To Software Software - To Software-Assessment - Software/Assessment - To previous meeting - To next meeting
Minutes of the MiniTOP on the 2011-07-05
Setting
The MiniTOP will be held via telco 22:00 CEST
Attendees: dirk, Uli, Michael, Marcus, Marc
Topics
(skip to agenda)
Action items from last meeting Meeting Action Items
Agenda
- Software Assessors Patch Reviews - working session in meeting
- Review 1: review, add to cacert-devel, transfer to testserver
- Review 2: finish tests, bundle patch, send to critical team ?
Dirk
the Bug #948 (impact on mail delivery (non RFC-2821 compliance))
- Review 1: review, add to cacert-devel, transfer to testserver
strategy plans ... next: strategy for "New Roots & Escrow"
- idea: using indirect crl's ?
- 2 crl's needed, one valid, one invalid crl server
- more infos available ? who ?
- build testserver with special certs
- Magu, Michael to send instructions for test deployment
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5)
- Magu: not avail, no update
- other testers ?
- Marcus: no, Marc: ?
- some discussion about potential test environment, no result
- Define requirements, Define a testszenario
- policy group: define requirements
- multimember escrow method ?
- needs risk analyze
- potential candidates ?
- Marcus to contact Thomas K
- contacted benedikt, will take care about
- will contact Thomas K
- Marcus to contact Thomas K
- multimember escrow method ?
- how does debian work ?
- defered to Froscon (end of Aug), CCCcamp (around Aug 10th)
- idea: using indirect crl's ?
- State Testserver Update, Current Patches on Testserver, current running Arbitrations:
- the list of unhandled patches
Arbitration case a20110312.1 Weak keys bug #918
- mail to ted to continue with arb case, adding to thread on arb case
Next: script to bulk revoke weak keys, new bug #954
- see action items, update ?
Arbitration case a20110419.1 Bug #637: Weak Passwords
- Pwd text removed, but reject pwd doesn't work, pwd can be set to weak pwd
- problem #1 at login, plz change, use old pwd works - fail
- problem #2 at join
- to include in ? checkpassword() in includes(general.php) ... add addtl. requirements there ?
- current: clear password in source code
- checkpassword() needs rewrite, but this is another issue, first we have to take care about the Fred pwd
- dictionary is still active grep current-pwd share/userdict
- Fred... to add into checkpassword()
- checkpassword() to add into login procedure
pwd cannot be changed - new Bug# 953 "After change of password change on account.php?id=14 does not meet requirements wrong redirect"
- SE reset pwd procedure doesn't take care about weak pwd
- Under testing: update
"Thawte" patch Bug# 827 Points-Count-Order-Change project
- in testing
- problems in counting found, missing points
- new commit by dirk, forwarded by NEO
- 80 pts counted, 100 countable ... problem
- new commit by dirk, forwarded by NEO
- pts problem seems to be solved, assurer challenge needed seems now to be ok
- Under testing: update
- Marc: thawte patch problem found 2147483647 assurance pts entered, 15.php displays 2147483647 pts
- Arbitration: exists values in points? limit 0-150 pts ? or no arbitration ? (discussion)
- the list of unhandled patches
- Annoying gpg bug
dirk, michael, uli
annoying bug #911 (gpg expires 1970), activate gpg on testserver ? pickup upcoming weekend ?
{0}
- Documentation
- Bugs.cacert.org
- discussion about states to define, redefine
bugs documentation I (bugs handbook)
bugs documentation II (to incorporate into the Software-Update-Cycle procedure/documentation)
- Review, Update
- uli, marcus - Testserver + Software Testers - task based help - update
uli, marcus - testers how-to regarding testserver roots: live-cd ? how-to, 2nd profile add to Welcome Pack - update
- Bugs.cacert.org
- CI (Update)
- next meeting: Tuesday, July 12, 2011 22:00
Minutes
- Review 2: finish tests, bundle patch, send to critical team ?
Dirk
the Bug #948 (impact on mail delivery (non RFC-2821 compliance))
Uli: new file to patch found: CommModule client.pl (dirk will check)
- Marc, Marcus to test
- Michael: TMS Batch Assurance implemented
- Michael: Bugs tracker, added field/column reviewed by ...
strategy plans ... next: strategy for "New Roots & Escrow"
- policy group: define requirements
- multimember escrow method ?
