To Software Software - To Software-Assessment Software/Assessment - To previous meeting - To next meeting
Minutes of the MiniTOP on the 2012-07-17
Setting
The MiniTOP will be held via telco 22:00 CEST
Attendees: Marcus, Uli, Benny, dirk, Michael, (David via irc)
Topics
(skip to agenda)
Action items from last meeting Meeting Action Items
Software/Assessment/ActionItems
all
proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems
see also BEAST migration https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
Proposal from Sysadm list 2013-09-06{0}
SA
documentation server cert design concept to SystemAdministration/Systems/Development/Prepare
{0}
all
{0}
BenBE, Marcus
documentation: developer git repos under github
bug #1131 history @ github
CAcertOrg @ github
started under Software/Assessment/Documentation/UpdateCycle/step1{0}
NEO
{0}
all
read x509 guide
{0}
all
bug#1068 blog problem (also relates to community)
debian lenny - edge - squeeze upgrades needed
alternate: new server with squeeze, install wordpress, transfer domain
workaround: configure your FF FAQ/BrowserClients{g}
uli
Experience points for ATE attendance
check board motions and/or trigger if not yet passed{0}
uli
Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18
current state: see Funding Landing Page
May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished{0}
All
1. next: strategy for "New Roots & Escrow" - using indirect crl's ?
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment{0}
dirk, Michael
3. next: strategy for "New Roots & Escrow" - how does debian work?
to contact, deferred to next events (?)
next round: picked up by Benedikt new proposal 2013-06-02{0}
Uli, Michael
Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png
{0}
Development, Deployment, Discussion
OAO, Ted
bug #943 change OA admin/assurer text
needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected
{-}
uli, Ted
bug #824 Org User cert fix Case study
Organisation User Certificates: Need UI improvement for proper production usage
{0}
uli, ted
bug #823 email address removal fix
No warning when removing e-mail address from account that certificates will be revoked
checked by 4, needs 2nd review, deploy
rejected{-}
inopiae
bug #920 Join - single name only (eg Indonesian)
details under bug number
{0}
uli
bug #859 admin console interface
feature request: show activity on an account in the admin interface
rejected, certs login doesn't modify "modified" field{r}
Michael
p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
uli, marcus: needs full cert create tests
duplicate report to bug#978
tested by 3, 2nd review done, transfered
Ken reported: still has problems, bug kept open{0}
gagern, NEO
bug #440 Problem with subjectAltName (CSR, renew certs)
There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development
{r}
neo
bug #1025 Domain Dispute issue
disputes rc and rc2 var prob
needs work{r}
dirk
bug #1054 0001054: Review the code regarding the new point calculation
Thawte patch part II
needs further work{r}
Software Assessors: Review 1 / add to cacert-devel, add to testserver
Software-Assessors task
Testing
Testers task
neo
bug #1004 Stats page improvement
tested by 2, needs 2nd review
{0}
neo
Bugs #1159 it might be possible to execute commands on the signing server
{0}
inopiae
bug #1065 Wrong wording when sending mails during the assurance process
{0}
inopiae
bug #1162 calcutate (the passwords) hash in php instead of in mysql
create test scenarios for the software testers
![/!\](/moin_static199/cacert/img/alert.png "/!\")
Full testing {0}
inopiae
bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails
{0}
inopiae
bug #988 TTP cap form deployment
{0}
Software Assessors: 2nd Review, Bundle Package to Critical Team
Software-Assessors task
Ted
bug #500 Get contact mail adress after resolving test
tested by 3, requires review
{0}
Ted
bug #1140 Show if a test is passed in learnprogress
tested by 3, requires review
{0}
magu
bug #1131 Rename _all_ Policies from .php to .html and fix all links
global policy directory maintenance and update
{0}
inopiae
bug #1010 Reorder the view on organisation certificates
tested by 3
{0}
Software Assessors: Bundle Package to Critical Team
Software-Assessors task
inopiae
bug #1139 Add new fields to the database
tests through #500 and #1140, 2nd review done, requires transfer
{0}
Awaiting Response from Critical Team
inopiae
bug #411 Wrong text is made into link
{g}
Agenda
1. Preface
- Cebit brainstorming
- dirk: request for events report
- (2012-03-27) Marcus awaiting translation from Marc
- (2012-06-19) Marcus: translation received, will send within the next upcoming days
- (2012-06-26) Marcus: not yet finished
- 2nd draft finished
- Sat report missing
- Bennys c.o address
- wip
2. 2nd review of about 5 patches
Software-Assessors task
bug #789 OA edit domain fix, Editing domain for organisations does not work
new update 2011-09-26
2 tests, needs 2nd review, deploy
more fixes, more testing- 2nd review of 1 patch
- Michael cannot do, needs doing by dirk (or other Software-Assessor, who else?)
