To Software Software - To Software-Assessment - Software/Assessment - To previous meeting - To next meeting
Minutes of the MiniTOP on the 2011-12-27
Setting
The MiniTOP will be held via telco 22:00 CET
Attendees: dirk, michael, uli, magu (late)
Topics
(skip to agenda)
Action items from last meeting Meeting Action Items
Software/Assessment/ActionItems
all
proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems
see also BEAST migration https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
Proposal from Sysadm list 2013-09-06{0}
SA
documentation server cert design concept to SystemAdministration/Systems/Development/Prepare
{0}
all
{0}
BenBE, Marcus
documentation: developer git repos under github
bug #1131 history @ github
CAcertOrg @ github
started under Software/Assessment/Documentation/UpdateCycle/step1{0}
NEO
{0}
all
read x509 guide
{0}
all
bug#1068 blog problem (also relates to community)
debian lenny - edge - squeeze upgrades needed
alternate: new server with squeeze, install wordpress, transfer domain
workaround: configure your FF FAQ/BrowserClients{g}
uli
Experience points for ATE attendance
check board motions and/or trigger if not yet passed{0}
uli
Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18
current state: see Funding Landing Page
May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished{0}
All
1. next: strategy for "New Roots & Escrow" - using indirect crl's ?
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment{0}
dirk, Michael
3. next: strategy for "New Roots & Escrow" - how does debian work?
to contact, deferred to next events (?)
next round: picked up by Benedikt new proposal 2013-06-02{0}
Uli, Michael
Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png
{0}
Development, Deployment, Discussion
OAO, Ted
bug #943 change OA admin/assurer text
needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected
{-}
uli, Ted
bug #824 Org User cert fix Case study
Organisation User Certificates: Need UI improvement for proper production usage
{0}
uli, ted
bug #823 email address removal fix
No warning when removing e-mail address from account that certificates will be revoked
checked by 4, needs 2nd review, deploy
rejected{-}
inopiae
bug #920 Join - single name only (eg Indonesian)
details under bug number
{0}
uli
bug #859 admin console interface
feature request: show activity on an account in the admin interface
rejected, certs login doesn't modify "modified" field{r}
Michael
p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
uli, marcus: needs full cert create tests
duplicate report to bug#978
tested by 3, 2nd review done, transfered
Ken reported: still has problems, bug kept open{0}
gagern, NEO
bug #440 Problem with subjectAltName (CSR, renew certs)
There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development
{r}
neo
bug #1025 Domain Dispute issue
disputes rc and rc2 var prob
needs work{r}
dirk
bug #1054 0001054: Review the code regarding the new point calculation
Thawte patch part II
needs further work{r}
Software Assessors: Review 1 / add to cacert-devel, add to testserver
Software-Assessors task
Testing
Testers task
neo
bug #1004 Stats page improvement
tested by 2, needs 2nd review
{0}
neo
Bugs #1159 it might be possible to execute commands on the signing server
{0}
inopiae
bug #1065 Wrong wording when sending mails during the assurance process
{0}
inopiae
bug #1162 calcutate (the passwords) hash in php instead of in mysql
create test scenarios for the software testers
Full testing{0}
inopiae
bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails
{0}
inopiae
bug #988 TTP cap form deployment
{0}
Software Assessors: 2nd Review, Bundle Package to Critical Team
Software-Assessors task
Ted
bug #500 Get contact mail adress after resolving test
tested by 3, requires review
{0}
Ted
bug #1140 Show if a test is passed in learnprogress
tested by 3, requires review
{0}
magu
bug #1131 Rename _all_ Policies from .php to .html and fix all links
global policy directory maintenance and update
{0}
inopiae
bug #1010 Reorder the view on organisation certificates
tested by 3
{0}
Software Assessors: Bundle Package to Critical Team
Software-Assessors task
inopiae
bug #1139 Add new fields to the database
tests through #500 and #1140, 2nd review done, requires transfer
{0}
Awaiting Response from Critical Team
inopiae
bug #411 Wrong text is made into link
{g}
Agenda
