Minutes of the MiniTOP on the 2012-04-17


The MiniTOP will be held via telco 22:00 CEST

Attendees: Marcus, Uli, Magu, dirk, Michael



Action items from last meeting: Meeting Action Items


Development, Deployment, Discussion

  • OAO, Ted

    bug #943 change OA admin/assurer text

    needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected


    uli, Ted

    bug #824 Org User cert fix Case study

    Organisation User Certificates: Need UI improvement for proper production usage


    uli, ted

    bug #823 email address removal fix

    No warning when removing e-mail address from account that certificates will be revoked
    checked by 4, needs 2nd review, deploy



    bug #920 Join - single name only (eg Indonesian)

    details under bug number



    bug #859 admin console interface

    feature request: show activity on an account in the admin interface
    rejected, certs login doesn't modify "modified" field



    bug #540

    p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
    uli, marcus: needs full cert create tests
    duplicate report to bug#978
    tested by 3, 2nd review done, transferred
    Ken reported: still has problems, bug kept open


    gagern, NEO

    bug #440 Problem with subjectAltName (CSR, renew certs)

    There seems to be a problem with the subjectAltName. Dupes, missing entries, and more
    rejected, needs further development



    bug #1025 Domain Dispute issue

    disputes rc and rc2 var prob
    needs work



    bug #1054 Review the code regarding the new point calculation

    Thawte patch part II
    needs further work


Software Assessors: Review 1 / add to cacert-devel, add to testserver

  • Software-Assessors task


  • Testers task


    bug #1004 Stats page improvement

    tested by 2, needs 2nd review



    bug #1159 it might be possible to execute commands on the signing server



    bug #1065 Wrong wording when sending mails during the assurance process



    bug #1162 calculate (the passwords) hash in php instead of in mysql

    create test scenarios for the software testers /!\
    Full testing /!\



    bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails



    bug #988 TTP cap form deployment


Software Assessors: 2nd Review, Bundle Package to Critical Team

  • Software-Assessors task


    bug #500 Get contact mail address after resolving test

    tested by 3, requires review



    bug #1140 Show if a test is passed in learnprogress

    tested by 3, requires review



    bug #1131 Rename _all_ Policies from .php to .html and fix all links

    global policy directory maintenance and update



    bug #1010 Reorder the view on organisation certificates

    tested by 3


Software Assessors: Bundle Package to Critical Team

  • Software-Assessors task


    bug #1139 Add new fields to the database

    tests through #500 and #1140, 2nd review done, requires transfer


Awaiting Response from Critical Team

  • inopiae

    bug #411 Wrong text is made into link



1. Preface

  1. dirk topics
    1. Cebit brainstorming
      • dirk: request for events report
      • (2012-03-27) Marcus awaiting translation from Marc
      • (2012-04-03) Marcus will do upcoming (easter) weekend
  2. github
  3. new bug#1031 security issue?

2. Software-Assessors candidates

3. bug #1023 Testing (6.php)

  1. Thawte points removal, final step
    • relates to 6.php
    • this also relates to TTP
    • dirk will work on this last weekend (2012-01-21)
    • current state: not yet finished
      • expected finishing? upcoming weekend (2012-01-23 to 2012-01-30)
      • not finished, upcoming weekend 2012-02-06?
      • not finished, last weekend 2012-03-12?
      • 2012-03-13: new bug#1023

      • transferred to git cacert
      • to test:
        • assure someone
        • w/ and w/o ttp
        • in all variations
      • Added to testserver Tue 13.3., Wed 14.3.


      bug #1023 Consolidate changes into the Assure Someone page

      6.php global re-design project
      assurance, wot area (Thawte points removal effective)


    • current state: patch removed from testserver, needs work (DEV)
    • (2012-03-27) back on testserver: bug #1023 (6.php), has a bug, needs work
    • 2 new bugs within meeting 2012-03-27
    • (2012-04-03) bugs analyze, empty results analyse, new patch transferred to testserver

4. testing of certs patches

5. 2nd review of 3 patches

6. continue BlackJack coding by Michael

  1. bug#964, bug#918 (Part II) Codename "BlackJack" - VBscript for Vista/Win7 (select keysize >= 1024)

    • x1 Dirk, new bug#964
      DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV

      current state: test /account/4.php added to testserver
      Marcus will do detailed tests on Wed
      some references added to bug#964


    • as part of
    • x1 Arbitration case a20110312.1 Weak keys bug #918 / bug #954 / bug#964

    • Current state:
      • {g}

        pre mailing sent


        keys revocation script to bulk revoke weak keys, new bug #954, finished


        dirk: DEV: a20110312.1 bug#918 Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV
        vbscript needs to be improved with select box key size and lower limit to 2048 (based on https://wiki.mozilla.org/CA:MD5and1024)
        Api CertEnroll (MS crypto provider)
        new bug#964
        current state: test /account/4.php added to testserver
        Marcus will do detailed tests on Wed
        some references added to bug#964 - codename "BlackJack"


        Weak keys blog post, published


        Weak keys article published by Hanno(July 28), link is in CAcert's blog post (July 30)


        weak keys: problems with cryptostick (to test at Froscon with Juergen ?)