bug #789 reviewed: 2012-07-10
- what is /pages/account/29.php for? edit org domain
- (pc vm crashed)
- 2nd review of 1 patch
bug #978 bug 978 (weak keys) (bug 918)
- invalid key format, no regular error message, something wrong, error code # identified
- debugging infos from user + infos from critical team with error code #, was spkac routine
- one test done 2011-12-17 by JensK
uli, marcus: more tests: certs routine, weak keys (small keys test), relates to bug#540 tests
- (week 7)
bug#540 No key usage attribute in cacert org certs anymore?
also: bug#905
Policy group discussion - Extended key usage -> p20111113, motion CARRIED
- deployment
prepare fixes -> Michael to prepare diffs, against svn
- sending to testserver
- transfer to critical system
- (2011-12-13) approx 2 weeks to write the fix, approx 2 months to go
- Michael did transfer the patch to testserver
- signer code update
- changes against svn
- uli, to add to tester portal, done
- uli to inform testers about new tests
- test report from kenneth to transfer to report (email from 2011-12-25)
- Michael: where to find the report from kenneth? link?
- NEO has added the report (written to private dl)
- who has adobe 8 for testing?
- magu has, please test
- next: needs testing (week 6)
- uli, marcus: needs full cert create tests
- uli (2012-01-25): sent notification to software testers
- awaiting testing ... problem FULL test, including all possible variations with certs creation
also to report under bug #978 bug 978 (weak keys) (bug 918)
- Testers: test all certs veriations, functions
- dirk 2nd review of patches, reviewed 2012-07-10
- diff line 23ff unclear, what does section ($root==2) mean?
also unclear: else section $CRLUrl="http://crl.cacert.org/root${root}.crl";
skipped
bug #1024 reviewed 2012-07-10
server.pl, too much changes to review in a working session, skipped
neo
bug #1024 Assurer flag is not set correctly on updatesort.php run
tested by 4, ok
2 {0}
Michael
p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
uli, marcus: needs full cert create tests
duplicate report to bug#9783 {0}
inopiae
New layout of view for Organisation Administrators in account/id35
4 {0}
neo
bug #978 Invalid SPKAC requests are not properly validated
recheck full certs signing procedures
duplicate report to bug#5405 {0}
uli, ted
bug #789 OA edit domain fix
Editing domain for organisations does not work
new update 2011-09-26
2 tests, needs 2nd review, deploy
more fixes, more testing6 {0}
3. bug #1023 Testing (6.php)
- Thawte points removal, final step
- last patch transfered to production system 2012-05-30
- what are the next steps for thawte points revoke?
- points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
- 15.php needs rename to 10.php
- cannot move forward without dirk
4. Marcus Bugs list
see also Software/BugsOverview
bug#1023 related
bug#583 "Assure Somebody" allows future assurance dates
bug#648 send message from Assurer to Member
bug#802 Name parts should be designated in assurance form
bug#870 My Details - My Points show bugus time stamp
bug#914 Information about Practice on Name while entering an Assurance
bug#930 types wrong points in "Assure Someone" form
bug#931 Date of assurance in future don't throw any exception
bug#998 When entering an assurance in the WoT one line of the form the suffix is given in another line the suffix is missing.
bug#1000 Entering an assurance into the system after searching for an assurer causes a pre-filled location field
- Others
bug#118 Secure TTP Form upload - outdated, conflicts with new procedure, closed
bug#428 Reminder language-drop-down-box doesn't keep "English" if you choose it again - cannot be reproduced, tested by 2, closed
bug#489 Pb on rewarding 2 points for an assurance
bug#567 case sensitive email: tested by 2, cannot be confirmed, closed
bug#767 Single-quotes escaped in Web-of-Trust contact form.
