Minutes of the MiniTOP on the 2013-04-30

Setting

The MiniTOP will be held via telco 22:00 CEST (20:00 UTC)

Attendees: BenBE, Magu, Marcus, Uli, Michael

Topics

(skip to agenda)

Action items from last meeting Meeting Action Items

Software/Assessment/ActionItems

Development, Deployment, Discussion

  • OAO, Ted

    bug #943 change OA admin/assurer text

    needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected

    {-}

    uli, Ted

    bug #824 Org User cert fix Case study

    Organisation User Certificates: Need UI improvement for proper production usage

    {0}

    uli, ted

    bug #823 email address removal fix

    No warning when removing e-mail address from account that certificates will be revoked
    checked by 4, needs 2nd review, deploy
    rejected

    {-}

    inopiae

    bug #920 Join - single name only (eg Indonesian)

    details under bug number

    {0}

    uli

    bug #859 admin console interface

    feature request: show activity on an account in the admin interface
    rejected, certs login doesn't modify "modified" field

    {r}

    Michael

    bug #540

    p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
    uli, marcus: needs full cert create tests
    duplicate report to bug#978
    tested by 3, 2nd review done, transfered
    Ken reported: still has problems, bug kept open

    {0}

    gagern, NEO

    bug #440 Problem with subjectAltName (CSR, renew certs)

    There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development

    {r}

    neo

    bug #1025 Domain Dispute issue

    disputes rc and rc2 var prob
    needs work

    {r}

    dirk

    bug #1054 0001054: Review the code regarding the new point calculation

    Thawte patch part II
    needs further work

    {r}

Software Assessors: Review 1 / add to cacert-devel, add to testserver

  • Software-Assessors task

Testing

  • Testers task

    neo

    bug #1004 Stats page improvement

    tested by 2, needs 2nd review

    {0}

    neo

    Bugs #1159 it might be possible to execute commands on the signing server

    {0}

    inopiae

    bug #1065 Wrong wording when sending mails during the assurance process

    {0}

    inopiae

    bug #1162 calcutate (the passwords) hash in php instead of in mysql

    create test scenarios for the software testers /!\
    Full testing /!\

    {0}

    inopiae

    bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails

    {0}

    inopiae

    bug #988 TTP cap form deployment

    {0}

Software Assessors: 2nd Review, Bundle Package to Critical Team

  • Software-Assessors task

    Ted

    bug #500 Get contact mail adress after resolving test

    tested by 3, requires review

    {0}

    Ted

    bug #1140 Show if a test is passed in learnprogress

    tested by 3, requires review

    {0}

    magu

    bug #1131 Rename _all_ Policies from .php to .html and fix all links

    global policy directory maintenance and update

    {0}

    inopiae

    bug #1010 Reorder the view on organisation certificates

    tested by 3

    {0}

Software Assessors: Bundle Package to Critical Team

  • Software-Assessors task

    inopiae

    bug #1139 Add new fields to the database

    tests through #500 and #1140, 2nd review done, requires transfer

    {0}

Awaiting Response from Critical Team

  • inopiae

    bug #411 Wrong text is made into link

    {g}


Agenda

1. Preface

  1. Sponsoring for new Infrastructure Server
    • at the secure-u meeting at Linuxtag Berlin 2012, one suggestion for using the server was the testserver host or as machine for the non-critical infrastructure separation. The latter migration has been finalized by move to Infra01