- needs risk analyze
- potential candidates ?
- Marcus to contact Thomas K
- contacted benedikt, will take care about
- will contact Thomas K
- Marcus in meeting with Benedikt, ok from Benedikt, B. needs some more details input, Uli to contact
- Marcus to contact Thomas K
- multimember escrow method ?
- idea: using indirect crl's ?
- 2 crl's needed, one valid, one invalid crl server
- more infos available ? who ?
- build testserver with special certs
- Magu, Michael to send instructions for test deployment
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5)
- Magu: not avail, no update
- other testers ?
- Marcus: no, Marc: ?
- some discussion about potential test environment, no result
- Define requirements, Define a testszenario
- requirement:
- webserver to deliver test crl's
- openssl - create testCA incl. subCA + non-CA but allowed to create crl's
- publish only subRoot + crl cert
- publish public key of root
- in certs ocsp responder should be prevented or otherwise own ocsp responder has to be deployed
- testCA and subCA doesn't publish crl's
subCA included: link to CRL-distribution-point -> non-CA crl distributor
- in certs issued of subRoot has to include CRL-distribution-point that is identical with crl of subRoot
- own crl-distribution-point for each subRoot
RootCA -> SubRoot-blub -> SubRoot-blub-certs -> crl-distribution-point is blub
- crl needs extensions
RootCA -> A -> C, SubCA -> B -> B, 2 crl distribution points B and C
- client with software to test, browser, email client, acrobat (doc-signing), code-signing
- what is the content of crl-distribution-point server cert?
- points to himself
- no distribution point
- rootCA creates one crl, that only is used for crl-signer
- does one of the methods work ?
- for testing: virtual server: apache + openssl
create certs -> manual openssl command
- requirement:
- policy group: define requirements
- feature request by dirk: to add ntp to testserver image, pool.ntp.org
- Working session:
- Documentation
- Bugs.cacert.org
- discussion about states to define, redefine
bugs documentation I (bugs handbook)
bugs documentation II (to incorporate into the Software-Update-Cycle procedure/documentation)
- Review, Update
- Testserver Documentations
- uli, marcus - Testserver + Software Testers - task based help - update
- defered after discussion
uli, marcus - testers how-to regarding testserver roots: live-cd ? how-to, 2nd profile add to Welcome Pack - update
- defered after discussion
- general problem to spoon-feed the people with step by step documentations
- uli, marcus - Testserver + Software Testers - task based help - update
- Bugs.cacert.org
- Uli: Marcus, please re-test/check Bugs 921 + 942
- topic ..
dirk
DEV: a20110312.1 bug#918 Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV
{-}
vbscript needs to be improved with select box key size and lower limit to 2048 (based on https://wiki.mozilla.org/CA:MD5and1024)
Api CertEnroll (MS crypto provider)
annoying bug #911
dirk, michael, uli
annoying bug #911 (gpg expires 1970), activate gpg on testserver ? pickup upcoming weekend ?
{0}
https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00012.html
https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00013.html
- the key is ok
- display on gpg list in webdb displays wrong date
- to increase priority of this bug, to fix displaying gpg key date in list as too many reports receives support
- review finished, transfered to testserver
bug #841 (cert login - check issuer source) {g}
- State Testserver Update, Current Patches on Testserver, current running Arbitrations:
- the list of unhandled patches
Arbitration case a20110312.1 Weak keys bug #918
- mail to ted to continue with arb case, adding to thread on arb case
Next: script to bulk revoke weak keys, new bug #954
- see action items, update ?
