Minutes of the MiniTOP on the 2012-07-24


The MiniTOP will be held via telco 22:00 CEST

Attendees: Marcus, Uli, Benny, dirk, Michael, magu


(skip to agenda)

Action items from last meeting Meeting Action Items


Development, Deployment, Discussion

  • OAO, Ted

    bug #943 change OA admin/assurer text

    needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected


    uli, Ted

    bug #824 Org User cert fix Case study

    Organisation User Certificates: Need UI improvement for proper production usage


    uli, ted

    bug #823 email address removal fix

    No warning when removing e-mail address from account that certificates will be revoked
    checked by 4, needs 2nd review, deploy



    bug #920 Join - single name only (eg Indonesian)

    details under bug number



    bug #859 admin console interface

    feature request: show activity on an account in the admin interface
    rejected, certs login doesn't modify "modified" field



    bug #540

    p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
    uli, marcus: needs full cert create tests
    duplicate report to bug#978
    tested by 3, 2nd review done, transfered
    Ken reported: still has problems, bug kept open


    gagern, NEO

    bug #440 Problem with subjectAltName (CSR, renew certs)

    There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development



    bug #1025 Domain Dispute issue

    disputes rc and rc2 var prob
    needs work



    bug #1054 0001054: Review the code regarding the new point calculation

    Thawte patch part II
    needs further work


Software Assessors: Review 1 / add to cacert-devel, add to testserver

  • Software-Assessors task


  • Testers task


    bug #1004 Stats page improvement

    tested by 2, needs 2nd review



    Bugs #1159 it might be possible to execute commands on the signing server



    bug #1065 Wrong wording when sending mails during the assurance process



    bug #1162 calcutate (the passwords) hash in php instead of in mysql

    create test scenarios for the software testers /!\
    Full testing /!\



    bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails



    bug #988 TTP cap form deployment


Software Assessors: 2nd Review, Bundle Package to Critical Team

  • Software-Assessors task


    bug #500 Get contact mail adress after resolving test

    tested by 3, requires review



    bug #1140 Show if a test is passed in learnprogress

    tested by 3, requires review



    bug #1131 Rename _all_ Policies from .php to .html and fix all links

    global policy directory maintenance and update



    bug #1010 Reorder the view on organisation certificates

    tested by 3


Software Assessors: Bundle Package to Critical Team

  • Software-Assessors task


    bug #1139 Add new fields to the database

    tests through #500 and #1140, 2nd review done, requires transfer


Awaiting Response from Critical Team

  • inopiae

    bug #411 Wrong text is made into link



1. Preface

  1. Cebit brainstorming
    • dirk: request for events report
    • (2012-03-27) Marcus awaiting translation from Marc
    • (2012-06-19) Marcus: translation received, will send within the next upcoming days
    • (2012-06-26) Marcus: not yet finished
    • 2nd draft finished
    • Sat report missing

2. 2nd review of about 5 patches

3. Patches Overview - DEV and Testing

  1. bug #1023 Testing (6.php)
    1. Thawte points removal, final step
      • last patch transfered to production system 2012-05-30
    2. what are the next steps for thawte points revoke?
      • points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
      • 15.php needs rename to 10.php
      • cannot move forward without dirk
  2. Bugs under Testing
    1. bug #1075 cap form link wrong under pages/wot/6.php


      bug #1075 cap form link wrong under pages/wot/6.php

      cap link removed, moved to testserver


      • data protection problem to pickup user data before assurance f2f meeting starts
      • what does assurance process means? assurance "process" starts from request of assuree to an assurer to do an assurance over assuree
      • problem in ttp process too, to have a view over data before f2f meeting and signed cap is in the hands of an assurer. ttp-admin can request confirmation from ttp-user to access online data
      • simple patch: remove links
      • edited by NEO: transfered to testserver
  3. Marcus Bugs list
    • see also Software/BugsOverview

    • bug#1023 related

      • bug#583 "Assure Somebody" allows future assurance dates

      • bug#648 send message from Assurer to Member

      • bug#802 Name parts should be designated in assurance form

      • bug#870 My Details - My Points show bugus time stamp

      • bug#914 Information about Practice on Name while entering an Assurance

      • bug#930 types wrong points in "Assure Someone" form

      • bug#931 Date of assurance in future don't throw any exception

      • bug#998 When entering an assurance in the WoT one line of the form the suffix is given in another line the suffix is missing.

      • bug#1000 Entering an assurance into the system after searching for an assurer causes a pre-filled location field

    • Others
      • bug#118 Secure TTP Form upload - outdated, conflicts with new procedure, closed

      • bug#428 Reminder language-drop-down-box doesn't keep "English" if you choose it again - cannot be reproduced, tested by 2, closed

      • bug#489 Pb on rewarding 2 points for an assurance

      • bug#567 case sensitive email: tested by 2, cannot be confirmed, closed

      • bug#767 Single-quotes escaped in Web-of-Trust contact form.