    • cert enroll infos under bug#964

    • vista and win7 works with other engine !CryptoAPI (?) => Cryptography API: Next Generation

    • dirk: has not started the virtual machine
    • Question from Marcus: did someone contact illuminat?
      • No, Marcus: to contact illuminat
      • illuminat will give it a try, first needs download of testserver image
    • Update?
      • marcus: illuminat not yet seen last time
      • baseline requirement - keysize >= 2048 to fix till end of 2011

      • how to proceed?
      • dirk: 1st step, to bring win test server locally online
      • marcus: to contact illuminat
      • Do we have other developers who may pick up this project?
    • Marcus -> dirk: announcement of vbscript bug to developers mailing list

      • change keysize
      • merge 2 scripts to one
      • fix on script 1 needs fix in 2nd script too, solutions: include, one file, or comment fix script 2 too
    • interrupt: bug#964 -> codename "BlackJack"

      • relates to IE8 problem, that certs cannot be created
      • is there a security issue with available fix? also bug#918

      • related 927, 901, 847
      • a patch is online on testserver, but cannot be found
      • related patch files, /pages/account/ 3,4,16,17; /include/account.php
      • there are other vbscript pages: ../account/ 6 + 19
    • Brian bug#964

      • Michael: Marcus to test with IE
      • IE select provider only
    • code from Brian needs some corrections, corrections to do, 4 + 17 inclusions, checkin
      • notification to Brian, done
      • quickfix has problems too
      • next step(s)
        • check error codes / debug routines
        • open developer mode, create cert
          • resulting error: line 213, put length, wrong parameter
            Zeile: 213
            Fehler: CertEnroll::CX509PrivateKey::put_Length: Falscher Parameter. 0x80070057 (WIN32: 87)
            Zeile 213:  objPrivateKey.Length = &h08000000
    • current state: an undef error with current patch
      • we need someone who has experience with vbscript, to come into telco, reviews interface/api beforehand
        • illuminat: not before Easter
        • marcus: will ask users on assurance party Wed 18th Jan
    • 2012-01-23:
      • also cabforum requirement, keysize under IE limited to 1024
      • how to find programmers ?
        • windows webserver programmers: Outlook, Citrix portals
      • new API's can use java, new apis have web-enabled
      • splitting vbscript for os revisions < vista, java for os revisions >= vista ?

    • NEO started development, not yet finished
    • next: for XP: rewrite vbscript to JavaScript

7. next meeting


  1. Cebit brainstorming
    • request for events report
    • (2012-04-03) Marcus will do upcoming (easter) weekend
    • no update
  2. OA stuff
  3. bug #1023 Testing (6.php)
    • Thawte points removal, final step
    • current state
    • dirk: didn't we conclude 14 days ago, that the current patch state is the revision similar on the production system
    • potential bugs on production system can be identified against wot.php on testserver (-> diff wot.php, if no difference bugs are also in production system)

    • Michael: diff is empty, this means wot.php is identical between production and testserver
    • Michael: didn't push one patch, as it has at least one error
    • Michael: fix and push to git / testserver, patch is transferred to testserver
    • testing: failures occurred
    • last time we've added method transfer
      • if board=1, method empty -> results in garbage in database

    • new bug, that methods aren't checked that need to be checked bug#1032

    • req by Marcus to add maxpoints limit definition: 35 assurance points (by AP) in a f2f meeting, up to 50 assurance points possible through a subpolicy (currently none available), new bug bug#1033

  4. bug #1027 Testing (donations / booking.com)
    • invitation to magu
  5. github
  6. new bug#1031 security issue?

    • no high risk, but should be fixed
    • problem is multibyte encoding related (currently not used)
    • alternate coding: each sql statement needs to be reviewed (prepared statements)
  7. Software-Assessors candidates
    • Problem:
      • 2nd review of 4 patches cannot be reviewed by NEO, dirk is busy, so only Ted avail, Markus inactive
    • candidate to contact by ...
      • kotek? (-> neo) - neo is doing reviewing

      • aphexer? (-> ?)

      • bjoern? (-> magu) - what attracts programming for CAcert?

      • willm (-> neo) (xing contact, developer), will contact next

      • stephan (-> marcus)

    • reactivate PG?
    • how do we get SA attractive?
      • Marcus: blockers? eg. dpa
      • dirk: newsletters, last one last year
      • open dpa discussion (uli: added to next board meeting agenda)
  8. next meeting
    • Tue April, 24th

Fixed Action Items since last or within meeting

Action Items New

Action items: Meeting Action Items

Software/Assessment/20120417-S-A-MiniTOP (last edited 2012-04-18 00:44:41 by UlrichSchroeter)