    • as the testserver host moved to another location and Andreas is trying to replace the machine with a less power consumption hardware, the testserver host equipment requires rethinking
    • ship the machine to BIT, Ede, NL ? build up the testserver host at BIT? in non-critical infrastructure environment, use the sponsored machine for other purposes?
    • What do Infrastructure team and Critical team says?
    • Todo: make a plan for proposed usage, ordering, shipment, installation, migrations
      • From last meeting:
        • new hosting center means addtl. hosting costs, that may become a problem, new project
        • the new server should serve as infrastructure host as we are running low on resources (especially disk space) there
        • testserver host: andreas is thinking of a replacement for current machine with a low power consumption machine
        • question is whether we actually need a separate machine for testing as the test server is mostly idle and that means there is a continuous power consumption just for idling
        • so probably ship the new hardware to bit ede, use as non-critical infra02 .. and move over testhost to infra02 + some guests from infra01 ?!?
        • don't know yet, we would have to ask infrastructure team or sysadmins in general
  2. request to NEO: reduce keysize, increase expiration time on CACERT1 (current state), requires reset
  3. current state of bugs (from last meeting)
    1. 1159 at critical, requires work by critical admin, requires bit visit
    2. 922 ready to deploy
    3. 918 defered, requires sample certs (1024bit, longtime expires for master account)
    4. 1017 defered, IE problem, to be pickedup by NEO
    5. 1165 needs review
    6. 47 needs review
    7. 1121, merge conflict pushed to NEO
    8. 1122, dependent 1121
    9. 1154 needs review
    10. 1112 awaits response from critical - transfered
    11. 1099 awaits response from critical - transfered
    12. 569 needs review by NEO
    13. 1124 requires review
  4. work queue for today
    • to test: 1017, 918, 740, 922, (1159?)
    • needs review: 1008, 569, 1154, 1124
    • transfer to production: 1121, 1122

2. Documentations

  1. Documentation - Review / Changes to add (relates to Policy Group SP review)
  2. Documentation - To-Do (relates to Policy Group SP review)

3. DEV on bug 1023/1054 "Thawte Patch"

4. requires transfer to production

5. 2nd review of remaining patches

5.1 Michael's/Dirk's Task 2nd review

6. Patches Overview - Testing, Development

  1. needs further testing
    1. 918 .. keysize
      • Middle security mostly relates to keysize 1024, High security to 2048 but this all relates to crypto provider
      • needs testing
    2. 740 .. How to become an assurer is missleading
      • needs testing
    3. 1099 .. Root Keys installer on Root Certificates .. Homepage integration
  2. summary - state of patches
    1. 922 needs work (returned from production)
    2. 782 needs work
    3. 440 needs work (NEO) (see also below)
      • Patch bug #440 was defered (timo addtl. work), but this project stalls. What to do with bug #440 ?

        gagern, neo

        bug #440 Problem with subjectAltName

        tested, needs 2nd review, rejected, new deployment getcn/getalt procedure, relates to bug #1101

        {r} 2

    4. 1004 needs work by neo
    5. 1113 needs work by benbe, transfered to cacert-devel
    6. 1017 needs work by neo
    7. 1025 needs testing
    8. 1124 needs rework
      • inopiae

        Bugs #1124 Selection of additional languages, sorting is somewhat strange

        {0}

      • Michael review ok
      • needs testing
      • sorting order strange under "addtl. language"
      • proposed: language, country
      • 2013-02-19 needs new patch
      • proposal BenBE: display locale language country
        • [de-AT] Deutschland (Östereich)
        • [de-AT] Deutsch (Östereich)
    9. 1112 needs confirmation of 2nd review, then ready to deploy
      • inopiae

        Bugs #1112 Exchange the text on the TTP page according to the new TTP programm

        live testing, probs with form (if pts < 100)

        {0}

      • 1112, tested by 3, needs 2nd review
      • Michael reviewed
      • 1112, did some rework (TTP text changes)
      • current state: 2nd review, some changes, BenBE to confirm 2nd review and deploy
      • BenBE, 2nd review -> ack

      • last activity/last changes
      • at least one essential change (get-count-ttp-assurances) changed search from "assurances-from" to "assurances-to"
      • dated 2013-02-26

      • 3 tests have been made after 2013-02-26
      • ready to deploy
      • needs update of patch 1023 (new points calculation routine)
      • Bugs #1023 re-opened

    10. copied to cacert-devel, on testserver
      • available 740 fix isn't in compliance to bug #671

      • related bug #1112 is also in question

        inopiae

        bug #740 How to become an assurer is missleading wot 2+4 fixes

        needs testing and 2nd review

        {0}

      • contrary discussion
    11. BenBE: bug #569 pushed to testserver (2013-02-19)
      • inopiae

        Bugs #569 569: output order when removing email address

        {0}

  3. Policy text and Arbitration ruling bug# fixes
    1. Policy text changes
      • new bug #1131 Replace all policies from php to html

        Inopiae

        Bugs #1131 Rename PolicyOnPolicy.php and other Policies too to .html

        {0}

      • dirk to review
      • PoP update running under Policy Decisions #p20130223

      • proposal to await final decision dated 2013-03-08
      • to wait until end of p20130223 -> 2013-03-08

      • POLICY images to transfer from www.cacert.org/images to www.cacert.org/policy/images -> img src="images/.."

