Minutes of the MiniTOP on the 2012-08-14

Setting

The MiniTOP will be held via telco 22:00 CEST

Attendees: Marcus, magu, uli, benny, Michael, dirk

Topics

(skip to agenda)

Action items from last meeting Meeting Action Items

Software/Assessment/ActionItems

Development, Deployment, Discussion

  • OAO, Ted

    bug #943 change OA admin/assurer text

    needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected

    {-}

    uli, Ted

    bug #824 Org User cert fix Case study

    Organisation User Certificates: Need UI improvement for proper production usage

    {0}

    uli, ted

    bug #823 email address removal fix

    No warning when removing e-mail address from account that certificates will be revoked
    checked by 4, needs 2nd review, deploy
    rejected

    {-}

    inopiae

    bug #920 Join - single name only (eg Indonesian)

    details under bug number

    {0}

    uli

    bug #859 admin console interface

    feature request: show activity on an account in the admin interface
    rejected, certs login doesn't modify "modified" field

    {r}

    Michael

    bug #540

    p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
    uli, marcus: needs full cert create tests
    duplicate report to bug#978
    tested by 3, 2nd review done, transfered
    Ken reported: still has problems, bug kept open

    {0}

    gagern, NEO

    bug #440 Problem with subjectAltName (CSR, renew certs)

    There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development

    {r}

    neo

    bug #1025 Domain Dispute issue

    disputes rc and rc2 var prob
    needs work

    {r}

    dirk

    bug #1054 0001054: Review the code regarding the new point calculation

    Thawte patch part II
    needs further work

    {r}

Software Assessors: Review 1 / add to cacert-devel, add to testserver

  • Software-Assessors task

Testing

  • Testers task

    neo

    bug #1004 Stats page improvement

    tested by 2, needs 2nd review

    {0}

    neo

    Bugs #1159 it might be possible to execute commands on the signing server

    {0}

    inopiae

    bug #1065 Wrong wording when sending mails during the assurance process

    {0}

    inopiae

    bug #1162 calcutate (the passwords) hash in php instead of in mysql

    create test scenarios for the software testers /!\
    Full testing /!\

    {0}

    inopiae

    bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails

    {0}

    inopiae

    bug #988 TTP cap form deployment

    {0}

Software Assessors: 2nd Review, Bundle Package to Critical Team

  • Software-Assessors task

    Ted

    bug #500 Get contact mail adress after resolving test

    tested by 3, requires review

    {0}

    Ted

    bug #1140 Show if a test is passed in learnprogress

    tested by 3, requires review

    {0}

    magu

    bug #1131 Rename _all_ Policies from .php to .html and fix all links

    global policy directory maintenance and update

    {0}

    inopiae

    bug #1010 Reorder the view on organisation certificates

    tested by 3

    {0}

Software Assessors: Bundle Package to Critical Team

  • Software-Assessors task

    inopiae

    bug #1139 Add new fields to the database

    tests through #500 and #1140, 2nd review done, requires transfer

    {0}

Awaiting Response from Critical Team

  • inopiae

    bug #411 Wrong text is made into link

    {g}


Agenda

1. Preface

  1. Cebit brainstorming
    • dirk: request for events report
    • (2012-03-27) Marcus awaiting translation from Marc
    • (2012-06-19) Marcus: translation received, will send within the next upcoming days
    • (2012-06-26) Marcus: not yet finished
    • 2nd draft finished
    • Sat report missing, Uli sent a report 2012-03-22 (with wiki link Assurance/Procedures/RLO

    • Marcus to compile final report

2. Testing session on bug 1070

  1. Testing working session of bug #1070

    • all

      bug #1070 Certain account passwords are logged in web server error log

      patch applied on production and testserver
      arbitration still open a20120614.1
      2nd review done by dirk
      Testing working session for agenda of upcoming meeting

      {0}

3. DEV on bug 1023

4. 2nd review of about 1 remaining patches

5. Patches to transfer to production

6. Patches Overview - DEV and Testing

  1. Bugs under Testing
  2. English Translation Problems
    • how to handle typing error in web phrase Software/TranslationMisspelling

      • "Can't continue with certificaterequest." in ../includes/account.php:341 ../includes/account.php:1482
      • create shared bug
      • probably make part a. and b. a. that is clear, b. that is questionable
      • new bug #1086

  3. Marcus Bugs list
    • see also Software/BugsOverview

    • bug#1023 related

      • bug#583 "Assure Somebody" allows future assurance dates

      • bug#648 send message from Assurer to Member

      • bug#802 Name parts should be designated in assurance form

      • bug#870 My Details - My Points show bugus time stamp

      • bug#914 Information about Practice on Name while entering an Assurance

      • bug#930 types wrong points in "Assure Someone" form

      • bug#931 Date of assurance in future don't throw any exception

      • bug#998 When entering an assurance in the WoT one line of the form the suffix is given in another line the suffix is missing.