    • info pages to wiki pages
      • starting bug #671. there still exist a bug# bug #740 (How to become an assurer is missleading)

    • bug #491 "Please allow usage of "secondary" emails user ids." - proposes: Close with rejected

      •   * username/password half of the combination is known to potential attacker
          * login prevents login to several email addresses
          * acceptance to several email addresses is prevented
          * no notification if primary email address has been changed
          * note regarding Policy Group
          * dirk: proposal: response email address exists, but isn't primary email ?
           * create new account results in "email address exists"
           * what is a proper response?
           * requestor has to be an assurer for assure someone
          * neo: for registration process chaptcha required
          * no good solution
          * for assurance only primary, for all other services allow also secondary addresses
           * search needs enhancement: search not only primary, also secondary
    • bug #571 "need for email addresses (or link) in admin console" - proposes: Closed with solved by other bug fix

        * primary and secondary email addresses are shown in admin console
    • bug #591 "CPS has to be improved for audit." - proposes: Closed

        * CPS is a working revision also DRAFT revision included
        * relates to policy repository bug# final place finding
    • addtl. groups:
      1. OA
      2. CCA rollout
      3. TTP
  4. bug #1025 "Domain Dispute strange behaviour / Domain Dispute issue", checked

    • wrong description, problem removing domains, bugfix solves this problem
    • async removal of certs by signer
    • needs review and testing
    • inopiae will try testing on upcoming weekend
    • to test: email- and domain dispute
  5. bug #922 "CAcert application code problem causing missing 'certificate about to expire' messages", checked

    • patch seems to be ok
    • white spaces cleanup
    • includes/account.php var $id shall be fixed within recursion, new bug #1078

    • 2 tests initiated by inopiae and u60
    • principle ok, but very confusing
    • test reports Marcus:
      • discussions, Marcus got 71 or 72 notifications
      • Neo: default 5 notifications: 45d, 30d, 15d, 3d, 1d
    • bug #922 test report / review

      • one test account, 1 client cert, 1 server cert, received 105 (1) reminders (!!!)
      • 15 reminders checked, 1 for client cert, 14 for server cert (!!!)
      • needs further inspection
    • Bug Testing / Reporting bug #922 difficult
      • Marcus writes a tool to collect Email infos from TMS
  6. bug #1019 "Contact form does not work when logged in"

    • Michael: rework contact form
      • usability: 1 form, option box with public/support delivery, default support
      • current form 1: public, form 2: private
      • spam prevention via java, on disabled java the mail is marked [possible spam]
    • mass mailing possible if adding multiple emails separated by commas
    • account.php - email address from sender, no address validation, several other places it passes address validation
    • neo: why not use primary email address?
      • works only if logged-in
    • index?id=11 has also been changed
    • url was hardcoded
    • account.php?id=14
    • sendmail() routine in includes/mysql.php
  7. Findings from David
    1. (char) 160 is problematic in various locales, as it appears as whitespace (160 is not a particularly good val either in ISO-8859-1) in certs
      • todo: doing whitelist of allowable chars
      • \xA0 is a problem too (at least in Win32/64)
      • todo: file a new bug#
    2. subjectAltName is occasionally not checked for problems
      • todo: file a new bug#

4. Benny reviews

5. New SA candidates and Coders

  1. ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before 2012-08-10 - 2012-08-11 BarCamp kiel

  2. ABC David
  3. How to find coders? Experiences from the Gentoo project

6. English Translation Problems

7. Long Term Projects

  1. NEO: "BlackJack" bug #964

  2. Marek's sql class project:
    • is working on charset replacement
  3. api project, Carsten continues with portal project not waiting for vendor-api to be delivered
    • potential candidates for development
      1. Marek's sql class proposal
        • needs probably db upgrades
        • needs addtl. indices
        • needs testing
      2. archaios
        • builds daemon as unpreviliged user
    • vendor-api delayed
      • no coders
      • other projects
      • related to sql class project
    • portal project continues with a workaround, needs an assurer
    • arbitration case on locations database orders outsourcing of find-an-assurer asap
    • with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)

8. next meeting


  1. Preface
    1. working session: testing "Black Jack" bug #964

      • benny, did not find time for testing
      • marcus: tested chrome
      • marcus, uli: enable-login flag set after key has been signed with unset flag on request
    2. benny, cryptical grafix on main testserver page
      • identified as crippled googleads
  2. dirk 2nd review: bug#540 No key usage attribute in cacert org certs anymore?

  3. working session
    1. black-jack
      1. NEO: (964) enable-login flag fixed, to transfer to testserver
      2. NEO: org-certs prob
      3. ben: "Bei den Fehlermeldungen der Statuscodes bitte Hex und Int angeben. Au?erdem beim Ablehnen der Best?tigungsmeldungen die Fehlermeldung etwas aussagekr?ftiger."
        • "Fehler: Nachricht (0x80000095 / -2147.....)"
    2. Magu: to test bug #1075
      • also bug #964
    3. error messages:
  4. dirk 2nd review: bug#1075 cap form link wrong under pages/wot/6.php

    • neo

      bug #1075 cap form link wrong under pages/wot/6.php

      cap link removed, moved to testserver


    • 2nd review done, ok, good to go, tested by 3
  5. dirk 2nd review: bug #789 OA edit domain fix, Editing domain for organisations does not work
    new update 2011-09-26
    2 tests, needs 2nd review, deploy
    more fixes, more testing

    • 2012-07-17: dirk review bug 789, OA edit domain fix, Editing domain for organisations does not work - started
      • gitdiff origin/release..origin/bug789
      • bug #789 reviewed: 2012-07-10

        • what is /pages/account/29.php for? edit org domain
        • phone accu breaks
    • request domid instead of config/domid to prevent multiple window interactions
    • 2nd review ok, tested by 2, good to go
  6. NEO transfering to critical:
    1. bug#540

    2. bug#1075

    3. bug#789

  7. dirk question: state of ABC's for SA's
    • 2 ABCs filed for Ben and David
    • Heino, not yet prepared
  8. dirk 2nd review: bug #1024 Assurer flag is not set correctly on updatesort.php run

    • michael: fix assurer flag from library
      • with userid for one special user
      • w/o userid, for all users
    • to continue upcoming week

Fixed Action Items since last or within meeting

Action Items New

Action items: Meeting Action Items

Software/Assessment/20120724-S-A-MiniTOP (last edited 2012-07-24 23:13:30 by UlrichSchroeter)