      • url link
      • BenBE: needs patches 1146, 1147, 1131
      • all 3 patches attached as complete archive under bug #1131 as zip

        • BenBE: wants them in git
          • git guru: take over this task
    2. Arbitration ruling text fixes
      1. bug #879

        • CAcert must update the web page on disputes, and include an explanation how to file a dispute (a20091206.1)
  4. bug #922 problem, transfered to critical, Wytze did a rollback

    • neo, dirk

      bug #922 missing "certificate about to expire" messages

      tested, reviewed by 2, needs 2nd review

      {0}

    • you can use previous test to also check "certificate about to expire" messages
    • notification expected: 1d, 15d, 30d, 45d
    • Uli: Marcus plz test again
    • Marcus+Uli: plz add serno of cert about to expire into the message text
    • NEO: added serno on Oct 2nd
    • Uli: 15d notification rcvd at 5th, 6th Oct, last 1d expiry warning expected: Oct 19, passed ok
    • moved to 2nd review
    • BenBe: 922 2nd review, currently busy, feels not ready to review this patch

    • tested by 2, needs 2nd review, BenBe passed to other SA

    • -> dirk, assigned

    • seems to be ok, ready to go
    • BenBe to transfer to critical team

    • patch transfered, but rolled back. reason: patch brings critical system to hung
      • Analysis
        • testserver less data then production system
        • potential problem distinct clause in query
        • whats about proposals by Timo?
        • data count: 1000 on testserver, 900.000 on production
          • create a test set of 900k certs in database?
        • tables used, record counts: domaincerts 74, domlink 75, domains 52
          • which tables, table structure, db format: default myisam
          • domain*, email*, users
          • to contact critical team with general infos about above tables
      • wytze, timo, dirk, benbe, michael discussion by email
        • proposal to wytze, to add indixes (all tables selected by where clauses created, modified, expired, revoke)
        • confirmation by 2nd SA
    • 2013-01-22: still open
    • discuss with NEO
    • database modifications, index modifications
    • performance issues, needs applied into a patch
    • sql query proposal see https://bugs.cacert.org/view.php?id=922#c3347

    • [2013-04-16]
      • rejected patch, update queries, indices, re-deploy patch (#922)
      • is in testserver stable
  5. bug #1004 Stats page improvement

    • neo, BenBe

      bug #1004 Stats page improvement

      tested by 2, needs 2nd review

      {0}

    • stats, Marcus + Uli did some tests, one problem identified, fixed 2012-08-25 by NEO
    • fully re-tested by 2: 2012-08-25 (at froscon)
    • needs 2nd review
    • moved out to cron job routine
    • -> BenBe, assigned

    • 1004 ... on review by BenBe

    • checked BenBe

    • work done by NEO, pushed to cacert-devel, transfered to testserver
    • needs 2nd review, tested
    • current state:
    • open issues
      1. How are deleted users handled?
      2. Isn't "verified_certs" misleading as the affected tables also contain certs that failed to be signed?
      3. User Statistics don't take removed assurances into account (???)
      4. Why not calculate backwards in the year-dependent loop from the already known values? The loop runs backwards already anyway.
    • the latter is still open
  6. bug #1025 Domain Dispute issue

    • BenBe will pickup for 2nd review

    • needs further testing
    • magu, inopiae, u60 -> testing https://bugs.cacert.org/view.php?id=1025

      • several test accounts, variations of one or more email addresses, 0 or 1 domain added
      • test the full disputes procedure for all variations
      • tested by u60
  7. bug #1054, test 1054.3.6, bug #1035

    • create several types of certs (client certs, server certs, org client certs, org server certs) and analyse the content of the certs -> subjectAltName and CN with single SAN and multiple SANs

    • renew the certs
    • addtl. tests ? Marcus? Magu? BenBe?

