To Software Software - To Software-Assessment - Software/Assessment - To previous meeting - To next meeting
Minutes of the MiniTOP on the 2011-07-19
Setting
The MiniTOP will be held via telco 22:00 CEST
Attendees: Dirk, Marcus, Marc, Uli, Michael, Alex
Topics
(skip to agenda)
Action items from last meeting Meeting Action Items
Agenda
- Software Update Cycle - Review 1 - Review 2 workflow
Proposal 1 - sequential update cycle Software update cyle
- Review 1 to bundle with add to cacert-devel repository and transfer to testserver
- Review 2 to bundle with check review 1, testing, bundle package to critical team
Proposal 2 - parallel update cycle see pictures under Bugs docu
- Fix available
- Transfer to Testserver | Review 1 | Review 2
- Ready to deploy
- Other proposals ?
Arbitration case a20110312.1 Weak keys bug #918
- mail to ted to continue with arb case, adding to thread on arb case
Next: script to bulk revoke weak keys, new bug #954
on mailing the $reason had not been added into the mail, nor the specified wiki links, that were created for this mailing (see https://lists.cacert.org/wws/arc/cacert-support/2011-06/msg00072.html)
- Remove Weak Certs is under deployment, testing
- Weak Certs script testing
- out of chroot, vulnkey out of chroot
- set delete date to 1970.. triggers cert revoke routine in client.pl
needs review bug #954
- infos from critical team
annoying gpg bug #911
dirk, michael, uli
annoying bug #911 (gpg expires 1970), activate gpg on testserver ? pickup upcoming weekend ?
{0}
https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00012.html
https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00013.html
- the key is ok
- display on gpg list in webdb displays wrong date
- to increase priority of this bug, to fix displaying gpg key date in list as too many reports receives support
- 2 potential propblem areas
- add and sign new gpg key (save to database script results in wrong date)
- view gpg keys (read from database)
- new infos from critical team
cacert.gpg expire filled with "1971-01-02 00:00:00" starting 2010-12-29 the system upgrade date from Debian Etch (1.4.6-2+etch1) to Debian Lenny (1.4.9-3+lenny1) The function OpenPGPextractExpiryDate defined and used in CommModule/client.pl appears to be relying rather strongly on the ascii formatted output of the "gpg -vv keyfile" command. This output has probably changed
- Workshop
- Review bugs under testing (finished testing?) (Review 2?)
bug #835 Assurer challenge (on testserver)
bug #827 "Thawte" patch (still running) x1
bug #897 transfer text pages to wiki (points system) (T) x3
bug #637 weak password x2
bug #921 Privacy Policy cleanup
bug #948 SMTP protocol bug and fix (T) x3
bug #942 CATS import (2)
bug #943 change OA admin/assurer text
bug #841 Problems on cert login
x1 Bug# 827 "Thawte" patch - Points-Count-Order-Change project
* in testing * problems in counting found, missing points * new commit by dirk, forwarded by NEO * 80 pts counted, 100 countable ... problem * new commit by dirk, forwarded by NEO * pts problem seems to be solved, assurer challenge needed seems now to be ok * Under testing: update * Marc: thawte patch problem found 2147483647 assurance pts entered, 15.php displays 2147483647 pts * Arbitration: exists values in points? limit 0-150 pts ? or no arbitration ? (discussion) * Next step(s)x2 Bug #637: Weak Passwords
* Pwd text removed, but reject pwd doesn't work, pwd can be set to weak pwd * problem #1 at login, plz change, use old pwd works - fail * problem #2 at join * to include in ? checkpassword() in includes(general.php) ... add addtl. requirements there ? * current: clear password in source code * checkpassword() needs rewrite, but this is another issue, first we have to take care about the Fred pwd * dictionary is still active grep current-pwd share/userdict 1. Fred... to add into checkpassword() 1. checkpassword() to add into login procedure * pwd cannot be changed - new [[https://bugs.cacert.org/view.php?id=953|Bug# 953]] "After change of password change on account.php?id=14 does not meet requirements wrong redirect" * SE reset pwd procedure doesn't take care about weak pwd * Under testing: updatex3 Review bugs under testing (finished testing?), state from last meeting
- list of unhandled bugs
- VBscript, Weak Keys script
dirk
DEV: a20110312.1 bug#918 Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV
{-}
vbscript needs to be improved with select box key size and lower limit to 2048 (based on https://wiki.mozilla.org/CA:MD5and1024)
Api CertEnroll (MS crypto provider)
Dirk reminder (from last meeting) assure someone patches (checkboxes)
Dirk
DEV: bug #894 problems with check-boxes on website forms (Assure someone) -> a20091118.3
{0}
- Review 1: review, add to cacert-devel, transfer to testserver
?
bug #955 Possibilty to change the sorting order for the organisation overview
{0}
?
bug #957 Resize the comment field on https://secure.cacert.org/account.php?id=27 so more information is visible
{0}
- VBscript, Weak Keys script
- Review bugs under testing (finished testing?) (Review 2?)
