 . '''To Software [[Software|Software]]''' - '''To Software-Assessment [[Software/Assessment|Software/Assessment]]''' - '''To [[Software/Assessment/20120619-S-A-MiniTOP|previous meeting]]''' - '''To [[Software/Assessment/20120703-S-A-MiniTOP|next meeting]]'''

----

= Minutes of the MiniTOP on the 2012-06-26 =

== Setting ==

The MiniTOP will be held via telco 22:00 CEST

Attendees: michael, magu, benny, marcus, uli, dirk

== Topics ==

(skip to [[#AGENDA|agenda]])

Action items from last meeting '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''

== Agenda ==

## last full agenda https://wiki.cacert.org/Software/Assessment/20120228-S-A-MiniTOP

=== 1. Preface ===

 1. Cebit brainstorming
  * dirk: request for events report
  * (2012-03-27) Marcus awaiting translation from Marc
  * (2012-04-03) Marcus will do upcoming (easter) weekend
  * (2012-04-17) no update
  * (2012-04-24) no update
  * (2012-05-29) no update, uli: marcus please translate by yourself
  * (2012-06-05) no update
  * (2012-06-12) in the next days
  * (2012-06-19) Marcus: translation received, will send within the next upcoming days

=== 2. Permissions Review ===

 1. dispute cases
  * new bug: [[https://bugs.cacert.org/view.php?id=1038|bug #1038]] Provide a script for board/tverify reset flags by arbitration a20110118.1
  * re [[https://bugs.cacert.org/view.php?id=1003|bug #1003]] Permissions review script, to incorporate new intermediate ruling
 1. Permissions review and revoke of board and tverify flag ([[https://bugs.cacert.org/view.php?id=1003|bug #1003]] and [[https://bugs.cacert.org/view.php?id=1038|bug #1038]])
  . Michael ran the permission preview script. After finding and fixing some formatting issues, the script was run a second time.
  . Afterwards Michael ran the script for the revoke of the board and tverify flag. The execution report was added as private to [[https://bugs.cacert.org/view.php?id=1003|bug #1003]]
  . All testers, please review your flags and mails on the test server and report ONLY in [[https://bugs.cacert.org/view.php?id=1003|bug #1003]].
 1. fix available, tested, next run close before
  * last run: 2012-03-30, next run 2012-06-30
  * to dirk: 2nd review [[https://bugs.cacert.org/view.php?id=1003|bug#1003]]
  * dirk: review looks ok
  * has been tested on testserver, on local testserver by Michael
  * good to go
  * part 1: recurring script, ok
  * part 2: permission reset, notification of users missing, fixed, tested, awaiting 2nd review again
 1. 2nd review done by Ted
 1. new permission review script incorporated, board, tverify reset script executed by critical team

=== 3. 2nd review of about 6 patches ===

||<#ff8080> '''Software-Assessors task''' ||

 1. [[https://bugs.cacert.org/view.php?id=789|bug #789]] OA edit domain fix, Editing domain for organisations does not work<<BR>>new update 2011-09-26<<BR>>2 tests, needs 2nd review, deploy<<BR>>more fixes, more testing
  * 2nd review of 1 patch
  * Michael cannot do, needs doing by dirk (or other Software-Assessor, who else?)
 1. [[https://bugs.cacert.org/view.php?id=978|bug #978]] bug 978 (weak keys) (bug 918)
  * invalid key format, no regular error message, something wrong, error code # identified
  * debugging infos from user + infos from critical team with error code #, was spkac routine
  * one test done 2011-12-17 by JensK
  * uli, marcus: more tests: certs routine, weak keys (small keys test), relates to [[https://bugs.cacert.org/view.php?id=540|bug#540]] tests
  * (week 7)
 1. [[https://bugs.cacert.org/view.php?id=540|bug#540]] No key usage attribute in cacert org certs anymore?
  * also: [[https://bugs.cacert.org/view.php?id=905|bug#905]]
  * Policy group discussion - Extended key usage -> [[PolicyDecisions#p20111113|p20111113]], motion CARRIED
  * deployment
   1. prepare fixes -> Michael to prepare diffs, against svn
   1. sending to testserver
   1. transfer to critical system
  * (2011-12-13) approx 2 weeks to write the fix, approx 2 months to go
  * Michael did transfer the patch to testserver
  * signer code update
  * changes against svn
  * uli, to add to tester portal, done
  * uli to inform testers about new tests
  * test report from kenneth to transfer to report (email from 2011-12-25)
  * Michael: where to find the report from kenneth? link?
  * NEO has added the report (written to private dl)
  * who has adobe 8 for testing?
  * magu has, please test
  * next: needs testing (week 6)
  * uli, marcus: needs full cert create tests
  * uli (2012-01-25): sent notification to software testers
  * awaiting testing ... problem FULL test, including all possible variations with certs creation
  * also to report under [[https://bugs.cacert.org/view.php?id=978|bug #978]] bug 978 (weak keys) (bug 918)
  * Testers: test all certs variations, functions

