Minutes of the MiniTOP on 2014-01-21


The MiniTOP will be held via telco 22:00 CET (21:00 UTC)




Action items from last meeting: Meeting Action Items


Development, Deployment, Discussion

  • OAO, Ted

    bug #943 change OA admin/assurer text

    needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected


    uli, Ted

    bug #824 Org User cert fix Case study

    Organisation User Certificates: Need UI improvement for proper production usage


    uli, ted

    bug #823 email address removal fix

    No warning when removing e-mail address from account that certificates will be revoked
    checked by 4, needs 2nd review, deploy



    bug #920 Join - single name only (eg Indonesian)

    details under bug number



    bug #859 admin console interface

    feature request: show activity on an account in the admin interface
    rejected, certs login doesn't modify "modified" field



    bug #540

    p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
    uli, marcus: needs full cert create tests
    duplicate report to bug#978
    tested by 3, 2nd review done, transferred
    Ken reported: still has problems, bug kept open


    gagern, NEO

    bug #440 Problem with subjectAltName (CSR, renew certs)

    There seems to be a problem with the subjectAltName. Dupes, missing entries, and more.
    rejected, needs further development



    bug #1025 Domain Dispute issue

    disputes rc and rc2 var prob
    needs work



    bug #1054 0001054: Review the code regarding the new point calculation

    Thawte patch part II
    needs further work


Software Assessors: Review 1 / add to cacert-devel, add to testserver

  • Software-Assessors task


  • Testers task


    bug #1004 Stats page improvement

    tested by 2, needs 2nd review



    Bugs #1159 it might be possible to execute commands on the signing server



    bug #1065 Wrong wording when sending mails during the assurance process



    bug #1162 calcutate (the passwords) hash in php instead of in mysql

    create test scenarios for the software testers /!\
    Full testing /!\



    bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails



    bug #988 TTP cap form deployment


Software Assessors: 2nd Review, Bundle Package to Critical Team

  • Software-Assessors task


    bug #500 Get contact mail adress after resolving test

    tested by 3, requires review



    bug #1140 Show if a test is passed in learnprogress

    tested by 3, requires review



    bug #1131 Rename _all_ Policies from .php to .html and fix all links

    global policy directory maintenance and update



    bug #1010 Reorder the view on organisation certificates

    tested by 3


Software Assessors: Bundle Package to Critical Team

  • Software-Assessors task


    bug #1139 Add new fields to the database

    tests through #500 and #1140, 2nd review done, requires transfer


Awaiting Response from Critical Team

  • inopiae

    bug #411 Wrong text is made into link



1. Preface

  1. Patches to review / transfer
    1. Bug 1010 "Reorder the view on organisation certificates" not yet reviewed

      • several tests passed by at least 2 testers, -> NEO?

    2. Bug 1031 "Policy documents rework" WIP -> NEO?

    3. Review for Dirk: Bug 1213

      • git commands
        1. git pull
        2. git checkout bug-####
        3. git diff release...HEAD
    4. Bug 1131 - needs work - join CCA box (Policy rename to php, general rework)

      • fixed, retest looks ok, needs review -> dirk?

      • more reviews Bug 1131 - needs work - join CCA box (Policy rename to php, general rework)


  2. Patches to test
    1. Bug 1065

      • several issues with old users
        1. could not login (CCA acceptance bug if not yet accepted), currently no workaround :-P
    2. Bug 1162 - Full tests

    3. Bug 0028

    4. Bug 1137 testing

  3. Patches Todo list
    1. Bug 1146 - fix avail

    2. Bug 1192

    3. Bug 1213

  4. tk-server server transfer (see also 6.7), reminder 2013-09-17
    • Sebastian will send the server upcoming Friday (2013-10-04) to BIT, Ede, NL directly
    • dirk at last board meeting: btw: i just got the info, that the new TK-server is now at mendel, so he or wytze can prepare it for the rack in the next days ...