    • 2012-10-02 dirk: problems with git push #1054, got fixed
    • DEV on bug 1023/1054 "Thawte Patch"
    • see reference notes note 3225 on bug #1101 and note 3245 on bug #1101

  8. bug #1017 {o} , relates also to bug #1054, test 1054.3.6 - Chrome certificate enrollement (relates to #964 "Black Jack") bug #964

    • create client certs, go to signing routine
    • new routine with 3 different potential signed public key download routines /account.php?id=6 list 3 options
      1. Install the certificate into your browser (tested)
      2. Download the certificate in PEM format
      3. Download the certificate in DER format
    • bug #1017 Chrome certificate enrollement

      • BenBe will pickup

      • bug #1017, doing some more tests?

        • new routine with 3 different potential signed public key download routines /account.php?id=6 list 3 options
          1. Install the certificate into your browser (tested)
          2. Download the certificate in PEM format
          3. Download the certificate in DER format
        • Alex, Marcus doing some more tests
    • BenBE to review
    • review bug #964 by Michael
    • bug #964 transfered, still open: bug #1017
      • bug #1017 Chrome certificate enrollement

      • needs testing (lost by transfer to testserver stable)
      • commited 2012-09-04
      • new commited 2013-02-13
      • 964 create cert works, install into browser doesn't work
  9. Marcus Bugs list
    • see Software/BugsOverview

    • according to Bugs # 976

      • 0000976: List of update request for webdb database structure upgrade with tables / fields
      • addtl_notes table hasn't been added in patch bug 976 on 2011-11-25

      • OU info from Org cert not stored
      • addtl_notes table hasn't been added in patch bug 976 on 2011-11-25

      • extend org certs table ? new bug?
      • OU in subject?
      • includes/account.php (17)
      • in org certs it is in subject
      • addtl. field ou ? new bug# ?
      • used bug #1010
  10. new bug #1095 "Problems with creating server sertificate where the csr is created with Java SDK Tools"

    • cmdline sample: keytool -genkey -alias test.test.net -keyalg RSA -keystore test.test.net.ks -validity 1095
    • NEO couldn't reproduce the problem using keytool, tested against production and testserver
    • identified as weak key usage: csr used MD2 encryption, not or no longer supported by openssl, add new error message
  11. bug #440, bug #1101 (extract CSR) (back under development)

    • ASN.1 format
    • CSR extract: needed for signing: email address, hostname
    • Timo will write a CSR parser
    • Current:
      • CN will be parsed
      • some information about public key
    • ASN.1 php library
    • Whats about UTF-8 ?
    • IDN's
      • Policy: p20091108 CPS to drop assurer critieria and allow IDN certificates in specified TLD or single script character sets

      • FAQ Privileges

      • CPS 3.1.7

      • Assurance Handbook - Some more Information

        • Code signing and IDN certificates
          If you are an Assurer, you can get certificates signed/issued by CAcert for code signing and IDNs (International Domain Names).
          Due to the increased possibilities for abuse those certificates have additional requirements. The CPS states that this requires Assurer level, which you meet if you are reading this Handbook. However note that as of 20091106, there is a move to reduce these requirements. Watch this space.
    • current only client and server certs, other options currently not selectable, except Code Signing
      • extensions currently not supported eg jabber
      • bug #530 XMPP extension not present after renewal

      • bug #87 Issuing certificates for Jabber servers/users

    • parameters: domains, current first becomes CN, others SANs
    • rebuild subject routine ... to check
    • Michael: shall we enforce cn from csr?
      • optional?
      • enforce copy cn to SAN
    • asn1 parse procedure, http://lapo.it/asn1js/

      • getcn, getalt procedure
      • docs für extractit() und getcn(): general.php line.230

      • felicitus: how someone get "CN" from "commonName"? where is it documented that "CN" is "commonName"?
      • OID of commonName is 2.5.4.3, but there is nothing about "CN"
        • BenBE: see Header of OpenSSL-Header
    • Patch bug #440 was defered (timo's addtl. work), but this project stalls. What to do with bug #440 ?
    • ASN.1 parser - planned: incorporate asn.1 from openssl
  12. bug #1101 refactoring getalt getcn (Timo)

    • might 1101 comment c3225

    • tries to build a php library for openssl parsing replacement
      1. asn.1 parsing, own library
      2. ???
    • openssl does escaping (per man page) (input? output?)
    • library test thru unit tests
    • openssl command for multiple san's ?
  13. New patches
    1. bug #782 Add "notes" field to certificate information

