To Software Software - To Software-Assessment - Software/Assessment - To previous meeting - To next meeting

Minutes of the MiniTOP on the 2011-03-22

Setting

The MiniTOP will be held via telco 22:00 CET

Attendees: Dirk, Magu, Michael, Uli, Ted

Action items from last meeting

Dirk: translingo cacert upload.pl bug #913
Dirk: regular Thawte patches, still open
- 15.php - add assurers state at bottom of page
Michael: TMS function (Assurances)
Michael: Hosting providers: to contact Martin Ga regarding questions about VMs on vienna hosting
Michael: add SA's to Admin in bugs for customizing, mail to Philipp, Andreas, Mario
Dirk: strategy for: "Certificates Class3" problem and "New Roots & Escrow"
- contact root cert group
Michael: CI (low priority)

Topics

State Testserver Update
- Current Patches on Testserver:
  - "Thawte" patch Bug# 827
  - /locale/ cleanup Bug# 896
- see action items
strategy plans ...
- strategy for: "Certificates Class3" problem and "New Roots & Escrow"
- see action items
- pragmatic solution proposed
Overview Projects Board (wiki:OverviewProjectsBoard) topics for SA (Update)
Signer deployment (Andreas/Markus) (Update)
Automated testing system (Andreas, Magu, MSchiffer) (Update)
Arbitration case a20110312.1
next meeting: Tuesday, March 29, 2011 22:00

Minutes

Action items from last meeting
Michael: TMS function (Assurances), still open
Michael: Hosting providers: to contact Martin Ga regarding questions about VMs on vienna hosting, still open
Michael: add SA's to Admin in bugs for customizing, mail to Philipp, Andreas, Mario, still open
Michael: CI (low priority), still open
strategy plans ...
- strategy for: "Certificates Class3" problem and "New Roots & Escrow"
- Multimember Escrow system proposal by Mario: HR problem, CRL signing problem
Overview Projects Board (wiki:OverviewProjectsBoard) topics for SA (Update)
- WIP
Dirk, Ted: translingo cacert upload.pl bug #913, still open
Dirk: regular Thawte patches, still open
- 15.php - add assurers state at bottom of page, still open
- Special Case: in production system user with 120 pts: 60 + 30 + 30 F2F (!!)
- Michael to add sql injection onto special testuser
Dirk: strategy for: "Certificates Class3" problem and "New Roots & Escrow"
- class3 prob: signing server receives identifier for which cert certs to issue
- Michael: webdb is the problem, to correct on several code snippests
- "New Roots" makes no sense with Software not Audit Ready
- proposal: one event: old "new" clase3 (A), create new root (B), new class3 (C), (A) to apply first
- Software and "Audit Ready" topic
  1. software needs documented
  2. each step has to be traceable
    - eg. logical deletions -> delete mark, but content shouldn't be deleted
    - assurances -> deletable by support or by administrative increases
    - temporary administrative increases
    - admin for organisation assurerance
    - delete account function from support console
    - may be more
  3. full code review
    - in the past this leads to Software Camp Innsbruck - Software is not auditable
    - we have procedures for updates, but new critical bugs needs to be fixed
    - also Policy related fixes
    - critical mass of developers
  4. policy conformity
  5. fix major bugs
Arbitration case a20110312.1 "Weak keys"
- Weak keys ... check databases, revoke keys and so on
- search keys from database script
- testservers: all software assessors should have console access onto all related servers (cacert1, git)
- ted has access to test1.cacert.at
  - in database is filename of pem encoded cert file
  - in database there is some info, but not valueable
  - rsa key lengths vs. dsa key lengths, first check rsa keys
  - tests finished, needs coding, and running
  - generate emails based on the exec results
- Michael: don't accept weak csr's
- Ted: 4 procedures to check: user client cert, user server cert, org client cert, org server cert
- Michael: account.php 23 matches regarding openssl, -7 text matches
- Michael: api - running a script with parameters /www/api
  - web api (SOA)
- Ted: relevant positions to find - transfer to signer
  - Michael: its to late, to send user responses
- proposed fix till end of week, review upcoming monday
- revocation of too small keys, info to board
next meeting: Tuesday, March 29, 2011 22:00
Ted: pushed a branch to git: translingo cacert upload.pl bug #913
Signer deployment (Andreas/Markus), Michael will contact Andreas
meeting closed [0:45]

