Minutes of the MiniTOP on the 2012-08-07

Setting

The MiniTOP will be held via telco 22:00 CEST

Attendees: magu, benny, uli, michael, marcus, dirk

Topics

Action items from last meeting: Meeting Action Items

Software/Assessment/ActionItems

Development, Deployment, Discussion

  • OAO, Ted

    bug #943 change OA admin/assurer text

    needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected

    {-}

    uli, Ted

    bug #824 Org User cert fix Case study

    Organisation User Certificates: Need UI improvement for proper production usage

    {0}

    uli, ted

    bug #823 email address removal fix

    No warning when removing e-mail address from account that certificates will be revoked
    checked by 4, needs 2nd review, deploy
    rejected

    {-}

    inopiae

    bug #920 Join - single name only (eg Indonesian)

    details under bug number

    {0}

    uli

    bug #859 admin console interface

    feature request: show activity on an account in the admin interface
    rejected, certs login doesn't modify "modified" field

    {r}

    Michael

    bug #540

    p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
    uli, marcus: needs full cert create tests
    duplicate report to bug#978
    tested by 3, 2nd review done, transferred
    Ken reported: still has problems, bug kept open

    {0}

    gagern, NEO

    bug #440 Problem with subjectAltName (CSR, renew certs)

    There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development

    {r}

    neo

    bug #1025 Domain Dispute issue

    disputes rc and rc2 var prob
    needs work

    {r}

    dirk

    bug #1054 0001054: Review the code regarding the new point calculation

    Thawte patch part II
    needs further work

    {r}

Software Assessors: Review 1 / add to cacert-devel, add to testserver

  • Software-Assessors task

Testing

  • Testers task

    neo

    bug #1004 Stats page improvement

    tested by 2, needs 2nd review

    {0}

    neo

    Bugs #1159 it might be possible to execute commands on the signing server

    {0}

    inopiae

    bug #1065 Wrong wording when sending mails during the assurance process

    {0}

    inopiae

    bug #1162 calculate (the passwords) hash in php instead of in mysql

    create test scenarios for the software testers /!\
    Full testing /!\

    {0}

    inopiae

    bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails

    {0}

    inopiae

    bug #988 TTP cap form deployment

    {0}
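Bug #1162 above asks for the password hash to be computed in PHP rather than in MySQL. The point is where the plaintext travels: if the SQL statement contains `SHA1(?)` with the password as a value, the database server, its general query log, its process list and any capture of the connection all see the plaintext. The following is an added example, not CAcert project code, written in Python with an in-memory SQLite database; `QueryLog` is a constructed stand-in for a server-side query log, and the table, column and account names are made up.

```python
"""Where a password hash is computed matters (bug #1162: hash in PHP, not in
MySQL).  Added example, not CAcert code.  QueryLog is a constructed stand-in
for a database server's general query log, which records each statement with
its values filled in; table, column and account names are made up."""
import hashlib
import hmac
import os
import sqlite3


class QueryLog:
    """In-memory SQLite connection that also keeps a server-style log of
    every statement with its bound values rendered into the text."""

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        # Stand-in for MySQL's SHA1() so the old in-database hashing can run.
        self.conn.create_function(
            "SHA1", 1, lambda s: hashlib.sha1(s.encode()).hexdigest())
        self.lines = []
        self.conn.execute(
            "CREATE TABLE users (email TEXT PRIMARY KEY, pw TEXT, salt BLOB)")

    def execute(self, sql: str, params: tuple = ()) -> list:
        # Render "?" placeholders with their values, as a query log would.
        parts = sql.split("?")
        rendered = parts[0] + "".join(
            repr(p) + rest for p, rest in zip(params, parts[1:]))
        self.lines.append(rendered)
        return self.conn.execute(sql, params).fetchall()


# Before: hashing inside SQL.  The plaintext is a statement value, so the
# database (and its logs, process list, any network capture) sees it.
def register_sql_hash(db: QueryLog, email: str, password: str) -> None:
    db.execute("INSERT INTO users (email, pw) VALUES (?, SHA1(?))",
               (email, password))


def login_sql_hash(db: QueryLog, email: str, password: str) -> bool:
    rows = db.execute("SELECT 1 FROM users WHERE email = ? AND pw = SHA1(?)",
                      (email, password))
    return bool(rows)


# After: hash in the application.  Only the digest reaches the database, and
# moving the work out of SQL also allows a salted, slow hash instead of SHA1.
def hash_password(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def register_app_hash(db: QueryLog, email: str, password: str) -> None:
    salt = os.urandom(16)
    db.execute("INSERT INTO users (email, pw, salt) VALUES (?, ?, ?)",
               (email, hash_password(password, salt), salt))


def login_app_hash(db: QueryLog, email: str, password: str) -> bool:
    rows = db.execute("SELECT pw, salt FROM users WHERE email = ?", (email,))
    if not rows:
        return False
    stored, salt = rows[0]
    return hmac.compare_digest(stored, hash_password(password, salt))


def plaintext_in_log(db: QueryLog, password: str) -> bool:
    """True if the plaintext password appears in any logged statement."""
    return any(password in line for line in db.lines)


if __name__ == "__main__":
    old, new = QueryLog(), QueryLog()
    register_sql_hash(old, "alice@example.org", "Tr0ub4dor&3")
    register_app_hash(new, "bob@example.org", "correct horse battery")
    print("in-SQL hashing leaks plaintext to the log:", plaintext_in_log(old, "Tr0ub4dor&3"))
    print("in-app hashing leaks plaintext to the log:", plaintext_in_log(new, "correct horse battery"))
```

The "after" variant changes two things at once, deliberately: the hash is computed before the statement is built, and because it is now application code it can use a per-user salt and an iterated hash, which `SHA1()` inside SQL cannot provide.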

Software Assessors: 2nd Review, Bundle Package to Critical Team

  • Software-Assessors task

    Ted

    bug #500 Get contact mail address after resolving test

    tested by 3, requires review

    {0}

    Ted

    bug #1140 Show if a test is passed in learnprogress

    tested by 3, requires review

    {0}

    magu

    bug #1131 Rename _all_ Policies from .php to .html and fix all links

    global policy directory maintenance and update

    {0}

    inopiae

    bug #1010 Reorder the view on organisation certificates

    tested by 3

    {0}

Software Assessors: Bundle Package to Critical Team

  • Software-Assessors task

    inopiae

    bug #1139 Add new fields to the database

    tests through #500 and #1140, 2nd review done, requires transfer

    {0}

Awaiting Response from Critical Team

  • inopiae

    bug #411 Wrong text is made into link

    {g}


Agenda

1. Preface

  1. Cebit brainstorming
    • dirk: request for events report
    • (2012-03-27) Marcus awaiting translation from Marc
    • (2012-06-19) Marcus: translation received, will send within the next upcoming days
    • (2012-06-26) Marcus: not yet finished
    • 2nd draft finished
    • Sat report missing, Uli sent a report 2012-03-22 (with wiki link Assurance/Procedures/RLO

    • Marcus to compile final report
  2. Three patches transferred:
    1. bug #540 Extended Keyusage

      • Michael

        bug #540

        p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
        uli, marcus: needs full cert create tests
        duplicate report to bug#978

        3 {g}

        • transferred to critical
        • report by Ken in dev mailing list
        • What about bug #540 Extended Keyusage - related patches

          • report by Ken in dev mailing list
            • potential 2 problems
              1. test before patch comes in effect
              2. root keys from production system not installed
            • differences between production and testserver roots/class3 roots ?
              • production root
                            X509v3 Basic Constraints: critical
                                CA:TRUE
                            X509v3 CRL Distribution Points: 
                                URI:https://www.cacert.org/revoke.crl
                
                            Netscape CA Revocation Url: 
                                https://www.cacert.org/revoke.crl
                            Netscape CA Policy Url: 
                                http://www.cacert.org/index.php?id=10
                            Netscape Comment: 
                                To get your own certificate for FREE head over to http://www.cacert.org
              • testserver root
                            X509v3 Basic Constraints: critical
                                CA:TRUE
                            Authority Information Access: 
                                OCSP - URI:http://ocsp.CAcert.org/
                                CA Issuers - URI:http://www.CAcert.org/ca.crt
                
                            X509v3 Certificate Policies: 
                                Policy: Security
                                  CPS: http://www.CAcert.org/index.php?id=10
                
                            Netscape CA Policy Url: 
                                http://www.CAcert.org/index.php?id=10
                            Netscape Comment: 
                                To get your own certificate for FREE, go to http://www.CAcert.org
              • production class3
                            X509v3 Certificate Policies: 
                                Policy: 1.3.6.1.4.1.18506
                                  CPS: http://www.CAcert.org/index.php?id=10
              • testserver class3
                            X509v3 Certificate Policies: 
                                Policy: Security
                                  CPS: http://www.CAcert.org/index.php?id=10
            • main difference: OCSP / CRL links in root cert
              • test scenario
              • create new root identical to production root
              • existing config file results in the current testserver root, in svn
              • svn copy of config has been added late (Dec 2010)
              • SVN:/CAcert/SystemAdministration/signer/ssl

        • There are references to: bug#905 "Unable to sign PDF file with Acrobat"

          • who can test acrobat ???
        • Can reports from bug #540 also be found under bug #978 (weak keys)?

        • reference bug #918 Weak keys in certificates (closed)
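The production/testserver comparison above was done by reading two `openssl x509 -noout -text` dumps side by side. The following added example (not CAcert project code) does that comparison mechanically: it parses the extension block of each dump into a name-to-values map and reports extensions present on one side only and extensions present on both sides with different values. The two embedded dumps are the root-certificate excerpts quoted in the bug #540 discussion, so the output reproduces that comparison, including a difference that is easy to miss by eye: the policy URL differs only in letter case.

```python
"""Diff the X.509v3 extension blocks of two certificates as printed by
`openssl x509 -noout -text`.  Added example for these minutes, not CAcert
project code.  The two extension dumps below are the production-root and
testserver-root excerpts from the bug #540 discussion; any two real dumps
can be compared the same way."""
from typing import Dict, List, Tuple

PRODUCTION_ROOT = """\
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 CRL Distribution Points:
        URI:https://www.cacert.org/revoke.crl

    Netscape CA Revocation Url:
        https://www.cacert.org/revoke.crl
    Netscape CA Policy Url:
        http://www.cacert.org/index.php?id=10
    Netscape Comment:
        To get your own certificate for FREE head over to http://www.cacert.org
"""

TESTSERVER_ROOT = """\
    X509v3 Basic Constraints: critical
        CA:TRUE
    Authority Information Access:
        OCSP - URI:http://ocsp.CAcert.org/
        CA Issuers - URI:http://www.CAcert.org/ca.crt

    X509v3 Certificate Policies:
        Policy: Security
          CPS: http://www.CAcert.org/index.php?id=10

    Netscape CA Policy Url:
        http://www.CAcert.org/index.php?id=10
    Netscape Comment:
        To get your own certificate for FREE, go to http://www.CAcert.org
"""

Extensions = Dict[str, List[str]]


def parse_extensions(text: str) -> Extensions:
    """Map each extension name to its value lines.

    In openssl's text output every extension header sits at one indentation
    level and its values are indented deeper, so the least-indented non-blank
    lines are the headers and everything deeper belongs to the last header.
    A flag on the header line itself (e.g. 'critical') is kept as a value."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    base = min(len(ln) - len(ln.lstrip()) for ln in lines)
    exts: Extensions = {}
    current = None
    for ln in lines:
        indent = len(ln) - len(ln.lstrip())
        if indent == base:
            name, _, flag = ln.strip().partition(":")
            current = name
            exts[current] = [flag.strip()] if flag.strip() else []
        elif current is not None:
            exts[current].append(ln.strip())
    return exts


def diff_extensions(a: Extensions, b: Extensions) -> Tuple[List[str], List[str], List[str]]:
    """Return (only_in_a, only_in_b, present_in_both_but_different).
    Values are compared exactly, so a URL that differs only in letter case
    (cacert.org vs CAcert.org) is reported as a difference."""
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    changed = sorted(n for n in set(a) & set(b) if a[n] != b[n])
    return only_a, only_b, changed


if __name__ == "__main__":
    prod = parse_extensions(PRODUCTION_ROOT)
    test = parse_extensions(TESTSERVER_ROOT)
    only_prod, only_test, changed = diff_extensions(prod, test)
    print("only in production root:", only_prod)
    print("only in testserver root:", only_test)
    for name in changed:
        print(f"{name}: production={prod[name]} testserver={test[name]}")
```

Run against real certificates with the extension section cut out of `openssl x509 -in root.crt -noout -text` for each side; the parser only depends on the indentation convention of that output, not on the particular extension names.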

2. 2nd review of about 3 remaining patches

3. Patches Overview - DEV and Testing

  1. bug #1023 Testing (6.php)
    1. Thawte points removal, final step
      • last patch transferred to production system 2012-05-30
      • what are the next steps for thawte points revoke?
        • points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
        • 15.php needs rename to 10.php
        • cannot move forward without dirk
      • when?
        • blocked by software-reviews
        • Marcus: reviews dirk is doing only in meetings
        • upcoming week ?
  2. Bugs under Testing
  3. English Translation Problems
    • how to handle typing error in web phrase Software/TranslationMisspelling

      • "Can't continue with certificaterequest." in ../includes/account.php:341 ../includes/account.php:1482
      • create shared bug
      • probably make part a. and b. a. that is clear, b. that is questionable
      • new bug #1086

  4. Marcus Bugs list
    • see also Software/BugsOverview

    • bug#1023 related

      • bug#583 "Assure Somebody" allows future assurance dates

      • bug#648 send message from Assurer to Member

      • bug#802 Name parts should be designated in assurance form

      • bug#870 My Details - My Points show bogus time stamp

      • bug#914 Information about Practice on Name while entering an Assurance

      • bug#930 types wrong points in "Assure Someone" form

      • bug#931 Date of assurance in future don't throw any exception

      • bug#998 When entering an assurance in the WoT, the suffix is given in one line of the form but missing in another line.

      • bug#1000 Entering an assurance into the system after searching for an assurer causes a pre-filled location field

    • Others
      • bug#118 Secure TTP Form upload - outdated, conflicts with new procedure, closed

      • bug#428 Reminder language-drop-down-box doesn't keep "English" if you choose it again - cannot be reproduced, tested by 2, closed

      • bug#489 Pb on rewarding 2 points for an assurance

      • bug#567 case sensitive email: tested by 2, cannot be confirmed, closed

      • bug#767 Single-quotes escaped in Web-of-Trust contact form.

    • info pages to wiki pages
      • starting bug #671. there still exists bug #740 (How to become an assurer is misleading)

    • bug #491 "Please allow usage of "secondary" emails user ids." - proposes: Close with rejected

      • username/password half of the combination is known to a potential attacker
      • login prevents login to several email addresses
      • acceptance to several email addresses is prevented
      • no notification if primary email address has been changed
      • note regarding Policy Group
      • dirk: proposal: response email address exists, but isn't primary email?
        • create new account results in "email address exists"
        • what is a proper response?
        • requestor has to be an assurer for assure someone
      • neo: for registration process captcha required
      • no good solution
      • for assurance only primary, for all other services allow also secondary addresses
        • search needs enhancement: search not only primary, also secondary
    • bug #571 "need for email addresses (or link) in admin console" - proposes: Closed with solved by other bug fix
      • primary and secondary email addresses are shown in admin console
    • bug #591 "CPS has to be improved for audit." - proposes: Closed
      • CPS is a working revision, also DRAFT revision included
      • relates to policy repository bug# final place finding
    • addtl. groups:
      1. OA
      2. CCA rollout
      3. TTP
  5. bug #1025 "Domain Dispute strange behaviour / Domain Dispute issue", checked

    • wrong description, problem removing domains, bugfix solves this problem
    • async removal of certs by signer
    • needs review and testing
    • inopiae will try testing on upcoming weekend
    • to test: email- and domain dispute
  6. bug #922 "CAcert application code problem causing missing 'certificate about to expire' messages", checked

    • patch seems to be ok
    • white spaces cleanup
    • includes/account.php var $id shall be fixed within recursion, new bug #1078

    • 2 tests initiated by inopiae and u60
    • principle ok, but very confusing
    • test reports Marcus:
      • discussions, Marcus got 71 or 72 notifications
      • Neo: default 5 notifications: 45d, 30d, 15d, 3d, 1d
    • bug #922 test report / review

      • one test account, 1 client cert, 1 server cert, received 105 (1) reminders (!!!)
      • 15 reminders checked, 1 for client cert, 14 for server cert (!!!)
      • needs further inspection
    • Bug Testing / Reporting bug #922 difficult
      • Marcus writes a tool to collect Email infos from TMS
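The test reports above (105 reminders for one account with two certificates, against a default schedule of five reminders per certificate) are hard to evaluate by hand, which is why a tool to collect the mail data is being written. The following added example (not that tool and not CAcert code) shows the kind of check such a tool would run: it parses reminder records, counts them per certificate and schedule step, and reports certificates that received a step more than once, missed a step, or were reminded on a day not in the schedule. The log format and the sample lines are constructed for the example; the schedule is the default named in the minutes.

```python
"""Audit 'certificate about to expire' reminders against the default schedule
(45d, 30d, 15d, 3d, 1d before expiry): each certificate should get each step
exactly once.  Added example, not CAcert code; the log line format and the
sample records are constructed."""
import re
from collections import Counter
from typing import Dict, Tuple

DEFAULT_SCHEDULE = (45, 30, 15, 3, 1)

# Constructed sample: client-1 gets every step once; server-1 gets the 45d
# reminder three times, an off-schedule 42d reminder, and never the 1d one.
SAMPLE_LOG = """\
2012-07-01 reminder to=tester@example.org cert=client-1 days_left=45
2012-07-16 reminder to=tester@example.org cert=client-1 days_left=30
2012-07-31 reminder to=tester@example.org cert=client-1 days_left=15
2012-08-12 reminder to=tester@example.org cert=client-1 days_left=3
2012-08-14 reminder to=tester@example.org cert=client-1 days_left=1
2012-07-01 reminder to=tester@example.org cert=server-1 days_left=45
2012-07-01 reminder to=tester@example.org cert=server-1 days_left=45
2012-07-01 reminder to=tester@example.org cert=server-1 days_left=45
2012-07-04 reminder to=tester@example.org cert=server-1 days_left=42
2012-07-16 reminder to=tester@example.org cert=server-1 days_left=30
2012-07-31 reminder to=tester@example.org cert=server-1 days_left=15
2012-08-12 reminder to=tester@example.org cert=server-1 days_left=3
"""

LINE_RE = re.compile(r"cert=(?P<cert>\S+)\s+days_left=(?P<days>\d+)")


def parse_reminders(log: str) -> Counter:
    """Count reminders per (certificate, days_left) pair."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[(m["cert"], int(m["days"]))] += 1
    return counts


def audit(counts: Counter, schedule: Tuple[int, ...] = DEFAULT_SCHEDULE) -> Dict[str, dict]:
    """Return, for every certificate that deviates from 'once per step',
    the duplicated steps with their counts, the missing steps, and any
    reminders sent on a day that is not a schedule step."""
    report = {}
    for cert in sorted({c for c, _ in counts}):
        duplicates = [(d, counts[(cert, d)]) for d in schedule if counts[(cert, d)] > 1]
        missing = [d for d in schedule if counts[(cert, d)] == 0]
        unscheduled = sorted(d for c, d in counts if c == cert and d not in schedule)
        if duplicates or missing or unscheduled:
            report[cert] = {"duplicates": duplicates, "missing": missing,
                            "unscheduled": unscheduled}
    return report


if __name__ == "__main__":
    counts = parse_reminders(SAMPLE_LOG)
    print("total reminders:", sum(counts.values()))
    for cert, findings in audit(counts).items():
        print(cert, findings)
```

An account with one client and one server certificate should produce ten records in total under the default schedule; anything above that shows up as duplicated or unscheduled steps per certificate, which narrows the inspection down to the offending certificate rather than the whole mailbox.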
  7. bug #1019 "Contact form does not work when logged in"

    • Michael: rework contact form
      • usability: 1 form, option box with public/support delivery, default support
      • current form 1: public, form 2: private
      • spam prevention via java, on disabled java the mail is marked [possible spam]
    • mass mailing possible if adding multiple emails separated by commas
    • account.php - email address from sender, no address validation, several other places it passes address validation
    • neo: why not use primary email address?
      • works only if logged-in
    • index?id=11 has also been changed
    • url was hardcoded
    • account.php?id=14
    • sendmail() routine in includes/mysql.php
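Two of the findings on the contact form above, that several comma-separated addresses let the form be used for mass mailing and that the sender address is not validated, come down to one missing check on the address field. The following is an added example, not CAcert code: it accepts exactly one address, rejects list separators and line breaks (which could otherwise add recipients or mail headers), and, for a logged-in user, ignores the field entirely in favour of the account's primary address, as neo suggests. The session and form dictionaries are assumed shapes.

```python
"""Hardening the sender-address field of a web contact form (bug #1019 notes:
comma-separated addresses allowed mass mailing; no address validation).
Added example, not CAcert code; the session/form dictionaries are assumed."""
import re

# Exactly one address of the form local@domain.tld.  Deliberately strict and
# simple rather than RFC 5322 complete.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Anything that could turn one recipient into several, or end the header
# line and start a new one (e.g. an injected Bcc:).
FORBIDDEN = (",", ";", "\r", "\n", " ", "\t")


class InvalidAddress(ValueError):
    pass


def single_address(field: str) -> str:
    """Return the normalised address, or raise InvalidAddress."""
    value = field.strip()
    if any(c in value for c in FORBIDDEN):
        raise InvalidAddress("list separators or line breaks in address field")
    if not ADDRESS_RE.match(value):
        raise InvalidAddress("not a single well-formed address")
    return value.lower()


def is_single_address(field: str) -> bool:
    try:
        single_address(field)
        return True
    except InvalidAddress:
        return False


def reply_address(session: dict, form: dict) -> str:
    """Logged-in users: use the account's primary address and ignore the
    form field, so it cannot be spoofed.  Anonymous users: validate the
    field before it goes anywhere near sendmail()."""
    if session.get("user_primary_email"):
        return session["user_primary_email"]
    return single_address(form.get("email", ""))


if __name__ == "__main__":
    for candidate in ("alice@example.org", "a@b.org,c@d.org", "a@b.org\nBcc: x@y.org"):
        print(repr(candidate), "->", is_single_address(candidate))
```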
  8. Findings from David
    1. (char) 160 is problematic in various locales, as it appears as whitespace (160 is not a particularly good val either in ISO-8859-1) in certs
      • todo: doing whitelist of allowable chars
      • \xA0 is a problem too (at least in Win32/64)
      • todo: file a new bug#
    2. subjectAltName is occasionally not checked for problems
      • todo: file a new bug#
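The first finding above (character 160, i.e. \xA0, displays as whitespace in several locales yet is a different byte in the certificate) and its "todo: whitelist of allowable chars" are illustrated by the following added example, which is not CAcert code. It walks a name field character by character and reports every character outside a whitelist of letters plus a few punctuation marks, treating the non-breaking space and other Unicode space separators, control characters and format characters as rejections rather than silently normalising them. The allowed set and the sample names are assumptions made for the example.

```python
"""Whitelist check for name fields that end up in a certificate subject
(findings item 1: char 160 / \\xA0 rendering as whitespace).  Added example,
not CAcert code; the allowed set and the sample names are assumptions."""
import unicodedata
from typing import List, Tuple

# Besides letters, allow hyphen, apostrophe, full stop and a single ASCII
# space.  NBSP (U+00A0) and other space separators are rejected rather than
# mapped to a space: they look identical in the UI but differ in the DER name.
ALLOWED_PUNCT = set("-'. ")


def name_problems(name: str) -> List[Tuple[int, int, str]]:
    """Return (index, codepoint, reason) for every character that is not
    allowed in a name field; an empty list means the name passes."""
    problems = []
    for i, ch in enumerate(name):
        cp = ord(ch)
        category = unicodedata.category(ch)
        if category == "Zs" and ch != " ":
            problems.append((i, cp, "non-breaking or unusual space"))
        elif cp < 0x20 or cp == 0x7F:
            problems.append((i, cp, "control character"))
        elif category.startswith("C"):
            # Cc (C1 controls), Cf (zero-width/format), Co, Cn
            problems.append((i, cp, "format, private-use or unassigned character"))
        elif not (ch.isalpha() or ch in ALLOWED_PUNCT):
            problems.append((i, cp, "not a letter or allowed punctuation"))
    if name != name.strip() or "  " in name:
        problems.append((-1, 0, "leading, trailing or doubled spaces"))
    return problems


def is_valid_name(name: str) -> bool:
    return not name_problems(name)


if __name__ == "__main__":
    for sample in ("Ulrich Schroeter", "Ulrich\u00a0Schroeter", "Zero\u200bWidth"):
        print(repr(sample), name_problems(sample))
```

The check is by Unicode category rather than by a list of offending code points, so it also catches the other characters in the same families (U+2007 figure space, U+200B zero-width space, C1 controls such as U+0085) without a separate entry for each; the Indonesian single-name case (bug #920) is unaffected, since only the characters are checked, not the number of name parts.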

4. Benny reviews

5. New SA candidates and Coders

  1. ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before 2012-08-10 - 2012-08-11 BarCamp kiel

  2. ABC David
  3. Heino, not yet prepared, needs first contact
  4. How to find coders? Experiences from the Gentoo project

6. Long Term Projects

  1. NEO: "BlackJack" bug #964

    • 2012-07-17 NEO: has finished IE patch, http://cacert.nhng.de/IEkeygen/keygen.html

    • meeting 2012-07-24: working session: testing "Black Jack"
      • marcus: tested chrome
      • marcus, uli: enable-login flag set after key has been signed with unset flag on request, fixed
    • 2012-07-24 working session
      1. NEO: (964) enable-login flag fixed, to transfer to testserver
      2. NEO: org-certs prob
      3. ben: "For the status-code error messages, please give both hex and int. Also, when the confirmation messages are rejected, make the error message somewhat more meaningful."
      4. magu: tests bug #964
        • error messages:
          • available key sizes: 512-1024 Bit (in 64 Bit steps)
          • Schlumberger CSP, Keysize 1024 --> 2146435043

          • Infineon SICRYPT Base Smart Card CSP Keysize Nothing Error_ (-7feff92 / -2146434962)
    • NEO: "BlackJack" bug #964 testing from last week -> error codes

      • not yet implemented
  2. Marek's sql class project:
    • is working on charset replacement
  3. api project, Carsten continues with portal project not waiting for vendor-api to be delivered
    • potential candidates for development
      1. Marek's sql class proposal
        • needs probably db upgrades
        • needs addtl. indices
        • needs testing
      2. archaios
        • builds daemon as unprivileged user
    • vendor-api delayed
      • no coders
      • other projects
      • related to sql class project
    • portal project continues with a workaround, needs an assurer
    • arbitration case on locations database orders outsourcing of find-an-assurer asap
    • with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)

7. next meeting

Minutes

  1. Preface
  2. NEO: "BlackJack" bug #964

    1. ben: "For the status-code error messages, please give both hex and int. Also, when the confirmation messages are rejected, make the error message somewhat more meaningful."
    2. magu: tests bug #964
      • error messages:
        • available key sizes: 512-1024 Bit (in 64 Bit steps)
        • Schlumberger CSP, Keysize 1024 --> 2146435043

        • Infineon SICRYPT Base Smart Card CSP Keysize Nothing Error_ (-7feff92 / -2146434962)
    3. NEO: "BlackJack" bug #964 testing from last week -> error codes

      • started implementing
  3. bug #540 Extended Keyusage

    • Ken report - how to move forward?
    • Michael: cannot debug
    • so probably no move forward
    • uli: added report links from devel list, changed state to needs feedback
  4. ABC interview David
    • state unknown
    • probably Philipp will pickup the case
    • at board meeting the interview was probably named as ABC interview
  5. dirk 2nd review:
    • neo

      bug #1024 Assurer flag is not set correctly on updatesort.php run

      tested by 4, ok

      2 {0}

    • bug #1024 reviewed 2012-07-10

    • server.pl, too much changes to review in a working session, skipped /!\

    • dirk 2nd review: bug #1024 Assurer flag is not set correctly on updatesort.php run

      • michael: fix assurer flag from library
        • with userid for one special user
        • w/o userid, for all users
      • to continue upcoming week
      • see also 3.1 "Thawte points removal, final step"
    • restarted review
    • is ok, tested by 4
  6. Portal deployment
    • Needs an assurer
    • relation to location database
      1. website find an assurer
      2. scripted mailing for ATE invitations
    • user check that data is still valid eg every 1 year
      • notification at login up to 6 months not online
      • notification by email if not logged in within last 6 months
  7. bug #922 "CAcert application code problem causing missing 'certificate about to expire' messages", checked

    • patch seems to be ok
    • white spaces cleanup
    • includes/account.php var $id shall be fixed within recursion, new bug #1078

    • 2 tests initiated by inopiae and u60
    • principle ok, but very confusing
    • test reports Marcus:
      • discussions, Marcus got 71 or 72 notifications
      • Neo: default 5 notifications: 45d, 30d, 15d, 3d, 1d
    • bug #922 test report / review

      • one test account, 1 client cert, 1 server cert, received 105 (1) reminders (!!!)
      • 15 reminders checked, 1 for client cert, 14 for server cert (!!!)
      • needs further inspection
    • Bug Testing / Reporting bug #922 difficult
      • Marcus writes a tool to collect Email infos from TMS
    • benny will try to debug mass mailing problem with local image

  8. dirk to continue with 2nd review:
    • inopiae

      bug #981 OA overview (dupe of bug #943)

      New layout of view for Organisation Administrators in account/id35

      4 {0}

    • what is the difference before / after patch?
    • Org-Admin view own org infos
      • displays Organisations, their domains, admins, state, city and others
    • dirk: coding is ok, if tested ok, good to go
  9. recommendation to check for patch bug #1070 "0001070: Certain account passwords are logged in web server error log"

  10. dirk to continue with 2nd review:
    • neo

      bug #1070 Certain account passwords are logged in web server error log

      patch applied on production and testserver

      {0}

    • dirk: review ok, good to go if tested
    • still needs testing ... for agenda of upcoming meeting
  11. next meeting
    • Tuesday, August 14th, 2012 22:00 CEST

Fixed Action Items since last or within meeting

Action Items New

Action items: Meeting Action Items


Software/Assessment/20120807-S-A-MiniTOP (last edited 2012-08-07 23:25:21 by UlrichSchroeter)