- ADS Challenge (from last board meeting)
new bug #958
- Update from last board meeting
strategy plans ... next: strategy for "New Roots & Escrow"
- idea: using indirect crl's ?
- 2 crl's needed, one valid, one invalid crl server
- more infos available ? who ?
- build testserver with special certs
- Magu, Michael to send instructions for test deployment
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5)
- Last meeting we've defined Testing requirements and a potential testszenario
- Next step(s)
- policy group: define requirements
- multimember escrow method ?
- needs risk analyze
- potential candidates ?
- Marcus to contacted Benedikt, will contact Thomas K
- Next step(s)
- multimember escrow method ?
- how does debian work ?
- defered to Froscon (end of Aug), CCCcamp (around Aug 10th)
- idea: using indirect crl's ?
- Software-Assessment project team report started, review
- Documentation Bugs.cacert.org Review
- discussion about states to define, redefine
bugs documentation I (bugs handbook)
bugs documentation II (to incorporate into the Software-Update-Cycle procedure/documentation)
- Review, Update
- CI (Update)
- next meeting: Tuesday, July 26, 2011 22:00
Minutes
- Software Update Cycle - Review 1 - Review 2 workflow
Proposal 1 - sequential update cycle Software update cyle
- Review 1 to bundle with add to cacert-devel repository and transfer to testserver
- Review 2 to bundle with check review 1, testing, bundle package to critical team
Proposal 2 - parallel update cycle see pictures under Bugs docu
- Fix available
- Transfer to Testserver | Review 1 | Review 2
- Ready to deploy
- using proposal 2 - 5 aye
annoying gpg bug #911
dirk, michael, uli
annoying bug #911 (gpg expires 1970), activate gpg on testserver ? pickup upcoming weekend ?
{0}
https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00012.html
https://lists.cacert.org/wws/arc/cacert-devel/2011-06/msg00013.html
- the key is ok
- display on gpg list in webdb displays wrong date
- to increase priority of this bug, to fix displaying gpg key date in list as too many reports receives support
- 2 potential propblem areas
- add and sign new gpg key (save to database script results in wrong date)
- view gpg keys (read from database)
- new infos from critical team
cacert.gpg expire filled with "1971-01-02 00:00:00" starting 2010-12-29 the system upgrade date from Debian Etch (1.4.6-2+etch1) to Debian Lenny (1.4.9-3+lenny1) The function OpenPGPextractExpiryDate defined and used in CommModule/client.pl appears to be relying rather strongly on the ascii formatted output of the "gpg -vv keyfile" command. This output has probably changed
- OpenPGPextractExpiryDate() in client.pl may cause problems
- client.pl 543 "if ( /^\s*version \d+, created (\d+), md5len 0, sigclass \d+\s*$/ ) " needs updated
-> sigclass 0x[0-9A-Fa-f]
- client.pl fix added by Michael
![/!\](/moin_static199/cacert/img/alert.png "/!\")
gpg signing to enable on testserver - gpg signing authority is there
gpg --gen-key Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) Your selection? -> 1 DSA keypair will have 1024 bits. ELG-E keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) -> 4096 Requested keysize is 4096 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) -> Enter Key does not expire at all Is this correct? (y/N) -> y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>" Real name: -> My Givenname Surname Email address: -> my@email.tld Comment: You selected this USER-ID: "My Givenname Surname <my@email.tld>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? -> o You need a Passphrase to protect your secret key. Enter passphrase: -> enter a passphrase Repeat passphrase: -> enter your passphrase We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. +++++++++++++++...++++++++++.+++++++++++++++++++++++++.+++++++++++++++++++++++++ +++++..+++++.++++++++++..++++++++++.+++++++++++++++...++++++++++>++++++++++.<.++ +++...>++++++++++ We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. ..+++++.+++++++++++++++....++++++++++.++++++++++.+++++.+++++...++++++++++.++++++ ++++...++++++++++.+++++.+++++++++++++++.+++++..+++++..++++++++++.+++++++++++++++ .++++++++++.+++++..+++++++++++++++>+++++.+++++...++++++++++++++++++++.+++++..+++ ++...+++++....+++++>.+++++>+++++>...+++++....................................... ...............................................+++++^^^ gpg: key 5C68118C marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 1024D/5C68118C 2011-07-19 Key fingerprint = 95F2 D66C 4313 839C 77FD F374 AAF6 0782 5C68 118C uid My Givenname Surname <my@email.tld> sub 4096g/5C7F1F26 2011-07-19 Export: gpg --export --armor>ascii-key-filename.extension For debugging: gpg -v ascii-key-filename.extension FAQ: problems with middlename, remove middlename
- gpg signing authority is there
Arbitration case a20110312.1 Weak keys bug #918 / bug #954
- infos from critical team, no update as ted doesn't attended
- mailing sent
- keys revocation script not started
- not yet published
weak keys: problems with cryptostick (to test at Froscon with Juergen ?)