Action items: Meeting Action Items

Software/Assessment/ActionItems

all	proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems see also BEAST migration https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls Proposal from Sysadm list 2013-09-06	{0}
SA	documentation server cert design concept to SystemAdministration/Systems/Development/Prepare	{0}
all	review Software patches Update Cycle	{0}
BenBE, Marcus	documentation: developer git repos under github bug #1131 history @ github CAcertOrg @ github started under Software/Assessment/Documentation/UpdateCycle/step1	{0}
NEO	BenBe: request: htttps header on bugtracker bug #1116	{0}
all	read x509 guide	{0}
all	bug#1068 blog problem (also relates to community) debian lenny - edge - squeeze upgrades needed alternate: new server with squeeze, install wordpress, transfer domain workaround: configure your FF FAQ/BrowserClients	{g}
uli	Experience points for ATE attendance check board motions and/or trigger if not yet passed	{0}
uli	Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18 current state: see Funding Landing Page May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished	{0}
All	1. next: strategy for "New Roots & Escrow" - using indirect crl's ? indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment	{0}
dirk, Michael	3. next: strategy for "New Roots & Escrow" - how does debian work? to contact, deferred to next events (?) next round: picked up by Benedikt new proposal 2013-06-02	{0}
Uli, Michael	Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png	{0}

Development, Deployment, Discussion

OAO, Ted	bug #943 change OA admin/assurer text	needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected	{-}
uli, Ted	bug #824 Org User cert fix Case study	Organisation User Certificates: Need UI improvement for proper production usage	{0}
uli, ted	bug #823 email address removal fix	No warning when removing e-mail address from account that certificates will be revoked checked by 4, needs 2nd review, deploy rejected	{-}
inopiae	bug #920 Join - single name only (eg Indonesian)	details under bug number	{0}
uli	bug #859 admin console interface	feature request: show activity on an account in the admin interface rejected, certs login doesn't modify "modified" field	{r}
Michael	bug #540	p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing uli, marcus: needs full cert create tests duplicate report to bug#978 tested by 3, 2nd review done, transfered Ken reported: still has problems, bug kept open	{0}
gagern, NEO	bug #440 Problem with subjectAltName (CSR, renew certs)	There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development	{r}
neo	bug #1025 Domain Dispute issue	disputes rc and rc2 var prob needs work	{r}
dirk	bug #1054 0001054: Review the code regarding the new point calculation	Thawte patch part II needs further work	{r}

Software Assessors: Review 1 / add to cacert-devel, add to testserver

Software-Assessors task

Testing

Testers task

neo	bug #1004 Stats page improvement	tested by 2, needs 2nd review	{0}
neo	Bugs #1159 it might be possible to execute commands on the signing server		{0}
inopiae	bug #1065 Wrong wording when sending mails during the assurance process		{0}
inopiae	bug #1162 calcutate (the passwords) hash in php instead of in mysql	create test scenarios for the software testers $/!\$ Full testing $/!\$	{0}
inopiae	bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails		{0}
inopiae	bug #988 TTP cap form deployment		{0}

Software Assessors: 2nd Review, Bundle Package to Critical Team

Software-Assessors task

Ted	bug #500 Get contact mail adress after resolving test	tested by 3, requires review	{0}
Ted	bug #1140 Show if a test is passed in learnprogress	tested by 3, requires review	{0}
magu	bug #1131 Rename _all_ Policies from .php to .html and fix all links	global policy directory maintenance and update	{0}
inopiae	bug #1010 Reorder the view on organisation certificates	tested by 3	{0}

Software Assessors: Bundle Package to Critical Team

Software-Assessors task

inopiae

bug #1139 Add new fields to the database

tests through #500 and #1140, 2nd review done, requires transfer

{0}

Awaiting Response from Critical Team

inopiae

bug #411 Wrong text is made into link

{g}

CategorySoftwareAssessment

CategorySoftwareAssessment

Software/Assessment/20110322-S-A-MiniTOP (last edited 2011-09-23 00:12:25 by UlrichSchroeter)