- info pages to wiki pages
bug #491 "Please allow usage of "secondary" emails user ids." - proposes: Close with rejected
* username/password half of the combination is known to potential attacker * login prevents login to several email addresses * acceptance to several email addresses is prevented * no notification if primary email address has been changed * note regarding Policy Group * dirk: proposal: response email address exists, but isn't primary email ? * create new account results in "email address exists" * what is a proper response? * requestor has to be an assurer for assure someone * neo: for registration process chaptcha required * no good solution * for assurance only primary, for all other services allow also secondary addresses * search needs enhancement: search not only primary, also secondary
bug #571 "need for email addresses (or link) in admin console" - proposes: Closed with solved by other bug fix
* primary and secondary email addresses are shown in admin console
bug #591 "CPS has to be improved for audit." - proposes: Closed
* CPS is a working revision also DRAFT revision included * relates to policy repository bug# final place finding
- addtl. groups:
- OA
- CCA rollout
- TTP
5. Benny reviews
bug #1025 "Domain Dispute strange behaviour / Domain Dispute issue", checked
- wrong description, problem removing domains, bugfix solves this problem
- async removal of certs by signer
- needs review and testing
- inopiae will try testing on upcoming weekend
- to test: email- and domain dispute
bug #922 "CAcert application code problem causing missing 'certificate about to expire' messages", checked
- patch seems to be ok
- white spaces cleanup
includes/account.php var $id shall be fixed within recursion, new bug #1078
- 2 tests initiated by inopiae and u60
- principle ok, but very confusing
- test reports Marcus:
- discussions, Marcus got 71 or 72 notifications
- Neo: default 5 notifications: 45d, 30d, 15d, 3d, 1d
bug #922 test report / review
- one test account, 1 client cert, 1 server cert, received 105 (1) reminders (!!!)
- 15 reminders checked, 1 for client cert, 14 for server cert (!!!)
- needs further inspection
bug #1019 "Contact form does not work when logged in"
- Michael: rework contact form
- usability: 1 form, option box with public/support delivery, default support
- current form 1: public, form 2: private
- spam prevention via java, on disabled java the mail is marked [possible spam]
- mass mailing possible if adding multiple emails separated by commas
- account.php - email address from sender, no address validation, several other places it passes address validation
- neo: why not use primary email address?
- works only if logged-in
- index?id=11 has also been changed
- url was hardcoded
- account.php?id=14
- sendmail() routine in includes/mysql.php
- Michael: rework contact form
- patches 2nd review, Benny to do pre-view
neo
bug #1024 Assurer flag is not set correctly on updatesort.php run
tested by 4, ok
2 {0}
Michael
p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
uli, marcus: needs full cert create tests
duplicate report to bug#9783 {0}
inopiae
New layout of view for Organisation Administrators in account/id35
4 {0}
neo
bug #978 Invalid SPKAC requests are not properly validated
recheck full certs signing procedures
duplicate report to bug#5405 {0}
uli, ted
bug #789 OA edit domain fix
Editing domain for organisations does not work
new update 2011-09-26
2 tests, needs 2nd review, deploy6 {0}
- for #540 uli has sent a short summary to dirk
6. New SA candidates and Coders
ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before 2012-08-10 - 2012-08-11 BarCamp kiel
- Whats with ABC over archaios?
