 . '''To Software [[Software|Software]]''' - '''To Software-Assessment [[Software/Assessment|Software/Assessment]]''' - '''To [[Software/Assessment/20130709-S-A-MiniTOP|previous meeting]]''' - '''To [[Software/Assessment/20130723-S-A-MiniTOP|next meeting]]'''
----
= Minutes of the MiniTOP on the 2013-07-16 =

== Setting ==
The MiniTOP will be held via telco 22:00 CEST (20:00 UTC)

Participants: BenBE, Magu, Marcus, Mario, Michael, Uli

== Topics ==
(skip to [[#AGENDA|agenda]])

Action items from last meeting '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''

== Agenda ==
## last full agenda https://wiki.cacert.org/Software/Assessment/20120228-S-A-MiniTOP

=== 1. Preface ===
 1. Looking at bug Bug:1184 to determine what to do about it (hex2bin)
  . was a conclusion reached in meeting 2013-07-02?
 1. tk-server / testserver system hosting
  * plans for moving the testserver from its current location to BIT Ede, NL (new non-critical infrastructure?)
  * What are the testserver host requirements? The current non-critical infrastructure runs on LXC, while the testserver runs under VMware ESXi 3.5
   a. piped serial interface configuration
   a. isolating port 25 for testservers (local firewall?)
  * Plans are: using VirtualBox
 1. emergency fix, normal way
  * fixed bug Bug:1190 did follow the [[Software/Assessment/Documentation/EmergencyPatches|Emergency Patches]] procedure
 1. Emergency patches fast path strategy
  * the proposed "fixed within 24 hours" didn't make it, but transferring a patch within 3 days is a first good result and gives us a first practical indication of how fast the "fast path strategy" may work
  * despite the fact that bug Bug:1190 missed the "critical" patch state, the goal with this patch was to move it asap onto production, as the news display routine became broken on the main website after the recent upgrade of the blog system.
  * Once bug Bug:1190 was first reported 2013-07-13 10am, 3 developers started sending in patches, testers tested the patches locally and on the testserver, and 2 Software-Assessors continuously reviewed patches and re-fixes, so the finally tested and reviewed patch was sent Mon 2013-07-15 23:30 to the critical team, which deployed it Tue 2013-07-16 10am onto production.
  * Some analysis of the process (for optimisation purposes)
   * In the start phase, receiving the bug report and starting analysis / sending in the first patches, we had around 24 hours of inactivity
   * From sending the patch from Software-Assessment to the Critical team, we had a 10 hours delay
   * 72 hours total from reporting to applying the final patch
  * ''Summary''
   * in an emergency case, we are able to wake up all involved parties to start asap with analysis and patch development -> 72 - 24 = 48 hours to go.
   * In the final phase, the transfer to the Critical team can be optimized by giving the critical team a phone call once the patch has been sent to them -> 48 - 10 = 38 hours.
   * With 38 hours from reporting to fix applied we're close to the proposed "Emergency patches fast path strategy"
   * Speeding up the process requires extensive usage of all available communication and reporting channels (phone, irc, email)

=== 2. Documentations ===
 1. Documentation - Review / Changes to add (relates to Policy Group SP review)
  * [[https://wiki.cacert.org/Software/Assessment/Documentation/UpdateCycle|Description of Software Development Update Cycle]]
  * further review required
 1. Documentation - To-Do (relates to Policy Group SP review)
  * developer git repos under github
   * [[https://github.com/BenBE/CAcert/commits/bug-1131|bug #1131 history @ github]]
   * [[https://github.com/CAcertOrg|CAcertOrg @ github]]
  * see also [[Software/Assessment/ActionItems]]
  * relates to [[Software/DevelopmentWorkflow]]
  * Detailed documentation started under: [[Software/Assessment/Documentation/UpdateCycle/step1]]

=== 3. DEV on bug 1023/1054 "Thawte Patch" ===
 * "Thawte points removal, final step" [[https://bugs.cacert.org/view.php?id=1023|bug #1023]]
  * bug #1023 Testing (6.php)
  * last patch transferred to production system 2012-05-30
  * what are the next steps for thawte points revoke?
   * points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
   * 15.php needs rename to 10.php
  * next step in: [[https://bugs.cacert.org/view.php?id=1054|bug #1054]] Review the code regarding the new point calculation in ./includes/general.php (current state: testing)
   * email debug notification, search for other solution
   * testing scenarios: see [[https://bugs.cacert.org/view.php?id=1054#c3163|bug note c3163]]
   * some explanations
   * assure someone - f2f, ttp, the sentence "Only tick the next box if the Assurance was face to face" is conflicting, fixed
  * new patches by dirk, pushed to cacert-devel (update 2012-09-18)
   * tverify removed (?)
   * merge conflict with account id 60 (eg email removal), see [[https://bugs.cacert.org/view.php?id=823|bug #823]]
   * max_points() routine replaced by new max_points() routine
   * get_assurer_status(), output_summary_content() with parameter 0 replaced by max_points()
   * received_points()
  * Status testing ?
  * debug messages on testserver (1054)
   * test account 1
    * variant 1 (pwd login): points3 (185/100)
    * variant 2 (cert login): points3 (185/100) points4 (185/100)
    * first value relates to wot.php?id=10 count of pts
   * test account 2
    * points3 (350/394) points4 (350/394)
    * 484 AP, other way 64 * 100
   * test account 3
    * points3 (200/662)
    * problem identified, fix transferred to testserver
   * current state: runs in debug mode points1, points2, points3, points4 that reflect conditions
   * conditions points1 and points2 yet undefined
  * [[Software/Assessment/20121211-S-A-MiniTOP|meeting 2012-12-11]]
   * identified points1 + points2 debug points in routine
   * Logged-in, My Details, Edit, change something, submit changes
   * calculated points will be used to select edit mode for name, dob
   * if points==0 edit allowed, otherwise edit prevented
  * Patch moved out from testserver
   * new testserver branch stable
   * reason: more and more merge conflicts caused by bug #1054
   * patches to add: 1070 + 782 (?)
  * 2013-02-05 DEV on bug 1023/1054 "Thawte Patch" - no update
  * 2013-02-12 - no update
  * 2013-02-19 - no update
  * 2013-02-26 - no update
  * 2013-03-05 - no update
  * 15.php needs update: all ttp points starting 2013-01-01 with new ttp-assurance method
 1. 1054 plan B ?
 1. analyze -> identify all places where points calculation is referenced
  a. assure someone
  a. receive assurance
  a. is assurer? assurer status
  a. revoked assurance
  a. create certs (new points calculation, 0 pts, 50 pts, 100 pts)
  a. multitasking aware (revoke assurance, assurer assures but has required pts revoked)
  a. lazy value (eg menu rendering)
  a. session validate? (if database related)
 1. bug-1177 Combine wot.inc.php, notary.inc.php and temp-function.php
## === 4. requires transfer to production ===

=== 4. 2nd review of remaining patches ===
||<#ff8080> '''Software-Assessors task''' ||
 1. need 2nd Review by Michael
 1. Enqueue bug Bug:893
## ==== 5.1 Michael's/Dirk's Task 2nd review ====

=== 5. Patches Overview - Testing, Development ===
 1. needs further testing
 1. 918 .. keysize
  * Middle security mostly relates to keysize 1024, High security to 2048, but this all depends on the crypto provider
  * needs testing
 1. summary - state of patches
 1. 782 needs work
 1. 440 needs work (NEO) (see also below)
  * Patch bug #440 was deferred (timo addtl. work), but this project stalls. What to do with bug #440 ?
|| gagern, neo || [[https://bugs.cacert.org/view.php?id=440|bug #440]] Problem with subjectAltName || tested, needs 2nd review, rejected, new deployment getcn/getalt procedure, relates to [[https://bugs.cacert.org/view.php?id=1101|bug #1101]] || {r} 2 ||
 1. 1004 needs work by neo
 1. 1113 needs work by benbe, transferred to cacert-devel
 1. 1017 needs work by neo
 1. 1025 needs testing
 1. [[https://bugs.cacert.org/view.php?id=1023|Bugs #1023]] re-opened
  * [[https://bugs.cacert.org/view.php?id=1112|Bugs #1112]] Exchange the text on the TTP page according to the new TTP programm, deployed 2013-04-24
   * needs update of patch 1023 (new points calculation routine)
   * [[https://bugs.cacert.org/view.php?id=1023|Bugs #1023]] re-opened
 1. Policy text and Arbitration ruling bug# fixes
 1. Policy text changes
  * new [[https://bugs.cacert.org/view.php?id=1131|bug #1131]] Replace all policies from php to html
|| Inopiae || [[https://bugs.cacert.org/view.php?id=1131|Bugs #1131]] Rename PolicyOnPolicy.php and other Policies too to .html || || {0} ||
  * dirk to review
  * PoP update running under [[https://wiki.cacert.org/PolicyDecisions#p20130223|Policy Decisions #p20130223]]
   * proposal to await final decision dated 2013-03-08
   * to wait until end of p20130223 -> 2013-03-08
  * POLICY images to transfer from www.cacert.org/images to www.cacert.org/policy/images -> img src="images/.."
  * url link
   * current: 3 variations
    a. href="//www.cacert.org/policy/PolicyOnPolicy.html" vs.
    a. href="http://www.cacert.org/policy/PolicyOnPolicy.html" vs.
    a. href="PolicyOnPolicy.html"
   * proposal
    a. absolute url
    * a. or b. ?
    * // ... after download http missing
    * so therefore https
    * b. as https://..
   * BenBE: needs patches 1146, 1147, 1131
   * all 3 patches attached as complete archive under [[https://bugs.cacert.org/view.php?id=1131|bug #1131]] as zip
   * BenBE: wants them in git
   * git guru: take over this task
   * Fix available: [[https://bugs.cacert.org/view.php?id=1131|bug #1131]]
   * https://github.com/magujs/cacert-devel/tree/bug-1131/www/policy
   * bug Bug:1131 ready for 2nd review
 1. Arbitration ruling text fixes
 1. [[https://bugs.cacert.org/view.php?id=879|bug #879]]
  . CAcert must update the web page on disputes, and include an explanation how to file a dispute (a20091206.1)
 1. [[https://bugs.cacert.org/view.php?id=1004|bug #1004]] Stats page improvement
|| neo, BenBe || [[https://bugs.cacert.org/view.php?id=1004|bug #1004]] Stats page improvement || tested by 2, needs 2nd review || {0} ||
  * stats, Marcus + Uli did some tests, one problem identified, fixed 2012-08-25 by NEO
  * fully re-tested by 2: 2012-08-25 (at froscon)
  * needs 2nd review
  * moved out to cron job routine
  * -> BenBe, assigned
  * 1004 ... on review by BenBe
  * checked BenBe
  * work done by NEO, pushed to cacert-devel, transferred to testserver
  * needs 2nd review, tested
  * current state:
  * open issues
   a. How are deleted users handled?
   a. Isn't "verified_certs" misleading as the affected tables also contain certs that failed to be signed?
   a. User Statistics don't take removed assurances into account (???)
   a. Why not calculate backwards in the year-dependent loop from the already known values? The loop runs backwards already anyway.
  * the latter is still open
 1. [[https://bugs.cacert.org/view.php?id=1025|bug #1025]] Domain Dispute issue
  * BenBe will pick up for 2nd review
  * needs further testing
  * magu, inopiae, u60 -> testing https://bugs.cacert.org/view.php?id=1025
   * several test accounts, variations of one or more email addresses, 0 or 1 domain added
   * test the full disputes procedure for all variations
  * tested by u60
 1. [[https://bugs.cacert.org/view.php?id=1054|bug #1054, test 1054.3.6]], [[https://bugs.cacert.org/view.php?id=1035|bug #1035]]
  * create several types of certs (client certs, server certs, org client certs, org server certs) and analyse the content of the certs -> subjectAltName and CN with single SAN and multiple SANs
  * renew the certs
  * addtl. tests ? Marcus? Magu? BenBe?
  * 2012-10-02 dirk: problems with git push #1054, got fixed
  * DEV on bug 1023/1054 "Thawte Patch"
   * check last changes by dirk to transfer into test scenarios
   * [[Software/CurrentTest/bug1054|Bug #1054 test scenarios]]
   * see reference notes [[https://bugs.cacert.org/view.php?id=1101#c3225|note 3225 on bug #1101]] and [[https://bugs.cacert.org/view.php?id=1101#c3245|note 3245 on bug #1101]]
 1. [[https://bugs.cacert.org/view.php?id=1017|bug #1017]] {o} , relates also to [[https://bugs.cacert.org/view.php?id=1054|bug #1054, test 1054.3.6]] - Chrome certificate enrollment (relates to #964 "Black Jack") --([[https://bugs.cacert.org/view.php?id=964|bug #964]])--
  * create client certs, go to signing routine
  * new routine with 3 different potential signed public key download routines; /account.php?id=6 lists 3 options
   a. Install the certificate into your browser (tested)
   a. Download the certificate in PEM format
   a. Download the certificate in DER format
  * [[https://bugs.cacert.org/view.php?id=1017|bug #1017]] Chrome certificate enrollment
   * BenBe will pick up
  * [[https://bugs.cacert.org/view.php?id=1017|bug #1017]], doing some more tests?
  * Alex, Marcus doing some more tests
  * BenBE to review
  * review bug #964 by Michael
  * bug #964 transferred, still open: bug #1017
  * [[https://bugs.cacert.org/view.php?id=1017|bug #1017]] Chrome certificate enrollment
   * needs testing (lost by transfer to testserver stable)
   * committed 2012-09-04
   * new commit 2013-02-13
   * 964 create cert works, install into browser doesn't work
 1. Marcus Bugs list
  * see [[Software/BugsOverview]]
  * according to [[https://bugs.cacert.org/view.php?id=976|Bugs # 976]]
   * 0000976: List of update request for webdb database structure upgrade with tables / fields
   * addtl_notes table hasn't been added in [[https://bugs.cacert.org/view.php?id=976|patch bug 976 on 2011-11-25]]
  * OU info from Org cert not stored
   * addtl_notes table hasn't been added in [[https://bugs.cacert.org/view.php?id=976|patch bug 976 on 2011-11-25]]
   * extend org certs table ? new bug?
   * OU in subject?
   * includes/account.php (17)
   * in org certs it is in subject
   * addtl. field ou ? new bug# ?
   * used bug #1010
 1. new [[https://bugs.cacert.org/view.php?id=1095|bug #1095]] "Problems with creating server sertificate where the csr is created with Java SDK Tools"
  * cmdline sample: keytool -genkey -alias test.test.net -keyalg RSA -keystore test.test.net.ks -validity 1095
  * NEO couldn't reproduce the problem using keytool, tested against production and testserver
  * identified as weak key usage: the csr used MD2, which is not or no longer supported by openssl; add a new error message
 1. [[https://bugs.cacert.org/view.php?id=440|bug #440]], [[https://bugs.cacert.org/view.php?id=1101|bug #1101]] (extract CSR) (back under development)
  * ASN.1 format
  * CSR extract: needed for signing: email address, hostname
  * Timo will write a CSR parser
  * Current:
   * CN will be parsed
   * some information about public key
  * ASN.1 php library
  * What about UTF-8 ?
   * IDN's
   * Policy: [[PolicyDecisions#p20091108|p20091108]] CPS to drop assurer criteria and allow IDN certificates in specified TLD or single script character sets
   * [[FAQ/Privileges|FAQ Privileges]]
   * [[http://www.cacert.org/policy/CertificationPracticeStatement.php#p3.1|CPS 3.1.7]]
   * [[AssuranceHandbook2/SomeMoreInformation|Assurance Handbook - Some more Information]]
   {{{
Code signing and IDN certificates

If you are an Assurer, you can get certificates signed/issued by CAcert for code signing and IDNs (International Domain Names). Due to the increased possibilities for abuse those certificates have additional requirements. The CPS states that this requires Assurer level, which you meet if you are reading this Handbook. However note that as of 20091106, there is a move to reduce these requirements. Watch this space.
   }}}
  * currently only client and server certs, other options currently not selectable, except Code Signing
  * extensions currently not supported eg jabber
   * [[https://bugs.cacert.org/view.php?id=530|bug #530]] XMPP extension not present after renewal
   * [[https://bugs.cacert.org/view.php?id=87|bug #87]] Issuing certificates for Jabber servers/users
  * parameters: domains, current first becomes CN, others SANs
  * rebuild subject routine ... to check
  * Michael: shall we enforce cn from csr?
   * optional?
   * enforce copy cn to SAN
  * asn1 parse procedure, http://lapo.it/asn1js/
  * getcn, getalt procedure
  * docs for extractit() and getcn(): [[https://github.com/timoahummel/CAcert/blob/bug-1101/includes/general.php#L230|general.php line 230]]
  * felicitus: how does someone get "CN" from "commonName"? where is it documented that "CN" is "commonName"?
   * OID of commonName is 2.5.4.3, but there is nothing about "CN"
   * BenBE: see the OpenSSL header
  * Patch bug #440 was deferred (timo's addtl. work), but this project stalls. What to do with bug #440 ?
|| gagern, neo || [[https://bugs.cacert.org/view.php?id=440|bug #440]] Problem with subjectAltName || tested, needs 2nd review, rejected, new deployment getcn/getalt procedure, relates to [[https://bugs.cacert.org/view.php?id=1101|bug #1101]] || {r} 2 ||
  * comments [[https://bugs.cacert.org/view.php?id=440#c3243]], [[https://bugs.cacert.org/view.php?id=440#c3251]] checked?
  * Neo started some fixes (getcn and ...), to be continued
  * ASN.1 parser - planned: incorporate asn.1 from openssl
 1. [[https://bugs.cacert.org/view.php?id=1101|bug #1101]] refactoring getalt getcn (Timo)
  * might [[http://bugs.cacert.org/view.php?id=1101#c3225|1101 comment c3225]]
  * tries to build a php library as openssl parsing replacement
   a. asn.1 parsing, own library
   a. ???
  * openssl does escaping (per man page) (input? output?)
  * library test thru unit tests
  * openssl command for multiple san's ?
   * undocumented feature?
   * currently only known with -extfile [[http://therowes.net/~greg/2008/01/08/creating-a-certificate-with-multiple-hostnames/#comment-595|creating-a-certificate-with-multiple-hostnames]]
 1. New patches
 1. [[https://bugs.cacert.org/view.php?id=782|bug #782]] Add "notes" field to certificate information
|| inopiae || [[https://bugs.cacert.org/view.php?id=782|bug #782]] Add "notes" field to certificate information || || {0} ||
  * moved to testserver
  * Client certs
   * Current:
    . Renew/Revoke/Delete | Status | Email Address | SerialNumber | Comment | Revoked | Expires | Login
   * move comment to end
    . Renew/Revoke/Delete | Status | Email Address | SerialNumber | Revoked | Expires | Login | Comment | edit
   * create new cert below all mandatory fields?
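The question raised above under bug #440 / bug #1101 (how the parser gets "CN" when only the OID 2.5.4.3 is in the CSR) is illustrated by the following added example; it is written in Python for illustration and is not the CAcert PHP code (getcn()/getalt()). It walks a constructed DER Name and subjectAltName value; a real CSR parser additionally has to locate the Name inside CertificationRequestInfo and the SAN inside the extensionRequest attribute (OID 1.2.840.113549.1.9.14).

```python
# Added illustration in Python (not the CAcert PHP code): a minimal DER walker that
# extracts commonName (OID 2.5.4.3) from an X.501 Name and dNSName/rfc822Name entries
# from a subjectAltName (OID 2.5.29.17) value. "CN" is never on the wire: the short
# name comes from a table kept by the consumer (OpenSSL's objects table; here a dict).
OID_SHORT_NAMES = {
    "2.5.4.3": "CN",
    "2.5.4.6": "C",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
    "1.2.840.113549.1.9.1": "emailAddress",
    "2.5.29.17": "subjectAltName",
}

def read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value_bytes, next_pos)."""
    tag = data[pos]
    first = data[pos + 1]
    if first < 0x80:                      # short form: a single length byte
        length, body_start = first, pos + 2
    else:                                 # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        body_start = pos + 2 + n
    body_end = body_start + length
    if body_end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[body_start:body_end], body_end

def decode_oid(body):
    """OBJECT IDENTIFIER content octets -> dotted string (b'\\x55\\x04\\x03' -> '2.5.4.3')."""
    arcs = [body[0] // 40, body[0] % 40]    # first octet packs the first two arcs
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128; high bit set = more octets follow
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_name(name_der):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value } -> [(short name or OID, text)]."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)              # SET: one RelativeDistinguishedName
        rpos = 0
        while rpos < len(rdn):
            _, atv, rpos = read_tlv(rdn, rpos)         # SEQUENCE: AttributeTypeAndValue
            _, oid_body, vpos = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, vpos)
            oid = decode_oid(oid_body)
            out.append((OID_SHORT_NAMES.get(oid, oid), value.decode("utf-8")))
    return out

def parse_san(ext_value_der):
    """GeneralNames ::= SEQUENCE OF GeneralName; context tags [2] dNSName, [1] rfc822Name."""
    tag, names, _ = read_tlv(ext_value_der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(names):
        tag, value, pos = read_tlv(names, pos)
        if tag == 0x82:
            out.append(("DNS", value.decode("ascii")))
        elif tag == 0x81:
            out.append(("email", value.decode("ascii")))
        else:                                          # iPAddress, URI etc. left raw
            out.append(("tag 0x%02x" % tag, value.hex()))
    return out

def der(tag, body):
    """Tiny DER encoder for the sample; short-form length only (body < 128 bytes)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

# Constructed sample input (not from any real CSR):
#   Name { CN=www.example.org, emailAddress=admin@example.org }
OID_CN = b"\x55\x04\x03"                                 # 2.5.4.3
OID_EMAIL = b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01"      # 1.2.840.113549.1.9.1
SAMPLE_NAME = der(0x30,
    der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, b"www.example.org")))
    + der(0x31, der(0x30, der(0x06, OID_EMAIL) + der(0x16, b"admin@example.org"))))
#   subjectAltName value: DNS:www.example.org, DNS:example.org, email:admin@example.org
SAMPLE_SAN = der(0x30, der(0x82, b"www.example.org") + der(0x82, b"example.org")
                 + der(0x81, b"admin@example.org"))

if __name__ == "__main__":
    print(parse_name(SAMPLE_NAME))   # [('CN', 'www.example.org'), ('emailAddress', 'admin@example.org')]
    print(parse_san(SAMPLE_SAN))
```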
  * [[https://bugs.cacert.org/view.php?id=782|bug #782]] - Review by Benny
   * Field name mismatch between submitted field and value queried for store operation
   * Not deployed on testserver
   * fixed missing underscore
  * 2013-05-07: Review OK
  * 2013-05-14: review by benbe
   * reject
   * update by inopiae
  * 2013-06-11: [[https://bugs.cacert.org/view.php?id=782|bug #782]] Comment fields for certificates
   * merge conflicts, repairing branches
  * 2013-07-02: Having a closer look at bug Bug:782 to prepare for sending it to critical
   * tested by 3, good for 2nd review
   * need 2nd Review by Michael, Enqueue bug Bug:782
  * bug Bug:782 2nd review by Michael
  * bug Bug:454 and bug Bug:822 closed, covered by patch bug Bug:782 (ready to deploy)
  * bug Bug:782 rejected
  {{{
The patch for #782 has been rejected, because it could not be installed cleanly on the production server. The diffs provided for the file includes/account.php did not fully match the production version of this file. See the attached logs for details of the failure.

In order to back out the (partial) application of this broken patch, the web service on the production server has been taken offline for a few minutes.

Please resubmit a fixed version of this patch after verifying it against the current production source code.
  }}}
 1. GPG bugs
 1. delete/revoke GPG keys (eg [[https://bugs.cacert.org/view.php?id=1079|bug #1079]] )
  * trust signatures can be revoked
  * CRL's have to be added to keyservers, but no one will check
  * revocation: 5 reasons given
  * should be possible, but project needs a developer
 1. GPG bugs
  * OpenPGP parser project, reviewed by Michael last weekend
   * Michael remark: using 3x = (===) instead of 2x = (==)
   * unpack (N) 32bit unsigned may become a problem
    * relates to hardware platforms: the signer was replaced about 2 years ago, but the code needs to run on both sides (webserver + signer). Webserver upgrade is WIP
   * in principle ok
 1. BenBE: GPG/PGP parser
  * revoke gpg keys implemented
  * [[https://xkcd.com/1181/|1181]]
 1. [[https://bugs.cacert.org/view.php?id=279|bug #279]] bad domains
  * .*top.*
  * regexp list
  * database table exists
  * update procedure?
   * what about recurring distribution of update files via cabforum?
   * arbitration?
   * SE console for update?
   * critical admins?
  * check routine on add-domain
  * add domain under OA should be possible ...
  * one-time check of currently existing domains ?
   1. first time check against full filter list
   1. individual check in event add domain
   1. global check in event add entry to filter list
   1. replace/update full filter list (case 1 + 4)
  * meta infos:
   a. datasources
   a. attributes (?)
   a. creation date
   a. delete entry / revocation date
 1. [[https://bugs.cacert.org/view.php?id=1135|bug #1135]] SE activity audit tables
  * addtl. recording of arbitration numbers to members
   * results in long discussions
   * requirements, thought cases (eg name change request while another arbitration is running (-> uncritical))
   * delete account requests handled under precedent case [[Arbitrations/a20111128.3|a20111128.3]], one "critical" case (certs misusage) is turned in procedure: arbitrator has to follow "emergency case" procedure and to keep track of open "delete account" cases
   * interference/interaction of 2 of the 3 powers (executive, judicative) (arbitration has to act as executive to forward all new cases to support team with list of open/running arbitration cases)
   * all ends on (arbitration) "critical" cases
   * "critical" cases will be handled under Arbitration eg. [[Arbitrations/a20111128.3|a20111128.3]] within a reasonable (eg 48 hours) window
   * discussion deferred
  * 1135 (BenBe) 2nd review by another SA before moving to testserver
  * Michael to review
 1. [[https://bugs.cacert.org/view.php?id=1135|bug #1135]] Extend database table AdminLog et al
 1. [[https://bugs.cacert.org/view.php?id=1136|bug #1136]] SE console, delete all certs of a member (instead of hijacking an account)
  * probably 1 requirement: addtl. verification step
  * 2013-02-26:
   * bug #1136 - revoke certs doesn't work
   * server log shows no errors
   * and the fix: cacert-devel: testserver-stable 90bdd8cb Timestamp: 2013-02-26 23:32:07
  * added to testers portal, needs testing, 2nd review
  * doesn't work as expected, needs work
  * bug-1136 ready to test. Error fixed
  * tested by magu
  * bug Bug:1136 review tests
  * u60: requires some rework [[https://bugs.cacert.org/view.php?id=1136#c4112|report #4112]]
  * inopiae: patch delivered, merged into testserver
  * re-tests started
 1. [[https://bugs.cacert.org/view.php?id=893|bug #893]] Extend Delete account feature for support
|| inopiae || [[https://bugs.cacert.org/view.php?id=893|bug #893]] Delete account rev 3 procedure || needs testing and 2nd review || {0} ||
  * test 893 (delete account) with existing server certs, also gpg certs
  * gpg revocation is currently not avail ...
   * manual procedure: currently we haven't had such a case in the manual procedure
   * proposal: in production: set on hold until gpg key expires
   * for testing: gpg keys not expired -> stop procedure if remaining gpg keys not expired
  * if account is locked -> no special exception
  * org admin flag set -> procedure stop (includes Org certs avail)
  * related dispute bugs 1136? 1045?
  * from meeting 2013-04-30
   * requires regexp to check validity: /^[a-z]\d{8}\.\d+\.\d+$/i
   * several tests and updates made
 1. [[https://bugs.cacert.org/view.php?id=1137|bug #1137]] Record the CCA acception for entering an assurance
|| inopiae || [[https://bugs.cacert.org/view.php?id=1137|bug #1137]] Record the CCA acception for entering an assurance || needs testing and 2nd review || {0} ||
  * 1137 "Record the CCA acception for entering an assurance" needs review testing
  * bug-1137 ready to test. Error fixed
  * (2013-06-11) [[https://bugs.cacert.org/view.php?id=1137|bug #1137]] pushed to test server by BenBE
 1. [[https://bugs.cacert.org/view.php?id=1162|bug #1162]] pushed to test server by BenBE
 1. [[https://bugs.cacert.org/view.php?id=1141|bug #1141]] If i delete Domains, no Servercerts for this domains are listet, even not the revoked
  * moved to testserver
|| NEO || [[https://bugs.cacert.org/view.php?id=1141|bug #1141]] If i delete Domains, no Servercerts for this domains are listet, even not the revoked || needs testing || {0} ||
  * discussions: arb case? privacy (eg PP 10.), data retention (-> Australian DPA)
  * Marcus to contact Benedikt
 1. what to do with [[https://bugs.cacert.org/view.php?id=1143|bug #1143]] Web site doesn't scale vertically
 1. Advertisement
  * permission review script doesn't include ADadmin
  * relates to [[https://bugs.cacert.org/view.php?id=1003|bug #1003]] and Arbitration case [[Arbitrations/a20110118.1|a20110118.1]]
  * board motion? treasurer? adadmin?
  * Answers given by Intermediate ruling #7 under [[Arbitrations/a20110118.1|a20110118.1]]
  * Michael to pick up
  * 2013-06-11: reminder for NEO
  * [[https://bugs.cacert.org/view.php?id=1003|Bug #1003]] permissions review script
   * next run: 2013-06-30
   * patch transferred to testserver, initiated schedule, mails sent
   * still problems?
 1. [[https://bugs.cacert.org/view.php?id=901|bug #901]] Renewal of certificate with WIN 7 and IE8
 1. Marcus: [[https://bugs.cacert.org/view.php?id=1160|bug #1160]] "Unable to import personal cert/key into Tunderbird or Evolution, hence unable to encrypt mail with CACert certificates" - needs feedback
  * does this have to do with the last patch install ?
  * Since install of patch [[https://bugs.cacert.org/view.php?id=964|bug #964]] (Black Jack), automatic client cert installation and renewal into FF doesn't work (the install to IE5 button doesn't work)
  * the signed public client cert is presented in ascii for copy and paste into a file, but this cert doesn't include the private key part, so the signed public key has to be married with the private key
  * see also FAQ client certs [[https://wiki.cacert.org/Technology/KnowledgeBase/ClientCerts#Renew_Client_Certs_under_FF|Renew Client Certs under FF]]
  * patch [[https://bugs.cacert.org/view.php?id=1017|bug #1017]] includes an automatic install into the Mozilla keystore, current code on production doesn't
 1. Marcus: server.pl - [[https://bugs.cacert.org/view.php?id=1159|bug #1159]] - it might be possible to execute commands on the signing server
  * answered by Wytze
  * NEO tries a patch
  * server.pl issue .. review by Ben finished, ready to deploy [[https://bugs.cacert.org/view.php?id=1159|bug #1159]]
 1. [[http://bugs.cacert.org/view.php?id=1172|bug #1172]] MySQL -> transactional, move isam to innodb
  * Switch MySQL to MariaDB ?
  * 2013-06-11: [[https://bugs.cacert.org/view.php?id=1172|bug #1172]] Move the database engine from myISAM to InnoDB - and other plans for DB migrations
   * also long term project: "sql class project"
   * ongoing discussions about using stored procedures or not
   * voted: result: 1 aye, 4 naye, 1 abstain
 1. [[https://bugs.cacert.org/view.php?id=1094|bug #1094]] Wrong information shown when disputing a domain that is part of a organisation account - Review by Michael
  * Review by Michael + Test by Magu 1094 - OK.
 1. [[https://bugs.cacert.org/view.php?id=28|bug #28]] Wrong language for ''you've been assured'' & ''[CAcert.org] Client Certificate'' emails - Review by Michael
  * Review 28 by Michael doesn't work.
  * Additional work required: Doc Comments in include/lib/l10n.php
  * Repaired by Benny for bug 28
  * Ported patch by Marcus
  * Fixed parameter name and class refs in include/lib/l10n.php
 1. [[https://bugs.cacert.org/view.php?id=872|bug #872]] Discuss over Software changes for PoJAM Policy
  1. (BenBE)
   * UI with checkbox for PoJAM seen
   * for old cases take "not seen" as default
   * do mass-mailing for all PoJAM related to ask assurers to confirm they saw the Parental Consent form
   * ignore points from assurances under PoJAM (even after 18th birthday) when calculating permissions if no confirmation is present
  1. Marcus
   * check only one case of PoJAM acceptance per user
   * once one is present count all assurances as valid
  1. Michael
   * 2 or more checked PoJAM Assurances for CAcert High Products
  1. SQL query to critical:
   * Users below 18th birthday grouped by date -> counts of assurance points
   * From arb [[Arbitrations/a20091221.1|a20091221.1]]
  1. Uli (AO)
   * PoJAM assurance points received handling according to [[PolicyDrafts/LegacyPolicy#PoJAM|Legacy Policy - PoJAM]]
  1. bug 872 for statistics for PoJAM
   * file a dispute - SQL query
   {{{#!highlight mysql
SELECT count( `temp`.`no` ) as AffectedUsers,
       sum( `temp`.`assurances` ) as AffectedAssurances,
       if(points = 0, "No points", IF(points < 50, "1 < x < 50", IF(points < 100, "50 <= x < 100", "100 <= x"))) as ReceivedPoints
FROM (
  SELECT 1 AS no, count( 1 ) AS assurances, sum( `notary`.`points` ) AS points
  FROM `users`, `notary`
  WHERE YEAR(`users`.`dob`)>=1995 and `users`.`id`=`notary`.`to`
  GROUP BY `users`.`id`
) AS `temp`
group by ReceivedPoints
   }}}
 1. [[https://bugs.cacert.org/view.php?id=1140|bug #1140]] needs testing
|| Ted || [[https://bugs.cacert.org/view.php?id=1140|bug #1140]] Show if a test is passed in learnprogress || tested by 3, requires review || {0} ||
 1. [[https://bugs.cacert.org/view.php?id=500|bug #500]] needs testing
|| Ted || [[https://bugs.cacert.org/view.php?id=500|bug #500]] Get contact mail adress after resolving test || requires testing || tested by 3, requires review || {0} ||
 1. [[https://bugs.cacert.org/view.php?id=1139|bug #1139]] moved to ready to deploy
|| inopiae || [[https://bugs.cacert.org/view.php?id=1139|bug #1139]] Add new fields to the database || tests through #500 and #1140, 2nd review done, requires transfer || {0} ||
 1. 2013-06-11: [[https://bugs.cacert.org/view.php?id=1064|Bug #1064]] and [[https://bugs.cacert.org/view.php?id=1045|Bug #1045]] result in a merge conflict in www/wot.php - postponed, Various patches
  * merge conflicts, in www/wot.php
 1. Updated [[https://bugs.cacert.org/view.php?id=569|Bug #569]] had been pushed to testserver already
 1. bug Bug:1183 prepared patch by magu
 1. bug Bug:372 - relates to fixed bug Bug:922, but 922 only covers missing expired certs notifications - 372 requires deeper review regarding the domlink table (in short: deprecation of the domlink table isn't possible)

=== 6. Long Term Projects ===
 1. NEO: "BlackJack" [[https://bugs.cacert.org/view.php?id=964|bug #964]]
  * NEO: "BlackJack" [[https://bugs.cacert.org/view.php?id=964|bug #964]] testing from last week -> error codes
  * started implementing
  * how does [[https://bugs.cacert.org/view.php?id=1017|bug #1017]] relate to this bug?
  * cert signing routine
  * ie5 ie6 automatic storage of signed key in local keystore
  * doesn't work under vista, win7
  * msi package is to download and import the keys to the local keystore under vista, win7
  * relates to [[https://bugs.cacert.org/view.php?id=1099|bug #1099]] but is quite different
  * neo sent msi package for testing to u60, benbe; test successfully passed
  * bug #964 passed, #1017 still open
  * bug 964 has been passed to production, key generation works, transfer into browser not
  * BenBE: reviewed [[https://bugs.cacert.org/view.php?id=1099|bug #1099]] roots installer
   * [[https://cacert1.it-sls.de/index.php?id=3|Root Certificates]]
   * displays: "Windows installer package for browsers that use the Windows certificate store (for example Internet Explorer, Chrome on Windows and Safari on Windows)"
   * some ideas to move the installer to its own section
  * Michael: reworks [[https://bugs.cacert.org/view.php?id=1099|bug #1099]] (roots download page), deployed
 1. Marek's sql class project:
  * is working on charset replacement
 1. api project, Carsten continues with portal project not waiting for vendor-api to be delivered
  * vendor-api delayed
  * no coders
  * other projects
  * related to sql class project
  * portal project continues with a workaround, needs an assurer
  * arbitration case on locations database orders outsourcing of find-an-assurer asap
  * with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)
  * relation to location database
 1. website find an assurer
 1. scripted mailing for ATE invitations
  * user check that data is still valid eg every 1 year
  * notification at login up to 6 months not online
  * notification by email if not logged in within last 6 months
 1. Automated testing system
  * Timo: Unit-test testsystem, phpunit jenkins
   * [[http://ci.partkeepr.org/job/PartKeepr/]]
   * [[https://github.com/NEOatNHNG/cacert-frontendtests]]
  * can we merge both environments? frontend tests and unit tests?
  * Timo: automated testing systems are mergeable
  * frontend test: java, may become a problem, alternate php version?
  * focus on unittests
  * dirk: code or screen?
  * code and screen
  * frontend and unit tests on one machine?
  * trial: port frontend tests
 1. Timo: monitoring signer, not yet done
  * Probably Wytze monitors the systems externally ?!?
  * see [[SystemAdministration/Systems|Systems overview]]
  * monitoring system eg Zabbix instead of Nagios?
  * BenBE: Icinga as alternate?
  * Zabbix agents: requires to be the same revision as server
 1. TLS project
  * BenBe/Wytze talked @ fosdem
  * risks fairly low, awaiting fix
 1. secure boot project (required steps?) (also relates to New Roots & Escrow)
  * we have
   * risk analysis
   * new roots procedure
  * required steps?
   * Escrow method to select
   * subroot under eg. org++
   * cps changes
   * new roots?
   * new signer?
   * indirect crl's

=== 7. next meeting ===
 * Tuesday, July 23, 2013 - 22:00 CEST (20 UTC) ?

== Minutes ==

=== 1. Preface ===
 1. bug Bug:1184
  * conclusion reached in meeting 2013-07-02
  * see comment [[https://bugs.cacert.org/view.php?id=1184#c4095|#4095]]
 1. tk-server / testserver system hosting
  . LXC and serial interfaces
  . possible solutions: using
   a. serial interface
   b. named pipes?
  . alternates: VirtualBox
  . To link serial port ttyS0 to another serial port:
   * {{{socat /dev/ttyS0,raw,echo=0,crnl /dev/ttyS1,raw,echo=0,crnl}}}
  * Server is currently located by Sebastian and is planned for Non-Critical Infrastructure
  * another plan: reducing rackspace, removal of old hardware?
  * IP Addresses see [[SystemAdministration/IPList|IP List]]
   * cacert1 + secure1 -> 1 IP
   * ca-mgr1 + cats1 -> 1 IP
   * git-cacert -> 1 IP
  * TVERIFY is disabled
  * dirk: shall contact Sebastian, transfer to Wytze, Wytze will continue preparation offsite
  * secure-u project (signatures) is decoupled from tk server project
 1. patch day 2013-07-15
  * bug Bug:782 rejected
  * communication BenBE - trying with ignore whitespace, response Wytze: this works
 1. bug Bug:1190
  . First fast path patch showed that we are close to the 24 hours proposal of [[Software/Assessment/Documentation/EmergencyPatches|Emergency Patches Procedures]]. Optimisation is possible using alternate communication channels
 1. Blog post
  . CCA Rollout
  . in about half a year CCA agreement request at Join page becomes production
 1. Ted: bug Bug:1191 proposal to upgrade to Wheezy
  . do we have a testserver? if no - can cats1 be upgraded?
  . requires no update for 1191
  . ca-mgr1 update will be done by NEO
  . Markus initiated Zend on ca-mgr1, NEO continued
 1. Infrastructure upgrades
  . several systems bugs, mantis, lists and many others
{{{
root@infra01:/var/lib/lxc# for i in *; do echo $i | sed 's/^vm-//'; for x in rsa dsa; do ssh-keygen -l -f $i/rootfs/etc/ssh/ssh_host_${x}_key.pub | sed -e 's/[a-z\-]*\/rootfs//'; done; done
}}}
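As an added example (not from the minutes and not a CAcert infrastructure script), the same per-container host-key inventory in Python, extended with the check that matters when LXC containers are cloned from one image: host keys that appear in more than one container. Container names, key material and paths are constructed; the fingerprint function reproduces the MD5 colon-hex form that the `ssh-keygen -l` loop above prints.

```python
import base64, hashlib, os, re, tempfile
from collections import defaultdict
KEY_FILE = re.compile(r"^ssh_host_(\w+)_key\.pub$")

def md5_fingerprint(pubkey_line):
    """MD5 fingerprint, colon-separated hex, as printed by ssh-keygen -l before OpenSSH 6.8."""
    blob = base64.b64decode(pubkey_line.split()[1])  # field 2 of "type base64 comment"
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def inventory(lxc_root):
    """Container name -> {key type: fingerprint} for every <lxc_root>/*/rootfs/etc/ssh."""
    result = {}
    for entry in sorted(os.listdir(lxc_root)):
        ssh_dir = os.path.join(lxc_root, entry, "rootfs", "etc", "ssh")
        if not os.path.isdir(ssh_dir):
            continue
        name = entry[3:] if entry.startswith("vm-") else entry  # same as sed 's/^vm-//'
        result[name] = {}
        for fname in sorted(os.listdir(ssh_dir)):
            if m := KEY_FILE.match(fname):
                with open(os.path.join(ssh_dir, fname)) as fh:
                    result[name][m.group(1)] = md5_fingerprint(fh.read())
    return result

def shared_fingerprints(inv):
    """Fingerprints found in more than one container -> sorted container names."""
    seen = defaultdict(set)
    for name, keys in inv.items():
        for fp in keys.values():
            seen[fp].add(name)
    return {fp: sorted(names) for fp, names in seen.items() if len(names) > 1}

def build_sample_tree(base):
    """Constructed sample (not real keys): 'monitor' and 'svn' were cloned and share one RSA key."""
    fake = lambda seed: "ssh-rsa " + base64.b64encode(seed.encode()).decode() + " root@sample"
    sample = {"vm-blog": {"rsa": fake("blog-rsa"), "dsa": fake("blog-dsa")},
              "vm-monitor": {"rsa": fake("cloned-rsa"), "dsa": fake("monitor-dsa")},
              "vm-svn": {"rsa": fake("cloned-rsa"), "dsa": fake("svn-dsa")}}
    for vm, keys in sample.items():
        ssh_dir = os.path.join(base, vm, "rootfs", "etc", "ssh")
        os.makedirs(ssh_dir)
        for ktype, line in keys.items():
            with open(os.path.join(ssh_dir, f"ssh_host_{ktype}_key.pub"), "w") as fh:
                fh.write(line + "\n")
def demo():
    """Build the sample tree in a temp dir; return (inventory, fingerprints shared by >1 container)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        inv = inventory(tmp)
        return inv, shared_fingerprints(inv)
```

Run `demo()` against the constructed tree, or point `inventory()` at a real `/var/lib/lxc` and pass the result to `shared_fingerprints()`; any non-empty result means those containers should get fresh host keys before they are exposed.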
  . several firewall outbound rules for blog, web (community portal) and others

=== 2. Bugs testing ===
 1. bug Bug:1131
 1. bug Bug:1136
  1. needs testing
 1. bug Bug:1123
  1. magu test done
 1. bug Bug:1137 - Record the CCA acceptance for entering an assurance
  * after finishing assure someone - results in wot.php blank page
  * problem commit 93742459589b515a232d3ec4b717e4b7caa9de85
  * testserver-stable~43..testserver-stable~44 (bad -> good) - duplicated code
  * 43.php inclusion -> notary.inc is most current
  * to deprecate: wot.inc
  * inopiae will pick up the merge process upcoming weekend
 1. notary.inc / wot.inc mystery behind
  * one for 15.php, one for 10.php, later to merge
 1. ntp server
  . own hardware for signer?
  . timestamping via serial interface?

=== 3. Bug reviews ===
 1. bug Bug:663
  * dirk, review done
 1. bug Bug:1131
  . go authority by [[https://svn.cacert.org/CAcert/Policies/PolicyOnPolicy.html|PoP 2.5]] according to [[PolicyDecisions#p20130223|Policy Decisions #p20130223]]
  * NEO, looks good, except html entities in CPS section 3.1.2

==== Fixed Action Items since last or within meeting ====
|| all || bug Bug:585 Issues with escaping on web-site e-mail forms (old bug from 2008-08-04) || retested, problems still fixed, closed || {g} ||
|| all || bug Bug:454 Please add a description field to the Certificates || covered by bug Bug:782 - closed || {g} ||
|| all || bug Bug:822 Please add a sort of description field to server/client certificates || covered by bug Bug:782 - closed || {g} ||
|| Mario || Wiki addtl flag marker icons || fixed by Mario || {g} ||
|| NEO, BenBE || todo: monitor /home/cacert/var/log/apache2/error.log for php errors (recurring)<<BR>>relates to [[https://bugs.cacert.org/view.php?id=1176|Bug #1176]] || untestable, but monitored other tests for 2 weeks || {g} ||
|| inopiae || [[https://bugs.cacert.org/view.php?id=1173|bug #1173]] While email or domain dispute check if the request belongs to a locked account and stop the process || tested by 2 || {g} ||
|| inopiae || [[https://bugs.cacert.org/view.php?id=1186|bug #1186]] Warning when determining MX records of a domain || tested by 2 || {g} ||
|| magu || [[https://bugs.cacert.org/view.php?id=1190|Bug #1190]] News does not display teaser || tested by 4, deploy (emergency fix, normal way) || {g} ||
|| all || [[https://bugs.cacert.org/view.php?id=1068|bug #1068]] blog problem (also relates to community)<<BR>>debian lenny - edge - squeeze upgrades needed || alternate: new server with squeeze, install wordpress, transfer domain<<BR>>workaround: configure your FF [[FAQ/BrowserClients]] || {g} ||
|| inopiae || [[https://bugs.cacert.org/view.php?id=782|bug #782]] Add "notes" field to certificate information || "late" deployed 2013-07-17 || {g} ||

==== Action Items New ====
Action items: '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''

----
 . CategorySoftwareAssessment