      • inopiae

        bug #782 Add "notes" field to certificate information

        {0}

      • moved to testserver
      • Client certs
      • Current:
        • Renew/Revoke/Delete | Status | Email Address | SerialNumber | Comment | Revoked | Expires | Login

      • move comment to end
        • Renew/Revoke/Delete | Status | Email Address | SerialNumber | Revoked | Expires | Login | Comment | edit

      • create new cert below all mandatory fields?
  14. GPG bugs
    1. import prob (eg bug #992 )

    2. delete/revoke GPG keys (eg bug #1079 )

      • trust signatures can be revoked
      • CRL's have to be added to keyservers, but no one will check
      • revocation: 5 reasons given
      • should be possible, but project needs a developer
    3. GPG bugs
      • OpenGPG parser project, reviewed by Michael last weekend
      • Michael remark: using 3x = (===) instead of 2x = (==)
      • unpack (N) 32bit unsigned may become a problem
      • relates to hardware platforms, signer has been replaced about 2 years ago, but needs to be used on both sides (webserver + signer). Webserver upgrade is WIP
      • in principle ok
    4. BenBE: GPG/PGP parser
      • revoke gpg keys implemented
      • 1181

  15. bug #279 bad domains

    • .*top.*
    • regexp list
    • database table exist
    • update procedure?
    • whats about recuring distribution of update files via cabforum?
    • arbitration?
    • SE console for update?
    • critical admins?
    • check routine on add-domain
    • add domain under OA should be possible ...
    • one-time check of current existing domains ?
      1. first time check against full filter list
      2. individual check in event add domain
      3. global check in event add entry to filter list
      4. replace/update full filter list (case 1 + 4)
    • meta infos:
      1. datasources
      2. attributes (?)
      3. creation date
      4. delete entry / revocation date
  16. bug #1121 and bug #1122

    • Assure Someone change request (result from 1122: assure someone, CCA acceptance in Assure someone process)
      1. question: where is the CCA acceptance path of an Assurer?
        • AP defines, Member has accepted CCA by joining CAcert and create an account
        • but there are also "old" assurers who didn't accepted CCA yet
        • 2 known requirements to become an Assurer: 100 APs, CATS passed
        • 3rd yet unverified: CCA acceptance
        • Assurance to be AP conform references to AP
        • Assurance statement gives no statement, that Assurer has accepted CCA
        • AP 4.5 only requests CCA acceptance from Assuree
        • CATS test requires a valid client cert. Client certs can be created without CCA acceptance!!!
        • There is no addtl. CCA acceptance check under CATS
        • so in effect:
          1. an assurer may have created an account before the CCA acceptance request was added to the join form
          2. an assurer may have received upto 100 APs + 50 EPs before CAcert's policy days
          3. giving an assurance doesn't request a CCA acceptance from the Assurer, only the request that assurance is AP compliant
        • so there is no straight verification path that an assurer has accepted CCA except receiving new assurances by -> passive CCA acceptance

      2. assure someone form enhancement
        1. New I verify that the Assuree accepted CCA
        2. Location
        3. Date
        4. assertion
        5. Ap
        6. New I accept CCA
        7. Policies
        8. Points
        9. text (a): I have read and understood the Assurance Policy, the Assurance Handbook and the CCA and am making this Assurance subject to and in compliance with the policy, handbook and CCA.
        10. text (b): I have read and understood the CCA, the Assurance Policy and the Assurance Handbook. I am making this Assurance subject to and in compliance with the CCA, policy and handbook.
        11. AH AP CCA & & dup dup read understood comply.

