Minutes of the MiniTOP on 2012-11-20

Setting

The MiniTOP was held via telco at 22:00 CET (21:00 UTC)

Attendees: BenBe, Marcus, Uli, Michael, magu, dirk

Topics


Action items from last meeting: see Meeting Action Items

Software/Assessment/ActionItems

Development, Deployment, Discussion

  • OAO, Ted

    bug #943 change OA admin/assurer text

    needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected

    {-}

    uli, Ted

    bug #824 Org User cert fix Case study

    Organisation User Certificates: Need UI improvement for proper production usage

    {0}

    uli, ted

    bug #823 email address removal fix

    No warning when removing e-mail address from account that certificates will be revoked
    checked by 4, needs 2nd review, deploy
    rejected

    {-}

    inopiae

    bug #920 Join - single name only (e.g. Indonesian)

    details under bug number

    {0}

    uli

    bug #859 admin console interface

    feature request: show activity on an account in the admin interface
    rejected: logging in with a certificate does not update the account's "modified" field, so that field cannot show activity

    {r}

    Michael

    bug #540

    p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
    uli, marcus: needs full cert create tests
    duplicate report to bug #978
    tested by 3, 2nd review done, transferred
    Ken reported: still has problems, bug kept open

    {0}

    gagern, NEO

    bug #440 Problem with subjectAltName (CSR, renew certs)

    There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development

    {r}

    neo

    bug #1025 Domain Dispute issue

    problem with the rc and rc2 variables in the disputes code
    needs work

    {r}

    dirk

    bug #1054 Review the code regarding the new point calculation

    Thawte patch part II
    needs further work

    {r}

Software Assessors: Review 1 / add to cacert-devel, add to testserver

  • Software-Assessors task

Testing

  • Testers task

    neo

    bug #1004 Stats page improvement

    tested by 2, needs 2nd review

    {0}

    neo

    bug #1159 it might be possible to execute commands on the signing server

    {0}

    inopiae

    bug #1065 Wrong wording when sending mails during the assurance process

    {0}

    inopiae

    bug #1162 calculate the password hash in PHP instead of in MySQL

    create test scenarios for the software testers /!\
    Full testing /!\

    {0}

    inopiae

    bug #28 Wrong language for the "you've been assured" and "[CAcert.org] Client Certificate" emails

    {0}

    inopiae

    bug #988 TTP cap form deployment

    {0}

Software Assessors: 2nd Review, Bundle Package to Critical Team

  • Software-Assessors task

    Ted

    bug #500 Get contact mail address after resolving test

    tested by 3, requires review

    {0}

    Ted

    bug #1140 Show if a test is passed in learnprogress

    tested by 3, requires review

    {0}

    magu

    bug #1131 Rename _all_ Policies from .php to .html and fix all links

    global policy directory maintenance and update

    {0}

    inopiae

    bug #1010 Reorder the view on organisation certificates

    tested by 3

    {0}

Software Assessors: Bundle Package to Critical Team

  • Software-Assessors task

    inopiae

    bug #1139 Add new fields to the database

    tests through #500 and #1140, 2nd review done, requires transfer

    {0}

Awaiting Response from Critical Team

  • inopiae

    bug #411 Wrong text is made into link

    {g}


Agenda

1. Preface

  1. BenBe: request: HTTPS header on the bug tracker

  2. New CATS questions, new French version
    1. forward to French translators who assisted in Class3 and Nov 2011 PR mailing
  3. patches conflicts
    • on transfer of bug #978, merge conflicts occurred; new findings
    • https://lists.cacert.org/wws/arc/cacert-devel/2012-11/msg00024.html

      • >> [...]
        >>      require_once("../includes/loggedin.php");
        >>
        >>      loadem("account");
        >>
        >> --- 16,22 ----
        >> [...]
        >>      require_once("../includes/loggedin.php");
        >> +    require_once('lib/check_weak_key.php');
        >>
        >>      loadem("account");
        >>
        >> [...]
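        Review bot: the added `require_once('lib/check_weak_key.php');` is a bare relative path, so PHP resolves it through include_path (and then the calling script's directory), whereas the neighbouring `require_once("../includes/loggedin.php");` is anchored explicitly; if the library lives under includes/, give it the same `../includes/` prefix so the page does not depend on where the interpreter is started, and match the double-quote style of the surrounding calls while at it. This is also the line the 978 branch lacked: the branch forked before bug 985 landed, so its patch has to be regenerated after merging release into it.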
        
        OK, here's the situation as I see it in the repository:
        In January the line was introduced into the live system as part of the
        release of bug 985 and the changes were also merged into our release
        branch, so everything is right there. But the branch for 978 was already
        started before, so it did not contain the changes from 985. What we
        should have done is merge the changes that already were on release into
        the 978 branch before creating the patch.
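The situation described in the mail can be reproduced in a throwaway repository. The script below is an added example for these minutes, not CAcert code: it builds a release branch, a bug 985 change on it, and a stale bug 978 branch whose change lands on the same line, then shows that the patch taken from the stale branch no longer applies on release, while the patch taken after merging release into the branch does. It assumes only that `git` is on PATH; the file content, branch names and the include `lib/example978.php` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not CAcert code: reproduce the bug 978 / bug 985 merge conflict
# and show why release must be merged into the feature branch before the patch
# for the critical team is produced. Assumes only that `git` is on PATH; the
# file content, branch names and 'lib/example978.php' are constructed.
set -eu

export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid

# Write a stand-in for account.php. Every argument is an extra require_once
# line placed directly after loggedin.php, the spot where both bug 985 and the
# constructed bug 978 change add a line.
write_account() {
  {
    echo '<?php'
    echo 'require_once("../includes/loggedin.php");'
    for extra in "$@"; do echo "$extra"; done
    echo ''
    echo 'loadem("account");'
  } > account.php
}

# Build the patch the way the 978 branch did: its changes relative to the point
# where it last diverged from release. Returns 0 if that patch applies on release.
patch_applies() {
  base=$(git merge-base release bug978)
  git diff "$base" bug978 > .git/bug978.patch
  git checkout -q release
  git apply --check .git/bug978.patch 2>/dev/null
}

# Run the whole scenario in a subshell; prints "stale=<yes|no> merged=<yes|no>".
run_demo() (
  repo=$(mktemp -d)
  cd "$repo"
  git init -q .
  git checkout -q -b release
  write_account
  git add account.php
  git commit -q -m 'base'
  git branch bug978                                   # forked before bug 985 landed
  write_account "require_once('lib/check_weak_key.php');"
  git commit -q -am 'bug 985: weak key check, released'
  git checkout -q bug978
  write_account "require_once('lib/example978.php');"
  git commit -q -am 'bug 978: own include at the same spot'

  if patch_applies; then stale=yes; else stale=no; fi    # context no longer matches release

  # What the mail says should have happened: merge release into the branch first.
  git checkout -q bug978
  git merge -q --no-edit release >/dev/null 2>&1 || true  # conflicts here, on the developer's side
  write_account "require_once('lib/check_weak_key.php');" \
                "require_once('lib/example978.php');"     # developer resolves it, keeping both
  git add account.php
  git commit -q -m 'merge release into bug978'

  if patch_applies; then merged=yes; else merged=no; fi  # patch now carries release's context

  cd / && rm -rf "$repo"
  echo "stale=$stale merged=$merged"
)

run_demo
```

The stale patch fails for the same reason the 978 transfer did: `git apply` matches the hunk's context lines exactly, and on release the line after `loggedin.php` is now the bug 985 include. Merging release into the branch surfaces that conflict where the developer can resolve it, and the regenerated patch then applies cleanly on the branch the critical team actually deploys from.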

2. DEV on bug 1023/1054 "Thawte Patch"

3. 2nd review of remaining patches

deferred

4. Patches Overview - Testing, Development

  1. Policy text and Arbitration ruling bug# fixes
    1. Policy text changes
      1. OAP bug #1009

      2. DRP - no bug# yet
      3. bug #1111

        • Change the text on the TTP page according to the new TTP program
        • BenBe moved to testserver

    2. Arbitration ruling text fixes
      1. bug #879

        • CAcert must update the web page on disputes, and include an explanation how to file a dispute (a20091206.1)
    3. Board orders
      1. bug #1114

        • Change CAcert postal address to the current one on index/11.php
          • BenBe moved to testserver

  2. bug #922 problem, transferred to critical, Wytze did a rollback

    • neo, dirk

      bug #922 missing "certificate about to expire" messages

      tested, reviewed by 2, needs 2nd review

      {0}

    • the previous test can also be used to check the "certificate about to expire" messages
    • notification expected: 1d, 15d, 30d, 45d
    • Uli: Marcus please test again
    • Marcus+Uli: please add the serial number of the cert about to expire to the message text
    • NEO: added serial number on Oct 2nd
    • Uli: 15d notification received on 5th and 6th Oct; last 1d expiry warning expected Oct 19, passed ok
    • moved to 2nd review
    • BenBe: 922 2nd review, currently busy, feels not ready to review this patch

    • tested by 2, needs 2nd review, BenBe passed to other SA

    • -> dirk, assigned

    • seems to be ok, ready to go
    • BenBe to transfer to critical team

    • patch transferred, but rolled back. Reason: the patch brought the critical system to a hang
      • Analysis
        • the test server holds far less data than the production system
        • potential problem: DISTINCT clause in the query
        • what about the proposals by Timo?
        • data count: 1,000 on the test server, 900,000 in production
          • create a test set of 900k certs in the database?
        • tables used, record counts: domaincerts 74, domlink 75, domains 52
          • which tables, table structure, DB storage engine: default MyISAM
          • domain*, email*, users
          • to contact the critical team with general information about the above tables
      • wytze, timo, dirk, benbe, michael: discussion by email
        • proposal to Wytze: add indexes on all columns selected by WHERE clauses (created, modified, expired, revoke)
        • confirmation by 2nd SA
  3. bug #1004 Stats page improvement

    • neo, BenBe

      bug #1004 Stats page improvement

      tested by 2, needs 2nd review

      {0}

    • stats, Marcus + Uli did some tests, one problem identified, fixed 2012-08-25 by NEO
    • fully re-tested by 2: 2012-08-25 (at froscon)
    • needs 2nd review
    • moved out to a cron job routine
    • -> BenBe, assigned

    • 1004: under review by BenBe

    • checked by BenBe

    • work done by NEO, pushed to cacert-devel, transfered to testserver
    • needs 2nd review, tested
    • current state:
    • open issues
      1. How are deleted users handled?
      2. Isn't "verified_certs" misleading as the affected tables also contain certs that failed to be signed?
      3. User Statistics don't take removed assurances into account (???)
      4. Why not calculate backwards in the year-dependent loop from the already known values? The loop runs backwards already anyway.
    • the latter is still open
  4. bug #1025 Domain Dispute issue

    • BenBe will pickup for 2nd review

  5. bug #1054, test 1054.3.6, bug #1035

    • create several types of certs (client certs, server certs, org client certs, org server certs) and analyse the content of the certs -> subjectAltName and CN with single SAN and multiple SANs

    • renew the certs
    • additional tests? Marcus? Magu? BenBe?

    • 2012-10-02 dirk: problems with git push #1054, got fixed
    • DEV on bug 1023/1054 "Thawte Patch"
    • see reference notes 3225 and 3245 on bug #1101

  6. bug #964 and bug #1017 {o}, relates also to bug #1054, test 1054.3.6 - Chrome certificate enrolment (relates to #964 "Black Jack")

    • create client certs, go to signing routine
    • new routine: /account.php?id=6 lists 3 options for retrieving the signed certificate
      1. Install the certificate into your browser (tested)
      2. Download the certificate in PEM format
      3. Download the certificate in DER format
    • bug #1017 Chrome certificate enrolment

      • BenBe will pickup

      • bug #1017, doing some more tests?

        • Alex, Marcus doing some more tests
  7. Marcus Bugs list
    • see Software/BugsOverview

    • according to bug #976

      • 0000976: List of update requests for the webdb database structure upgrade with tables / fields
      • addtl_notes table has not been added in the patch for bug 976 on 2011-11-25

      • OU info from org cert not stored

      • extend org certs table? new bug?
      • OU in subject?
      • includes/account.php (17)
      • in org certs it is in the subject
      • additional field ou? new bug #?
      • used bug #1010
  8. new bug #1095 "Problems with creating server certificate where the CSR is created with Java SDK tools"

    • cmdline sample: keytool -genkey -alias test.test.net -keyalg RSA -keystore test.test.net.ks -validity 1095
    • NEO could not reproduce the problem using keytool, tested against production and testserver
    • identified as a weak-key rejection: the CSR was signed with MD2, which is not (or no longer) supported by OpenSSL; add a new error message
  9. bug #440, bug #1101 (extract CSR) (back under development)

    • ASN.1 format
    • CSR extract: needed for signing: email address, hostname
    • Timo will write a CSR parser
    • Current:
      • CN will be parsed
      • some information about public key
    • ASN.1 php library
    • What about UTF-8?
    • IDNs
      • Policy: p20091108 CPS to drop assurer criteria and allow IDN certificates in specified TLD or single script character sets

      • FAQ Privileges

      • CPS 3.1.7

      • Assurance Handbook - Some more Information

        • Code signing and IDN certificates
          If you are an Assurer, you can get certificates signed/issued by CAcert for code signing and IDNs (International Domain Names).
          Due to the increased possibilities for abuse those certificates have additional requirements. The CPS states that this requires Assurer level, which you meet if you are reading this Handbook. However note that as of 20091106, there is a move to reduce these requirements. Watch this space. 
    • currently only client and server certs; other options are not selectable, except code signing
      • extensions currently not supported, e.g. jabber
      • bug #530 XMPP extension not present after renewal

      • bug #87 Issuing certificates for Jabber servers/users

    • parameters: domains; currently the first becomes the CN, the others SANs
    • rebuild the subject routine ... to check
    • Michael: shall we enforce cn from csr?
      • optional?
      • enforce copy cn to SAN
    • asn1 parse procedure, http://lapo.it/asn1js/

      • getcn, getalt procedure
      • docs for extractit() and getcn(): general.php line 230

      • felicitus: how does someone get "CN" from "commonName"? where is it documented that "CN" is "commonName"?
      • the OID of commonName is 2.5.4.3, but there is nothing about "CN"
        • BenBE: see the OpenSSL header
  10. bug #1101 refactoring getalt getcn (Timo)

    • see bug #1101 comment c3225

    • trying to build a PHP library to replace the openssl-based parsing
      1. ASN.1 parsing, own library
      2. ???
    • openssl does escaping (per man page) (input? output?)
    • library test through unit tests
    • openssl command for multiple SANs?
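The three open questions from items 9 and 10 (how "commonName" becomes "CN", what openssl's escaping does to a subject, and how to get multiple SANs out of a request) can be checked against openssl itself. The script below is an added example for these minutes, not CAcert code or the planned PHP library: it generates a CSR with a two-component subject and three SAN entries (one a punycode IDN label), renders the subject with short names, long names and raw OIDs, and extracts the CN and the SAN list. It assumes only that `openssl` 1.0.2 or newer is on PATH; the organisation and host names are made up.

```shell
#!/bin/sh
# Added example, not CAcert code: generate a CSR and show how openssl renders
# and escapes its subject, and how to pull CN and subjectAltName out of it.
# Assumes only `openssl` (1.0.2 or newer) on PATH; all names are constructed.
set -eu

# Create a fresh 2048-bit key and CSR in a temporary directory; prints the CSR path.
# The config deliberately puts a comma inside the O value to exercise escaping.
make_csr() {
  dir=$(mktemp -d)
  cat > "$dir/csr.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = ext
[ dn ]
O = Example, Inc.
CN = example.test
[ ext ]
subjectAltName = DNS:example.test, DNS:www.example.test, DNS:xn--mnchen-3ya.example.test
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
    -out "$dir/csr.pem" -config "$dir/csr.cnf" 2>/dev/null
  echo "$dir/csr.pem"
}

# Render the subject with a given -nameopt string (e.g. RFC2253,
# oid,sep_comma_plus or lname,sep_comma_plus) and drop the "subject=" prefix.
csr_subject() {
  openssl req -noout -subject -in "$1" -nameopt "$2" | sed 's/^subject= *//'
}

# Extract the CN from the RFC 2253 rendering. RFC 2253 output reverses the RDN
# order, so CN comes first, and escapes ',' inside values as '\,'; the regex
# therefore stops at the first unescaped comma instead of splitting on commas.
csr_cn() {
  csr_subject "$1" RFC2253 | sed -nE 's/^CN=(([^,\\]|\\.)*).*$/\1/p'
}

# List the subjectAltName entries requested in the CSR, one per line.
csr_sans() {
  openssl req -noout -text -in "$1" \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

csr=$(make_csr)
echo "RFC2253:    $(csr_subject "$csr" RFC2253)"
echo "OIDs:       $(csr_subject "$csr" oid,sep_comma_plus)"
echo "long names: $(csr_subject "$csr" lname,sep_comma_plus)"
echo "CN:         $(csr_cn "$csr")"
echo "SANs:"; csr_sans "$csr"
rm -rf "$(dirname "$csr")"
```

The `sname` (default), `lname` and `oid` name options select columns of one table in OpenSSL's object database, which is where "CN", "commonName" and 2.5.4.3 are tied together; that is the header BenBE points at. The RFC 2253 rendering shows why a parser cannot simply split the subject on commas: the value `Example, Inc.` comes back as `Example\, Inc.`, and a naive split would yield a bogus extra component. The SAN list comes out of the `Requested Extensions` block of `-text`, which is the part the current getalt() has to reproduce for multiple entries.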
  11. New patches
    1. Marcus: OA sql query procedure, NEO to test on testserver
    2. bug #782 Add "notes" field to certificate information

      • inopiae

        bug #782 Add "notes" field to certificate information

        {0}

      • moved to testserver
      • Client certs
      • Current:
        • Renew/Revoke/Delete | Status | Email Address | SerialNumber | Comment | Revoked | Expires | Login

      • move comment to end
        • Renew/Revoke/Delete | Status | Email Address | SerialNumber | Revoked | Expires | Login | Comment | edit

      • create new cert below all mandatory fields?
  12. bug #1097 "Special characters which have no HTML-entities are not properly escaped"

    • needs testing, 2nd review, BenBe will check

    • first test variations show that there are remaining problems

5. New SA candidates and Coders

  1. Heino, not yet prepared, needs first contact
  2. How to find coders? Experiences from the Gentoo project

6. Long Term Projects

  1. NEO: "BlackJack" bug #964

    • NEO: "BlackJack" bug #964 testing from last week -> error codes

      • started implementing
    • how does bug #1017 relate to this bug?

      • cert signing routine
      • IE5/IE6: automatic storage of the signed key in the local key store
      • does not work under Vista / Win7
      • an MSI package is to be downloaded that imports the keys into the local key store under Vista / Win7
      • relates to bug #1099 but is quite different

      • neo sent the MSI package for testing to u60 and benbe; test passed successfully
  2. Marek's sql class project:
    • is working on charset replacement
  3. API project: Carsten continues with the portal project without waiting for the vendor API to be delivered
    • vendor API delayed
      • no coders
      • other projects
      • related to the sql class project
    • portal project continues with a workaround, needs an assurer
      • the arbitration case on the locations database orders outsourcing of find-an-assurer ASAP
      • with the portal function, updating the data is possible, whereas updating data on the critical system is difficult (keep data current for assurers)
      • relation to the location database
        1. website find an assurer
        2. scripted mailing for ATE invitations
      • user check that data is still valid, e.g. every year
        • notification at login if not online for up to 6 months
        • notification by email if not logged in within the last 6 months
  4. Automated testing system
  5. Timo: monitoring signer, not yet done
    • Probably Wytze monitors the systems externally?!?
    • see Systems overview

    • monitoring system, e.g. Zabbix instead of Nagios?
    • BenBE: Icinga as an alternative?
    • Zabbix agents must be the same revision as the server
  6. Timo, Benny: distro needs upgrade
    • lenny: support ended Feb 2012
    • the upgrade from etch to lenny was a long-running project
    • squeeze (current stable release): tests started by the critical team
      • wheezy: close to its release date
    • Michael: email sent 2012-10-09 regarding the squeeze upgrade to the critical team
      • response received
      • testing WIP
      • move to sun2 proposed

7. next meeting

Minutes

  1. preface
    1. patches conflicts
      • on transfer of bug #978, merge conflicts occurred; new findings
  2. patches on agenda
    • 1113, 1114, 1025, 782, 1109, 977, 590
    • current state on testserver: 1111, 1114
    • 782 on testserver
    • 1109 on testserver
    • needs 2nd review: 1114
    • 1111: tested by 2, needs 2nd review
    • 512 transferred
  3. cert auto install procedure
    • msi, ff
    • long discussion
  4. info from Timo: apologies, cannot make it today or next time
  5. AGM notifications discussions
  6. from last meeting: BenBe: request: HTTPS header on the bug tracker, bug #1116

  7. "Thawte points removal, final step" bug #1054

    • current state: runs in debug mode with points1, points2, points3, points4 reflecting the conditions
    • conditions points1 and points2 not yet defined
  8. needs 2nd review
    • 1109 Neo, 2nd review
    • 1114 Neo, 2nd review
    • 1111 Neo, 2nd review
  9. summary - state of patches
    1. 512 scripting OA -> software untestable => NEO

    2. 1109 Neo, 2nd review
    3. 1114 Neo, 2nd review
    4. 1111 Neo, 2nd review
    5. 977 Neo, 2nd review
    6. 922 needs work
    7. 782 needs work
    8. 440 needs work
    9. 1004 needs work by neo
    10. 1113 needs work by benbe
    11. 1097 needs work by neo
    12. 590 solved, was fixed back in 2009, another main bug 505 is still in work queue
    13. 1017 needs work by neo
    14. 1025 needs testing

Fixed Action Items since last or within meeting

Action Items New

Action items: see Meeting Action Items


Software/Assessment/20121120-S-A-MiniTOP (last edited 2012-11-21 00:59:25 by UlrichSchroeter)