 . '''To Software [[Software|Software]]''' - '''To Software-Assessment [[Software/Assessment|Software/Assessment]]''' - '''To [[Software/Assessment/20121030-S-A-MiniTOP|previous meeting]]''' - '''To [[Software/Assessment/20121113-S-A-MiniTOP|next meeting]]'''
----
= Minutes of the MiniTOP on 2012-11-06 =

== Setting ==
The MiniTOP will be held via telco at 22:00 CET (21:00 UTC).

Attendees: Magu, Marcus, BenBe, Uli, dirk, robert

== Topics ==
(skip to [[#AGENDA|agenda]])

Action items from the last meeting: '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''

== Agenda ==
## last full agenda https://wiki.cacert.org/Software/Assessment/20120228-S-A-MiniTOP

=== 1. Preface ===
 1. [[https://bugs.cacert.org/view.php?id=922|bug #922]] problem, transferred to critical, Wytze did a rollback

|| neo, dirk || [[https://bugs.cacert.org/view.php?id=922|bug #922]] missing "certificate about to expire" messages || tested, reviewed by 2, needs 2nd review || {0} ||

  * the previous test can also be used to check the "certificate about to expire" messages
  * notifications expected: 1d, 15d, 30d, 45d before expiry
  * Uli: Marcus plz test again
  * Marcus+Uli: plz add the serial number of the cert about to expire to the message text
  * NEO: added the serial number on Oct 2nd
  * Uli: 15d notification received on Oct 5th/6th, last 1d expiry warning expected Oct 19, passed ok
  * moved to 2nd review
  * BenBe: 922 2nd review, currently busy, feels not ready to review this patch
  * tested by 2, needs 2nd review, BenBe passed it to another SA
  * -> dirk, assigned
  * seems to be ok, ready to go
  * BenBe to transfer to critical team

=== 2. DEV on bug 1023/1054 "Thawte Patch" ===
 * "Thawte points removal, final step" [[https://bugs.cacert.org/view.php?id=1023|bug #1023]]
 * bug #1023 testing (6.php)
 * last patch transferred to the production system 2012-05-30
 * what are the next steps for the Thawte points revoke?
 * points settings codes, e.g. 50 pts open GPG/PGP; which certs are available at how many pts
 * 15.php needs renaming to 10.php
 * next step in: [[https://bugs.cacert.org/view.php?id=1054|bug #1054]] Review the code regarding the new point calculation in ./includes/general.php (current state: testing)
 * email debug notification, search for another solution
 * testing scenarios: see [[https://bugs.cacert.org/view.php?id=1054#c3163|bug note c3163]]
 * some explanations
 * assure someone - f2f, TTP: the sentence "Only tick the next box if the Assurance was face to face" was conflicting, fixed
 * new patches by dirk, pushed to cacert-devel (update 2012-09-18)
 * tverify removed (?)
 * merge conflict with account id 60 (e.g. email removal), see [[https://bugs.cacert.org/view.php?id=823|bug #823]]
 * max_points() routine replaced by the new max_points() routine
 * get_assurer_status(), output_summary_content() with parameter 0 replaced by max_points()
 * received_points()
 * status: testing?

=== 3. 2nd review of remaining patches ===
||<#ff8080> '''Software-Assessors task''' ||

 1. [[https://bugs.cacert.org/view.php?id=1004|bug #1004]] Stats page improvement
  * stats: Marcus + Uli did some tests, one problem identified, fixed 2012-08-25 by NEO
  * fully re-tested by 2: 2012-08-25 (at FrOSCon)
  * needs 2nd review
  * moved out to a cron job routine
  * -> BenBe, assigned
  * 1004 ... under review by BenBe
  * checked by BenBe
  * work done by NEO, pushed to cacert-devel, transferred to testserver
  * needs 2nd review, tested

|| neo, BenBe || [[https://bugs.cacert.org/view.php?id=1004|bug #1004]] Stats page improvement || tested by 2, needs 2nd review || {0} ||

==== deferred ====
|| gagern, neo || [[https://bugs.cacert.org/view.php?id=440|bug #440]] Problem with subjectAltName || tested, needs 2nd review, rejected, new deployment of the getcn/getalt procedure, relates to [[https://bugs.cacert.org/view.php?id=1101|bug #1101]] || {r} 2 ||

=== 4. Patches Overview - Testing, Development ===
 1. [[https://bugs.cacert.org/view.php?id=1054|bug #1054, test 1054.3.6]], [[https://bugs.cacert.org/view.php?id=1035|bug #1035]]
  * create several types of certs (client certs, server certs, org client certs, org server certs) and analyse the content of the certs -> subjectAltName and CN with a single SAN and with multiple SANs
  * renew the certs
  * addtl. tests? Marcus? Magu? BenBe?
  * 2012-10-02 dirk: problems with git push #1054, got fixed
  * DEV on bug 1023/1054 "Thawte Patch"
  * check the last changes by dirk to transfer them into the test scenarios
  * [[Software/CurrentTest/bug1054|Bug #1054 test scenarios]]
  * see reference notes [[https://bugs.cacert.org/view.php?id=1101#c3225|note 3225 on bug #1101]] and [[https://bugs.cacert.org/view.php?id=1101#c3245|note 3245 on bug #1101]]
 1. [[https://bugs.cacert.org/view.php?id=964|bug #964]] and [[https://bugs.cacert.org/view.php?id=1017|bug #1017]] {o}, relates also to [[https://bugs.cacert.org/view.php?id=1054|bug #1054, test 1054.3.6]] - Chrome certificate enrollment (relates to #964 "Black Jack")
  * create client certs, go to the signing routine
  * new routine with 3 different download options for the signed public key; /account.php?id=6 lists 3 options:
   a. Install the certificate into your browser (tested)
   a. Download the certificate in PEM format
   a. Download the certificate in DER format
  * [[https://bugs.cacert.org/view.php?id=1017|bug #1017]] Chrome certificate enrollment
  * BenBe will pick it up
  * [[https://bugs.cacert.org/view.php?id=1017|bug #1017]], doing some more tests?
  * Alex, Marcus doing some more tests
 1. Marcus' bugs list
  * see [[Software/BugsOverview]]
  * according to [[https://bugs.cacert.org/view.php?id=976|bug #976]] "0000976: List of update request for webdb database structure upgrade with tables / fields"
  * the addtl_notes table hasn't been added in the [[https://bugs.cacert.org/view.php?id=976|patch for bug 976 on 2011-11-25]]
  * OU info from org certs is not stored
  * extend the org certs table? new bug?
  * OU in subject?
  * includes/account.php (17)
  * in org certs it is in the subject
  * addtl. field ou? new bug#?
  * used bug #1010
 1. new [[https://bugs.cacert.org/view.php?id=1095|bug #1095]] "Problems with creating server sertificate where the csr is created with Java SDK Tools"
  * cmdline sample: `keytool -genkey -alias test.test.net -keyalg RSA -keystore test.test.net.ks -validity 1095`
  * NEO couldn't reproduce the problem using keytool, tested against production and testserver
  * identified as weak key usage: the CSR was signed with MD2, which is not (or no longer) supported by openssl; add a new error message for this case
 1. [[https://bugs.cacert.org/view.php?id=440|bug #440]], [[https://bugs.cacert.org/view.php?id=1101|bug #1101]] (extract CSR) (back under development)
  * ASN.1 format
  * CSR extraction: needed for signing: email address, hostname
  * Timo will write a CSR parser
  * current state:
   * CN is parsed
   * some information about the public key
   * ASN.1 PHP library
  * what about UTF-8?
  * IDNs
  * Policy: [[PolicyDecisions#p20091108|p20091108]] CPS to drop the assurer criteria and allow IDN certificates in specified TLDs or single-script character sets
  * [[FAQ/Privileges|FAQ Privileges]]
  * [[http://www.cacert.org/policy/CertificationPracticeStatement.php#p3.1|CPS 3.1.7]]
  * [[AssuranceHandbook2/SomeMoreInformation|Assurance Handbook - Some more Information]]
{{{
Code signing and IDN certificates
If you are an Assurer, you can get certificates signed/issued by CAcert for code signing and IDNs (International Domain Names). Due to the increased possibilities for abuse those certificates have additional requirements. The CPS states that this requires Assurer level, which you meet if you are reading this Handbook. However note that as of 20091106, there is a move to reduce these requirements. Watch this space.
}}}
  * currently only client and server certs; other options are currently not selectable, except Code Signing
  * extensions currently not supported, e.g. Jabber
   * [[https://bugs.cacert.org/view.php?id=530|bug #530]] XMPP extension not present after renewal
   * [[https://bugs.cacert.org/view.php?id=87|bug #87]] Issuing certificates for Jabber servers/users
  * parameters: domains; currently the first becomes the CN, the others SANs
  * rebuild subject routine ... to check
  * Michael: shall we enforce the CN from the CSR?
  * optional?
  * enforce copying the CN to the SAN
  * ASN.1 parse procedure, http://lapo.it/asn1js/
  * getcn, getalt procedure
  * docs for extractit() and getcn(): [[https://github.com/timoahummel/CAcert/blob/bug-1101/includes/general.php#L230|general.php line 230]]
  * felicitus: how does someone get "CN" from "commonName"? Where is it documented that "CN" is "commonName"?
  * the OID of commonName is 2.5.4.3, but there is nothing about "CN"
  * BenBE: see the OpenSSL header
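The CSR extraction notes above (the MD2-signed keytool CSR of bug #1095, the getcn/getalt replacement for bug #440/#1101, the single- and multiple-SAN test cases of bug #1054, and felicitus' question where "CN" comes from) are easiest to see on the wire. The following is an added example written for these minutes; it is not CAcert's code and not Timo's parser. It is a self-contained DER reader in Python that walks a PKCS#10 CSR and returns the subject commonName, the dNSName entries of a requested subjectAltName extension and the signature algorithm, refusing MD2/MD5/SHA-1-signed requests up front with an error message the user can act on instead of letting openssl fail later. On the "CN" question: the CSR itself only carries the OID 2.5.4.3; "CN" is the short name OpenSSL assigns to that OID in its object table (the header BenBE points to), so a replacement parser has to carry that mapping itself. The sample CSRs are constructed inside the block by a small DER encoder and carry a dummy key and dummy signature (nothing here verifies signatures); all function names are this example's own.

```python
# Minimal DER reader for PKCS#10 CSRs (added example; not CAcert's getcn/getalt).
# The sample CSRs are constructed with the tiny encoder at the bottom and carry a
# dummy key and signature: nothing here verifies a signature, only the structure.
OID_CN, OID_SAN, OID_EXT_REQ = "2.5.4.3", "2.5.29.17", "1.2.840.113549.1.9.14"
OID_RSA, SIG_SHA256_RSA = "1.2.840.113549.1.1.1", "1.2.840.113549.1.1.11"
WEAK_SIG = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption", "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}  # refused up front; bug #1095 is the MD2 case

def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, content bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    pos = 0
    while pos < len(body):                 # each (tag, content) inside a constructed value
        tag, val, pos = der_read(body, pos)
        yield tag, val

def oid_decode(body):
    """Dotted form of an OBJECT IDENTIFIER's content bytes (base-128 arcs)."""
    parts, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def subject_cn(name):
    """All commonName values in a Name (SEQUENCE OF SET OF SEQUENCE {OID, value})."""
    cns = []
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, typ), (vtag, val) = list(der_children(atv))
            if oid_decode(typ) == OID_CN:  # only the OID identifies "CN"; the name is convention
                cns.append(val.decode("utf-8" if vtag == 0x0C else "ascii"))
    return cns

def requested_dns_sans(attrs):
    """dNSName entries of a subjectAltName carried in an extensionRequest attribute."""
    dns = []
    for _, attr in der_children(attrs):
        (_, typ), (_, values) = list(der_children(attr))
        if oid_decode(typ) != OID_EXT_REQ:
            continue
        for _, extensions in der_children(values):     # SET OF Extensions
            for _, ext in der_children(extensions):    # Extension {OID, [critical], OCTET STRING}
                kids = list(der_children(ext))
                if oid_decode(kids[0][1]) == OID_SAN:
                    _, names, _ = der_read(kids[-1][1])  # GeneralNames SEQUENCE inside the OCTET STRING
                    dns += [v.decode("ascii") for t, v in der_children(names) if t == 0x82]
    return dns

def parse_csr(der):
    """Return {'cn': [...], 'dns': [...], 'sig_oid': str}; raise ValueError on bad input."""
    tag, body, end = der_read(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("CSR is not a single DER SEQUENCE")
    (_, info), (_, sig_alg), _ = list(der_children(body))
    sig_oid = oid_decode(next(der_children(sig_alg))[1])
    if sig_oid in WEAK_SIG:                # refuse early, with a message the user can act on
        raise ValueError("CSR signed with unsupported algorithm " + WEAK_SIG[sig_oid])
    fields = list(der_children(info))      # version, subject, subjectPKInfo, [0] attributes
    attrs = fields[3][1] if len(fields) > 3 and fields[3][0] == 0xA0 else b""
    return {"cn": subject_cn(fields[1][1]), "dns": requested_dns_sans(attrs), "sig_oid": sig_oid}

def tlv(tag, body):                        # DER encoder, only for constructing the samples
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk, p = [p & 0x7F], p >> 7
        while p:                           # base-128, high groups first, continuation bit set
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += reversed(chunk)
    return tlv(0x06, bytes(out))

def build_sample_csr(cn, dns_names, sig_oid):
    """Constructed CSR: real layout, dummy RSA key bits and dummy signature."""
    subject = tlv(0x30, tlv(0x31, tlv(0x30, oid(OID_CN) + tlv(0x0C, cn.encode()))))
    spki = tlv(0x30, tlv(0x30, oid(OID_RSA) + tlv(0x05, b"")) + tlv(0x03, bytes(17)))
    names = tlv(0x30, b"".join(tlv(0x82, n.encode()) for n in dns_names))
    ext = tlv(0x30, oid(OID_SAN) + tlv(0x04, names))
    attrs = tlv(0x30, oid(OID_EXT_REQ) + tlv(0x31, tlv(0x30, ext))) if dns_names else b""
    info = tlv(0x30, tlv(0x02, b"\x00") + subject + spki + tlv(0xA0, attrs))
    return tlv(0x30, info + tlv(0x30, oid(sig_oid) + tlv(0x05, b"")) + tlv(0x03, bytes(33)))

if __name__ == "__main__":
    print(parse_csr(build_sample_csr("www.example.com", ["www.example.com", "example.com"], SIG_SHA256_RSA)))
```

To run it against a real request, base64-decode the PEM body between the BEGIN/END lines and pass the bytes to parse_csr(). The subject decoding branches on the string tag (UTF8String versus PrintableString/IA5String), which is exactly where the UTF-8 and IDN questions above start: an IDN has to arrive as an A-label in the dNSName (IA5String), while a UTF8String CN can carry arbitrary Unicode that the SAN cannot.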
 1. [[https://bugs.cacert.org/view.php?id=1101|bug #1101]] refactoring getalt/getcn (Timo)
  * see [[http://bugs.cacert.org/view.php?id=1101#c3225|1101 comment c3225]]
  * tries to build a PHP library to replace the openssl-based parsing
   a. ASN.1 parsing, own library
   a. ???
  * openssl does escaping (per man page) (on input? on output?)
  * library tested through unit tests
  * openssl command for multiple SANs?
   * undocumented feature?
   * currently only known to work with -extfile: [[http://therowes.net/~greg/2008/01/08/creating-a-certificate-with-multiple-hostnames/#comment-595|creating-a-certificate-with-multiple-hostnames]]
 1. New patches
 1. Marcus: OA SQL query procedure, NEO to test on testserver
  * relates to [[https://wiki.cacert.org/Arbitrations/a20110118.1#Part_IV.2_-_Identifying_special_Organisation-Admins|a20110118.1 intermediate ruling Part IV.2]]
  * also [[https://bugs.cacert.org/view.php?id=512|bug #512]]
  * line-wise read-in (e.g. file read), change is not required
  * needs 2nd review, testing by NEO
 1. [[https://bugs.cacert.org/view.php?id=1097|bug #1097]] "Special characters which have no HTML-entities are not properly escaped"
  * needs testing, 2nd review, BenBe will check

=== 5. New SA candidates and Coders ===
 1. Heino, not yet prepared, needs first contact
 1. How to find coders? Experiences from the Gentoo project
  * [[http://redmonk.com/dberkholz/2012/07/10/how-to-recruit-open-source-contributors/]]
  * [[http://www.slideshare.net/dberkholz/lessons-on-recruiting-open-source-contributors-from-the-google-summer-of-code]]
  * use as a blueprint for other recruits?

=== 6. Long Term Projects ===
 1. NEO: "BlackJack" [[https://bugs.cacert.org/view.php?id=964|bug #964]]
  * NEO: "BlackJack" [[https://bugs.cacert.org/view.php?id=964|bug #964]] testing from last week -> error codes
  * started implementing
  * how does [[https://bugs.cacert.org/view.php?id=1017|bug #1017]] relate to this bug?
  * cert signing routine
  * IE5/IE6: automatic storage of the signed key in the local keystore
  * doesn't work under Vista, Win7
  * an MSI package is to be downloaded to import the keys into the local keystore under Vista, Win7
  * relates to [[https://bugs.cacert.org/view.php?id=1099|bug #1099]] but is quite different
  * neo sent the MSI package for testing to u60 and benbe; test passed successfully
 1. Marek's SQL class project:
  * is working on charset replacement
 1. API project: Carsten continues with the portal project, not waiting for the vendor API to be delivered
  * vendor API delayed
  * no coders
  * other projects
  * related to the SQL class project
  * portal project continues with a workaround, needs an assurer
  * the arbitration case on the locations database orders outsourcing of find-an-assurer asap
  * with the portal function, updating the data is possible, whereas updating data on the critical system is difficult (keep data current for assurers)
  * relation to the location database
 1. website find an assurer
 1. scripted mailing for ATE invitations
  * user check that data is still valid, e.g. every year
  * notification at login if not online for up to 6 months
  * notification by email if not logged in within the last 6 months
 1. Automated testing system
  * Timo: unit-test test system, phpunit + jenkins
  * [[http://ci.partkeepr.org/job/PartKeepr/]]
  * [[https://github.com/NEOatNHNG/cacert-frontendtests]]
  * can we merge both environments, frontend tests and unit tests?
  * Timo: automated testing systems are mergeable
  * frontend test: Java, may become a problem, alternate PHP version?
  * focus on unit tests
  * dirk: code or screen?
  * code and screen
  * frontend and unit tests on one machine?
  * trial: port frontend tests
 1. Timo: monitoring signer, not yet done
  * probably Wytze monitors the systems externally ?!?
  * see [[SystemAdministration/Systems|Systems overview]]
  * monitoring system, e.g. Zabbix instead of Nagios?
  * BenBE: Icinga as an alternative?
  * Zabbix agents: required to be the same revision as the server
 1. Timo, Benny: distro needs upgrade
  * lenny - support ended Feb 2012
  * the upgrade from etch to lenny was a long-running project
  * squeeze (current stable release) - tests started by critical team
  * "wheezy" close to its release date
  * Michael: email sent 2012-10-09 regarding the squeeze upgrade to the critical team
  * response received
  * testing WIP
  * move to sun2 proposed

=== 7. next meeting ===
 * Tuesday, November 13, 2012 22:00 CET

== Minutes ==
 1. Preface
 1. Marcus: OA SQL query procedure, NEO to test on testserver
  * relates to [[https://wiki.cacert.org/Arbitrations/a20110118.1#Part_IV.2_-_Identifying_special_Organisation-Admins|a20110118.1 intermediate ruling Part IV.2]]
  * also [[https://bugs.cacert.org/view.php?id=512|bug #512]]
  * line-wise read-in (e.g. file read), change is not required
  * needs 2nd review, testing by NEO
  * no news
 1. [[https://bugs.cacert.org/view.php?id=922|bug #922]] problem, transferred to critical, Wytze did a rollback
  * no news since about Friday last week
  * testserver has less data than the production system
  * potential problem: the DISTINCT clause in the query
  * what about the proposals by Timo?
  * [[https://lists.cacert.org/wws/arc/cacert-devel/2012-11/msg00012.html|proposal 12/11/02 by Timo]]
  * data count: 1000 on testserver, 900,000 on production
  * create a test set of 900k certs in the database?
  * tables used, record counts: domaincerts 74, domlink 75, domains 52
  * which tables, table structure, db format: default MyISAM
  * domain*, email*, users
  * to contact the critical team with general info about the above tables
 1. [[https://bugs.cacert.org/view.php?id=1097|bug #1097]] "Special characters which have no HTML-entities are not properly escaped"
  * needs testing, 2nd review, BenBe will check
  * first test variations show: there are remaining problems
 1. debug messages on testserver (1054)
  * test account 1
   * variant 1 (pwd login): points3 (185/100)
   * variant 2 (cert login): points3 (185/100) points4 (185/100)
   * the first value relates to the wot.php?id=10 count of pts
  * test account 2
   * points3 (350/394) points4 (350/394)
   * 484 AP, other way 64 * 100
  * test account 3
   * points3 (200/662)
  * problem identified, fix transferred to testserver
 1. [[https://bugs.cacert.org/view.php?id=1004|bug #1004]] Stats page improvement
  * current state:
  * open issues
   a. How are deleted users handled?
   a. Isn't "verified_certs" misleading, as the affected tables also contain certs that failed to be signed?
   a. User statistics don't take removed assurances into account (???)
   a. Why not calculate backwards in the year-dependent loop from the already known values? The loop runs backwards already anyway.
  * the latter is still open
 1. [[https://bugs.cacert.org/view.php?id=1025|bug #1025]] Domain Dispute issue
  * BenBe will pick it up for 2nd review
 1. next meeting
  * Tuesday, November 13, 2012 22:00 CET

==== Fixed Action Items since last or within meeting ====
|| neo, BenBe || [[https://bugs.cacert.org/view.php?id=978|bug #978]] Invalid SPKAC requests are not properly validated || recheck full certs signing procedures; duplicate report to bug #540 || {g} ||
|| uli || [[https://bugs.cacert.org/view.php?id=977|bug #977]] admin console text fix || admin console Sysadmin - find domain - lists 2 tables, one for user accounts, one for org accounts; naming issue || {g} ||
|| || [[https://bugs.cacert.org/view.php?id=1080|bug #1080]] 0001080: The link on page to iso code on account.php?id=24 show no result || || {g} ||
|| || [[https://bugs.cacert.org/view.php?id=1083|bug #1083]] 0001083: Resize comment field for adding new organisation administrators || || {g} ||
|| neo, BenBe || [[https://bugs.cacert.org/view.php?id=860|bug #860]] someone accessed your password and secret questions notification || tested by 2, needs 2nd review || {g} ||
|| neo, dirk || [[https://bugs.cacert.org/view.php?id=922|bug #922]] missing "certificate about to expire" messages || tested, reviewed by 2, needs 2nd review || {o} ??? ||

==== Action Items New ====
Action items: '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''
----
 . CategorySoftwareAssessment