        12. text (c): I have read and understood the CCA, the Assurance Policy (AP) and the Assurance Handbook (AH). I am making this Assurance subject to and in compliance with the CCA, AP and AH.
    • see also top 4
    • [2013-04-16] bug #1121 reviewed by dirk: ok

      • sidenote by dirk:
      • on continuous dev the remove-function requires an addtl. modification
      • but this isn't deployment critical to this current bug
    • [2013-04-16] bug #1122 reviewed by dirk: ok

  17. bug #1135 SE activity audit tables

    • addtl. recording of arbitration numbers to members
    • results in long discussions
      • requirements, thought cases (eg name change request while another arbitration is running (-> uncritical))

      • delete account requests handled under precedent case a20111128.3), one "critical" case (certs misusage) is turned in procedure: arbitrator has to follow "emergency case" procedure and to keep track of open "delete account" cases

      • interferance/interaction of 2 of the 3 powers (executive, judicate) (arbitration has to act as executive to forward all new cases to support team with list of open/running arbitration cases)
    • all ends on (arbitration) "critical" cases
    • "critical" cases will be handled under Arbitration eg. a20111128.3 within reasonable (eg 48 hours) window

    • discussion defered
    • 1135 (BenBe) 2nd review by another SA before moving to testserver

    • Michael to review
      1. bug #1135 Extend database table AdminLog et al

  18. bug #1136 SE console, delete all certs of a member (instead of highjack an account)

    • probably 1 requirement: addtl. verification step
    • 2013-02-26:
      • bug #1136 - revoke certs doesn't work
      • server log shows no errors
      • and the fix: cacert-devel: testserver-stable 90bdd8cb Timestamp: 2013-02-26 23:32:07
    • added to testers portal, needs testing, 2nd review
    • doesn't work as expected, needs work
  19. bug #893 Extend Delete account feature for support

    • inopiae

      bug #893 Delete account rev 3 procedure

      needs testing and 2nd review

      {0}

      • test 893 (delete account) with existing server certs, also gpg certs
      • gpg revocation is currently not avail ...
        • manual procedure: currently we hadn't such a case in manualy procedure
        • proposal: in production: set on hold until gpg key expires
        • for testing: gpg keys not expired -> stop procedure if remaining gpg keys not expired

      • if account is locked -> no special exception

      • org admin flag set -> procedure stop (includes Org certs avail)

      • related dispute bugs 1136? 1045?
  20. bug #1137 Record the CCA acception for entering an assurance

    • inopiae

      bug #1137 Record the CCA acception for entering an assurance

      needs testing and 2nd review

      {0}

    • 1137 "Record the CCA acception for entering an assurance" needs review testing
  21. bug #740 How to become an assurer is missleading

    • according to bug #671 all text pages should be banned within webdb and redirected to a wiki page

    • available 740 fix isn't in compliance to bug #671

    • contrary discussion
    • 2nd review by dirk (started), [2013-03-12] 2nd review ok
    • needs further testing
  22. bug #1141 If i delete Domains, no Servercerts for this domains are listet, even not the revoked

    • moved to testserver

      NEO

      bug #1141 If i delete Domains, no Servercerts for this domains are listet, even not the revoked

      needs testing

      {0}

    • discusssions: arb case? privacy (eg PP 10.), data retention (-> Australien DPA)

    • Marcus to contact Benedikt
  23. bug #1008 View for SE to see if user is Organisation Admin for which Organisation Accounts

  24. what to do with bug #1143 Web site doesn't scale vertically

  25. Advertisement
    • permission review script doesn't include ADadmin
    • relates to bug #1003 and Arbitration case a20110118.1

    • board motion? treasurer? adadmin?
    • Answers given by Intermediate ruling #7 under a20110118.1

    • Michael to pickup
  26. bug #901 Renewal of certificate with WIN 7 and IE8

  27. Marcus: bug #1160 "Unable to import personal cert/key into Tunderbird or Evolution, hence unable to encrypt mail with CACert certificates" - needs feedback

    • does this have to do with the last patch install ?
      • Since install of patch bug #964 (Black Jack) automatic client cert installation and renew into FF doesn't work (install to IE5 button doesn't work)

      • signed public client cert will be presented in ascii for copy and paste into a file, but this cert doesn't include the private key part, so the signed public key has to be marriaged with the private key
      • see also FAQ client certs Renew Client Certs under FF

      • patch bug #1017 includes an automatic install into Mozilla keystore, current code on production doesn't

  28. Marcus: server.pl - bug #1159 - it might be possible to execute commands on the signing server

    • answered by Wytze
    • NEO tries a patch
    • server.pl issue .. review by Ben finished, ready to deploy bug #1159

  29. Marcus: patch avail bug #1154 Failed client cert login message talks about wrong menu item "Normal Login" instead of "Password Login"

    • $_SESSION['_config']['normalhostname'] = "www.cacert.org";

7. Long Term Projects

  1. NEO: "BlackJack" bug #964

    • NEO: "BlackJack" bug #964 testing from last week -> error codes

      • started implementing
    • how does bug #1017 relate to this bug?

