. '''To Software [[Software|Software]]''' - '''To Software-Assessment [[Software/Assessment|Software/Assessment]]''' - '''To [[Software/Assessment/20120925-S-A-MiniTOP|previous meeting]]''' - '''To [[Software/Assessment/20121009-S-A-MiniTOP|next meeting]]'''

----

= Minutes of the MiniTOP on the 2012-10-02 =

== Setting ==
The MiniTOP will be held via telco  22:00 CEST

Attendees: BenBe, Marcus, Uli, Michael, dirk


== Topics ==

(skip to [[#AGENDA|agenda]])

Action items from last meeting '''[[Software/Assessment/ActionItems|Meeting Action Items]]''' 
<<Include(Software/Assessment/ActionItems)>> 



<<Anchor(AGENDA)>>
== Agenda ==

## last full agenda https://wiki.cacert.org/Software/Assessment/20120228-S-A-MiniTOP


=== 1. Preface ===

=== 2. DEV on bug 1023/1054 "Thawte Patch" ===
 * "Thawte points removal, final step" [[https://bugs.cacert.org/view.php?id=1023|bug #1023]]
  * bug #1023 Testing (6.php)
 * last patch transfered to production system 2012-05-30
 * what are the next steps for thawte points revoke?
  * points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
  * 15.php needs rename to 10.php
 * next step in: [[https://bugs.cacert.org/view.php?id=1054|bug #1054]] Review the code regarding the new point calculation in ./includes/general.php (current state: testing)
  * email debug notification, search for other solution
  * testing scenarios: see [[https://bugs.cacert.org/view.php?id=1054#c3163|bug note c3163]]
   * some explanations
  * assure someone - f2f, ttp, the sentence "Only tick the next box if the Assurance was face to face" is conflicting, fixed
  * new patches by dirk, pushed to cacert-devel, (update 2012-09-18)
  * tverify removed  (?)
  * merge conflict with account id 60  (eg email removal), see [[https://bugs.cacert.org/view.php?id=823|bug #823]]
  * max_points() routine replaced by new max_points() routine
  * get_assurer_status(), output_summary_content() with parameter 0 replaced by max_points()
  * received_points() 


=== 3. 2nd review of about again 5 remaining patches ===

 ||<#ff8080> '''Software-Assessors task''' ||

 1. Benny pre-views done
  || neo || [[https://bugs.cacert.org/view.php?id=978|bug #978]] Invalid SPKAC requests are not properly validated || recheck full certs signing procedures<<BR>>duplicate report to bug#540 || 5 {0} ||

  * from meeting 2012-07-17:
   * 5 patches reviewed
   * 3 simple, bugs 540 (fixed), 789 (fixed), 981 (reviewed)
   * 2 with some difficultys, 978 (related to bug#540), complexest one: 1024 (reviewed)

 1. [[https://bugs.cacert.org/view.php?id=978|bug #978]] bug 978 (weak keys) (bug 918)
  * invalid key format, no regular error message, something wrong, error code # identified
  * debugging infos from user + infos from critical team with error code #, was spkac routine
  * one test done 2011-12-17 by JensK
  * uli, marcus: more tests: certs routine, weak keys (small keys test), relates to [[https://bugs.cacert.org/view.php?id=540|bug#540]] tests
  * (week 7)

 1. [[https://bugs.cacert.org/view.php?id=1004|bug#1004]], stats, Marcus + Uli did some tests, one problem identified, fixed 2012-08-25 by NEO
  * fully re-tested by 2: 2012-08-25 (at froscon)

 1. [[https://bugs.cacert.org/view.php?id=1091|bug #1091]] contact assurer improvement
  * 2nd review still started by dirk two times within last 3 weeks

 || neo || [[https://bugs.cacert.org/view.php?id=1091|bug #1091]] contact assurer improvement || tested by 2, needs 2nd review || {0} 1 ||
 || neo || [[https://bugs.cacert.org/view.php?id=978|bug #978]] Invalid SPKAC requests are not properly validated || recheck full certs signing procedures<<BR>>duplicate report to bug#540 || 5 {0} ||
 || neo || [[https://bugs.cacert.org/view.php?id=1004|bug #1004]] Stats page improvement || tested by 2, needs 2nd review || {0} ||
 || neo || [[https://bugs.cacert.org/view.php?id=860|bug #860]] someone accessed your password and secret questions notification || tested by 2, needs 2nd review || {0} ||
 || gagern, neo || [[https://bugs.cacert.org/view.php?id=440|bug #440]] Problem with subjectAltName || tested, needs 2nd review || {0} ||