|| neo || [[https://bugs.cacert.org/view.php?id=1024|bug #1024]] Assurer flag is not set correctly on updatesort.php run || tested by 4, ok || 1 {0} ||
|| uli || [[https://bugs.cacert.org/view.php?id=967|bug #967]] OA isassurer check || Give an OA the opportunity to check if a designated Organisation Administrator is a CAcert assurer || 2 {0} ||
|| Michael || [[https://bugs.cacert.org/view.php?id=540|bug #540]] || p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing<<BR>>uli, marcus: needs full cert create tests<<BR>>duplicate report to bug#978 || 3 {0} ||
|| inopiae || [[https://bugs.cacert.org/view.php?id=981|bug #981]] OA overview (dupe of [[https://bugs.cacert.org/view.php?id=943|bug #943]]) || New layout of view for Organisation Administrators in account/id35 || 4 {0} ||
|| neo || [[https://bugs.cacert.org/view.php?id=978|bug #978]] Invalid SPKAC requests are not properly validated || recheck full certs signing procedures<<BR>>duplicate report to bug#540 || 5 {0} ||
|| uli, ted || [[https://bugs.cacert.org/view.php?id=789|bug #789]] OA edit domain fix || Editing domain for organisations does not work<<BR>>new update 2011-09-26<<BR>>2 tests, needs 2nd review, deploy<<BR>>more fixes, more testing || 6 {0} ||

=== 4. bug #1023 Testing (6.php) ===

 1. Thawte points removal, final step
  * last patch transferred to production system 2012-05-30
 1. what are the next steps for thawte points revoke?
  * points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
  * 15.php needs rename to 10.php
  * cannot move forward without dirk

=== 5. Marcus Bugs list ===

 * [[https://bugs.cacert.org/view.php?id=1023|bug#1023]] related
  * [[https://bugs.cacert.org/view.php?id=583|bug#583]] "Assure Somebody" allows future assurance dates
  * [[https://bugs.cacert.org/view.php?id=648|bug#648]] send message from Assurer to Member
  * [[https://bugs.cacert.org/view.php?id=802|bug#802]] Name parts should be designated in assurance form
  * [[https://bugs.cacert.org/view.php?id=870|bug#870]] My Details - My Points show bugus time stamp
  * [[https://bugs.cacert.org/view.php?id=914|bug#914]] Information about Practice on Name while entering an Assurance
  * [[https://bugs.cacert.org/view.php?id=930|bug#930]] types wrong points in "Assure Someone" form
  * [[https://bugs.cacert.org/view.php?id=931|bug#931]] Date of assurance in future don't throw any exception
  * [[https://bugs.cacert.org/view.php?id=998|bug#998]] When entering an assurance in the WoT one line of the form the suffix is given in another line the suffix is missing.
  * [[https://bugs.cacert.org/view.php?id=1000|bug#1000]] Entering an assurance into the system after searching for an assurer causes a pre-filled location field
 * Others
  * [[https://bugs.cacert.org/view.php?id=118|bug#118]] Secure TTP Form upload - outdated, conflicts with new procedure, closed
  * [[https://bugs.cacert.org/view.php?id=428|bug#428]] Reminder language-drop-down-box doesn't keep "English" if you choose it again - cannot be reproduced, tested by 2, closed
  * [[https://bugs.cacert.org/view.php?id=489|bug#489]] Pb on rewarding 2 points for an assurance
  * [[https://bugs.cacert.org/view.php?id=567|bug#567]] case sensitive email: tested by 2, cannot be confirmed, closed
  * [[https://bugs.cacert.org/view.php?id=767|bug#767]] Single-quotes escaped in Web-of-Trust contact form.
 * info pages to wiki pages
  * starting [[https://bugs.cacert.org/view.php?id=671|bug #671]]. There still exists a bug [[https://bugs.cacert.org/view.php?id=740|bug #740]] (How to become an assurer is missleading)
 * see also [[Software/BugsOverview]]

=== 6. Benny's buglist ===

 * 1025 "Domain Dispute strange behaviour / Domain Dispute issue", checked
 * 922 "CAcert application code problem causing missing 'certificate about to expire' messages", checked
 * 1019 "Contact form does not work when logged in"
  * Michael: rework contact form
  * usability: 1 form, option box with public/support delivery, default support
  * current form 1: public, form 2: private
  * spam prevention via java, on disabled java the mail is marked [possible spam]