1. bug#794 Display certs in admin console
bug#794 display certs in admin console
bug #827 mailing results in around 36 new "delete account cases" moved into disputes queue
Time and action needed per case
total
0,5 hour
to move from disputes into arbitration queue (iCM)
18 hours
2 hours
pickup and handling by an arbitrator
72 hours
20 min
handling by an SE
12 hours
Total:
102 (12) hours
- The problem:
- Arbitration is slow (don't wonder why)
- Delete Account cases can be handled by Support-Engineers, once Arbitrator has an option to rule a precedent case, that SE can check that 0 certs are used by the user, w/o hijacking an account
so this will free the disputes queue of about > 90% of all "delete account" cases
- summary: 12 hours work by an SE with a software fix, + (10% of 90 hours = ) 9 hours by arbitration = 21 hours in total instead of 102 hours without a software fix
from within last meeting: bug#794 Display certs in admin console
- assigned to michael, checked in to cacert-devel
- 1. review by michael
- 2 tests done
- 2nd review dirk and go
- working session: michael / dirk - git for beginners and runaways
2nd Review by dirk (week 3)
- from last meeting 2011-12-20
- request from SE: iCM's to transfer disputes from disputes queue to arbitration queue
- if 2 weeks open 2nd review on bug #794 will be transfered to critical, all delete account cases (approx 40) can be moved to SE queue for review and working under precedent
2. bug #985 - Move Translingo to Translations (incl. patches)
Translingo bug #985
https://translations.cacert.org (http://translations.cacert.org/) (replacement for translingo)
- the translingo.cacert.org had been in operation far longer, so I think it is possible that some users migrated to translingo.cacert.org, without telling us.
- I would suggest to mass-mail the email addresses of the translation-project leaders in the translingo database, to inform them, and to ask them to speak up if they still need it
- last foreign uploads 2008 on about 13 + cacert projects
- whohas translingo server console access?
- mario
- req for console access for michael to contact project leaders, Updates?
- Transfer In, Transfer Out problems
- Update from new deployment ?
- opened for: create an account can now be started
- Michael current state:
- import and export routine works
- script to incorporate updates needs fixed
- next: complete language handling needs to be updated
- accept lang handler needs fix
- FF de, de_de
- IE 6 de, 8,9 de_de
- working session within last meeting: michael, marcus
- infos from meeting 2011-10-18
- pdf code needs rewrite (uni code library, move to external server (outsourcing))
- message cert notification - uses perl code, text source not avail (get bind-text-domain)
- infos from meeting 2011-10-18
- current state?
- Marcus sent mailing to translators, no response so far, no tests so far (week 3)
- Morten NO
- Emanuel IT
- current state:
- create test system accounts dutch@test, espania@test and so on, let users do their tests
- Magu, Marcus will give it a try
- a couple of testers has started testing and reporting within the last 7 days
- results: de, fr, en, pl, es, pl
last meeting: working session bug#985 translingo transfer
- Michael: needs 2nd review
- Translations
- problems that relates to blocks translations
- changes into translations database
- contact NEO to transfer manualy to testserver
bug #985 needs 2nd review, so update script can run also on critical system
needs 2nd review by dirk or ted or markus
3. Patches queue
- bug #827 - New Points calculation / Thawte patch
- bug#827 + bug#882 to merge
- close bug#882
- wot.inc.php + notary.inc.php to merge
- continue with bug#827
- pojam bug to fix
bug#540 No key usage attribute in cacert org certs anymore?
also: bug#905
Policy group discussion - Extended key usage -> p20111113, motion CARRIED
- deployment
prepare fixes -> Michael to prepare diffs, against svn
- sending to testserver
- transfer to critical system
- (2011-12-13) approx 2 weeks to write the fix, approx 2 months to go
- Michael will work on this in last week this year
Marcus: working session bug#789 OA field extension
- magu to test
Marcus: working session bug#859 Activity on Account
- Michael: needs 1st review + transfer to testserver
bug #920 Join - single name only (eg Indonesian)
- details under bug number
- presented to Policy Group
- first results from policy group?
