To Software Software - To Software-Assessment - Software/Assessment - To previous meeting - To next meeting

Minutes of the MiniTOP on the 2011-06-21

Setting

The MiniTOP will be held via telco 22:00 CEST

Attendees: Marcus, Uli, Michael, Magu, Dirk

Topics

(skip to agenda)

new items in last meeting:

dirk ? michael ? jandd ? alexander ? sven ? - next strategy for "New Roots & Escrow" - get in contact with debian group
dirk, michael, uli - annoying bug #911 (gpg expires 1970), activate gpg on testserver ? pickup upcoming weekend ?
uli, marcus - Testserver + Software Testers - task based help

Action items from last meeting Meeting Action Items

Agenda

strategy plans ...
1. next: strategy for "New Roots & Escrow"
  - idea: using indirect crl's ?
    - 2 crl's needed, one valid, one invalid crl server
    - more infos available ? who ?
  - policy group: define requirements
    - multimember escrow method ?
    - how does debian work ?
      - secret sharing schema
      - docu process http://ftp-master.debian.org/keys.html
      - public mailing lists ? contacts ?
      - dirk ? michael ? jandd ? alexander ? sven ? and other contacts (ftp team ?)

State Testserver Update, Current Patches on Testserver, current running Arbitrations:

the list of unhandled patches

Arbitration case a20110312.1 Weak keys bug #918
Arbitration case a20110419.1 Bug #637: Weak Passwords
"Thawte" patch Bug# 827 Points-Count-Order-Change project

Software Assessors Review 1

Michael, Dirk, Ted, Mawa	bug #940 (outsource help pages to wiki)
Michael, Dirk, Ted, Mawa	bug #943 (replace OA-admin text with OA-Assurer)
Michael, Dirk, Ted, Mawa	bug #841 (cert login - check issuer source)
Dirk, Michael, Mawa	bug#942 (CATS test)
Dirk	bug#827 (Thawte patches, points order change)

Software Assessors Review 2
- Dirk, Ted, Mawa
  
  the Bug #948 (impact on mail delivery (non RFC-2821 compliance))

Testgroup: recruit new testers, update
- result from: Software Testers - Workshop at Barcamp Karlsruhe
CI (Update)
next meeting: Tuesday, June 28, 2011 22:00

Minutes

Bugs.cacert.org
- discussion about states to define, redefine
- bugs documentation I (bugs handbook)
- bugs documentation II (to incorporate into the Software-Update-Cycle procedure/documentation)
strategy plans ...
- next: strategy for "New Roots & Escrow"
  1. idea: using indirect crl's ?
    - 2 crl's needed, one valid, one invalid crl server
    - more infos available ? who ?
      1. build testserver with special certs
      2. Magu, Michael to send instructions for test deployment
        indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5)
  2. policy group: define requirements
    - multimember escrow method ?
      - needs risk analyze
      - potential candidates ?
        Marcus to contact Thomas K
        Uli to contact Benedikt
  3. how does debian work ?
    - secret sharing schema
    - docu process http://ftp-master.debian.org/keys.html
    - public mailing lists ? contacts ?
      - dirk ? michael ? jandd ? alexander ? sven ? and other contacts (ftp team ?)
    - Update: no update, no one works on contacts
      - defered to Froscon (end of Aug), CCCcamp (around Aug 10th)

State Testserver Update, Current Patches on Testserver, current running Arbitrations:

the list of unhandled patches

Arbitration case a20110312.1 Weak keys bug #918
- mail to ted to continue with arb case, adding to thread on arb case
Arbitration case a20110419.1 Bug #637: Weak Passwords
- Pwd text removed, but reject pwd doesn't work, pwd can be set to weak pwd
- problem #1 at login, plz change, use old pwd works - fail
- problem #2 at join
- to include in ? checkpassword() in includes(general.php) ... add addtl. requirements there ?
- current: clear password in source code
- checkpassword() needs rewrite, but this is another issue, first we have to take care about the Fred pwd
- dictionary is still active grep current-pwd share/userdict
  1. Fred... to add into checkpassword()
  2. checkpassword() to add into login procedure
- pwd cannot be changed - new Bug# 953 "After change of password change on account.php?id=14 does not meet requirements wrong redirect"
- SE reset pwd procedure doesn't take care about weak pwd
- to continue testing
"Thawte" patch Bug# 827 Points-Count-Order-Change project
- in testing
- problems in counting found, missing points
- new commit by dirk, forwarded by NEO
- 80 pts counted, 100 countable ... problem
- new commit by dirk, forwarded by NEO
- pts problem seems to be solved, assurer challenge needed seems now to be ok

