugs on production system can be identified against wot.php on testserver (-> diff wot.php, if no difference bugs are also in production system)
  * Michael: diff is empty, this means wot.php is identical between production and testserver
  * Michael: didn't push one patch, as it has at least one error
  * Michael: fix and push to git / testserver, patch is transferred to testserver
  * testing: failures occurred
  * last time we've added method transfer
   * if board=1, method empty -> results in garbage in database
  * new bug, that methods aren't checked that needs to be checked [[https://bugs.cacert.org/view.php?id=1032|bug#1032]]
  * req by Marcus to add maxpoints limit definition: 35 assurance points (by AP) in a f2f meeting, up to 50 assurance points possible through a subpolicy (currently none available), new bug [[https://bugs.cacert.org/view.php?id=1033|bug#1033]]

 1. bug #1027 Testing (donations / booking.com)
  * invitation to magu

 1. github
  * question from Michael:
  * some forks are running
  * from update proposal git on it-sls.de is the Software-Assessors limited write access repository
  * git.it-sls.de needs administration, who?
  * see sample: [[https://github.com/k1c14k/cacert-devel/commit/c722a807f661d1177d85cbe08de3df9518fc513f]]

 1. new [[https://bugs.cacert.org/view.php?id=1031|bug#1031]] security issue?
  * no high risk, but should be fixed
  * problem is multibyte encoding related (currently not used)
  * alternate coding: each sql statement needs to be reviewed (prepared statements)

 1. Software-Assessors candidates
  * Problem:
   . 2nd review of 4 patches cannot be reviewed by NEO, dirk is busy, so only Ted avail, Markus inactive
  * candidate to contact by ...
   * kotek? (-> neo) - neo is doing reviewing
   * aphexer? (-> ?)
   * bjoern? (-> magu) - what attracts programming for CAcert?
   * willm (-> neo) (xing contact, developer), will contact next
   * stephan (-> marcus)
  * reactivate PG?
  * how do we get SA attractive?
   * Marcus: blockers? eg. dpa
   * dirk: newsletters, last one last year
   * open dpa discussion (uli: added to next board meeting agenda)

 1. next meeting
  * Tue, April 24th


==== Fixed Action Items since last or within meeting ====

 || uli || image backup ca-mgr1, git-cacert,  for planned system maintenance || {g} ||
 || critical team || system maintenance cacert1 (and others), remove stamp.cacert.org || {g} ||
 || uli ||  create new dev image from cacert1 || {g} ||


----

==== Action Items New ====



Action items: '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''
