• Software
• Assessment
• 20110906-S-A-MiniTOP

• To Software Software - To Software-Assessment - Software/Assessment - To previous meeting - To next meeting

Minutes of the MiniTOP on the 2011-09-06

Setting

The MiniTOP will be held via telco 22:00 CEST

Attendees: marc, marcus, uli, dirk, alex, michael, magu

Topics

(skip to agenda)

Action items from last meeting Meeting Action Items

Agenda

1. Software-Assessors blockage - The List of open / running / unhandled bugs - Part I

   1. Michael - action items last week
      1. bug 827
      2. bug 841
      3. bug 846
         • and others in the queue

   2. x⁴ bug #841 Problems on cert login

      • x4 NEO: bug #841 Problems on cert login

        needs 2nd review - Ted, done needs bundled NEO will check to get sql query extracted needs pushing pushed to testserver Needs 2nd Review & deploy by Dirk or Ted

        {-}

      • started last meeting, not yet finished
      • 2 sql queries
      • dirk will do some rewrite later
      • review ok
      • needs transfer to critical team

   3. x² Bug# 827 and bug #959 "Thawte" patch - Points-Count-Order-Change project - 2nd Review + deploy

      • x2 bug #827 "Thawte" patch (still running) related bug #959

        needs 1 more test, needs 2nd review 2nd review: also check -x tests done, 2nd review outstanding

        {0} {g}

      • request by Joost for variable fields
      • next steps:
        1. preparing PR, support (see below)
           1. Thawte Patch - PR strategy
              • alex to prepare blog post
              • if the patch goes active, this needs support
              • wiki faq (existing page? thawte topic?)

              • blog (-> alex)

              • mailing list
              • press release? probably not at this state
              • Support: could be better, but is ok
                • Triage: where to forward Thawte patch requests?
                • add to Support team meeting agenda
        2. reviewed last meeting. needs transfer to critical team
           • mailing to people: Ted, Florian F, PG, Wytze, Carsten L, Jeff F, Frank K (ask Marcus) 120 pts, Sebastian K
2. PR work
   1. thawte patch - blog post
   2. newsletter mailings
      1. Security campaign, Newsletters
         1. weak passwords (bug 637)
         2. password reset w/ Assurance replaces pwd reset thru paypal
         3. cert login security fix (bug 841)
         4. weak keys disabled (bug 918)
         5. class3 re-sign with sha256
         6. check your CAcert account
            1. create a client cert for client cert login (also needed for CATS)
            2. check your secret questions
            3. check your password
            4. check your notification settings
            5. check your location settings
      2. thawte patch detailed (1 month later, 6-8 weeks later)
         1. infos about thawte points removal
         2. infos about points counting
3. Wytze: planned chroot environment upgrade on cacert1.it-sls.de
   • upgrade of chroot environment on cacert1 like webdb upgrade last week
4. Translingo
   • the translingo.cacert.org had been in operation far longer, so I think it is possible that some users migrated to translingo.cacert.org, without telling us.
   • I would suggest to mass-mail the email addresses of the translation-project leaders in the translingo database, to inform them, and to ask them to speak up if they still need it
5. Dirks workqueue - The List of open / running / unhandled bugs

   1. VBscript for Vista/Win7 (select keysize >= 1024) - reminder to dirk

      • x1 Dirk, new bug#964 DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV

        current state: test /account/4.php added to testserver Marcus will do detailed tests on Wed some references added to bug#964

        {-}

      • as part of

      • x¹ Arbitration case a20110312.1 Weak keys bug #918 / bug #954 / bug#964

      • Current state:

        • {g}	pre mailing sent
          {g}	keys revocation script to bulk revoke weak keys, new bug #954, finished
          {-}	dirk: DEV: a20110312.1 bug#918 Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV vbscript needs to be improved with select box key size and lower limit to 2048 (based on https://wiki.mozilla.org/CA:MD5and1024) Api CertEnroll (MS crypto provider) new bug#964 current state: test /account/4.php added to testserver Marcus will do detailed tests on Wed some references added to bug#964
          {g}	Weak keys blog post, published
          {g}	Weak keys article published by Hanno(July 28), link is in CAcert's blog post (July 30)
          {b}	weak keys: problems with cryptostick (to test at Froscon with Juergen ?)

