 . '''To Software [[Software|Software]]''' - '''To Software-Assessment [[Software/Assessment|Software/Assessment]]''' - '''To [[Software/Assessment/20120911-S-A-MiniTOP|previous meeting]]''' - '''To [[Software/Assessment/20120925-S-A-MiniTOP|next meeting]]'''
----
= Minutes of the MiniTOP on the 2012-09-18 =

== Setting ==
The MiniTOP will be held via telco 22:00 CEST

Attendees: Benny, Marcus, Uli, Timo, magu, Michael, dirk

== Topics ==
(skip to [[#AGENDA|agenda]])

Action items from last meeting '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''

== Agenda ==
## last full agenda https://wiki.cacert.org/Software/Assessment/20120228-S-A-MiniTOP

=== 1. Preface ===
 1. Cebit brainstorming
  * dirk: request for events report
  * (2012-03-27) Marcus awaiting translation from Marc
  * (2012-06-19) Marcus: translation received, will send within the next upcoming days
  * (2012-06-26) Marcus: not yet finished
  * 2nd draft finished
  * Sat report missing, Uli sent a report 2012-03-22 (with wiki link [[Assurance/Procedures/RLO]])
  * Marcus to compile final report
  * will do Froscon report too
 1. barbados: /account/index.php 17 - transfer to java
 1. dirk proposal: certs w/o roots
  * add fingerprints of servers to a wiki page
  * no one really understands what dirk means ....
 1. [[https://lists.cacert.org/wws/arc/cacert-translations/2012-09/msg00000.html|Encoding problem of Simplified Chinese]]
 {{{
Simplified Chinese version of cacert.org is encoded in GB18030 (an encoding specific to simplified Chinese and incompatible with UTF-8) and lacks a in the . Since most browsers assume UTF-8 encoding nowadays, it causes garbled text and requires manual adjusting of encoding. This can be fixed by either adding a aforementioned tag or converting to UTF-8 (or better still, do both).
}}}
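The fix the mail proposes (re-encode to UTF-8 and declare the charset, ideally both) can be done mechanically. The following script is an added example and is not code from the page or from the CAcert project; the sample page it converts is constructed inline, and the names `SAMPLE_GB18030`, `decodes_as_utf8` and `convert_to_utf8` are this example's own. It also shows the symptom: the GB18030 bytes are not valid UTF-8, so a browser assuming UTF-8 cannot decode them.

```python
import re

# Constructed sample (not a real cacert.org page): a minimal HTML document whose
# visible text is Simplified Chinese, stored as GB18030 bytes with no charset
# declaration at all, which is the situation the mail above describes.
SAMPLE_GB18030 = (
    "<html><head><title>CAcert</title></head>"
    "<body><p>欢迎来到 CAcert.org</p></body></html>"
).encode("gb18030")

# Matches <meta charset="..."> as well as
# <meta http-equiv="Content-Type" content="text/html; charset=...">
CHARSET_DECL = re.compile(r'(<meta[^>]*?charset=["\']?)([\w-]+)', re.IGNORECASE)
HEAD_OPEN = re.compile(r"<head[^>]*>", re.IGNORECASE)


def decodes_as_utf8(data: bytes) -> bool:
    """True if a browser that assumes UTF-8 would render this page cleanly."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        # GB18030 multi-byte sequences use lead bytes that are invalid in UTF-8,
        # which is exactly why the page shows up garbled.
        return False


def convert_to_utf8(data: bytes, source_encoding: str = "gb18030") -> bytes:
    """Apply both fixes from the mail: re-encode the page as UTF-8 and make sure
    the document declares that charset (rewriting a stale declaration if present)."""
    text = data.decode(source_encoding)
    if CHARSET_DECL.search(text):
        # An existing declaration (e.g. charset=gb18030) would now be wrong: rewrite it.
        text = CHARSET_DECL.sub(lambda m: m.group(1) + "utf-8", text, count=1)
    else:
        text, inserted = HEAD_OPEN.subn(
            lambda m: m.group(0) + '<meta charset="utf-8">', text, count=1)
        if inserted == 0:  # no <head> at all: put the declaration first
            text = '<meta charset="utf-8">' + text
    return text.encode("utf-8")


if __name__ == "__main__":
    print("original readable as UTF-8:", decodes_as_utf8(SAMPLE_GB18030))  # False
    fixed = convert_to_utf8(SAMPLE_GB18030)
    print("converted readable as UTF-8:", decodes_as_utf8(fixed))          # True
    print(fixed.decode("utf-8"))
```

Rewriting an existing declaration matters as much as adding a missing one: a page converted to UTF-8 that still says `charset=gb18030` is garbled in every browser, not just in those that default to UTF-8.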
=== 2. DEV on bug 1023/1054 "Thawte Patch" ===
 * "Thawte points removal, final step" [[https://bugs.cacert.org/view.php?id=1023|bug #1023]]
 * bug #1023 Testing (6.php)
 * last patch transferred to production system 2012-05-30
 * what are the next steps for thawte points revoke?
 * points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
 * 15.php needs rename to 10.php
 * next step in: [[https://bugs.cacert.org/view.php?id=1054|bug #1054]] Review the code regarding the new point calculation in ./includes/general.php (current state: testing)
 * email debug notification, search for other solution
 * testing scenarios: see [[https://bugs.cacert.org/view.php?id=1054#c3163|bug note c3163]]
 * some explanations
 * assure someone - f2f, ttp, the sentence "Only tick the next box if the Assurance was face to face" is conflicting, fixed
 * ongoing testing

=== 3. 2nd review of about again 4 remaining patches ===
||<#ff8080> '''Software-Assessors task''' ||
 1. Benny pre-views done
|| neo || [[https://bugs.cacert.org/view.php?id=978|bug #978]] Invalid SPKAC requests are not properly validated || recheck full certs signing procedures<<BR>>duplicate report to bug#540 || 5 {0} ||
  * from meeting 2012-07-17:
   * 5 patches reviewed
   * 3 simple, bugs 540 (fixed), 789 (fixed), 981 (reviewed)
   * 2 with some difficulties, 978 (related to bug#540), most complex one: 1024 (reviewed)
 1. [[https://bugs.cacert.org/view.php?id=978|bug #978]] bug 978 (weak keys) (bug 918)
  * invalid key format, no regular error message, something wrong, error code # identified
  * debugging infos from user + infos from critical team with error code #, was spkac routine
  * one test done 2011-12-17 by JensK
  * uli, marcus: more tests: certs routine, weak keys (small keys test), relates to [[https://bugs.cacert.org/view.php?id=540|bug#540]] tests
  * (week 7)
|| neo || [[https://bugs.cacert.org/view.php?id=978|bug #978]] Invalid SPKAC requests are not properly validated || recheck full certs signing procedures<<BR>>duplicate report to bug#540 || 5 {0} ||
|| neo || [[https://bugs.cacert.org/view.php?id=1004|bug #1004]] Stats page improvement || tested by 2, needs 2nd review || {0} ||
|| neo || [[https://bugs.cacert.org/view.php?id=1091|bug #1091]] contact assurer improvement || tested by 2, needs 2nd review || {0} ||
|| neo || [[https://bugs.cacert.org/view.php?id=860|bug #860]] someone accessed your password and secret questions notification || tested by 2, needs 2nd review || {0} ||
 1. awaiting transfer to production system

=== 4. Patches Overview - DEV and Testing ===
 1. Bugs under Testing
  1. [[https://bugs.cacert.org/view.php?id=1004|bug#1004]], stats, Marcus + Uli did some tests, one problem identified
 1. English Translation Problems
  * how to handle typing error in web phrase [[Software/TranslationMisspelling]]
  * "Can't continue with certificaterequest." in ../includes/account.php:341 ../includes/account.php:1482
  * create shared bug
  * probably make part a. and b.
   a. that is clear,
   a. that is questionable
  * new [[https://bugs.cacert.org/view.php?id=1086|bug #1086]]
 1. Marcus Bugs list
  * see also [[Software/BugsOverview]]
  * [[https://bugs.cacert.org/view.php?id=1023|bug#1023]] related
   * [[https://bugs.cacert.org/view.php?id=583|bug#583]] "Assure Somebody" allows future assurance dates
   * [[https://bugs.cacert.org/view.php?id=648|bug#648]] send message from Assurer to Member
   * [[https://bugs.cacert.org/view.php?id=802|bug#802]] Name parts should be designated in assurance form
   * [[https://bugs.cacert.org/view.php?id=870|bug#870]] My Details - My Points show bogus time stamp
   * [[https://bugs.cacert.org/view.php?id=914|bug#914]] Information about Practice on Name while entering an Assurance
   * [[https://bugs.cacert.org/view.php?id=930|bug#930]] types wrong points in "Assure Someone" form
   * [[https://bugs.cacert.org/view.php?id=931|bug#931]] Date of assurance in future don't throw any exception
   * [[https://bugs.cacert.org/view.php?id=998|bug#998]] When entering an assurance in the WoT one line of the form the suffix is given in another line the suffix is missing.
   * [[https://bugs.cacert.org/view.php?id=1000|bug#1000]] Entering an assurance into the system after searching for an assurer causes a pre-filled location field
  * Others
   * [[https://bugs.cacert.org/view.php?id=118|bug#118]] Secure TTP Form upload - outdated, conflicts with new procedure, closed
   * [[https://bugs.cacert.org/view.php?id=428|bug#428]] Reminder language-drop-down-box doesn't keep "English" if you choose it again - cannot be reproduced, tested by 2, closed
   * [[https://bugs.cacert.org/view.php?id=489|bug#489]] Pb on rewarding 2 points for an assurance
   * [[https://bugs.cacert.org/view.php?id=567|bug#567]] case sensitive email: tested by 2, cannot be confirmed, closed
   * [[https://bugs.cacert.org/view.php?id=767|bug#767]] Single-quotes escaped in Web-of-Trust contact form.
  * info pages to wiki pages
   * starting [[https://bugs.cacert.org/view.php?id=671|bug #671]]; there is still a bug open, [[https://bugs.cacert.org/view.php?id=740|bug #740]] (How to become an assurer is misleading)
   * [[https://bugs.cacert.org/view.php?id=491|bug #491]] "Please allow usage of "secondary" emails user ids." - proposes: Close with rejected
   {{{
 * username/password half of the combination is known to potential attacker
 * login prevents login to several email addresses
 * acceptance to several email addresses is prevented
 * no notification if primary email address has been changed
 * note regarding Policy Group
 * dirk: proposal: response email address exists, but isn't primary email ?
 * create new account results in "email address exists"
 * what is a proper response?
 * requestor has to be an assurer for assure someone
 * neo: for registration process captcha required
 * no good solution
 * for assurance only primary, for all other services allow also secondary addresses
 * search needs enhancement: search not only primary, also secondary
}}}
   * [[https://bugs.cacert.org/view.php?id=571|bug #571]] "need for email addresses (or link) in admin console" - proposes: Closed with solved by other bug fix
   {{{
 * primary and secondary email addresses are shown in admin console
}}}
   * [[https://bugs.cacert.org/view.php?id=591|bug #591]] "CPS has to be improved for audit." - proposes: Closed
   {{{
 * CPS is a working revision also DRAFT revision included
 * relates to policy repository bug# final place finding
}}}
  * addtl. groups:
   a. OA
   a. CCA rollout
   a. TTP
 1. [[https://bugs.cacert.org/view.php?id=1025|bug #1025]] "Domain Dispute strange behaviour / Domain Dispute issue", checked
  * wrong description, problem removing domains, bugfix solves this problem
  * async removal of certs by signer
  * needs review and testing
  * inopiae will try testing on upcoming weekend
  * to test: email- and domain dispute
  * bug 1025, needs testing
 1. [[https://bugs.cacert.org/view.php?id=922|bug #922]] "CAcert application code problem causing missing 'certificate about to expire' messages", checked
  * patch seems to be ok
  * white spaces cleanup
  * includes/account.php var $id shall be fixed within recursion, new [[https://bugs.cacert.org/view.php?id=1078|bug #1078]]
  * 2 tests initiated by inopiae and u60
  * principle ok, but very confusing
  * test reports Marcus:
   * discussions, Marcus got 71 or 72 notifications
   * Neo: default 5 notifications: 45d, 30d, 15d, 3d, 1d
  * [[https://bugs.cacert.org/view.php?id=922|bug #922]] test report / review
   * one test account, 1 client cert, 1 server cert, received 105 (1) reminders (!!!)
   * 15 reminders checked, 1 for client cert, 14 for server cert (!!!)
   * needs further inspection
  * Bug Testing / Reporting bug #922 difficult
   * Marcus writes a tool to collect Email infos from TMS
   * benny will try to debug mass mailing problem with [[SystemAdministration/Systems/Development|local image]]
  * bug #922 debugging
   * probably distinct missing in sql query
   * continue testing
   * current production: notifications not rcvd
   * emails on ca-mgr1 reset, done
 1. Findings from David
  1. (char) 160 is problematic in various locales, as it appears as whitespace (160 is not a particularly good val either in ISO-8859-1) in certs
   * todo: doing whitelist of allowable chars
   * \xA0 is a problem too (at least in Win32/64)
   * todo: file a new bug#
  1. subjectAltName is occasionally not checked for problems
   * todo: file a new bug#
 1. Thawte patch part II
|| dirk || [[https://bugs.cacert.org/view.php?id=1054|bug #1054]] 0001054: Review the code regarding the new point calculation || Thawte patch part II || {0} ||
  * Uli, Marcus: continued Thawte patch part II [[https://bugs.cacert.org/view.php?id=1054|bug #1054]] testing
  * according to [[Software/CurrentTest/bug1054|bug #1054 test matrix]]
  * still ongoing
  * requires action by Ted to transfer CATS results from ca-mgr1 to cacert1 testserver, done
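David's finding above (character 160, i.e. U+00A0 / byte 0xA0, looks like a space in certificate name fields but is not one, and the todo is a whitelist of allowable characters) can be illustrated with a positive allowlist check. The following is an added example, not code from the page or from the CAcert code base: the allowlist in `ALLOWED_PUNCT` is an assumption for illustration, and `classify_char`, `check_subject_field` and `check_form_bytes` are names chosen here. Instead of stripping or normalising suspicious characters it names each one with its code point, so a rejected request tells the user and the reviewer exactly which byte was the problem.

```python
import unicodedata

# Punctuation that a personal name or subject field may legitimately contain.
# Assumption: this allowlist is illustrative and is not CAcert's actual rule set.
ALLOWED_PUNCT = frozenset(" '-.,")


def classify_char(ch: str) -> str:
    """Return "ok" for an allowed character, otherwise a short reason.

    The list is positive: letters, decimal digits and ALLOWED_PUNCT pass,
    everything else is reported rather than silently accepted.
    """
    if ch in ALLOWED_PUNCT:
        return "ok"
    cat = unicodedata.category(ch)
    if cat.startswith("L") or cat == "Nd":
        return "ok"
    if cat in ("Zs", "Zl", "Zp"):
        # U+00A0 NO-BREAK SPACE (byte 0xA0 in ISO-8859-1) lands here: it renders
        # like a space but is not U+0020, which is what the finding above is about.
        return f"space-like character U+{ord(ch):04X}"
    if cat.startswith("C"):
        # C0/C1 controls, zero-width and bidi formatting characters, surrogates
        return f"control/format character U+{ord(ch):04X}"
    return f"disallowed character U+{ord(ch):04X}"


def check_subject_field(value: str) -> list:
    """Return a list of problems found in a subject/name field (empty = passes)."""
    problems = []
    for offset, ch in enumerate(value):
        reason = classify_char(ch)
        if reason != "ok":
            problems.append(f"offset {offset}: {reason}")
    return problems


def check_form_bytes(raw: bytes, encoding: str = "iso-8859-1") -> list:
    """Same check on a raw form value: a Latin-1 0xA0 byte decodes to U+00A0 and is caught."""
    return check_subject_field(raw.decode(encoding))


if __name__ == "__main__":
    # Constructed sample inputs: a clean name, the NBSP case, accented letters, a zero-width space.
    for sample in ("Max Mustermann", "Max\u00a0Mustermann",
                   "Fran\u00e7ois d'Orl\u00e9ans-Smith", "foo\u200bbar"):
        print(repr(sample), "->", check_subject_field(sample) or "ok")
    print(check_form_bytes(b"Max\xa0Mustermann"))
```

The same check is deliberately not applied to subjectAltName values: DNS names and e-mail addresses have their own syntax, so the second finding (subjectAltName not always checked) needs a separate validator rather than a wider allowlist here.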
 1. [[https://bugs.cacert.org/view.php?id=1017|bug #1017]] Chrome certificate enrollment (relates to #964 "Black Jack")
  * updated
  * /account.php?id=6 list 3 options
   a. Install the certificate into your browser
   a. Download the certificate in PEM format
   a. Download the certificate in DER format
 1. new [[https://bugs.cacert.org/view.php?id=1095|bug #1095]] "Problems with creating server certificate where the csr is created with Java SDK Tools"
  * cmdline sample: {{{keytool -genkey -alias test.test.net -keyalg RSA -keystore test.test.net.ks -validity 1095}}}
  * NEO couldn't reproduce the problem using keytool, tested against production and testserver

=== 5. Benny reviews ===

=== 6. New SA candidates and Coders ===
 1. ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before 2012-08-10 - 2012-08-11 BarCamp kiel
  * [[Arbitrations/a20120703.1|ABC Benny]]
  * potential dates: 2012-09-08 mrmcd or 2012-09-15 Itzehoe
  * ABC Benny, Philipp picked up, interview Uli can do F2F at weekend 14-16 Sept., but needs instructed by PD
  * interview passed
 1. Heino, not yet prepared, needs first contact
 1. How to find coders? Experiences from the Gentoo project
  * [[http://redmonk.com/dberkholz/2012/07/10/how-to-recruit-open-source-contributors/]]
  * [[http://www.slideshare.net/dberkholz/lessons-on-recruiting-open-source-contributors-from-the-google-summer-of-code]]
  * use as blueprint for other recruits?
 1. report from last board meeting - topic Arbitration
  * is added to upcoming [[Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/20120819|board meeting 2012-08-19]]

=== 7. Long Term Projects ===
 1. NEO: "BlackJack" [[https://bugs.cacert.org/view.php?id=964|bug #964]]
  * 2012-07-17 NEO: has finished IE patch, [[http://cacert.nhng.de/IEkeygen/keygen.html]]
  * meeting 2012-07-24: working session: testing "Black Jack"
  * marcus: tested chrome
  * marcus, uli: enable-login flag set after key has been signed with unset flag on request, fixed
  * 2012-07-24 working session
 1. NEO: (964) enable-login flag fixed, to transfer to testserver
 1. NEO: org-certs prob
 1. ben: "For the error messages of the status codes, please give both hex and int. Also, when the confirmation prompts are declined, make the error message a bit more meaningful."
  * "Fehler: Nachricht (0x80000095 / -2147.....)"
  * error messages on ms website: [[http://msdn.microsoft.com/en-us/library/ms953432.aspx#smartcardcspcook_topic3]]
 1. magu: tests bug #964
  * error messages:
   * available key sizes: 512-1024 Bit (in 64 Bit steps)
   * Schlumberger CSP, Keysize 1024 --> 2146435043
   * Infineon SICRYPT Base Smart Card CSP Keysize Nothing Error_ (-7feff92 / -2146434962)
  * NEO: "BlackJack" [[https://bugs.cacert.org/view.php?id=964|bug #964]] testing from last week -> error codes
   * started implementing
  * Marcus testing [[https://bugs.cacert.org/view.php?id=964|bug #964]] in meeting [[Software/Assessment/20120814-S-A-MiniTOP|2012-08-14]]
   * some error messages fixed
   * Magu to test
 1. Marek's sql class project:
  * is working on charset replacement
 1. api project, Carsten continues with portal project not waiting for vendor-api to be delivered
  * potential candidates for development
 1. Marek's sql class proposal
  * needs probably db upgrades
  * needs addtl. indices
  * needs testing
 1. archaios
  * builds daemon as unprivileged user
  * vendor-api delayed
  * no coders
  * other projects
   * related to sql class project
   * portal project continues with a workaround, needs an assurer
   * arbitration case on locations database orders outsourcing of find-an-assurer asap
   * with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)
   * relation to location database
 1. website find an assurer
 1. scripted mailing for ATE invitations
  * user check that data is still valid eg every 1 year
  * notification at login upto 6 months not online
  * notification by email if not logged in within last 6 months

=== 8. next meeting ===
 * Tuesday, September 25th, 2012 22:00 CEST

== Minutes ==
 1. Preface
 1. Marcus Event reports, not yet finished
 1. bug #1019 passed to production this week
 1. csr request for portal, for www.cacert.eu and cacert.eu passed
 1. Neo: who has msi experiences?
  * relates to Install Roots plugin
 1. 2nd reviews: next
|| neo || [[https://bugs.cacert.org/view.php?id=1091|bug #1091]] contact assurer improvement || tested by 2, needs 2nd review || {0} ||
  * 1091: unclean EOL, give info to support in case of spamming/phishing
 1. DEV on bug 1023/1054 "Thawte Patch"
  * checked open test scenarios [[Software/CurrentTest/bug1054|bug 1054 test matrix]]
 1. DEV on bug 1054 "Thawte Patch" (update 2012-09-18)
  * new patches by dirk, pushed to cacert-devel, testserver
  * tverify removed
  * merge conflict with account id 60 (eg email removal), see [[https://bugs.cacert.org/view.php?id=823|bug #823]]
  * max_points() routine replaced by new max_points() routine
  * get_assurer_status(), output_summary_content() with parameter 0 replaced by max_points()
  * received_points()
 1. general rewrite of get info from csr routine in includes/general.php (bug 1054, bug 440)
  * Timo will check
 1. Timo: Unit-test testsystem, phpunit jenkins
  * [[http://ci.partkeepr.org/job/PartKeepr/]]
  * [[https://github.com/NEOatNHNG/cacert-frontendtests]]
  * can we merge both environments? frontend tests and unit tests?
 1. dirk proposal: certs w/o roots
  * add fingerprints of servers to a wiki page
  * no one really understands what dirk means ....
  * for each webserver you can approve the server cert individually
  * proposal to list fingerprints of default webservers from CAcert
  * Neo: much work, insecure link (to the wiki), to get the fingerprints needs a secure channel
  * wiki page with list of issued certs (admin page exists), but "insecure" page
  * general bootstrapping problem
  * proposal: download cert over insecure channel, check fingerprint, then you can use the secure channel
  * pages to update: www, secure, wiki, community under [[https://wiki.cacert.org/SystemAdministration/CertificateList|Current Certificate List]]
 1. NEO: bug #1097 fix avail, to test
|| neo || [[https://bugs.cacert.org/view.php?id=1097|bug #1097]] Special characters which have no HTML-entities are not properly escaped || needs testing || {0} ||
 1. crypto stick
  * xca not simply usable, not dau compatible
  * under linux not simply usable, install ppa's, initialize and so on, not dau compatible
 1. 1054 next tests
  a. continue with open test cases
  a. add new test scenarios of 2010-09-18 update
 1. next meeting:
  * Tuesday, September 25th, 2012 22:00 CEST

==== Fixed Action Items since last or within meeting ====
|| neo || [[https://bugs.cacert.org/view.php?id=1019|bug #1019]] Contact form does not work when logged in || tested by 3, needs 2nd review || {g} ||

==== Action Items New ====
Action items: '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''
----
 . CategorySoftwareAssessment