=== 4. Patches Overview - Testing ===

 1. [[https://bugs.cacert.org/view.php?id=835|bug #835]] CATS test on testserver [[http://cats1.it-sls.de/]]
  * create client cert
  * go over to [[http://cats1.it-sls.de/]] pass a cats test
  * inform Ted to trigger a transfer of the tests to the testserver
  * check if CATS test passed to testserver
  * test with different accounts
   I. members age GT 18
    a. member < 100 pts, pass the CATS test
    a. member >= 100 pts, pass the CATS test
   I. members age GT 14 and LT 18
    a. member < 100 pts, pass the CATS test
    a. member >= 100 pts, pass the CATS test
   I. members age LT 14
    a. member < 100 pts, pass the CATS test
    a. member >= 100 pts, pass the CATS test
  * finish and report the tests, no need to transfer to production

 1. Problem with subjectAltName: bugs: [[https://bugs.cacert.org/view.php?id=440|bug #440]], [[https://bugs.cacert.org/view.php?id=1054|bug #1054, test 1054.3.6]], [[https://bugs.cacert.org/view.php?id=1035|bug #1035]]
  * create several types of certs (client certs, server certs, org client certs, org server certs) and analyse the content of the certs -> subjectAltName and CN  with single SAN and multiple SANs
  * renew the certs

 1. [[https://bugs.cacert.org/view.php?id=922|bug #922]] missing "certificate about to expire" messages
  * you can use previous test to also check "certificate about to expire" messages
  * notification expected: 1d, 15d, 30d, 45d

 1. [[https://bugs.cacert.org/view.php?id=964|bug #964]] and [[https://bugs.cacert.org/view.php?id=1017|bug #1017]], relates also to [[https://bugs.cacert.org/view.php?id=1054|bug #1054, test 1054.3.6]] - Chrome certificate enrollement (relates to #964 "Black Jack")
  * create client certs, go to signing routine
  * new routine with 3 different potential signed public key download routines /account.php?id=6 list 3 options
   a. Install the certificate into your browser   (tested)
   a. Download the certificate in PEM format
   a. Download the certificate in DER format 

 1. [[https://bugs.cacert.org/view.php?id=1054|bug #1054]] (Thawte patch) tests passed ?


 1. Marcus Bugs list
  * see [[Software/BugsOverview]]


 1. new [[https://bugs.cacert.org/view.php?id=1095|bug #1095]] "Problems with creating server sertificate where the csr is created with Java SDK Tools"
  * cmdline sample: keytool -genkey -alias test.test.net -keyalg RSA -keystore test.test.net.ks -validity 1095
  * NEO couldn't reproduce the problem using keytool, tested against production and testserver
  * identified as weak key usage: csr used MD2 encryption, not or no longer supported by openssl, add new error message

=== 5. New SA candidates and Coders ===

 1. ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before 2012-08-10 - 2012-08-11 BarCamp kiel
  * [[Arbitrations/a20120703.1|ABC Benny]] passed/closed, added to board meeting agenda upcoming meeting
 1. Heino, not yet prepared, needs first contact
 1. How to find coders? Experiences from the Gentoo project
  * [[http://redmonk.com/dberkholz/2012/07/10/how-to-recruit-open-source-contributors/]]
  * [[http://www.slideshare.net/dberkholz/lessons-on-recruiting-open-source-contributors-from-the-google-summer-of-code]]
  * use as blueprint for other recruits?
 1. report from last board meeting - topic Arbitration
  * is added to upcoming [[Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/20120819|board meeting 2012-08-19]]