      • cert enroll infos under bug#964

      • vista and win7 works with other engine !CryptoAPI (?) => Cryptography API: Next Generation

        • http://msdn.microsoft.com/en-us/library/aa833130%28v=VS.85%29.aspx

        • Marcus: added notes for Win7 https://bugs.cacert.org/view.php?id=964#c2249

   2. Advertising

      1. Prepare Advertising fix for testserver - reminder to dirk

         • Dirk

           Advertising (from last board meeting), bug #958

           add changes as discussed in last meeting to testserver

           {0}

         • CAcertInc/LogosForSale/Rules wiki link exist

         • "buy me" logo / "Logo For Sale" logo / "Monthly Auction on Logos" logo
         • Logos and Links exist, needs deployment to testserver
      2. google ads, nobody knows about

         • http://google.de/adsense/ - needs google account

           • ad client id: pab.*9860, email adress is needed
           • board member to write email request to Robert, Philipp, Philpp, Teus, ernie
           • contact google?
           • account recovery?
           • dirk: google ads account - to write mail to treasurer (address from invoice)

   3. Dirk reminder (from last meeting) assure someone patches (checkboxes)

      • Dirk

        DEV: bug #894 problems with check-boxes on website forms (Assure someone) -> a20091118.3

        {0}

6. Software-Assessors blockage - Bugs to Review #1, transfer to testserver - Currently 13 (!!!)

   • uli	bug #977 admin console text fix	admin console Sysadmin - find domain - lists 2 tables - one for user accounts, one for org accounts, naming issue	{0}
     uli	bug #975 admin console interface (2)	report potential database inconsistency in SE console (debug infos), new update	{0}
     uli	bug #968 error logging cleanup (splitted bug #909)	split 0000909: too many error messages logged - part II - general.php	{0}
     uli	bug #967 OA isassurer check	Give an OA the oppertuntiy to check if a desiginated Organisation Admininistrator is a CAcert assurer	{0}
     uli, Ted	bug #965 0000965: Outsource / fix Webdb text pages id=12, 13	addtl. id=37, id=38, new update	{0}
     uli, ted	bug #882	display Assurance when field in list of assurances received, assurances given by a user in admin console interface, new update	{0}
     uli	bug #859 admin console interface	feature request: show activity on an account in the admin interface, new update	{0}
     uli	bug #855 admin console interface "unknown" + "empty" assurance method fields, needed for correct testing on testserver	admin console lists "empty" and "Unknown" Assurance types on listing given Assurances	{0}
     uli	bug #824 Org User cert fix	Organisation User Certificates: Need UI improvement for proper production usage	{0}
     uli	bug #823 email address removal fix	No warning when removing e-mail adres from acount that certificates wil be revoked	{0}
     uli, ted	bug #794	visibility over certificates for sysadm in account administration, new update	{0}
     uli	bug #789 OA edit domain fix	Editing domain for organisations does not work	{0}
     moh	bug #596 certs list advanced	display ser# in certs overview lists	{0}

7. Bugs under testing: - Currently only 2 (!!!)

   • uli, Michael	bug #966 cancel doesn't cancel but processes instead	potential workaround to fix all "Cancel" requests available addtl. individual fixes new update 2011-08-30	{0}
     uli, Ted	bug #957 Resize the comment field on https://secure.cacert.org/account.php?id=27 so more information is visible	new fix avail 2011-08-19	{0}

8. Software-Assessors blockage - Needs 2nd review + transfer to Critical team, to bundle, to deploy

   • uli, ted	bug #955 change sort order Orga list	Possibilty to change the sorting order for the organisation overview	{0}
     uli, ted	bug #940 help* to wiki	Outsource Webdb text pages help.php?id=0..9 to wiki needs review, deploy	{0}
     uli, ted	bug #910 Outsource board member list	from Webdb to wiki (id=8) (Part II)	{0}
     Ted, uli	bug #846 Join Form restructure, help link	Better guidance of bonafide members in Join Form about Suffixes they doesn't have in their ID doxs (a20100207.2)	{0}

9. Software-Assessors blockage - Needs transfer to Critical team, to bundle, to deploy

   • Dirk, Michael	bug #827 and bug #959 Thawte patch/Points-Count-Order-Change project	related bug 959: needs 1 more test, needs 2nd review / 2nd review: also check -x / tests done, needs 2nd review 959 {g} reviewed, deployed 827 {g} reviewed, deployment in 2 steps new fixes, reviewed, needs testing	{0} {0}
     Uli, Neo, Dirk	bug #841 Problems on cert login	needs 2nd review - Ted, done needs bundled NEO will check to get sql query extracted needs pushing pushed to testserver Needs 2nd Review & deploy by Dirk or Ted	{-}

10. Needs development, deployment, discussion

    1. bug #835 Migrate CATS onto testserver

       • bug #835 Assurer challenge (on testserver)

         asssigned to Ted, CATS to install on ca-mgr1, awaiting deployment

         {0}

    2. bug #943 change OA admin/assurer text

       • bug #943 change OA admin/assurer text

         -> Ted, rejected, needs comment from OAO

         {-}

       • webdb names OrgAdmins as OrgAssurers and names OrgAssurers as OrgAdmins.

