To Software Software - To Software-Assessment - Software/Assessment - To previous meeting - To next meeting
Minutes of the MiniTOP on the 2011-07-26
Setting
The MiniTOP will be held via telco 22:00 CEST
Attendees: dirk, uli, michael, alex, ted
Topics
(skip to agenda)
Action items from last meeting Meeting Action Items
Agenda
strategy plans ... next: strategy for "New Roots & Escrow"
- idea: using indirect crl's ?
- 2 crl's needed, one valid, one invalid crl server
- more infos available ? who ?
- build testserver with special certs
- Magu, Michael to send instructions for test deployment
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5)
- meetings ago we've defined Testing requirements and a potential testszenario
- to remind every meeting
- policy group: define requirements
- multimember escrow method ?
- needs risk analyze
- potential candidates ?
- Marcus to contacted Benedikt, will contact Thomas K
- Next step(s)
- multimember escrow method ?
- how does debian work ?
- defered to Froscon (end of Aug), CCCcamp (around Aug 10th)
- idea: using indirect crl's ?
- Software-Assessment project team report finished, plz review
- Documentation Bugs.cacert.org Review
- discussion about states to define, redefine
bugs documentation I (bugs handbook)
bugs documentation II (to incorporate into the Software-Update-Cycle procedure/documentation)
- Review, Update
- CI (Update)
- Workshop - The List of open / running / unhandled bugs
x1 Arbitration case a20110312.1 Weak keys bug #918 / bug #954
- mail to ted to continue with arb case, adding to thread on arb case
Next: script to bulk revoke weak keys, new bug #954
on mailing the $reason had not been added into the mail, nor the specified wiki links, that were created for this mailing (see https://lists.cacert.org/wws/arc/cacert-support/2011-06/msg00072.html)
- Remove Weak Certs is under deployment, testing
- Weak Certs script testing
- out of chroot, vulnkey out of chroot
- set delete date to 1970.. triggers cert revoke routine in client.pl
needs review bug #954
- infos from critical team
- Current state:
- mailing sent
- keys revocation script not started
- Weak keys article not yet published
weak keys: problems with cryptostick (to test at Froscon with Juergen ?)
x2 Bug# 827 and bug #959 "Thawte" patch - Points-Count-Order-Change project - 2nd Review + deploy
* in testing * problems in counting found, missing points * new commit by dirk, forwarded by NEO * 80 pts counted, 100 countable ... problem * new commit by dirk, forwarded by NEO * pts problem seems to be solved, assurer challenge needed seems now to be ok * Under testing: update * Marc: thawte patch problem found 2147483647 assurance pts entered, 15.php displays 2147483647 pts * Arbitration: exists values in points? limit 0-150 pts ? or no arbitration ? (discussion) * problem fixed under bug 959 * Next step(s) ? * current state on production system? table points: count(id) > 150 points ? * fix points < 0 and points > 150 in bug 827 ?
x3 Bug #637: Weak Passwords - 2nd Review + deploy
* Pwd text removed, but reject pwd doesn't work, pwd can be set to weak pwd * problem #1 at login, plz change, use old pwd works - fail * problem #2 at join * to include in ? checkpassword() in includes(general.php) ... add addtl. requirements there ? * current: clear password in source code * checkpassword() needs rewrite, but this is another issue, first we have to take care about the Fred pwd * dictionary is still active grep current-pwd share/userdict 1. Fred... to add into checkpassword() 1. checkpassword() to add into login procedure * pwd cannot be changed - new [[https://bugs.cacert.org/view.php?id=953|Bug# 953]] "After change of password change on account.php?id=14 does not meet requirements wrong redirect" * SE reset pwd procedure doesn't take care about weak pwd * Under testing: update * Overall result: Please evaluate if the session problem can be fixed!
- VBscript, Weak Keys script - awaiting dirks deployment
dirk
DEV: a20110312.1 bug#918 Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV
{-}
vbscript needs to be improved with select box key size and lower limit to 2048 (based on https://wiki.mozilla.org/CA:MD5and1024)
Api CertEnroll (MS crypto provider)
Dirk reminder (from last meeting) assure someone patches (checkboxes)
Dirk
DEV: bug #894 problems with check-boxes on website forms (Assure someone) -> a20091118.3
{0}
- Review 1: review, add to cacert-devel, transfer to testserver
?
bug #955 Possibilty to change the sorting order for the organisation overview
{0}
?
bug #957 Resize the comment field on https://secure.cacert.org/account.php?id=27 so more information is visible
{0}
- Review bugs under testing (finished testing?) (Review 2?)