Software Assessors Review 1

Michael, Dirk, Ted, Mawa	bug #940 (outsource help pages to wiki)
Michael, Dirk, Ted, Mawa	bug #943 (replace OA-admin text with OA-Assurer)
Michael, Dirk, Ted, Mawa	bug #841 (cert login - check issuer source)
Dirk, Michael, Mawa	bug#942 (CATS test)
Dirk	bug#827 (Thawte patches, points order change)	{g}

we need active SA's
- PG inactive
- Mawa currently on projects
- Dirk writes patches
- Ted is currently busy
- Michael is alone
new SA's ?
Uli to write mail to SA's: dirk, michael + ted, to appoint each SA two bugs
next week working session

Software Assessors Review 2
- Dirk, Ted, Mawa
  
  the Bug #948 (impact on mail delivery (non RFC-2821 compliance))
- dirk will check

Testgroup: recruit new testers, update
- result from: Software Testers - Workshop at Barcamp Karlsruhe
- no real new testers ... some interesting talks, but no HR
next meeting: Tuesday, June 28, 2011 22:00

Unhandled within meeting

(from action items)

dirk, michael, uli	annoying bug #911 (gpg expires 1970), activate gpg on testserver ? pickup upcoming weekend ?	{0}
uli, marcus	Testserver + Software Testers - task based help	{0}
uli, markus	testers how-to regarding testserver roots: live-cd ? how-to, 2nd profile add to Welcome Pack	{0}

Fixed Action Items since last or within meeting

Dirk, Ted, Mawa	Bug #946 (Class3 Fingerprints)	{g}
Dirk	DEV: bug#827 regular Thawte patches: still open 15.php - add assurers state at bottom of page Thursday ? REVIEW 1	{g}
Michael	1. next: strategy for "New Roots & Escrow" - using indirect crl's ? send instructions for test deployment	{g}
Michael	Arbitration case a20110312.1 Weak keys bug #918 mail to ted to continue with arb case, adding to thread on arb case	{g}
Marcus	pwd cannot be changed - new Bug# 953 "After change of password change on account.php?id=14 does not meet requirements wrong redirect"	{g}

Modification on Action Items

dirk ? michael ? jandd ? alexander ? sven ?

next strategy for "New Roots & Escrow" - get in contact with debian group

split to 3 sub parts

Action Items New

Michael, Ted, Uli, Marcus	bugs documentation I (bugs handbook) bugs documentation II (to incorporate into the Software-Update-Cycle procedure/documentation)	{0}
Michael	1. next: strategy for "New Roots & Escrow" - using indirect crl's ? send instructions for test deployment	{g}
Magu	1. next: strategy for "New Roots & Escrow" - using indirect crl's ? indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment	{0}
Marcus, Uli	2. next: strategy for "New Roots & Escrow" - multimember escrow method risk analyze contact potential candidates for doing a risk analyze	{0}
dirk, Michael	3. next: strategy for "New Roots & Escrow" - how does debian work? to contact, defered to Froscon (end of Aug), CCCcamp (around Aug 10th)	{b}
Michael	Arbitration case a20110312.1 Weak keys bug #918 mail to ted to continue with arb case, adding to thread on arb case	{g}
Marcus	pwd cannot be changed - new Bug# 953 "After change of password change on account.php?id=14 does not meet requirements wrong redirect"	{g}
Testers	Arbitration case a20110419.1 Bug #637: Weak Passwords * one report: lost password: is fixed on testserver, needs testing !!! Continue TESTING	{0}
Testers	bug#827 regular Thawte patch/Points-Count-Order-Change project applied to testserver, needs testing !!! Urgent TESTING	{0}
Uli	to write mail to SA's: dirk, michael + ted, to appoint each SA two bugs for review 1	{0}
All	bugs for review 1: if unhandled before next meeting to handle under working session within next meeting	{0}
Dirk	the Bug #948 (impact on mail delivery (non RFC-2821 compliance)) REVIEW 2	{-}