on mailing the $reason had not been added into the mail, nor the specified wiki links, that were created for this mailing (see https://lists.cacert.org/wws/arc/cacert-support/2011-06/msg00072.html)
- the list of unhandled patches
Fixed Action Items since last or within meeting
Uli
{g}
uli, marcus
Testserver + Software Testers - task based help
{b}
uli, marcus
testers how-to regarding testserver roots: live-cd ? how-to, 2nd profile add to Welcome Pack
{b}
Michael
bug #943 (replace OA-admin text with OA-Assurer), Uli: transfered to testers portal
{g}
Michael
DEV: TMS function (Batch Assurances) DEV
{g}
Michael
bug #841 (cert login - check issuer source)
{g}
Marcus, Uli
2. next: strategy for "New Roots & Escrow" - multimember escrow method risk analyze
contact potential candidates for doing a risk analyze{g}
Action Items New
Action items: Meeting Action Items
Software/Assessment/ActionItems
all
proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems
see also BEAST migration https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
Proposal from Sysadm list 2013-09-06{0}
SA
documentation server cert design concept to SystemAdministration/Systems/Development/Prepare
{0}
all
{0}
BenBE, Marcus
documentation: developer git repos under github
bug #1131 history @ github
CAcertOrg @ github
started under Software/Assessment/Documentation/UpdateCycle/step1{0}
NEO
{0}
all
read x509 guide
{0}
all
bug#1068 blog problem (also relates to community)
debian lenny - edge - squeeze upgrades needed
alternate: new server with squeeze, install wordpress, transfer domain
workaround: configure your FF FAQ/BrowserClients{g}
uli
Experience points for ATE attendance
check board motions and/or trigger if not yet passed{0}
uli
Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18
current state: see Funding Landing Page
May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished{0}
All
1. next: strategy for "New Roots & Escrow" - using indirect crl's ?
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment{0}
dirk, Michael
3. next: strategy for "New Roots & Escrow" - how does debian work?
to contact, deferred to next events (?)
next round: picked up by Benedikt new proposal 2013-06-02{0}
Uli, Michael
Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png
{0}
Development, Deployment, Discussion
OAO, Ted
bug #943 change OA admin/assurer text
needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected
{-}
uli, Ted
bug #824 Org User cert fix Case study
Organisation User Certificates: Need UI improvement for proper production usage
{0}
uli, ted
bug #823 email address removal fix
No warning when removing e-mail address from account that certificates will be revoked
checked by 4, needs 2nd review, deploy
rejected{-}
inopiae
bug #920 Join - single name only (eg Indonesian)
details under bug number
{0}
uli
bug #859 admin console interface
feature request: show activity on an account in the admin interface
rejected, certs login doesn't modify "modified" field{r}
Michael
p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
uli, marcus: needs full cert create tests
duplicate report to bug#978
tested by 3, 2nd review done, transfered
Ken reported: still has problems, bug kept open{0}
gagern, NEO
bug #440 Problem with subjectAltName (CSR, renew certs)
There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development
{r}
neo
bug #1025 Domain Dispute issue
disputes rc and rc2 var prob
needs work{r}
dirk
bug #1054 0001054: Review the code regarding the new point calculation
Thawte patch part II
needs further work{r}
Software Assessors: Review 1 / add to cacert-devel, add to testserver
Software-Assessors task
Testing
Testers task
neo
bug #1004 Stats page improvement
tested by 2, needs 2nd review
{0}
neo
Bugs #1159 it might be possible to execute commands on the signing server
{0}
inopiae
bug #1065 Wrong wording when sending mails during the assurance process
{0}
inopiae
bug #1162 calcutate (the passwords) hash in php instead of in mysql
create test scenarios for the software testers
![/!\](/moin_static199/cacert/img/alert.png "/!\")
Full testing {0}
inopiae
bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails
{0}
inopiae
bug #988 TTP cap form deployment
{0}
Software Assessors: 2nd Review, Bundle Package to Critical Team
Software-Assessors task
Ted
bug #500 Get contact mail adress after resolving test
tested by 3, requires review
{0}
Ted
bug #1140 Show if a test is passed in learnprogress
tested by 3, requires review
{0}
magu
bug #1131 Rename _all_ Policies from .php to .html and fix all links
global policy directory maintenance and update
{0}
inopiae
bug #1010 Reorder the view on organisation certificates
tested by 3
{0}
Software Assessors: Bundle Package to Critical Team
Software-Assessors task
inopiae
bug #1139 Add new fields to the database
tests through #500 and #1140, 2nd review done, requires transfer
{0}
Awaiting Response from Critical Team
inopiae
bug #411 Wrong text is made into link
{g}