revoke keys deployment
{0}
needs 1 more test, needs 2nd review
2nd review: also check -x
tests done, 2nd review outstanding{0}
x^3 bug #637 weak password
needs 2nd review, not Micha -> Ted, done
Overall result: Please evaluate if the session problem can be fixed!
bug #835 Assurer challenge (on testserver)
asssigned to Ted, set to needs work, CATS to install on ca-mgr1
{0}
bug #942 CATS import (2)
complete re-test as of code changes
fully re-tested by 2 testers{0}
bug #943 change OA admin/assurer text
needs 2nd test -> Fabian, Marc, Alex
needs 2nd review -> Ted, rejected{-}
gpg keys expires 1970
tests started last week{0}
- to bundle, to deploy
- On hold
ADS Challenge, awaiting response from board
- Deployed, Finished
- next meeting: Tuesday, August 2, 2011 22:00
Minutes
- Sysadmin reset procedure - some discussion
- Software-Assessment project team report finished, plz review
- Weak keys / Weak passwords missing
- Documentation Bugs.cacert.org Review
- discussion about states to define, redefine
bugs documentation I (bugs handbook)
bugs documentation II (to incorporate into the Software-Update-Cycle procedure/documentation)
- Review, Update
- svg pictures have cuted text under some browsers
- CI (Update)
- deployment scenario:
- create testusers
- testing
- delete testusers
- regression test for standard tests: eg 0,1,49,50,51,99,100,101 pts w/ and w/o CATS passed
- Workshop - The List of open / running / unhandled bugs
x1 Arbitration case a20110312.1 Weak keys bug #918 / bug #954
- script needs 2nd review
- Ted code added
- NEO has made two changes, needs review (whitespaces, license code)
- next bundle package, transfer to critical team, Ted, but don't know how to
- instructions given by NEO, will be handled by Ted within the next upcoming days
- ||
bug #841 Problems on cert login || needs 2nd review - Ted, done
needs bundled || {0} ||- root certs req into join ?
- view / controller
- export complete sql statement ?
- function serial + issuer, returns id of email cert (advance server cert, org email, org server cert)
- next? NEO will check to get this updated
- update added to testserver, needs review, needs testing
x2 Bug# 827 and bug #959 "Thawte" patch - Points-Count-Order-Change project - 2nd Review + deploy
- Next step(s) ?
current state on production system? table points: count(id) > 150 points ?
fix points < 0 and points > 150 in bug 827 ?
- missing: #959 2nd review
bug #959 - Diff http://git-cacert.it-sls.de/cgi-bin/gitweb.cgi?p=cacert-devel.git;a=blobdiff;f=www/wot.php;h=7fa572f6ce5cced08fa04fabd28b40a26ca09c9c;hb=f5cca0215ef95189fd24966e3260948605df0e5e;hpb=b24134a0a06df0855652457a28d8077e24a7a354
+ } elseif (intval($_POST['points']) < 0) {
- + $awarded = $newpoints = 0;
- yet included
- dirk to add note in bugtracker
- todo:
- Next step(s) ?
x3 Bug #637 and bug #963 : Weak Passwords - 2nd Review + deploy
- Overall result: Please evaluate if the session problem can be fixed!
- if password changed, cached info - reminder plz change pwd
- session reset and error messages in system log
new bug #963
- /includes/loggedin.php line 140 ff. to fix
- Ted: checked-in cacert-devel, added to testserver
- needs review, re-testing
- VBscript, Weak Keys script - awaiting dirks deployment
dirk
DEV: a20110312.1 bug#918 Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV
{-}
vbscript needs to be improved with select box key size and lower limit to 2048 (based on https://wiki.mozilla.org/CA:MD5and1024)
Api CertEnroll (MS crypto provider)
new bug#964
- current state: test /account/4.php added to testserver
- Marcus will do detailed tests on Wed
- Review bugs under testing (finished testing?) (Review 2?)
needs 2nd review, not Micha -> Ted, done
Overall result: Please evaluate if the session problem can be fixed! (new bug #963){0}
bug #835 Assurer challenge (on testserver)
asssigned to Ted, set to needs work, CATS to install on ca-mgr1
{0}
bug #942 CATS import (2)
complete re-test as of code changes
fully re-tested by 2 testers{0}
bug #943 change OA admin/assurer text
needs 2nd test -> Fabian, Marc, Alex
needs 2nd review -> Ted, rejected{-}
gpg keys expires 1970
tests started last week{0}
NEO: bug #841 Problems on cert login
needs 2nd review - Ted, done
needs bundled
NEO will check to get sql query extracted
needs pushing
pushed to testserver
Needs Review & testing{0}
- to bundle, to deploy
NEO: bug #921 Privacy Policy cleanup
Marcus: 2nd test, finished
Dirk, Ted: 2nd review, finished
needs bundling to CT{g}
needs 1 more test, needs 2nd review
2nd review: also check -x
tests done, 2nd review outstanding
dirk to add note in bugtracker{b}
revoke keys deployment
next bundle package, transfer to critical team, Ted, but don't know how to{b}
- git pull
git diff origin/release...origin/bug-921>bug921.patch
- send to critical team by email (with template)
- link to bug, who reviewed, people to cc
- Review 1: review, add to cacert-devel, transfer to testserver
?