2. Documentations

  1. Documentation - Review / Changes to add (relates to Policy Group SP review)
  2. Documentation - To-Do (relates to Policy Group SP review)

3. DEV on bug 1023/1054 "Thawte Patch"

4. requires transfer to production

5. Bugs untestable

  1. 2013-06-11: Bug #1064 and Bug #1045 results in merge conflict in www/wot.php - postponed, Various patches

    • merge conflicts, in www/wot.php
  2. bug #1135 SE activity audit tables

    • addtl. recording of arbitration numbers to members
    • results in long discussions
      • requirements, thought cases (eg name change request while another arbitration is running (-> uncritical))

      • delete account requests (handled under precedent case a20111128.3), one "critical" case (certs misuse) is turned in procedure: arbitrator has to follow "emergency case" procedure and to keep track of open "delete account" cases

      • interference/interaction of 2 of the 3 powers (executive, judiciary) (arbitration has to act as executive to forward all new cases to support team with list of open/running arbitration cases)
    • all ends on (arbitration) "critical" cases
    • "critical" cases will be handled under Arbitration eg. a20111128.3 within reasonable (eg 48 hours) window

    • discussion deferred
    • 1135 (BenBe) 2nd review by another SA before moving to testserver

    • Michael to review
      1. bug #1135 Extend database table AdminLog et al

  3. bug #1172 MySQL -> transactional, move isam to innodb

    • Switch MySQL to MariaDB ?
    • 2013-06-11: bug #1172 Move the database engine from myISAM to InnoDB - and other plans for DB migrations

    • also long term project: "sql class project"
    • ongoing discussions about using stored procedures or not
      • voted: result: 1 aye, 4 naye, 1 abstain

6. Patches Overview - Testing, Development

  1. summary - state of patches
    1. 440 needs work (NEO) (see also below)
      • Patch bug #440 was deferred (timo addtl. work), but this project stalls. What to do with bug #440?

        gagern, neo

        bug #440 Problem with subjectAltName

        tested, needs 2nd review, rejected, new deployment getcn/getalt procedure, relates to bug #1101

        {r} 2

    2. 1004 needs work by neo
    3. 1113 needs work by benbe, transferred to cacert-devel
    4. 1025 needs testing
    5. Bugs #1023 re-opened

      • Bugs #1112 Exchange the text on the TTP page according to the new TTP programm, deployed 2013-04-24

      • needs update of patch 1023 (new points calculation routine)
      • Bugs #1023 re-opened

  2. Policy text and Arbitration ruling bug# fixes
    1. Policy text changes
    2. Arbitration ruling text fixes
      1. bug #879

        • CAcert must update the web page on disputes, and include an explanation how to file a dispute (a20091206.1)
  3. bug #1004 Stats page improvement

    • neo, BenBe

      bug #1004 Stats page improvement

      tested by 2, needs 2nd review


    • stats, Marcus + Uli did some tests, one problem identified, fixed 2012-08-25 by NEO
    • fully re-tested by 2: 2012-08-25 (at froscon)
    • needs 2nd review
    • moved out to cron job routine
    • -> BenBe, assigned

    • 1004 ... on review by BenBe

    • checked BenBe

    • work done by NEO, pushed to cacert-devel, transfered to testserver
    • needs 2nd review, tested
    • current state:
    • open issues
      1. How are deleted users handled?
      2. Isn't "verified_certs" misleading as the affected tables also contain certs that failed to be signed?
      3. User Statistics don't take removed assurances into account (???)
      4. Why not calculate backwards in the year-dependent loop from the already known values? The loop runs backwards already anyway.
    • the latter is still open
  4. bug #1025 Domain Dispute issue

    • BenBe will pickup for 2nd review

    • needs further testing
    • magu, inopiae, u60 -> testing https://bugs.cacert.org/view.php?id=1025

      • several test accounts, variations of one or more email addresses, 0 or 1 domain added
      • test the full disputes procedure for all variations
      • tested by u60
  5. bug #1054, test 1054.3.6, bug #1035

    • create several types of certs (client certs, server certs, org client certs, org server certs) and analyse the content of the certs -> subjectAltName and CN with single SAN and multiple SANs

    • renew the certs
    • addtl. tests ? Marcus? Magu? BenBe?