- Workshop
- Review bugs under testing (finished testing?) (Review 2?)
bug #835 Assurer challenge (on testserver)
- asssigned to Ted, set to needs work, CATS to install on ca-mgr1
bug #827 "Thawte" patch (still running) x1
- related bug 959: needs 1 more test, needs 2nd review
- 2nd review: also check -x
- tests done, needs 2nd review
bug #897 transfer text pages to wiki (points system) (T) x3
- Michael: to bundle to critical team
bug #637 weak password x2
- needs 2nd review, not Micha, Dirk? Ted?
bug #921 Privacy Policy cleanup
- Marcus: 2nd test
- Dirk, Ted: 2nd review
bug #948 SMTP protocol bug and fix (T) x3
- wait for 3rd tester ? or deploy?
- removed space, no function destroyed
ready to deploy -> Micha
bug #942 CATS import (2)
- complete re-test as of code changes
needs further testing: a) assuree has 99 pts, assurer challenge passed add 1 assurance, -> result has to be 100 pts and is assurer b) assuree has 99 pts, assurer challenge not passed add 1 assurance -> result has to be 100 pts and NO assurer c) add one more 1 pts -> 100 pts, NO assurer d) pass assurer challenge -> 100 pts, and IS assurer e) assuree with 80 pts, challange passed add: temporary points increase you need your admin account with boardmember flag add temporary increase 20 pts => result? 100 pts? is assurer?
- complete re-test as of code changes
bug #943 change OA admin/assurer text
needs 2nd test -> Fabian, Marc, Alex?
needs 2nd review -> Dirk, Ted
bug #841 Problems on cert login
- needs 2nd review
- Review bugs under testing (finished testing?) (Review 2?)
list of unhandled bugs -> dirk to work on following bugs
- VBscript, Weak Keys script
dirk
DEV: a20110312.1 bug#918 Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV
{-}
vbscript needs to be improved with select box key size and lower limit to 2048 (based on https://wiki.mozilla.org/CA:MD5and1024)
Api CertEnroll (MS crypto provider)
Dirk reminder (from last meeting) assure someone patches (checkboxes)
Dirk
DEV: bug #894 problems with check-boxes on website forms (Assure someone) -> a20091118.3
{0}
- VBscript, Weak Keys script
- fix available
- Review 1: review, add to cacert-devel, transfer to testserver
?
bug #955 Possibilty to change the sorting order for the organisation overview
{0}
?
bug #957 Resize the comment field on https://secure.cacert.org/account.php?id=27 so more information is visible
{0}
- Review 1: review, add to cacert-devel, transfer to testserver
- ADS Challenge (from last board meeting)
new bug #958
- Update from last board meeting
- no more info
strategy plans ... next: strategy for "New Roots & Escrow"
- idea: using indirect crl's ?
- to remind every meeting
- idea: using indirect crl's ?
- Testing
- Marcus Nov 2-3 test event Nuernberg
- software-qs-tag 2011, 2-3 Nov, Nuernberg, www.ix-konferenz.de
- Michael: new eclipse version, test tool included, eg web applications
- you click the tasks to do within framework, no programming
- Marcus Nov 2-3 test event Nuernberg
AGM/TeamReports/2011 plz review
- Documentation Bugs.cacert.org Review
- Michael added some pictures
- next meeting: Tuesday, July 26, 2011 22:00
Fixed Action Items since last or within meeting
Michael, Ted, Uli, Marcus
bugs documentation I (bugs handbook)
bugs documentation II (to incorporate into the Software-Update-Cycle procedure/documentation){g}
dirk, michael, uli
annoying bug #911 (gpg expires 1970), activate gpg on testserver ? pickup upcoming weekend ?