bug #955 Possibilty to change the sorting order for the organisation overview
{0}
?
bug #957 Resize the comment field on https://secure.cacert.org/account.php?id=27 so more information is visible
{0}
?
bug #963 session reset
{g}
Fixed Action Items since last or within meeting
Awaiting Response from Critical Team
Action Items New
Action items: Meeting Action Items
Software/Assessment/ActionItems
all
proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems
see also BEAST migration https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
Proposal from Sysadm list 2013-09-06{0}
SA
documentation server cert design concept to SystemAdministration/Systems/Development/Prepare
{0}
all
{0}
BenBE, Marcus
documentation: developer git repos under github
bug #1131 history @ github
CAcertOrg @ github
started under Software/Assessment/Documentation/UpdateCycle/step1{0}
NEO
{0}
all
read x509 guide
{0}
all
bug#1068 blog problem (also relates to community)
debian lenny - edge - squeeze upgrades needed
alternate: new server with squeeze, install wordpress, transfer domain
workaround: configure your FF FAQ/BrowserClients{g}
uli
Experience points for ATE attendance
check board motions and/or trigger if not yet passed{0}
uli
Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18
current state: see Funding Landing Page
May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished{0}
All
1. next: strategy for "New Roots & Escrow" - using indirect crl's ?
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment{0}
dirk, Michael
3. next: strategy for "New Roots & Escrow" - how does debian work?
to contact, deferred to next events (?)
next round: picked up by Benedikt new proposal 2013-06-02{0}
Uli, Michael
Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png
{0}
Development, Deployment, Discussion
OAO, Ted
bug #943 change OA admin/assurer text
needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected
{-}
uli, Ted
bug #824 Org User cert fix Case study
Organisation User Certificates: Need UI improvement for proper production usage
{0}
uli, ted
bug #823 email address removal fix
No warning when removing e-mail address from account that certificates will be revoked
checked by 4, needs 2nd review, deploy
rejected{-}
inopiae
bug #920 Join - single name only (eg Indonesian)
details under bug number
{0}
uli
bug #859 admin console interface
feature request: show activity on an account in the admin interface
rejected, certs login doesn't modify "modified" field{r}
Michael
p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
uli, marcus: needs full cert create tests
duplicate report to bug#978
tested by 3, 2nd review done, transfered
Ken reported: still has problems, bug kept open{0}
gagern, NEO
bug #440 Problem with subjectAltName (CSR, renew certs)
There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development
{r}
neo
bug #1025 Domain Dispute issue
disputes rc and rc2 var prob
needs work{r}
dirk
bug #1054 0001054: Review the code regarding the new point calculation
Thawte patch part II
needs further work{r}
Software Assessors: Review 1 / add to cacert-devel, add to testserver
Software-Assessors task
Testing
Testers task
neo
bug #1004 Stats page improvement
tested by 2, needs 2nd review
{0}
neo
Bugs #1159 it might be possible to execute commands on the signing server
{0}
inopiae
bug #1065 Wrong wording when sending mails during the assurance process
{0}
inopiae
bug #1162 calcutate (the passwords) hash in php instead of in mysql
create test scenarios for the software testers
![/!\](/moin_static199/cacert/img/alert.png "/!\")
Full testing {0}
inopiae
bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails
{0}
inopiae
bug #988 TTP cap form deployment
{0}
Software Assessors: 2nd Review, Bundle Package to Critical Team
Software-Assessors task
Ted
bug #500 Get contact mail adress after resolving test
tested by 3, requires review
{0}
Ted
bug #1140 Show if a test is passed in learnprogress
tested by 3, requires review
{0}
magu
bug #1131 Rename _all_ Policies from .php to .html and fix all links
global policy directory maintenance and update
{0}
inopiae
bug #1010 Reorder the view on organisation certificates
tested by 3
{0}
Software Assessors: Bundle Package to Critical Team
Software-Assessors task
inopiae
bug #1139 Add new fields to the database
tests through #500 and #1140, 2nd review done, requires transfer
{0}
Awaiting Response from Critical Team
inopiae
bug #411 Wrong text is made into link
{g}