Action items: Meeting Action Items

Software/Assessment/ActionItems

all	proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems see also BEAST migration https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls Proposal from Sysadm list 2013-09-06	{0}
SA	documentation server cert design concept to SystemAdministration/Systems/Development/Prepare	{0}
all	review Software patches Update Cycle	{0}
BenBE, Marcus	documentation: developer git repos under github bug #1131 history @ github CAcertOrg @ github started under Software/Assessment/Documentation/UpdateCycle/step1	{0}
NEO	BenBe: request: htttps header on bugtracker bug #1116	{0}
all	read x509 guide	{0}
all	bug#1068 blog problem (also relates to community) debian lenny - edge - squeeze upgrades needed alternate: new server with squeeze, install wordpress, transfer domain workaround: configure your FF FAQ/BrowserClients	{g}
uli	Experience points for ATE attendance check board motions and/or trigger if not yet passed	{0}
uli	Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18 current state: see Funding Landing Page May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished	{0}
All	1. next: strategy for "New Roots & Escrow" - using indirect crl's ? indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment	{0}
dirk, Michael	3. next: strategy for "New Roots & Escrow" - how does debian work? to contact, deferred to next events (?) next round: picked up by Benedikt new proposal 2013-06-02	{0}
Uli, Michael	Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png	{0}

Development, Deployment, Discussion

OAO, Ted	bug #943 change OA admin/assurer text	needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected	{-}
uli, Ted	bug #824 Org User cert fix Case study	Organisation User Certificates: Need UI improvement for proper production usage	{0}
uli, ted	bug #823 email address removal fix	No warning when removing e-mail address from account that certificates will be revoked checked by 4, needs 2nd review, deploy rejected	{-}
inopiae	bug #920 Join - single name only (eg Indonesian)	details under bug number	{0}
uli	bug #859 admin console interface	feature request: show activity on an account in the admin interface rejected, certs login doesn't modify "modified" field	{r}
Michael	bug #540	p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing uli, marcus: needs full cert create tests duplicate report to bug#978 tested by 3, 2nd review done, transfered Ken reported: still has problems, bug kept open	{0}
gagern, NEO	bug #440 Problem with subjectAltName (CSR, renew certs)	There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development	{r}
neo	bug #1025 Domain Dispute issue	disputes rc and rc2 var prob needs work	{r}
dirk	bug #1054 0001054: Review the code regarding the new point calculation	Thawte patch part II needs further work	{r}

Software Assessors: Review 1 / add to cacert-devel, add to testserver

Software-Assessors task

Testing

Testers task

neo	bug #1004 Stats page improvement	tested by 2, needs 2nd review	{0}
neo	Bugs #1159 it might be possible to execute commands on the signing server		{0}
inopiae	bug #1065 Wrong wording when sending mails during the assurance process		{0}
inopiae	bug #1162 calcutate (the passwords) hash in php instead of in mysql	create test scenarios for the software testers $/!\$ Full testing $/!\$	{0}
inopiae	bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails		{0}
inopiae	bug #988 TTP cap form deployment		{0}

Software Assessors: 2nd Review, Bundle Package to Critical Team

Software-Assessors task

Ted	bug #500 Get contact mail adress after resolving test	tested by 3, requires review	{0}
Ted	bug #1140 Show if a test is passed in learnprogress	tested by 3, requires review	{0}
magu	bug #1131 Rename _all_ Policies from .php to .html and fix all links	global policy directory maintenance and update	{0}
inopiae	bug #1010 Reorder the view on organisation certificates	tested by 3	{0}

Software Assessors: Bundle Package to Critical Team

Software-Assessors task

inopiae

bug #1139 Add new fields to the database

tests through #500 and #1140, 2nd review done, requires transfer

{0}

Awaiting Response from Critical Team

inopiae

bug #411 Wrong text is made into link

{g}

CategorySoftwareAssessment

CategorySoftwareAssessment

Software/Assessment/20110621-S-A-MiniTOP (last edited 2011-09-23 00:04:14 by UlrichSchroeter)