- How to find coders? Experiences from the Gentoo project
7. English Translation Problems
how to handle typing error in web phrase Software/TranslationMisspelling
- "Can't continue with certificaterequest." in ../includes/account.php:341 ../includes/account.php:1482
8. Long Term Projects
NEO: "BlackJack"
info from NEO: "BlackJack" moved forward
- Marek's sql class project:
- is working on charset replacement
- api project, Carsten continues with portal project not waiting for vendor-api to be delivered
- potential candidates for development
- Marek's sql class proposal
- needs probably db upgrades
- needs addtl. indices
- needs testing
- archaios
- builds daemon as unpreviliged user
- Marek's sql class proposal
- vendor-api delayed
- no coders
- other projects
- related to sql class project
- portal project continues with a workaround, needs an assurer
- arbitration case on locations database orders outsourcing of find-an-assurer asap
- with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)
- potential candidates for development
9. next meeting
- Tuesday, July 24, 2012 22:00 CEST
Minutes
- Preface
- Bug Testing / Reporting bug #922 difficult
- Marcus writes a tool to collect Email infors from TMS
- Bennys reviews
- 5 patches reviewed
- 3 simple, bugs 540 (mostly check policy text), 789, 981
- 2 with some difficultys, complexest one: 1024
- Bennys c.o address
- is active, finished
- ABC Benny, no fixed date set yet
- NEO: default pem coded signed key output, chrome expects der
- How TMS email works: NEO: TMS connects via imap and collects and displays mails
- Bug Testing / Reporting bug #922 difficult
- dirk review bug 540
- gitdiff origin/release..origin/bug540
- dirk 2nd review of patches, reviewed 2012-07-10
- diff line 23ff unclear, what does section ($root==2) mean?
- class 3 server (in signer), comm module, each root client certs, there is a config #, root=0 class1, root=1 class3, root=2 newroots project class3s.crl (from 2008 new roots project)
- root=2 not avail on current system
also unclear: else section $CRLUrl="http://crl.cacert.org/root${root}.crl";
- 5 root vars defined (in client.pl)
- crl for other keys, not class1, class3. all other keys not active on current system
- server.pl: root.crl, class3, class3s, for further still unused keys
related policy decision: https://wiki.cacert.org/PolicyDecisions#p20111113
- review ok
- config files not reviewed, 2nd review not finished
- dirk 2nd review of patches, reviewed 2012-07-10
- gitdiff origin/release..origin/bug540
bug #1075 cap form link wrong under pages/wot/6.php
neo
bug #1075 cap form link wrong under pages/wot/6.php
cap link removed, moved to testserver
{0}
- data protection problem to pickup user data before assurance f2f meeting starts
- what does assurance process means? assurance "process" starts from request of assuree to an assurer to do an assurance over assuree
- problem in ttp process too, to have a view over data before f2f meeting and signed cap is in the hands of an assurer. ttp-admin can request confirmation from ttp-user to access online data
- simple patch: remove links
- edited by NEO: transfered to testserver
- dirk review bug 789, OA edit domain fix, Editing domain for organisations does not work
- gitdiff origin/release..origin/bug789
bug #789 reviewed: 2012-07-10
- what is /pages/account/29.php for? edit org domain
- phone accu breaks
NEO: has finished IE patch, http://cacert.nhng.de/IEkeygen/keygen.html
- will prepare a working patch and will transfer to testserver within the next 7 days
NEO: git diff origin/release...origin/bug-XXX -> search all differences since last release
- How to find coders? Experiences from the Gentoo project
http://redmonk.com/dberkholz/2012/07/10/how-to-recruit-open-source-contributors/
- use as blueprint for all recruits?
- some discussions
- English Translation Problems
how to handle typing error in web phrase Software/TranslationMisspelling
- "Can't continue with certificaterequest." in ../includes/account.php:341 ../includes/account.php:1482
- create shared bug
- probably make part a. and b. a. that is clear, b. that is questionable
- David's posts in irc
- there is no checks for \00, er, \0
the \0 check will be done in signer (-> CommModule client and/or server.pl)
- server.pl lines 494+495
- blacklist for domain names for new signer
- (char) 160 is problematic in various locales, as it appears as whitespace (160 is not a particularly good val either in ISO-8859-1) in certs
- todo: doing whitelist of allowable chars
- \xA0 is a problem too (at least in Win32/64)
- subjectAltName is occasionally not checked for problems
- file a new bug
- there is no checks for \00, er, \0
- FF prob with favicon verification
- some discussion
- next meeting
- Tuesday, July 24, 2012 22:00 CEST
Fixed Action Items since last or within meeting
Action Items New
Action items: Meeting Action Items