      • bug#1000 Entering an assurance into the system after searching for an assurer causes a pre-filled location field

    • Others
      • bug#118 Secure TTP Form upload - outdated, conflicts with new procedure, closed

      • bug#428 Reminder language-drop-down-box doesn't keep "English" if you choose it again - cannot be reproduced, tested by 2, closed

      • bug#489 Pb on rewarding 2 points for an assurance

      • bug#567 case sensitive email: tested by 2, cannot be confirmed, closed

      • bug#767 Single-quotes escaped in Web-of-Trust contact form.

    • info pages to wiki pages
      • starting bug #671. there still exist a bug# bug #740 (How to become an assurer is missleading)

    • bug #491 "Please allow usage of "secondary" emails user ids." - proposes: Close with rejected

      •   * username/password half of the combination is known to potential attacker
          * login prevents login to several email addresses
          * acceptance to several email addresses is prevented
          * no notification if primary email address has been changed
          * note regarding Policy Group
          * dirk: proposal: response email address exists, but isn't primary email ?
           * create new account results in "email address exists"
           * what is a proper response?
           * requestor has to be an assurer for assure someone
          * neo: for registration process chaptcha required
          * no good solution
          * for assurance only primary, for all other services allow also secondary addresses
           * search needs enhancement: search not only primary, also secondary
    • bug #571 "need for email addresses (or link) in admin console" - proposes: Closed with solved by other bug fix

        * primary and secondary email addresses are shown in admin console
    • bug #591 "CPS has to be improved for audit." - proposes: Closed

        * CPS is a working revision also DRAFT revision included
        * relates to policy repository bug# final place finding
    • addtl. groups:
      1. OA
      2. CCA rollout
      3. TTP
  4. bug #1025 "Domain Dispute strange behaviour / Domain Dispute issue", checked

    • wrong description, problem removing domains, bugfix solves this problem
    • async removal of certs by signer
    • needs review and testing
    • inopiae will try testing on upcoming weekend
    • to test: email- and domain dispute
  5. bug #922 "CAcert application code problem causing missing 'certificate about to expire' messages", checked

    • patch seems to be ok
    • white spaces cleanup
    • includes/account.php var $id shall be fixed within recursion, new bug #1078

    • 2 tests initiated by inopiae and u60
    • principle ok, but very confusing
    • test reports Marcus:
      • discussions, Marcus got 71 or 72 notifications
      • Neo: default 5 notifications: 45d, 30d, 15d, 3d, 1d
    • bug #922 test report / review

      • one test account, 1 client cert, 1 server cert, received 105 (1) reminders (!!!)
      • 15 reminders checked, 1 for client cert, 14 for server cert (!!!)
      • needs further inspection
    • Bug Testing / Reporting bug #922 difficult
      • Marcus writes a tool to collect Email infos from TMS
    • benny will try to debug mass mailing problem with local image

  6. bug #1019 "Contact form does not work when logged in"

    • Michael: rework contact form
      • usability: 1 form, option box with public/support delivery, default support
      • current form 1: public, form 2: private
      • spam prevention via java, on disabled java the mail is marked [possible spam]
    • mass mailing possible if adding multiple emails separated by commas
    • account.php - email address from sender, no address validation, several other places it passes address validation
    • neo: why not use primary email address?
      • works only if logged-in
    • index?id=11 has also been changed
    • url was hardcoded
    • account.php?id=14
    • sendmail() routine in includes/mysql.php
  7. Findings from David
    1. (char) 160 is problematic in various locales, as it appears as whitespace (160 is not a particularly good val either in ISO-8859-1) in certs
      • todo: doing whitelist of allowable chars
      • \xA0 is a problem too (at least in Win32/64)
      • todo: file a new bug#
    2. subjectAltName is occasionally not checked for problems
      • todo: file a new bug#

7. Benny reviews

  1. bug #922 debugging

8. New SA candidates and Coders

  1. ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before 2012-08-10 - 2012-08-11 BarCamp kiel

  2. ABC David
    • ABC David

    • at board meeting 2012-08-05 ATE-Melbourne report by Ian the interview was probably named as ABC interview
    • Philipp will pickup ABC David a20120721.1