       • patch takes account about this issue
       • problem with menu link Org Admin .. is Org Assurers menu
         • but this menu includes one addtl. link "View" that is available for Org Admins
           • and Org Admins with master flag to add new admins

         • master flag is not described in OAP

         • addtl master flag to revoke ?
         • rename to "Org Administration"

         • don't show menu to OrgAdmins

11. strategy plans ... next: strategy for "New Roots & Escrow"

    1. idea: using indirect crl's ?
       • 2 crl's needed, one valid, one invalid crl server
       • more infos available ? who ?
         1. build testserver with special certs
         2. Magu, Michael to send instructions for test deployment

            • indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5)

       • meetings ago we've defined Testing requirements and a potential testszenario
       • to remind every meeting
    2. policy group: define requirements
       • multimember escrow method ?
         • needs risk analyze
         • potential candidates ?
           • Marcus to contacted Benedikt, will contact Thomas K
           • Next step(s)
    3. how does debian work ?
       • defered to Froscon (end of Aug), CCCcamp (around Aug 10th)
    4. The Bjoern report

       • New signatures for CAcert-Class 3-Subroot-certificate - Comments

12. CI (Update)

    1. description to eclipse testpage, Webinar

       • deployment scenario:
         1. create testusers
         2. testing
         3. delete testusers
       • regression test for standard tests: eg 0,1,49,50,51,99,100,101 pts w/ and w/o CATS passed
       • reminder
    2. Jubula Test-Tool (by Michael) - update?

       • http://www.eclipse.org/jubula/download.php

       • instructions see under Minutes meeting 2011-08-30

13. next meeting: Tuesday, September 13, 2011 22:00

Minutes

1. Software-Assessors blockage - The List of open / running / unhandled bugs - Part I

   1. Michael - action items last week
      1. bug 827
      2. bug 841
      3. just pushed
      4. next: mailing to people: Ted, Florian F, PG, Wytze, Carsten L, Jeff F, Frank K (ask Marcus) 120 pts, Sebastian K
2. PR work
   1. thawte patch - mailing
      • thawte patch infos
      • newsletter settings
   2. newsletter mailings - security campaign
      • defered after last board meeting motion
      • so first info regarding thawte patch
3. Wytze: planned chroot environment upgrade on cacert1.it-sls.de
   • upgrade of chroot environment on cacert1 like webdb upgrade last week
   • problems on upgrade
     1. signer doesn't run
     2. mx record dns check
     3. char encoding utf8 vs latin1, server sent auto header
        • account_stuff header needs updated
   • dirk: request for new developer image
   • proposed next upgrade step lenny to squeeze
4. Translingo
   • the translingo.cacert.org had been in operation far longer, so I think it is possible that some users migrated to translingo.cacert.org, without telling us.
   • I would suggest to mass-mail the email addresses of the translation-project leaders in the translingo database, to inform them, and to ask them to speak up if they still need it
   • last foreign uploads 2008 on about 13 + cacert projects
   • whohas translingo server console access?
     • mario
   • req for console access for michael to contact project leaders
5. Dirks workqueue - The List of open / running / unhandled bugs

   1. VBscript for Vista/Win7 (select keysize >= 1024) - reminder to dirk

      • x1 Dirk, new bug#964 DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV

        current state: test /account/4.php added to testserver Marcus will do detailed tests on Wed some references added to bug#964

        {-}

      • as part of

      • x¹ Arbitration case a20110312.1 Weak keys bug #918 / bug #954 / bug#964

      • Current state:

        • {g}	pre mailing sent
          {g}	keys revocation script to bulk revoke weak keys, new bug #954, finished
          {-}	dirk: DEV: a20110312.1 bug#918 Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV vbscript needs to be improved with select box key size and lower limit to 2048 (based on https://wiki.mozilla.org/CA:MD5and1024) Api CertEnroll (MS crypto provider) new bug#964 current state: test /account/4.php added to testserver Marcus will do detailed tests on Wed some references added to bug#964
          {g}	Weak keys blog post, published
          {g}	Weak keys article published by Hanno(July 28), link is in CAcert's blog post (July 30)
          {b}	weak keys: problems with cryptostick (to test at Froscon with Juergen ?)