- dirk has made some changes in 6.php last year
- there are 4 possible choices:
- givenname
- lastname (as current fix)
- givenname or lastname
- brians proposal, mononym + checkbox
- dirks proposal:
- make name handling more AP conform (1 line names, multiple names)
- 2 possible paths:
- allow multiple names (dirks proposal) is massive change (long term change)
- "simple" solution (short term change)
4. Michaels workqueue
- OCSP server - timeout 10 min too short, 3 days to long, recommendation is 24-48 hours max, verisign: 7 days, startssl: 2d
- who has been informed, contacted?
- Michael will inform Wytze
- not yet written
thread relates to https://lists.cacert.org/wws/arc/cacert-board/2011-11/msg00021.html
- Build + Document Emergency Patches Path
Build + Document Emergency Patches Path
Andreas, Uli, Wytze
{0}
- Documentation written, reviewed by Wytze, Marcus
Michael: reminder for review Software/Assessment/Documentation/EmergencyPatches
- other reviews done ?
- New function to TMS - edit notary table record
- infos from last meeting
- testers needs editing individual notary records: fields "method", "awarded", "points"
- easier to create notary records with testserver (add F2F), and edit existing record, doesn't need to check for assurer-from, assuree-to and so on
- Update?
- Michael (2011-11-15): after some other bug reviews
5. Dirks workqueue - The List of open / running / unhandled bugs
- review bug #794
bug#794 display certs in admin console
- review bug #985
bug #985 Move Translingo to Translations (incl. patches)
VBscript for Vista/Win7 (select keysize >= 1024) (BlackJack) - reminder to dirk
x1 Dirk, new bug#964
DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEVcurrent state: test /account/4.php added to testserver
Marcus will do detailed tests on Wed
some references added to bug#964{0}
- as part of
x1 Arbitration case a20110312.1 Weak keys bug #918 / bug #954 / bug#964
- Current state:
{g}
pre mailing sent
{g}
keys revocation script to bulk revoke weak keys, new bug #954, finished
{-}
dirk: DEV: a20110312.1 bug#918 Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV
vbscript needs to be improved with select box key size and lower limit to 2048 (based on https://wiki.mozilla.org/CA:MD5and1024)
Api CertEnroll (MS crypto provider)
new bug#964
current state: test /account/4.php added to testserver
Marcus will do detailed tests on Wed
some references added to bug#964 - codename "BlackJack"{g}
Weak keys blog post, published
{g}
Weak keys article published by Hanno(July 28), link is in CAcert's blog post (July 30)
{b}
weak keys: problems with cryptostick (to test at Froscon with Juergen ?)
cert enroll infos under bug#964
vista and win7 works with other engine !CryptoAPI (?) => Cryptography API: Next Generation
http://msdn.microsoft.com/en-us/library/aa833130%28v=VS.85%29.aspx
Marcus: added notes for Win7 https://bugs.cacert.org/view.php?id=964#c2249
- dirk: has not started the virtual machine
- Question from Marcus: did someone contacted illuminat?
- No, Marcus: to contact illuminat
- illuminat will give it a try, first needs download of testserver image
- Update?
- marcus: illuminat not yet seen last time
baseline requirement - keyssize >= 2048 to fix till end of 2011
- how to proceed?
- dirk: 1st step, to bring win test server localy online
- marcus: to contact illuminat
- Do we have other developers who may pick up this project?
