• Software
• Assessment
• 20110712-S-A-MiniTOP

• To Software Software - To Software-Assessment - Software/Assessment - To previous meeting - To next meeting

Minutes of the MiniTOP on the 2011-07-12

Setting

The MiniTOP will be held via telco 22:00 CEST

Attendees: Marcus, dirk, Uli, Alex, Michael, Ted

Topics

(skip to agenda)

Action items from last meeting Meeting Action Items

Agenda

1. Software Assessors Patch Reviews - working session in meeting and State Testserver Update, Current Patches on Testserver, current running Arbitrations:
   1. Workshop

      • Dirk reminder (from last meeting) assure someone patches (checkboxes)

      • Review 1: review, add to cacert-devel, transfer to testserver

        • Ted	bug #940 (outsource help pages to wiki)
          Michael	bug #953 (change pwd routine, text changes only)
          Michael	bug #958 add ads on main website
          Michael	bug #959 add points bug

      • VBscript, Weak Keys script

        • dirk

          DEV: a20110312.1 bug#918 Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV

          {-}

        • vbscript needs to be improved with select box key size and lower limit to 2048 (based on https://wiki.mozilla.org/CA:MD5and1024)

        • Api CertEnroll (MS crypto provider)

      • annoying gpg bug #911

        • dirk, michael, uli

          annoying bug #911 (gpg expires 1970), activate gpg on testserver ? pickup upcoming weekend ?

          {0}

        • https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00012.html

        • https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00013.html

          1. the key is ok
          2. display on gpg list in webdb displays wrong date
        • to increase priority of this bug, to fix displaying gpg key date in list as too many reports receives support
        • 2 potential propblem areas
          1. add and sign new gpg key (save to database script results in wrong date)
          2. view gpg keys (read from database)
   2. To discuss (the list of unhandled patches)

      1. Arbitration case a20110312.1 Weak keys bug #918

         • mail to ted to continue with arb case, adding to thread on arb case

         • Next: script to bulk revoke weak keys, new bug #954

         • on mailing the $reason had not been added into the mail, nor the specified wiki links, that were created for this mailing (see https://lists.cacert.org/wws/arc/cacert-support/2011-06/msg00072.html)

         • Remove Weak Certs is under deployment, testing

      2. Arbitration case a20110419.1 Bug #637: Weak Passwords

         • Pwd text removed, but reject pwd doesn't work, pwd can be set to weak pwd
         • problem #1 at login, plz change, use old pwd works - fail
         • problem #2 at join
         • to include in ? checkpassword() in includes(general.php) ... add addtl. requirements there ?
         • current: clear password in source code
         • checkpassword() needs rewrite, but this is another issue, first we have to take care about the Fred pwd
         • dictionary is still active grep current-pwd share/userdict
           1. Fred... to add into checkpassword()
           2. checkpassword() to add into login procedure

         • pwd cannot be changed - new Bug# 953 "After change of password change on account.php?id=14 does not meet requirements wrong redirect"

         • SE reset pwd procedure doesn't take care about weak pwd
         • Under testing: update

      3. "Thawte" patch Bug# 827 Points-Count-Order-Change project

         • in testing
         • problems in counting found, missing points
         • new commit by dirk, forwarded by NEO
         • 80 pts counted, 100 countable ... problem
         • new commit by dirk, forwarded by NEO
         • pts problem seems to be solved, assurer challenge needed seems now to be ok
         • Under testing: update
         • Marc: thawte patch problem found 2147483647 assurance pts entered, 15.php displays 2147483647 pts
           • Arbitration: exists values in points? limit 0-150 pts ? or no arbitration ? (discussion)
         • Next step(s)
   3. Review bugs under testing (finished testing?)

      • bug #835 Assurer challenge (on testserver)

      • bug #827 "Thawte" patch (still running)

      • bug #897 transfer text pages to wiki (points system) (T)

      • bug #637 weak password

      • bug #921 Privacy Policy cleanup

      • bug #948 SMTP protocol bug and fix (T)

      • bug #942 CATS import (2)

      • bug #943 change OA admin/assurer text

      • bug #841 Problems on cert login

2. AGM reports 2010-2011

   • Software-Assessment project team report started, review

3. strategy plans ... next: strategy for "New Roots & Escrow"

   1. idea: using indirect crl's ?
      • 2 crl's needed, one valid, one invalid crl server
      • more infos available ? who ?
        1. build testserver with special certs
        2. Magu, Michael to send instructions for test deployment

           • indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5)

      • Last meeting we've defined Testing requirements and a potential testszenario
      • Next step(s)
   2. policy group: define requirements
      • multimember escrow method ?
        • needs risk analyze
        • potential candidates ?
          • Marcus to contacted Benedikt, will contact Thomas K
          • Next step(s)
   3. how does debian work ?
      • defered to Froscon (end of Aug), CCCcamp (around Aug 10th)
4. Documentation
   • Bugs.cacert.org
     • discussion about states to define, redefine

     • bugs documentation I (bugs handbook)

     • bugs documentation II (to incorporate into the Software-Update-Cycle procedure/documentation)

     • Review, Update
5. CI (Update)
6. next meeting: Tuesday, July 19, 2011 22:00

Minutes

• 1. Arbitration case a20110312.1 Weak keys bug #918

  • mail to ted to continue with arb case, adding to thread on arb case

  • Next: script to bulk revoke weak keys, new bug #954

  • on mailing the $reason had not been added into the mail, nor the specified wiki links, that were created for this mailing (see https://lists.cacert.org/wws/arc/cacert-support/2011-06/msg00072.html)

  • Remove Weak Certs is under deployment, testing
  • Weak Certs script testing
  • out of chroot, vulnkey out of chroot
  • set delete date to 1970.. triggers cert revoke routine in client.pl

  • needs review bug #954

• adwards from last board meeting
  • ads will only displayed in logout mode
  • http vs https mode ?
  • googleads doesn't work with https
  • question from dirk: to add ads only on http or also under https ? login mode too ?

  • new bug #958

• Workshop - Review patches
  • Review 1: review, add to cacert-devel, transfer to testserver

    • Ted	bug #940 (outsource help pages to wiki)	{+}
      Michael	bug #953 (change pwd routine, text changes only)	{+}
      Michael	bug #958 0000958: Board wants advertisments on main CAcert website	{+}
      Michael	bug #959 add points bug	{+}

• AGM reports 2010-2011 for review

• Review bugs under testing (finished testing?)

  • bug #897 transfer text pages to wiki (points system) (T)	finished testing, ready to deploy	{+}
    bug #948 SMTP protocol bug and fix (T)	needs more tests	{0}

• next meeting: Tuesday, July 19, 2011 22:00

Fixed Action Items since last or within meeting

• Michael	bug #959 add points bug	{+}
  All	bugs for review 1: if unhandled before next meeting to handle under working session within next meeting	{+}
  Michael, Dirk, Ted	New bug fixes: review, add to cacert-devel, transfer to testserver REVIEW 1 bug #940 (outsource help pages to wiki) {+}	{+}
  Michael, Dirk, Ted, Mawa	bug #953 (change pwd routine, text changes only) REVIEW 1	{+}

• Software Assessors Review 1

  Ted	bug #940 (outsource help pages to wiki)	{+}
  Michael	bug #953 (change pwd routine, text changes only)	{+}
  Michael	bug #958 add ads on main website	{+}
  Michael	bug #959 add points bug	{+}

Action Items New

Action items: Meeting Action Items

• CategorySoftwareAssessment