{g}
Action Items New
Michael
weak keys: problems with cryptostick to test at Froscon with Juergen ?
{b}
Dirk
ADS Challenge (from last board meeting), bug #958, Update from last board meeting, no more info, on hold till further infos available, dirk to receive response from board
{b}
Marcus
Nov 2-3 test event Nuernberg, software-qs-tag 2011, 2-3 Nov, Nuernberg, www.ix-konferenz.de, check for infos, attendance ?
{0}
Michael
new eclipse version, test tool included, eg web applications, description to eclipse testpage (add to CI project?)
{0}
All
AGM team report review
{0}
Tester
annoying bug #911 (gpg expires 1970)
{0}
Action items: Meeting Action Items
Software/Assessment/ActionItems
all
proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems
see also BEAST migration https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
Proposal from Sysadm list 2013-09-06{0}
SA
documentation server cert design concept to SystemAdministration/Systems/Development/Prepare
{0}
all
{0}
BenBE, Marcus
documentation: developer git repos under github
bug #1131 history @ github
CAcertOrg @ github
started under Software/Assessment/Documentation/UpdateCycle/step1{0}
NEO
{0}
all
read x509 guide
{0}
all
bug#1068 blog problem (also relates to community)
debian lenny - edge - squeeze upgrades needed
alternate: new server with squeeze, install wordpress, transfer domain
workaround: configure your FF FAQ/BrowserClients{g}
uli
Experience points for ATE attendance
check board motions and/or trigger if not yet passed{0}
uli
Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18
current state: see Funding Landing Page
May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished{0}
All
1. next: strategy for "New Roots & Escrow" - using indirect crl's ?
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment{0}
dirk, Michael
3. next: strategy for "New Roots & Escrow" - how does debian work?
to contact, deferred to next events (?)
next round: picked up by Benedikt new proposal 2013-06-02{0}
Uli, Michael
Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png
{0}
Development, Deployment, Discussion
OAO, Ted
bug #943 change OA admin/assurer text
needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected
{-}
uli, Ted
bug #824 Org User cert fix Case study
Organisation User Certificates: Need UI improvement for proper production usage
{0}
uli, ted
bug #823 email address removal fix
No warning when removing e-mail address from account that certificates will be revoked
checked by 4, needs 2nd review, deploy
rejected{-}
inopiae
bug #920 Join - single name only (eg Indonesian)
details under bug number
{0}
uli
bug #859 admin console interface
feature request: show activity on an account in the admin interface
rejected, certs login doesn't modify "modified" field{r}
Michael
p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
uli, marcus: needs full cert create tests
duplicate report to bug#978
tested by 3, 2nd review done, transfered
Ken reported: still has problems, bug kept open{0}
gagern, NEO
bug #440 Problem with subjectAltName (CSR, renew certs)
There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development
{r}
neo
bug #1025 Domain Dispute issue
disputes rc and rc2 var prob
needs work{r}
dirk
bug #1054 0001054: Review the code regarding the new point calculation
Thawte patch part II
needs further work{r}
Software Assessors: Review 1 / add to cacert-devel, add to testserver
Software-Assessors task
Testing
Testers task
neo
bug #1004 Stats page improvement
tested by 2, needs 2nd review
{0}
neo
Bugs #1159 it might be possible to execute commands on the signing server
{0}
inopiae
bug #1065 Wrong wording when sending mails during the assurance process
{0}
inopiae
bug #1162 calcutate (the passwords) hash in php instead of in mysql
create test scenarios for the software testers
Full testing {0}
inopiae
bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails
{0}
inopiae
bug #988 TTP cap form deployment
{0}
Software Assessors: 2nd Review, Bundle Package to Critical Team
Software-Assessors task
Ted
bug #500 Get contact mail adress after resolving test
tested by 3, requires review
{0}
Ted
bug #1140 Show if a test is passed in learnprogress
tested by 3, requires review
{0}
magu
bug #1131 Rename _all_ Policies from .php to .html and fix all links
global policy directory maintenance and update
{0}
inopiae
bug #1010 Reorder the view on organisation certificates
tested by 3
{0}
Software Assessors: Bundle Package to Critical Team
Software-Assessors task
inopiae
bug #1139 Add new fields to the database
tests through #500 and #1140, 2nd review done, requires transfer
{0}
Awaiting Response from Critical Team
inopiae
bug #411 Wrong text is made into link
{g}