Marcus -> dirk: announcement of vbscript bug to developers mailing list
- change keysize
- merge 2 scripts to one
- fix on script 1 needs fix in 2nd script too, solutions: include, one file, or comment fix script 2 too
interrupt: bug#964 -> codename "BlackJack"
- relates to IE8 problem, that certs cannot be created
is there a security issue with available fix? also bug#918
- related 927, 901, 847
- a patch is online on testserver, but cannot found
- related patch files, /pages/account/ 3,4,16,17; /include/account.php
- there are other vbscript pages: ../account/ 6 + 19
Brian bug#964
- Michael: Marcus to test with IE
- IE select provider only
- code from Brian needs some corrections, corrections to do, 4 + 17 inclusions, checkin
- notification to Brian, done
6. General Bugs List Overview
Bugs to Review #1, transfer to testserver - Currently 4
uli
bug #977 admin console text fix
admin console Sysadmin - find domain - lists 2 tables - one for user accounts, one for org accounts, naming issue
{0}
uli
bug #967 OA isassurer check
Give an OA the oppertuntiy to check if a desiginated Organisation Admininistrator is a CAcert assurer
{0}
uli
bug #859 admin console interface
feature request: show activity on an account in the admin interface, new update
{0}
inopiae
New layout of view for Organisation Administraors in account/id35
{0}
Brian
new bug#964
DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEVsome references added to bug#964
current state: first review, add to testserver{0}
Bugs under testing: - Currently 3
uli
bug #855 admin console interface "unknown" + "empty" assurance method fields, needed for correct testing on testserver
admin console lists "empty" and "Unknown" assurance types on listing given Assurances
{0}
Michael
bug #978 bug 978 (weak keys) (bug 918)
invalid key format, no regular error message, something wrong, error code # identified
debugging infos from user + infos from critical team with error code #
was spkac routine{0}
Needs 2nd review + transfer to Critical team, to bundle, to deploy - Currently 3
- define priority eg. 10,2, and so on, proposed order: from 1 to 10
1
uli, michael
bug#794 display certs in admin console
last update 2011-12-06
tested by 2
2nd review + transfer{0}
1
7
uli, ted
bug #789 OA edit domain fix
Editing domain for organisations does not work
new update 2011-09-26
more fixes, more testing
* testcase scenario
* open org, edit 1st domain in new window, edit 2nd domain in new window
* results in: change made in window 2, written to record in window 2
* needs cross checking{0}
? / u7 / m7
2
neo
bug #985 move translingo to translations
check language settings under testserver
{0}
2
- define priority eg. 10,2, and so on, proposed order: from 1 to 10
- Needs development, deployment, discussion, reminder
7. Long term projects
strategy plans ... next: strategy for "New Roots & Escrow"
- idea: using indirect crl's ?
- 2 crl's needed, one valid, one invalid crl server
- more infos available ? who ?
- build testserver with special certs
- Magu, Michael to send instructions for test deployment
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5)
- meetings ago we've defined Testing requirements and a potential testszenario
- to remind every meeting
- Michael: testserver environment deployment
- Michael will review after Certs extension policy group vote
- policy group: define requirements
- multimember escrow method ?
- needs risk analyze
- potential candidates ?
- Marcus to contacted Benedikt, will contact Thomas K
- Next step(s)
- multimember escrow method ?
- idea: using indirect crl's ?
- CI (Update)
description to eclipse testpage, Webinar
- deployment scenario:
- create testusers
- testing
- delete testusers
- regression test for standard tests: eg 0,1,49,50,51,99,100,101 pts w/ and w/o CATS passed
- reminder
- deployment scenario:
- Jubula Test-Tool (by Michael) - update?
instructions see under Minutes meeting 2011-08-30
- test deployment needs to be continued by software testers
Jubula documentation started: Software/Jubula
- new proposal by Sven: Webdriver with Maven and Jenkins-CI
- Jubula vs. Webdriver
- testserver variants
- testserver for manual tests
- testserver of OS and application upgrades
- testserver for CI
- test methods
- unit test
- test single modules, exceptions
- integration tests
- test interaction of modules
- system tests
- complete system test, with database interactions, module interactions and much more
- unit test
- sven did some work regarding frontendtest (Webdriver with Maven and Jenkins-CI)
- Michael did some review: probably needs some seperation
- Infrastructure seperation
- CAcert Inc statement - received
- Hosting/Housing Provider
- 2011-12-01: Vienna response
- questions answered
- contacting secure-u, oophaga started?
- Frank, Mario, Ted, Uli, Sebastian ?
- started 2011-12-19, awaiting response
- Hardware
- alternate solutions
- Helping CAcert
- How does recruitment work?
- Newsletters, recuring notifications
Fosdem -> focus on Nucleus events
- Recruitment on events?