=== 7. next meeting ===

 * Tuesday, July 3rd, 2012 22:00 CEST

== Minutes ==

 1. Cebit brainstorming
  * (2012-06-19) Marcus: translation received, will send within the next upcoming days
  * not yet finished
 1. Permissions Review
  1. dispute cases
   * new bug: [[https://bugs.cacert.org/view.php?id=1038|bug #1038]] Provide a script for board/tverify reset flags by arbitration a20110118.1
   * re [[https://bugs.cacert.org/view.php?id=1003|bug #1003]] Permissions review script, to incorporate new intermediate ruling
  1. problem with ttpadmin flag removal, needs new board motion or workaround with old board motions [[https://community.cacert.org/board/motions.php?motion=m20090912.1|m20090912.1]] and finally [[https://community.cacert.org/board/motions.php?motion=m20090914.2|m20090914.2]]
  1. new intermediate ruling in arbitration case
  1. uli in role as AO prepares ttpadmin members list, sends to OAO
  1. OAO confirms and sends the list to support
  1. Support executes the request
 1. 2nd review of about 6 patches
  * without dirk no success
 1. ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before
  . 2012-08-10 - 2012-08-11 BarCamp kiel
 1. ATE-DU preparations
 1. Benny reviews
  * [[https://bugs.cacert.org/view.php?id=1025|bug #1025]] "Domain Dispute strange behaviour / Domain Dispute issue", checked
   * wrong description, problem removing domains, bugfix solves this problem
   * async removal of certs by signer
   * needs review and testing
   * inopiae will try testing on upcoming weekend
   * to test: email- and domain dispute
  * [[https://bugs.cacert.org/view.php?id=922|bug #922]] "CAcert application code problem causing missing 'certificate about to expire' messages", checked
   * patch seems to be ok
   * white spaces cleanup
   * includes/account.php var $id shall be fixed within recursion, new bug #1078
   * 2 tests initiated by inopiae and u60
   * principle ok, but very confusing
  * [[https://bugs.cacert.org/view.php?id=1019|bug #1019]] "Contact form does not work when logged in"
   * Michael: rework contact form
   * usability: 1 form, option box with public/support delivery, default support
   * current form 1: public, form 2: private
   * spam prevention via java, on disabled java the mail is marked [possible spam]
   * mass mailing possible if adding multiple emails separated by commas
   * account.php - email address from sender, no address validation, several other places it passes address validation
   * neo: why not use primary email address?
   * works only if logged-in
   * index?id=11 has also been changed
   * url was hardcoded
   * account.php?id=14
   * sendmail() routine in includes/mysql.php
 1. Marcus buglist
  * [[https://bugs.cacert.org/view.php?id=491|bug #491]] "Please allow usage of "secondary" emails user ids." - proposes: Close with rejected
   * username/password half of the combination is known to potential attacker
   * login prevents login to several email addresses
   * acceptance to several email addresses is prevented
   * no notification if primary email address has been changed
   * note regarding Policy Group
   * dirk: proposal: response email address exists, but isn't primary email ?
   * create new account results in "email address exists"
   * what is a proper response?
   * requestor has to be an assurer for assure someone
   * neo: for registration process captcha required
   * no good solution
   * for assurance only primary, for all other services allow also secondary addresses
   * search needs enhancement: search not only primary, also secondary
  * [[https://bugs.cacert.org/view.php?id=571|bug #571]] "need for email addresses (or link) in admin console" - proposes: Closed with solved by other bug fix
   * primary and secondary email addresses are shown in admin console
  * [[https://bugs.cacert.org/view.php?id=591|bug #591]] "CPS has to be improved for audit." - proposes: Closed
   * CPS is a working revision also DRAFT revision included
   * relates to policy repository bug# final place finding
 1. neo: win7/vista BlackJack
  * certs codesigning
  * trusted sites
  * one component not secured for scripting
  * cannot be added to trusted sites
  * rtfm answer: registry key to set, on request by IE special answer, does not work
  * certenroll lib cannot be activated
  * [[https://cacert.nhng.de/IEkeygen/]]
 1. next meeting
  * Tuesday, July 3rd, 2012 22:00 CEST

==== Fixed Action Items since last or within meeting ====

|| Michael || [[https://bugs.cacert.org/view.php?id=1003|bug #1003]] Provide a possibility to regularly review the permissions in the system || also [[https://bugs.cacert.org/view.php?id=1038|bug #1038]] Provide a script for board/tverify reset flags by arbitration [[Arbitrations/a20110118.1|a20110118.1]] || 1 {g} ||

==== Action Items New ====

Action items: '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''

----

 . CategorySoftwareAssessment