    • Case closed: 2012-08-10
    • Ruling:
      Since this Arbitration has been aborted, no conclusions are reached. David is a person who could help CAcert a lot. Doing so in a security sensitive are is not recommended at this time.
  3. Heino, not yet prepared, needs first contact
  4. How to find coders? Experiences from the Gentoo project
  5. report from last board meeting - topic Arbitration

9. Long Term Projects

  1. NEO: "BlackJack" bug #964

    • 2012-07-17 NEO: has finished IE patch, http://cacert.nhng.de/IEkeygen/keygen.html

    • meeting 2012-07-24: working session: testing "Black Jack"
      • marcus: tested chrome
      • marcus, uli: enable-login flag set after key has been signed with unset flag on request, fixed
    • 2012-07-24 working session
      1. NEO: (964) enable-login flag fixed, to transfer to testserver
      2. NEO: org-certs prob
      3. ben: "Bei den Fehlermeldungen der Statuscodes bitte Hex und Int angeben. Au?erdem beim Ablehnen der Best?tigungsmeldungen die Fehlermeldung etwas aussagekr?ftiger."
      4. magu: tests bug #964
        • error messages:
          • available key sizes: 512-1024 Bit (in 64 Bit steps)
          • Schlumberger CSP, Keysize 1024 --> 2146435043

          • Infineon SICRYPT Base Smart Card CSP Keysize Nothing Error_ (-7feff92 / -2146434962)
    • NEO: "BlackJack" bug #964 testing from last week -> error codes

      • started implementing
  2. Marek's sql class project:
    • is working on charset replacement
  3. api project, Carsten continues with portal project not waiting for vendor-api to be delivered
    • potential candidates for development
      1. Marek's sql class proposal
        • needs probably db upgrades
        • needs addtl. indices
        • needs testing
      2. archaios
        • builds daemon as unpreviliged user
    • vendor-api delayed
      • no coders
      • other projects
      • related to sql class project
    • portal project continues with a workaround, needs an assurer
      • arbitration case on locations database orders outsourcing of find-an-assurer asap
      • with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)
      • relation to location database
        1. website find an assurer
        2. scripted mailing for ATE invitations
      • user check that data is still valid eg every 1 year
        • notification at login upto 6 months not online
        • notification by email if not logged in within last 6 months

10. next meeting

Minutes

  1. Benny tried to get dev vm running
    • had problems with network settings, finaly fixed
  2. "BlackJack" bug #964

    • error "key length too short" don't redirects to new page, so session environment gets lost
    • testing default crypto providers
    • testing gooze crypto stick
  3. cacert git repository requires update
  4. bug #1024 passed to production

    • dfference seen under wot?id=1 (hidden stat)
    • displays users as "is assurer: yes" and "is assurer: not yet (in red)"
  5. Marcus testing bug #964

    • some error messages fixed
  6. Testing working session of bug #1070

    • all

      bug #1070 Certain account passwords are logged in web server error log

      patch applied on production and testserver
      arbitration still open a20120614.1
      2nd review done by dirk
      Testing working session for agenda of upcoming meeting

      {0}

    • from testing side, good to go
    • pass back to arbitration
  7. bug #922 debugging
    • probably distinct missing in sql query
    • current production: notifications not rcvd
    • emails on ca-mgr1 reset, done
  8. blog post for bug #1024 ?
    • Marcus will do
  9. Marcus: cap, ttpcap generation outsourcing to portal server?
  10. New SA candidates and Coders
    1. ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before 2012-08-10 - 2012-08-11 BarCamp kiel

      • ABC Benny

      • ABC Benny, no fixed date set yet
      • potential dates: 2012-09-08 mrmcd or 2012-09-15 Itzehoe
    2. ABC David
      • ABC David

      • at board meeting 2012-08-05 ATE-Melbourne report by Ian the interview was probably named as ABC interview
      • Philipp will pickup ABC David a20120721.1

      • Case closed: 2012-08-10
      • Ruling:
        Since this Arbitration has been aborted, no conclusions are reached. David is a person who could help CAcert a lot. Doing so in a security sensitive are is not recommended at this time.
  11. next meeting
    • Tuesday, August 21st, 2012 22:00 CEST

Fixed Action Items since last or within meeting

Action Items New

Action items: Meeting Action Items


Software/Assessment/20120814-S-A-MiniTOP (last edited 2012-08-15 00:05:40 by UlrichSchroeter)