=== 6. Long Term Projects ===

 1. NEO: "BlackJack" [[https://bugs.cacert.org/view.php?id=964|bug #964]]
  * NEO: "BlackJack" [[https://bugs.cacert.org/view.php?id=964|bug #964]] testing from last week -> error codes
   * started implementing
  * how does [[https://bugs.cacert.org/view.php?id=1017|bug #1017]] relate to this bug?
   * cert signing routine
   * ie5 ie6 automatic storage of signed key in local keystore
   * doesn't work under vista, win7
   * msi package is to download and import the keys to the local keystore under vista, win7
   * relates to [[https://bugs.cacert.org/view.php?id=1099|bug #1099]] but is quite different
   * neo sent msi package for testing to u60, benbe; test successful passed

 1. Marek's sql class project:
  * is working on charset replacement

 1. api project, Carsten continues with portal project not waiting for vendor-api to be delivered
  * vendor-api delayed
   * no coders
   * other projects
   * related to sql class project
  * portal project continues with a workaround, needs an assurer
   * arbitration case on locations database orders outsourcing of find-an-assurer asap
   * with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)
   * relation to location database
    1. website find an assurer
    1. scripted mailing for ATE invitations
   * user check that data is still valid eg every 1 year
    * notification at login upto 6 months not online
    * notification by email if not logged in within last 6 months

 1. Automated testing system
  * Timo: Unit-test testsystem, phpunit jenkins
  * [[http://ci.partkeepr.org/job/PartKeepr/]]
  * [[https://github.com/NEOatNHNG/cacert-frontendtests]]
  * can we merge both environments? frontend tests and unit tests?

=== 7. next meeting ===
 * Tuesday, October 9, 2012 22:00 CEST


== Minutes ==

 1. Preface
  * BenBe: saw interesting report [[https://bugs.cacert.org/view.php?id=1101#c3225|bug #1101 comment 3225]]
  * Uli: msi package tested successful ([[https://bugs.cacert.org/view.php?id=1099|bug #1099]])
   * Michael: shall we add another menu item?
 1. Problem with subjectAltName: bugs: [[https://bugs.cacert.org/view.php?id=440|bug #440]]
  * addtl. tests ?  Marcus: no
 1. [[https://bugs.cacert.org/view.php?id=922|bug #922]] CAcert application code problem causing missing "certificate about to expire" messages
  * Uli: Marcus plz test again
  * Marcus+Uli: plz add serno of cert about to expire into the message text
 1. [[https://bugs.cacert.org/view.php?id=1091|bug #1091]] Improve message to Assurer
  * BenBe, Michael text deployed
   {{{
 $body  = sprintf(_("Hi %s,"), $user['fname'])."\n\n";
 	$body .= sprintf(_("%s %s has sent you a message via the ".
 			"contact an Assurer form on CAcert.org."),
 			$_SESSION['profile']['fname'],
 			$_SESSION['profile']['lname'])."\n\n";
 	$body .= sprintf(_("Subject: %s"), $_REQUEST['subject'])."\n";
 	$body .= _("Message:")."\n";
 	$body .= $_REQUEST['message']."\n\n";
 	$body .= "------------------------------------------------\n\n";
 	$body .= _("Please note, that this is NOT a message on behalf ".
 			"of CAcert but another CAcert community member. If ".
 			"you suspect that the contact form might been abused, ".
 			"please write to support@cacert.org")."\n\n";
 	$body .= _("Best regards")."\n";
 	$body .= _("CAcert Support Team");
}}}
  * prevent injections
  * Neo: commited #1091 and transfered to testserver
  * first tests (with special chars and code in text, eg "." ... text is missing after "."
  * php.ini: magic quotes gpn is on
 1. dirk: problems with git push #1054, got fixed
 1. DEV on bug 1023/1054 "Thawte Patch"
  * check last changes by dirk to transfer into test scenarios
 1. next meeting
  * Tuesday, October 9, 2012 22:00 CEST



==== Fixed Action Items since last or within meeting ====


==== Action Items New ====



Action items: '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''

----
 . CategorySoftwareAssessment