      • cert signing routine
      • ie5 ie6 automatic storage of signed key in local keystore
      • doesn't work under vista, win7
      • msi package is to download and import the keys to the local keystore under vista, win7
      • relates to bug #1099 but is quite different

      • neo sent msi package for testing to u60, benbe; test successful passed
      • bug #964 passed, #1017 still open
      • bug 964, has been passed to production, key generation works, transfer into browser not
      • BenBE: reviewed bug #1099 roots installer

      • Root Certificates

      • displays: "Windows installer package for browsers that use the Windows certificate store (for example Internet Explorer, Chrome on Windows and Safari on Windows)"
      • some ideas to move the installer to own section
      • Michael: reworks bug #1099 (roots download page)

      • needs testing
  2. Marek's sql class project:
    • is working on charset replacement
  3. api project, Carsten continues with portal project not waiting for vendor-api to be delivered
    • vendor-api delayed
      • no coders
      • other projects
      • related to sql class project
    • portal project continues with a workaround, needs an assurer
      • arbitration case on locations database orders outsourcing of find-an-assurer asap
      • with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)
      • relation to location database
        1. website find an assurer
        2. scripted mailing for ATE invitations
      • user check that data is still valid eg every 1 year
        • notification at login upto 6 months not online
        • notification by email if not logged in within last 6 months
  4. Automated testing system
  5. Timo: monitoring signer, not yet done
    • Probably Wytze monitors the systems externaly ?!?
    • see Systems overview

    • monitoring system eg Zabbix instead of Nagios?
    • BenBE: Icinga as alternate?
    • Zabbix agents: requires to be the same revision as server
  6. Timo, Benny: Distro needs upgrade
    • lenny - support ended Feb 2012
    • upgrade etch to lenny was a long running project
    • squeeze (current stable release) - tests started by critical team
      • "wheezy close before release date
    • Michael: email sent 2012-10-09 regarding squeeze upgrade to critical team
      • response received
      • testing WIP
      • move to sun2 proposed
  7. TLS project
    • BenBe/Wytze talked @ fosdem
    • risks fairly low, awaiting fix
  8. CAcert installer project
    • Michael got codesigning and tries to add the cert to crypto stick
    • also related "Black Jack" project
    • profiling of use cases for different cert types (client, server, org client, org server)
    • cont. working code signing cert into crypto token for software assessment releases code signing
    • to build new revision of CAcert installer with all lang translations to sign via key on crypto token
  9. secure boot project (required steps?) (also relates to New Roots & Escrow)

    • we have
      • risk analyze
      • new roots procedure
    • required steps?
      • Escrow method to select
      • subroot under eg. org++
      • cps changes
      • new roots?
      • new signer?
      • indirect crl's

8. next meeting

Minutes

  1. Preface
    1. request to NEO: reduce keysize, increase expiration time on CACERT1 (current state), requires reset
      • current settings aren't as expected (see bug #918)
      • fixed in meeting
        • type

          min keysize

          expires

          client certs

          1024 {g}

          2 years {g}

          server certs

          1024 {g}

          2 years {g}

          org client certs

          1024 {g}

          1 year {g}

          org server certs

          1024 {g}

          1 year {g}

  2. Patches to test:
    1. 1017 - total fail on IE
    2. 918 - basis missing, keysize limit per patch raised to 2048, for testing lowered to 1024
    3. 893
      • requires regexp to check validity: /^[a-z]\d{8}\.\d+\.\d+$/i
      • several tests and updates
    4. 1137
    5. 602 - report from Werner is status quo in current system, 2nd test required
  3. bug #988
  4. discussion about topic CAcert logo / styleguide
  5. MySQL -> transactional

    • move isam to innodb
    • new: bug #1172
    • Switch MySQL to MariaDB ?

Fixed Action Items since last or within meeting

Action Items New

Action items: Meeting Action Items


Software/Assessment/20130430-S-A-MiniTOP (last edited 2013-05-05 08:42:41 by UlrichSchroeter)