      • cert enroll infos under bug#964

      • vista and win7 works with other engine !CryptoAPI (?) => Cryptography API: Next Generation

        • http://msdn.microsoft.com/en-us/library/aa833130%28v=VS.85%29.aspx

        • Marcus: added notes for Win7 https://bugs.cacert.org/view.php?id=964#c2249

      • no update {-}
   2. Advertising

      1. Prepare Advertising fix for testserver - reminder to dirk

         • Dirk

           Advertising (from last board meeting), bug #958

           add changes as discussed in last meeting to testserver

           {0}

         • CAcertInc/LogosForSale/Rules wiki link exist

         • "buy me" logo / "Logo For Sale" logo / "Monthly Auction on Logos" logo
         • Logos and Links exist, needs deployment to testserver
         • no update {-}
      2. google ads, nobody knows about

         • http://google.de/adsense/ - needs google account

           • ad client id: pab.*9860, email adress is needed
           • board member to write email request to Robert, Philipp, Philpp, Teus, ernie
           • contact google?
           • account recovery?
           • dirk: google ads account - to write mail to treasurer (address from invoice)
         • no update {-}

   3. Dirk reminder (from last meeting) assure someone patches (checkboxes)

      • Dirk

        DEV: bug #894 problems with check-boxes on website forms (Assure someone) -> a20091118.3

        {0}

      • if 827 is active, 894 becomes active
      • dirk: transfer to git cacert-devel
      • michael: transfer to testserver

6. Software-Assessors blockage - Bugs to Review #1, transfer to testserver - Currently 13 (!!!)

   • 13 open fixes available, needs 1st review by 1st Software-Assessor

7. Software-Assessors blockage - Needs 2nd review + transfer to Critical team, to bundle, to deploy

   • uli, ted	bug #955 change sort order Orga list	Possibilty to change the sorting order for the organisation overview	{0}
     uli, ted	bug #940 help* to wiki	Outsource Webdb text pages help.php?id=0..9 to wiki needs review, deploy	{0}
     uli, ted	bug #910 Outsource board member list	from Webdb to wiki (id=8) (Part II)	{0}
     Ted, uli	bug #846 Join Form restructure, help link	Better guidance of bonafide members in Join Form about Suffixes they doesn't have in their ID doxs (a20100207.2)	{0}

8. strategy plans ... next: strategy for "New Roots & Escrow"

   1. idea: using indirect crl's ?
      • 2 crl's needed, one valid, one invalid crl server
      • more infos available ? who ?
        1. build testserver with special certs
        2. Magu, Michael to send instructions for test deployment

           • indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5)

      • meetings ago we've defined Testing requirements and a potential testszenario
      • to remind every meeting
      • Michael tries to prepare a vm testserver
9. Question from Lambert (by email): Is CAcert's ocsp server a blacklist or a whitelist ocsp ?
   • CAcert is probably a blacklist ocsp, cause the server delivers infos derived from current crl's interactively
10. CI (Update)

    1. description to eclipse testpage, Webinar

       • deployment scenario:
         1. create testusers
         2. testing
         3. delete testusers
       • regression test for standard tests: eg 0,1,49,50,51,99,100,101 pts w/ and w/o CATS passed
       • reminder
    2. Jubula Test-Tool (by Michael) - update?

       • http://www.eclipse.org/jubula/download.php

       • instructions see under Minutes meeting 2011-08-30

       • test deployment needs to be continued by software testers
11. bug 824 effects
    • account.php restructure plans
    • dirk made still some coding, but not yet active
    • from bug 824 analyze, many of the code is duplicated from other actions, so the idea here is to rethink about subfunctioning of subtasks eg split cert creation action into smaller parts and handle the transfer from each step to step with addtl. parameters

    • see discussion under https://lists.cacert.org/wws/arc/cacert-devel/2011-09/msg00013.html

Fixed Action Items since last or within meeting

• Awaiting Response from Critical Team (moved to next state)

  Done: Michael, Dirk, Michael ToDo:	bug #841 Problems on cert login	needs 2nd review, deploy	{0}
  Done: Dirk, Michael, Michael ToDo:	bug #827 and bug #959 Thawte patch/Points-Count-Order-Change project	related bug 959: needs 1 more test, needs 2nd review / 2nd review: also check -x / tests done, needs 2nd review 959 {g} reviewed, deployed 827 {g} reviewed, deployment in 2 steps	{0} {0}

• Fix available to testserver (moved to next state)

  uli, Ted

  bug #824 Org User cert fix

  Organisation User Certificates: Need UI improvement for proper production usage

  {0}

Action Items New

• uli	prepare cacert1 image for developers after proposed system update	{0}
  uli	prepare ca-mgr1 image for developers	{0}
  uli	prepare DEBIAN-Lenny image for developers (request by Michael)	{0}
  uli	preview mailing to people: Ted, Florian F, PG, Wytze, Carsten L, Jeff F, Frank K (ask Marcus) 120 pts, Sebastian K	{0}

Action items: Meeting Action Items

• CategorySoftwareAssessment