    • 2012-10-02 dirk: problems with git push #1054, got fixed
    • DEV on bug 1023/1054 "Thawte Patch"
    • see reference notes note 3225 on bug #1101 and note 3245 on bug #1101

  6. Marcus Bugs list
    • see Software/BugsOverview

    • according to Bugs # 976

      • 0000976: List of update request for webdb database structure upgrade with tables / fields
      • addtl_notes table hasn't been added in patch bug 976 on 2011-11-25

      • OU info from Org cert not stored

      • extend org certs table ? new bug?
      • OU in subject?
      • includes/account.php (17)
      • in org certs it is in subject
      • addtl. field ou ? new bug# ?
      • used bug #1010
  7. new bug #1095 "Problems with creating server sertificate where the csr is created with Java SDK Tools"

    • cmdline sample: keytool -genkey -alias test.test.net -keyalg RSA -keystore test.test.net.ks -validity 1095
    • NEO couldn't reproduce the problem using keytool, tested against production and testserver
    • identified as weak key usage: the CSR used an MD2 signature, which is not or no longer supported by openssl; add new error message
  8. bug #440, bug #1101 (extract CSR) (back under development)

    • ASN.1 format
    • CSR extract: needed for signing: email address, hostname
    • Timo will write a CSR parser
    • Current:
      • CN will be parsed
      • some information about public key
    • ASN.1 php library
    • What about UTF-8?
    • IDN's
      • Policy: p20091108 CPS to drop assurer criteria and allow IDN certificates in specified TLD or single script character sets

      • FAQ Privileges

      • CPS 3.1.7

      • Assurance Handbook - Some more Information

        • Code signing and IDN certificates
          If you are an Assurer, you can get certificates signed/issued by CAcert for code signing and IDNs (International Domain Names).
          Due to the increased possibilities for abuse those certificates have additional requirements. The CPS states that this requires Assurer level, which you meet if you are reading this Handbook. However note that as of 20091106, there is a move to reduce these requirements. Watch this space.
    • current only client and server certs, other options currently not selectable, except Code Signing
      • extensions currently not supported eg jabber
      • bug #530 XMPP extension not present after renewal

      • bug #87 Issuing certificates for Jabber servers/users

    • parameters: domains, current first becomes CN, others SANs
    • rebuild subject routine ... to check
    • Michael: shall we enforce cn from csr?
      • optional?
      • enforce copy cn to SAN
    • asn1 parse procedure, http://lapo.it/asn1js/

      • getcn, getalt procedure
      • docs for extractit() and getcn(): general.php line 230

      • felicitus: how does someone get "CN" from "commonName"? where is it documented that "CN" is "commonName"?
      • OID of commonName is, but there is nothing about "CN"
        • BenBE: see Header of OpenSSL-Header
    • Patch bug #440 was deferred (timo's addtl. work), but this project stalls. What to do with bug #440?
    • ASN.1 parser - planned: incorporate asn.1 from openssl
  9. bug #1101 refactoring getalt getcn (Timo)

    • might 1101 comment c3225

    • tries to build a php library for openssl parsing replacement
      1. asn.1 parsing, own library
      2. ???
    • openssl does escaping (per man page) (input? output?)
    • library test thru unit tests
    • openssl command for multiple san's ?
  10. GPG bugs
    1. delete/revoke GPG keys (eg bug #1079 )

      • trust signatures can be revoked
      • CRL's have to be added to keyservers, but no one will check
      • revocation: 5 reasons given
      • should be possible, but project needs a developer
    2. GPG bugs
      • OpenGPG parser project, reviewed by Michael last weekend
      • Michael remark: using 3x = (===) instead of 2x = (==)
      • unpack (N) 32bit unsigned may become a problem
      • relates to hardware platforms, signer has been replaced about 2 years ago, but needs to be used on both sides (webserver + signer). Webserver upgrade is WIP
      • in principle ok
    3. BenBE: GPG/PGP parser
      • revoke gpg keys implemented
      • 1181