Recruitment page eg events/Recruitment, HelpingCAcert, Jobs
- Flyers?
- re-design main page:
- dirk: 3 news, upcoming events
- michael: *
- rss-feed script modification is simple
- main page cms page, login to secure area (portal project)
- public: www.cacert.org
- secure1: www.cacert.org
- secure2: secure.cacert.org
- public: www.cacert.org
Discovery II a20110118.1 discussion
- who should receive infos? list of appropiate recipients listed in discovery II table
- possible software solutions:
- triggered info mailing eg board-private mailing list + support
- view page with current results (like hidden stats page?)
- create bug# ?
- Affilates program - topic for SA ?
- planned income projects by CAcert Inc
- new portal (Benedikt, Karsten working on it)
- critical / non-critical systems
- non-critical portal - with login link to critical secure.cacert.org
- cms system: own user base?
- critical system userid includes @, cms userid does not include @
- cms login adding userid from critical system may result in security leak that account data can be collected (MITM)
- critical / non-critical systems
- affiliate link to each event (template)
- addtl. link under main ads
8. next meeting
- Tuesday, January 3, 2012 22:00
Minutes
bug#794 display certs in admin console
- not yet
Translingo bug #985
- try assigning to Ted
bug#540 No key usage attribute in cacert org certs anymore?
- policy change
- signer code update
- changes against svn
- uli, to add to tester portal
bug #920 Join - single name only (eg Indonesian)
- details under bug number
- presented to Policy Group
- first results from policy group?
- dirk has made some changes in 6.php last year
- there are 4 possible choices:
- givenname
- lastname (as current fix)
- givenname or lastname
- brians proposal, mononym + checkbox
- dirks proposal:
- make name handling more AP conform (1 line names, multiple names)
- 2 possible paths:
- allow multiple names (dirks proposal) is massive change (long term change)
- "simple" solution (short term change)
- global re-design
- ie users view
- 43.php, multiple views
- OCSP server - timeout 10 min too short, 3 days to long, recommendation is 24-48 hours max, verisign: 7 days, startssl: 2d
- who has been informed, contacted?
- Michael will inform Wytze
- not yet written
thread relates to https://lists.cacert.org/wws/arc/cacert-board/2011-11/msg00021.html
- general solved
- scalability might be a problem in the future ?!?
- preconfigured there is no solution
- whats with EBJCA
- java based
- distribution solution (database replication), master server distributes to other criticial slaves, no caching function
- post request includes timestamp, simple http cache probably doesn't work
- engineX ?
- ocsp protocol: version, requestor-name, extension, request-list
- open issue, needs time for implementation
- studienarbeit? bachelor arbeit?
- who has been informed, contacted?
- Infrastructure seperation
- CAcert Inc statement - received
- Hosting/Housing Provider
- 2011-12-01: Vienna response
- questions answered
- contacting secure-u, oophaga started?
- Frank, Mario, Ted, Uli, Sebastian ?
- started 2011-12-19, awaiting response
- Hardware
- alternate solutions
- offer Frank a) 80 w, too high, b) unknown yet
- uli: luxemburg connection, will try 1st week in january
- 2 way path: search sponsors for money, search hardware sponsors
- alternate solutions
- next events:
- Fosdem
- Cebit
- Chemnitzer Linuxtag
- CAP forms have no bank account infos
- CAP form redesign
- CAP forms have no bank account infos
- TMS - certs expire handling
- for testserver eg 3 days (short), 31 days (long)
- signer rewrite
- cabforum, blacklist implementation
Discovery II a20110118.1 discussion
- still running
- possible software solutions:
- triggered info mailing eg board-private mailing list + support
- view page with current results (like hidden stats page?)
- create bug# ?
- Affilates program - topic for SA ?
- currently not
- next meeting - Tuesday, January 3, 2012 22:00
- NEO is away
Fixed Action Items since last or within meeting
Ted, uli
bug #957 Resize the comment field on https://secure.cacert.org/account.php?id=27 so more information is visible
last update 2011-08-19
tested 3 times
ready to deploy?{g}
Action Items New
Action items: Meeting Action Items