 . '''To Software [[Software|Software]]''' - '''To Software-Assessment [[Software/Assessment|Software/Assessment]]''' - '''To [[Software/Assessment/20120731-S-A-MiniTOP|previous meeting]]''' - '''To [[Software/Assessment/20120814-S-A-MiniTOP|next meeting]]'''
----
= Minutes of the MiniTOP on the 2012-08-07 =

== Setting ==
The MiniTOP will be held via telco 22:00 CEST

Attendees: magu, benny, uli, michael, marcus, dirk

== Topics ==
(skip to [[#AGENDA|agenda]])

Action items from last meeting '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''

== Agenda ==
## last full agenda https://wiki.cacert.org/Software/Assessment/20120228-S-A-MiniTOP

=== 1. Preface ===
 1. Cebit brainstorming
  * dirk: request for events report
  * (2012-03-27) Marcus awaiting translation from Marc
  * (2012-06-19) Marcus: translation received, will send within the next few days
  * (2012-06-26) Marcus: not yet finished
  * 2nd draft finished
  * Sat report missing, Uli sent a report 2012-03-22 (with wiki link [[Assurance/Procedures/RLO]])
  * Marcus to compile final report
 1. Three patches transferred:
  1. [[https://bugs.cacert.org/view.php?id=540|bug #540]] Extended Keyusage
  || Michael || [[https://bugs.cacert.org/view.php?id=540|bug #540]] || p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing<<BR>>uli, marcus: needs full cert create tests<<BR>>duplicate report to bug#978 || 3 {g} ||
   * transferred to critical
   * report by Ken in dev mailing list
   * What about [[https://bugs.cacert.org/view.php?id=540|bug #540]] Extended Keyusage - related patches
    * report by Ken in dev mailing list
    * potential 2 problems
     1. test before patch comes into effect
     1. root keys from production system not installed
    * differences between production and testserver roots/class3 roots?
    * production root
    {{{
X509v3 Basic Constraints: critical
    CA:TRUE
X509v3 CRL Distribution Points:
    URI:https://www.cacert.org/revoke.crl
Netscape CA Revocation Url:
    https://www.cacert.org/revoke.crl
Netscape CA Policy Url:
    http://www.cacert.org/index.php?id=10
Netscape Comment:
    To get your own certificate for FREE head over to http://www.cacert.org
}}}
    * testserver root
    {{{
X509v3 Basic Constraints: critical
    CA:TRUE
Authority Information Access:
    OCSP - URI:http://ocsp.CAcert.org/
    CA Issuers - URI:http://www.CAcert.org/ca.crt
X509v3 Certificate Policies:
    Policy: Security
    CPS: http://www.CAcert.org/index.php?id=10
Netscape CA Policy Url:
    http://www.CAcert.org/index.php?id=10
Netscape Comment:
    To get your own certificate for FREE, go to http://www.CAcert.org
}}}
    * production class3
    {{{
X509v3 Certificate Policies:
    Policy: 1.3.6.1.4.1.18506
    CPS: http://www.CAcert.org/index.php?id=10
}}}
    * testserver class3
    {{{
X509v3 Certificate Policies:
    Policy: Security
    CPS: http://www.CAcert.org/index.php?id=10
}}}
    * main difference: OCSP / CRL links in root cert
    * test scenario
     * create new root identical to production root
     * existing config file results in the current testserver root, in svn
     * svn copy of config has been added late (Dec 2010)
     * SVN:/CAcert/SystemAdministration/signer/ssl
   * There are references to: [[https://bugs.cacert.org/view.php?id=905|bug#905]] "Unable to sign PDF file with Acrobat"
    * who can test Acrobat???
   * Can reports from bug #540 also be found under [[https://bugs.cacert.org/view.php?id=978|bug #978]] (weak keys)?
   * reference [[https://bugs.cacert.org/view.php?id=918|bug #918]] Weak keys in certificates (closed)

=== 2. 2nd review of about 3 remaining patches ===
||<#ff8080> '''Software-Assessors task''' ||
 1. Benny pre-views done
 || neo || [[https://bugs.cacert.org/view.php?id=1024|bug #1024]] Assurer flag is not set correctly on updatesort.php run || tested by 4, ok || 2 {0} ||
 || inopiae || [[https://bugs.cacert.org/view.php?id=981|bug #981]] OA overview (dupe of [[https://bugs.cacert.org/view.php?id=943|bug #943]]) || New layout of view for Organisation Administrators in account/id35 || 4 {0} ||
 || neo || [[https://bugs.cacert.org/view.php?id=978|bug #978]] Invalid SPKAC requests are not properly validated || recheck full certs signing procedures<<BR>>duplicate report to bug#540 || 5 {0} ||
  * from meeting 2012-07-17:
   * 5 patches reviewed
   * 3 simple: bugs 540 (fixed), 789 (fixed), 981
   * 2 with some difficulties: 978 (related to bug#540), and the most complex one: 1024
 1. [[https://bugs.cacert.org/view.php?id=978|bug #978]] (weak keys) (bug 918)
  * invalid key format, no regular error message, something wrong, error code # identified
  * debugging info from user + info from critical team with error code #, was spkac routine
  * one test done 2011-12-17 by JensK
  * uli, marcus: more tests: certs routine, weak keys (small keys test), relates to [[https://bugs.cacert.org/view.php?id=540|bug#540]] tests
  * (week 7)
 1. [[https://bugs.cacert.org/view.php?id=1024|bug #1024]] reviewed 2012-07-10
  * server.pl, too many changes to review in a working session, skipped /!\
  * dirk 2nd review: [[https://bugs.cacert.org/view.php?id=1024|bug #1024]] Assurer flag is not set correctly on updatesort.php run
   * michael: fix assurer flag from library
    * with userid for one special user
    * w/o userid, for all users
   * to continue upcoming week
   * see also 3.1 "Thawte points removal, final step"

=== 3. Patches Overview - DEV and Testing ===
 1. bug #1023 Testing (6.php)
 1. Thawte points removal, final step
  * last patch transferred to production system 2012-05-30
  * what are the next steps for thawte points revoke?
   * points settings codes, e.g. 50 pts open gpg/pgp, which certs avail by how many pts
   * 15.php needs rename to 10.php
  * cannot move forward without dirk
   * when?
   * blocked by software-reviews
   * Marcus: reviews dirk is doing only in meetings
   * upcoming week?
 1. Bugs under Testing
 1. English Translation Problems
  * how to handle typing error in web phrase [[Software/TranslationMisspelling]]
   * "Can't continue with certificaterequest." in ../includes/account.php:341 ../includes/account.php:1482
  * create shared bug
   * probably make part a. and b.
    a. that is clear
    a. that is questionable
  * new [[https://bugs.cacert.org/view.php?id=1086|bug #1086]]
 1. Marcus Bugs list
  * see also [[Software/BugsOverview]]
  * [[https://bugs.cacert.org/view.php?id=1023|bug#1023]] related
   * [[https://bugs.cacert.org/view.php?id=583|bug#583]] "Assure Somebody" allows future assurance dates
   * [[https://bugs.cacert.org/view.php?id=648|bug#648]] send message from Assurer to Member
   * [[https://bugs.cacert.org/view.php?id=802|bug#802]] Name parts should be designated in assurance form
   * [[https://bugs.cacert.org/view.php?id=870|bug#870]] My Details - My Points show bogus time stamp
   * [[https://bugs.cacert.org/view.php?id=914|bug#914]] Information about Practice on Name while entering an Assurance
   * [[https://bugs.cacert.org/view.php?id=930|bug#930]] types wrong points in "Assure Someone" form
   * [[https://bugs.cacert.org/view.php?id=931|bug#931]] Date of assurance in future doesn't throw any exception
   * [[https://bugs.cacert.org/view.php?id=998|bug#998]] When entering an assurance in the WoT, in one line of the form the suffix is given, in another line the suffix is missing.
   * [[https://bugs.cacert.org/view.php?id=1000|bug#1000]] Entering an assurance into the system after searching for an assurer causes a pre-filled location field
  * Others
   * [[https://bugs.cacert.org/view.php?id=118|bug#118]] Secure TTP Form upload - outdated, conflicts with new procedure, closed
   * [[https://bugs.cacert.org/view.php?id=428|bug#428]] Reminder language-drop-down-box doesn't keep "English" if you choose it again - cannot be reproduced, tested by 2, closed
   * [[https://bugs.cacert.org/view.php?id=489|bug#489]] Pb on rewarding 2 points for an assurance
   * [[https://bugs.cacert.org/view.php?id=567|bug#567]] case sensitive email: tested by 2, cannot be confirmed, closed
   * [[https://bugs.cacert.org/view.php?id=767|bug#767]] Single-quotes escaped in Web-of-Trust contact form.
  * info pages to wiki pages
   * starting [[https://bugs.cacert.org/view.php?id=671|bug #671]]. There still exists a bug# [[https://bugs.cacert.org/view.php?id=740|bug #740]] (How to become an assurer is misleading)
  * [[https://bugs.cacert.org/view.php?id=491|bug #491]] "Please allow usage of "secondary" emails user ids." - proposes: Close with rejected
  {{{
 * username/password half of the combination is known to potential attacker
 * login prevents login to several email addresses
 * acceptance to several email addresses is prevented
 * no notification if primary email address has been changed
 * note regarding Policy Group
 * dirk: proposal: response "email address exists", but isn't primary email?
  * create new account results in "email address exists"
  * what is a proper response?
 * requestor has to be an assurer for assure someone
 * neo: for registration process captcha required
 * no good solution
 * for assurance only primary, for all other services allow also secondary addresses
 * search needs enhancement: search not only primary, also secondary
}}}
  * [[https://bugs.cacert.org/view.php?id=571|bug #571]] "need for email addresses (or link) in admin console" - proposes: Closed with solved by other bug fix
  {{{
 * primary and secondary email addresses are shown in admin console
}}}
  * [[https://bugs.cacert.org/view.php?id=591|bug #591]] "CPS has to be improved for audit." - proposes: Closed
  {{{
 * CPS is a working revision, also DRAFT revision included
 * relates to policy repository bug# final place finding
}}}
  * addtl. groups:
   a. OA
   a. CCA rollout
   a. TTP
 1. [[https://bugs.cacert.org/view.php?id=1025|bug #1025]] "Domain Dispute strange behaviour / Domain Dispute issue", checked
  * wrong description, problem removing domains, bugfix solves this problem
   * async removal of certs by signer
  * needs review and testing
  * inopiae will try testing on upcoming weekend
   * to test: email- and domain dispute
 1. [[https://bugs.cacert.org/view.php?id=922|bug #922]] "CAcert application code problem causing missing 'certificate about to expire' messages", checked
  * patch seems to be ok
   * white spaces cleanup
   * includes/account.php var $id shall be fixed within recursion, new [[https://bugs.cacert.org/view.php?id=1078|bug #1078]]
  * 2 tests initiated by inopiae and u60
   * principle ok, but very confusing
  * test reports Marcus:
   * discussions, Marcus got 71 or 72 notifications
   * Neo: default 5 notifications: 45d, 30d, 15d, 3d, 1d
  * [[https://bugs.cacert.org/view.php?id=922|bug #922]] test report / review
   * one test account, 1 client cert, 1 server cert, received 105 (1) reminders (!!!)
   * 15 reminders checked, 1 for client cert, 14 for server cert (!!!)
   * needs further inspection
  * Bug Testing / Reporting bug #922 difficult
   * Marcus writes a tool to collect Email info from TMS
 1. [[https://bugs.cacert.org/view.php?id=1019|bug #1019]] "Contact form does not work when logged in"
  * Michael: rework contact form
   * usability: 1 form, option box with public/support delivery, default support
   * current form 1: public, form 2: private
   * spam prevention via java; with java disabled the mail is marked [possible spam]
   * mass mailing possible by adding multiple emails separated by commas
   * account.php - email address from sender, no address validation; in several other places it passes address validation
   * neo: why not use primary email address?
    * works only if logged-in
   * index?id=11 has also been changed
    * url was hardcoded
   * account.php?id=14
   * sendmail() routine in includes/mysql.php
 1. Findings from David
  1. (char) 160 is problematic in various locales, as it appears as whitespace (160 is not a particularly good value either in ISO-8859-1) in certs
   * todo: do a whitelist of allowable chars
   * \xA0 is a problem too (at least in Win32/64)
   * todo: file a new bug#
  1. subjectAltName is occasionally not checked for problems
   * todo: file a new bug#

=== 4. Benny reviews ===

=== 5. New SA candidates and Coders ===
 1. ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before 2012-08-10 - 2012-08-11 BarCamp Kiel
  * [[Arbitrations/a20120703.1|ABC Benny]]
  * ABC Benny, no fixed date set yet
 1. ABC David
  * [[Arbitrations/a20120721.1|ABC David]]
 1. Heino, not yet prepared, needs first contact
 1. How to find coders? Experiences from the Gentoo project
  * [[http://redmonk.com/dberkholz/2012/07/10/how-to-recruit-open-source-contributors/]]
  * [[http://www.slideshare.net/dberkholz/lessons-on-recruiting-open-source-contributors-from-the-google-summer-of-code]]
  * use as blueprint for other recruits?

=== 6. Long Term Projects ===
 1. NEO: "BlackJack" [[https://bugs.cacert.org/view.php?id=964|bug #964]]
  * 2012-07-17 NEO: has finished IE patch, [[http://cacert.nhng.de/IEkeygen/keygen.html]]
  * meeting 2012-07-24: working session: testing "Black Jack"
   * marcus: tested chrome
   * marcus, uli: enable-login flag set after key has been signed with unset flag on request, fixed
  * 2012-07-24 working session
   1. NEO: (964) enable-login flag fixed, to transfer to testserver
   1. NEO: org-certs prob
   1. ben: "For the status code error messages, please give hex and int. Also, when the confirmation prompts are declined, make the error message somewhat more meaningful."
    * "Fehler: Nachricht (0x80000095 / -2147.....)"
    * error messages on ms website: [[http://msdn.microsoft.com/en-us/library/ms953432.aspx#smartcardcspcook_topic3]]
   1. magu: tests bug #964
    * error messages:
     * available key sizes: 512-1024 Bit (in 64 Bit steps)
     * Schlumberger CSP, Keysize 1024 --> 2146435043
     * Infineon SICRYPT Base Smart Card CSP Keysize Nothing Error_ (-7feff92 / -2146434962)
  * NEO: "BlackJack" [[https://bugs.cacert.org/view.php?id=964|bug #964]] testing from last week -> error codes
   * not yet implemented
 1. Marek's sql class project:
  * is working on charset replacement
 1. api project, Carsten continues with portal project, not waiting for vendor-api to be delivered
  * potential candidates for development
 1. Marek's sql class proposal
  * needs probably db upgrades
  * needs addtl. indices
  * needs testing
 1. archaios
  * builds daemon as unprivileged user
  * vendor-api delayed
  * no coders
  * other projects
   * related to sql class project
   * portal project continues with a workaround, needs an assurer
   * arbitration case on locations database orders outsourcing of find-an-assurer asap
   * with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)

=== 7. next meeting ===
 * Tuesday, August 14th, 2012 22:00 CEST

== Minutes ==
 1. Preface
  * report from last board meeting - topic Arbitration
   * is added to upcoming [[Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/20120819|board meeting 2012-08-19]]
  * Philipp not yet handled according to [[Arbitrations/Training/Lesson60|Appointment of Case Managers and Arbitrators procedure]]
   * uli: done within meeting
 1. NEO: "BlackJack" [[https://bugs.cacert.org/view.php?id=964|bug #964]]
  1. ben: "For the status code error messages, please give hex and int. Also, when the confirmation prompts are declined, make the error message somewhat more meaningful."
   * "Fehler: Nachricht (0x80000095 / -2147.....)"
   * error messages on ms website: [[http://msdn.microsoft.com/en-us/library/ms953432.aspx#smartcardcspcook_topic3]]
  1. magu: tests bug #964
   * error messages:
    * available key sizes: 512-1024 Bit (in 64 Bit steps)
    * Schlumberger CSP, Keysize 1024 --> 2146435043
    * Infineon SICRYPT Base Smart Card CSP Keysize Nothing Error_ (-7feff92 / -2146434962)
  1. NEO: "BlackJack" [[https://bugs.cacert.org/view.php?id=964|bug #964]] testing from last week -> error codes
   * started implementing
 1. [[https://bugs.cacert.org/view.php?id=540|bug #540]] Extended Keyusage
  * Ken report - how to move forward?
  * Michael: cannot debug
   * so probably no move forward
  * uli: added report links from devel list, changed state to needs feedback
 1. ABC interview David
  * state unknown
  * probably Philipp will pick up the case
  * at board meeting the interview was probably named as ABC interview
 1. dirk 2nd review:
 || neo || [[https://bugs.cacert.org/view.php?id=1024|bug #1024]] Assurer flag is not set correctly on updatesort.php run || tested by 4, ok || 2 {0} ||
  * [[https://bugs.cacert.org/view.php?id=1024|bug #1024]] reviewed 2012-07-10
  * server.pl, too many changes to review in a working session, skipped /!\
  * dirk 2nd review: [[https://bugs.cacert.org/view.php?id=1024|bug #1024]] Assurer flag is not set correctly on updatesort.php run
   * michael: fix assurer flag from library
    * with userid for one special user
    * w/o userid, for all users
   * to continue upcoming week
   * see also 3.1 "Thawte points removal, final step"
  * restarted review
  * is ok, tested by 4
 1. Portal deployment
  * Needs an assurer
  * relation to location database
 1. website find an assurer
 1. scripted mailing for ATE invitations
  * user check that data is still valid, e.g. every 1 year
  * notification at login up to 6 months not online
  * notification by email if not logged in within last 6 months
 1. [[https://bugs.cacert.org/view.php?id=922|bug #922]] "CAcert application code problem causing missing 'certificate about to expire' messages", checked
  * patch seems to be ok
   * white spaces cleanup
   * includes/account.php var $id shall be fixed within recursion, new [[https://bugs.cacert.org/view.php?id=1078|bug #1078]]
  * 2 tests initiated by inopiae and u60
   * principle ok, but very confusing
  * test reports Marcus:
   * discussions, Marcus got 71 or 72 notifications
   * Neo: default 5 notifications: 45d, 30d, 15d, 3d, 1d
  * [[https://bugs.cacert.org/view.php?id=922|bug #922]] test report / review
   * one test account, 1 client cert, 1 server cert, received 105 (1) reminders (!!!)
   * 15 reminders checked, 1 for client cert, 14 for server cert (!!!)
   * needs further inspection
  * Bug Testing / Reporting bug #922 difficult
   * Marcus writes a tool to collect Email info from TMS
  * benny will try to debug mass mailing problem with [[SystemAdministration/Systems/Development|local image]]
 1. dirk to continue with 2nd review:
 || inopiae || [[https://bugs.cacert.org/view.php?id=981|bug #981]] OA overview (dupe of [[https://bugs.cacert.org/view.php?id=943|bug #943]]) || New layout of view for Organisation Administrators in account/id35 || 4 {0} ||
  * what is the difference before / after patch?
   * Org-Admin views own org info
   * displays Organisations, their domains, admins, state, city and others
  * dirk: coding is ok, if tested ok, good to go
 1. recommendation to check for patch [[https://bugs.cacert.org/view.php?id=1070|bug #1070]] "0001070: Certain account passwords are logged in web server error log"
  * arbitration still open [[Arbitrations/a20120614.1|a20120614.1]]
  * needs testing
  * added to [[Software/CurrentTest|Current Tests]]
 1. dirk to continue with 2nd review:
 || neo || [[https://bugs.cacert.org/view.php?id=1070|bug #1070]] Certain account passwords are logged in web server error log || patch applied on production and testserver || {0} ||
  * dirk: review ok, good to go if tested
  * still needs testing ... for agenda of upcoming meeting
 1. next meeting
  * Tuesday, August 14th, 2012 22:00 CEST

==== Fixed Action Items since last or within meeting ====

==== Action Items New ====
|| benny || [[https://bugs.cacert.org/view.php?id=922|bug #922]] will try to debug mass mailing problem with [[SystemAdministration/Systems/Development|local image]] || {0} ||
|| all || [[https://bugs.cacert.org/view.php?id=1070|bug #1070]] Certain account passwords are logged in web server error log<<BR>>2nd review done by dirk<<BR>>Testing working session for agenda of upcoming meeting || {0} ||

Action items: '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''
----
 . CategorySoftwareAssessment
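As an added illustration of the character whitelist proposed under "Findings from David" in agenda item 3 ((char) 160 / \xA0 showing up as whitespace in certificate names), here is a small validator written for these minutes; it is not CAcert's code, and the allowed character set, the function name and the sample inputs are assumptions made for the example:

```python
import unicodedata

# Assumed whitelist for one name field of a certificate request (an assumption
# for this example, not CAcert's actual policy): letters in any script, ASCII
# digits, a single ASCII space between words and a few name punctuation marks.
ALLOWED_PUNCT = frozenset("-'.,")


def check_name_field(raw: bytes):
    """Validate a submitted name field; returns (ok, reason).

    The input must be strict UTF-8, so a lone 0xA0 byte (NO-BREAK SPACE in
    ISO-8859-1) is rejected as malformed instead of being reinterpreted.
    Any code point outside the whitelist is rejected by its U+ value, which
    also catches U+00A0 and other characters that merely look like a space.
    """
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as err:
        return False, f"not valid UTF-8 at byte {err.start}: 0x{raw[err.start]:02x}"
    if not text or text != text.strip():
        return False, "empty or leading/trailing whitespace"
    if "  " in text:
        return False, "consecutive spaces"
    for index, ch in enumerate(text):
        if ch == " " or ch in ALLOWED_PUNCT:
            continue
        if ch.isascii() and ch.isdigit():
            continue
        # General category L* covers letters in every script (ä, é, ß, ...);
        # Zs/Cc/Cf characters (NBSP, EM SPACE, tabs, zero-width joiners) fall
        # through to the rejection below.
        if unicodedata.category(ch).startswith("L"):
            continue
        name = unicodedata.name(ch, "unnamed")
        return False, f"disallowed character U+{ord(ch):04X} ({name}) at index {index}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: a plain name, an umlaut, NBSP encoded as
    # UTF-8, the bare Latin-1 byte 0xA0 and a tab.
    for sample in (b"Jan Mueller", "Jan M\u00fcller".encode("utf-8"),
                   "Jan\u00a0Mueller".encode("utf-8"), b"Jan\xa0Mueller",
                   b"Jan\tMueller"):
        print(sample, "->", check_name_field(sample))
```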
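For the bug #922 reminder test in agenda item 3 and the Minutes (5 reminders expected per certificate at 45/30/15/3/1 days, 105 received for one client and one server certificate), an added audit helper for collected reminder mails; it is not the tool Marcus planned and not CAcert's code, and the one-line-per-mail format, function names and sample log are constructed assumptions:

```python
import re
from collections import Counter, defaultdict

# Default reminder schedule from the minutes: days before expiry at which one
# "certificate about to expire" mail is expected.
DEFAULT_SCHEDULE = (45, 30, 15, 3, 1)

# Constructed one-line-per-mail format (an assumption for this example; a real
# export from the test mail system would need its own parser).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) cert=(?P<cert>\S+) "
    r"type=(?P<type>client|server) days_left=(?P<days>\d+)$"
)


def parse_reminders(lines):
    """Return (cert_id, cert_type, days_left, date) for each parseable line."""
    parsed = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match:
            parsed.append((match["cert"], match["type"],
                           int(match["days"]), match["date"]))
    return parsed


def audit_reminders(lines, schedule=DEFAULT_SCHEDULE):
    """Per certificate: how many mails arrived, which thresholds were mailed
    more than once, and which thresholds are not in the schedule at all."""
    per_cert = defaultdict(list)
    for cert, _ctype, days, date in parse_reminders(lines):
        per_cert[cert].append((days, date))
    report = {}
    for cert, items in per_cert.items():
        by_threshold = Counter(days for days, _ in items)
        report[cert] = {
            "total": len(items),
            "expected_max": len(schedule),
            "duplicates": {d: n for d, n in by_threshold.items() if n > 1},
            "off_schedule": sorted(d for d in by_threshold if d not in schedule),
        }
    return report


def build_sample():
    """Constructed log: the client cert gets its single 45-day mail, the
    server cert is mailed every day from 45 down to 32 days (14 mails)."""
    lines = ["2012-07-18 cert=client-1 type=client days_left=45"]
    for offset in range(14):
        lines.append(f"2012-07-{18 + offset:02d} cert=server-1 "
                     f"type=server days_left={45 - offset}")
    return lines


if __name__ == "__main__":
    for cert, finding in audit_reminders(build_sample()).items():
        print(cert, finding)
```

A certificate whose "total" exceeds "expected_max", or that has any "off_schedule" thresholds, is one where the reminder logic fired outside the documented schedule.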