  11. bug #279 bad domains

    • .*top.*
    • regexp list
    • database table exist
    • update procedure?
    • what about recurring distribution of update files via cabforum?
    • arbitration?
    • SE console for update?
    • critical admins?
    • check routine on add-domain
    • add domain under OA should be possible ...
    • one-time check of current existing domains ?
      1. first time check against full filter list
      2. individual check in event add domain
      3. global check in event add entry to filter list
      4. replace/update full filter list (case 1 + 4)
    • meta infos:
      1. datasources
      2. attributes (?)
      3. creation date
      4. delete entry / revocation date
  12. Bug 1162 pushed to test server by BenBE

    • request to write test scenario for software testers
    • sql patch, still is running on testserver for a while, requires full test
    • BenBE: to combine with Bug 988 ? Bug 988 depends on Bug 1162

    • 0001162: calcutate (the passwords) hash in php instead of in mysql

      • Test scenario
        1. several password combinations, special chars and so on
        2. own password reset
        3. administrative password reset
  13. Bug 988

    • show TTP CAP details
    • Lines 1.. Lines5 requires full postal addr incl. name, TTP assurer instructions added
    • current state: needs work
  14. bug #1141 If i delete Domains, no Servercerts for this domains are listet, even not the revoked

    • moved to testserver


      bug #1141 If i delete Domains, no Servercerts for this domains are listet, even not the revoked

      needs testing


    • discussions: arb case? privacy (eg PP 10.), data retention (-> Australian DPA)

    • Marcus to contact Benedikt
  15. what to do with bug #1143 Web site doesn't scale vertically

  16. bug #901 Renewal of certificate with WIN 7 and IE8

  17. Marcus: server.pl - bug #1159 - it might be possible to execute commands on the signing server

    • answered by Wytze
    • NEO tries a patch
    • server.pl issue .. review by Ben finished, ready to deploy bug #1159

  18. bug #1094 Wrong information shown when disputing a domain that is part of a organisation account - Review by Michael

    • Review by Michael + Test by Magu 1094 - OK.
  19. bug #28 Wrong language for you've been assured & [CAcert.org] Client Certificate emails - Review by Michael

    • Review 28 by Michael doesn't work.
    • Additional work required: Doc Comments in include/lib/l10n.php
    • Repaired by Benny for bug 28
    • Ported patch by Marcus
    • Fixed parameter name and class refs in include/lib/l10n.php
  20. bug #872 Discuss over Software changes for PoJAM Policy

    1. (BenBE)
      • UI with checkbox for PoJAM seen
      • for old cases take "not seen" as default
      • do mass-mailing for all PoJAM related to ask assurers to confirm they saw the Parental Consent form
      • ignore points from assurances under PoJAM (even after 18th birthday) when calculating permissions if no confirmation is present
    2. Marcus
      • check only one case of PoJAM acceptions per user
      • once one is present count all assurances as valid
    3. Michael
      • 2 or more Checked PoJAM Assurances for CAcert High Products
    4. SQL query to critical:
      • Users below 18th birthday grouped by date -> counts of assurance points

      • From arb a20091221.1

    5. Uli (AO)
    6. bug 872 for statistics for PoJAM
      • file a dispute - SQLquery
        -- Outer query: bucket the affected users by the total points they received
        SELECT
            count( `temp`.`no` ) as AffectedUsers,
            sum( `temp`.`assurances` ) as AffectedAssurances,
            if(points = 0, "No points", IF(points < 50, "1 < x < 50", IF(points < 100, "50 <= x < 100", "100 <= x"))) as ReceivedPoints
        FROM (
            -- Inner query: one row per user born in 1995 or later,
            -- with the number of assurances received and their summed points
            SELECT 1 AS no, count( 1 ) AS assurances, sum( `notary`.`points` ) AS points
            FROM `users`, `notary`
            WHERE YEAR(`users`.`dob`)>=1995 and `users`.`id`=`notary`.`to`
            GROUP BY `users`.`id`
            ) AS `temp`
        group by ReceivedPoints
  21. bug #1140 needs testing

    • Ted

      bug #1140 Show if a test is passed in learnprogress

      tested by 3, requires review


  22. bug #500 needs testing

    • Ted

      bug #500 Get contact mail adress after resolving test

      requires testing

      tested by 3, requires review


  23. bug #1139 moved to ready to deploy

    • inopiae

      bug #1139 Add new fields to the database

      tests through #500 and #1140, 2nd review done, requires transfer


  24. bug 1183 prepared patch by magu

  25. bug 372 - relates to fixed bug 922 but 922 only covers missing expired certs notifications - 372 requires deeper review regarding domlink table (in short: deprecation of domlink table isn't possible)

  26. Ted: bug 1191 proposal to upgrade to Wheezy

    • do we have a testserver? if no - can cats1 be upgraded?
    • requires no update for 1191
    • ca-mgr1 update will be done by NEO
    • Markus W initiated Zend on ca-mgr1, NEO continued
  27. bug 1185 register globals

    • simple fix; Should be solved now because bug 1176 is in production

  28. bug 1193

    • per CPS 4.2.2 this is an allowed variant
    • CPS 4.2.2

    • section Domain verification

7. Long Term Projects

  1. Marek's sql class project:
    • is working on charset replacement
    • [2013-08-13] BenBE proposal ...
      • to centralize sql queries in the code base
      • project has been started by Marek, but hasn't made much progress
  2. api project, Carsten continues with portal project not waiting for vendor-api to be delivered
    • vendor-api delayed
      • no coders
      • other projects
      • related to sql class project
    • portal project continues with a workaround, needs an assurer
      • arbitration case on locations database orders outsourcing of find-an-assurer asap
      • with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)
      • relation to location database
        1. website find an assurer
        2. scripted mailing for ATE invitations
      • user check that data is still valid eg every 1 year
        • notification at login up to 6 months not online
        • notification by email if not logged in within last 6 months
  3. Automated testing system
  4. Timo: monitoring signer, not yet done
    • Probably Wytze monitors the systems externally ?!?
    • see Systems overview

    • monitoring system eg Zabbix instead of Nagios?
    • BenBE: Icinga as alternate?
    • Zabbix agents: requires to be the same revision as server
  5. TLS project
    • BenBe/Wytze talked @ fosdem
    • risks fairly low, awaiting fix
  6. secure boot project (required steps?) (also relates to New Roots & Escrow)

    • we have
      • risk analysis
      • new roots procedure
    • required steps?
      • Escrow method to select
      • subroot under eg. org++
      • cps changes
      • new roots?
      • new signer?
      • indirect crl's
  7. tk-server / testserver system hosting
    • plans for moving testserver from current location over to BIT Ede, NL new non-critical infrastructure?
    • What are the testserver host requirements? as current non-critical infrastructure runs on LXC and testserver runs under VMware esxi 3.5
      1. piped serial interface configuration
      2. isolating port 25 for testservers (local firewall?)
    • LXC and serial interfaces
      • possible solutions: using a. serial interface b. named pipes?
      • alternates: VirtualBox

      • To link serial port ttyS0 to another serial port:
        • socat /dev/ttyS0,raw,echo=0,crnl /dev/ttyS1,raw,echo=0,crnl
      • Server is currently located with Sebastian and is planned for Non-Critical Infrastructure
      • another plan: reducing rackspace, removal of old hardware?
      • IP Addresses see IP List

        • cacert1 + secure1 -> 1 IP

        • ca-mgr1 + cats1 -> 1 IP

        • git-cacert -> 1 IP

        • TVERIFY is disabled
        • dirk: shall contact Sebastian, transfer to Wytze, Wytze will continue preparation offsite
        • secure-u project (signatures) is decoupled from tk server project
    • Plans are: using VirtualBox or LXC (preferred)

    • planned Infrastructure upgrades
      • several systems bugs, mantis, lists and many others (current Infrastructure systems keys list (see meeting minutes 2013-07-16))

      • several firewall outbound rules for blog, web (community portal) and others
    • Update 2013-07-23
      • dirk: transfer to BIT Ede, NL, around week 33 (2013-08-12 ff.)

8. next meeting


Fixed Action Items since last or within meeting

Action Items New

Action items: Meeting Action Items

Software/Assessment/20140121-S-A-MiniTOP (last edited 2014-01-20 22:45:59 by MarcusMängel)