• Software
• Assessment
• 20120131-S-A-MiniTOP

• To Software Software - To Software-Assessment Software/Assessment - To previous meeting - To next meeting

Minutes of the MiniTOP on the 2012-01-31

Setting

The MiniTOP will be held via telco 22:00 CET

Attendees: dirk, marcus, uli, michael, magu

Topics

(skip to agenda)

Action items from last meeting Meeting Action Items

Agenda

1. Dirks Big Redesign Project

1. bug #827 - New Points calculation / Thawte patch

   • bug #827

   1. bug#827 + bug#882 to merge
      • close bug#882
      • wot.inc.php + notary.inc.php to merge
      • continue with bug#827
      • pojam bug to fix
   2. Thawte points removal, final step
      • relates to 6.php
      • this also relates to TTP
      • dirk will work on this last weekend (2012-01-21)
      • current state: not yet finished
        • expected finishing? upcoming weekend (2012-01-23 to 2012-01-30)
2. Bring TTP assurances up to running
   • requirement: make 855 active on production
   • TTP-caps can be build by TTP-admins offline, not for public distribution !!

     • uli

       bug #855 admin console interface "unknown" + "empty" assurance method fields, needed for correct testing on testserver

       admin console lists "empty" and "Unknown" assurance types on listing given Assurances

       {0}

   • uli to add test report
   • needs 2nd review by dirk, ted, markus, pg - ted will do within the upcoming days, probably Thursday
   • passed to production
   • TTP CAP form - sneak preview

     • for local testserver only bug #988 TTP cap form deployment Case study

   • TTP system implementation to enter TTP assurances into the system

     • Bug #863

     • Bug #864

     • Bug #888

   • current workaround - make use of "old" "TTP assurance" method with TTPadmin flag set, TOPUP impossible
   • question araised:
     • Notary public is also CAcert assurer, 2 possible ways
       1. make assurance via TTP assurance, entered into the system by TTPadmin
       2. make assurance as CAcert assurer
     • TTPadmin has different userid then TTP who is also CAcert assurer
       • AP prevents double assurances, but system cannot discover that, that TTP sends one TTP CAP form to TTPadmin and TTPadmin enters this assurance into the system and Notary public in role as CAcert assurer makes a 2nd CAcert assurance by CAP form
3. PoJAM patch

   • bug #872 PoJAM 3.3 restricition not applied

4. bug #920 Join - single name only (eg Indonesian)

   • details under bug number
   • presented to Policy Group
   • first results from policy group?
     • dirk has made some changes in 6.php last year
     • there are 4 possible choices:
       1. givenname
       2. lastname (as current fix)
       3. givenname or lastname
       4. brians proposal, mononym + checkbox
     • dirks proposal:
       • make name handling more AP conform (1 line names, multiple names)
     • 2 possible paths:
       1. allow multiple names (dirks proposal) is massive change (long term change)
       2. "simple" solution (short term change)
     • global re-design
       • eg users view
       • 43.php, multiple views
5. alternate experience points

   • bug #1007 add 5 Experience points for ATE attendance form

6. VBscript for Vista/Win7 (select keysize >= 1024) (BlackJack) - reminder to dirk

   • x1 Dirk, new bug#964 DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV

     current state: test /account/4.php added to testserver Marcus will do detailed tests on Wed some references added to bug#964

     {0}

   • as part of

   • x¹ Arbitration case a20110312.1 Weak keys bug #918 / bug #954 / bug#964

   • Current state:

     • {g}	pre mailing sent
       {g}	keys revocation script to bulk revoke weak keys, new bug #954, finished
       {-}	dirk: DEV: a20110312.1 bug#918 Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV vbscript needs to be improved with select box key size and lower limit to 2048 (based on https://wiki.mozilla.org/CA:MD5and1024) Api CertEnroll (MS crypto provider) new bug#964 current state: test /account/4.php added to testserver Marcus will do detailed tests on Wed some references added to bug#964 - codename "BlackJack"
       {g}	Weak keys blog post, published
       {g}	Weak keys article published by Hanno(July 28), link is in CAcert's blog post (July 30)
       {b}	weak keys: problems with cryptostick (to test at Froscon with Juergen ?)

   • cert enroll infos under bug#964

   • vista and win7 works with other engine !CryptoAPI (?) => Cryptography API: Next Generation

     • http://msdn.microsoft.com/en-us/library/aa833130%28v=VS.85%29.aspx

     • Marcus: added notes for Win7 https://bugs.cacert.org/view.php?id=964#c2249

   • dirk: has not started the virtual machine
   • Question from Marcus: did someone contacted illuminat?
     • No, Marcus: to contact illuminat
     • illuminat will give it a try, first needs download of testserver image
   • Update?
     • marcus: illuminat not yet seen last time

     • baseline requirement - keyssize >= 2048 to fix till end of 2011

     • how to proceed?
     • dirk: 1st step, to bring win test server localy online
     • marcus: to contact illuminat
     • Do we have other developers who may pick up this project?

   • Marcus -> dirk: announcement of vbscript bug to developers mailing list

     • change keysize
     • merge 2 scripts to one
     • fix on script 1 needs fix in 2nd script too, solutions: include, one file, or comment fix script 2 too

   • interrupt: bug#964 -> codename "BlackJack"

     • relates to IE8 problem, that certs cannot be created

     • is there a security issue with available fix? also bug#918

     • related 927, 901, 847
     • a patch is online on testserver, but cannot found
     • related patch files, /pages/account/ 3,4,16,17; /include/account.php
     • there are other vbscript pages: ../account/ 6 + 19

   • Brian bug#964

     • Michael: Marcus to test with IE
     • IE select provider only
   • code from Brian needs some corrections, corrections to do, 4 + 17 inclusions, checkin
     • notification to Brian, done
     • quickfix has problems too
     • next step(s)
       • check error codes / debug routines
       • open developer mode, create cert
         • resulting error: line 213, put length, wrong parameter

           Zeile: 213
           Fehler: CertEnroll::CX509PrivateKey::put_Length: Falscher Parameter. 0x80070057 (WIN32: 87)
           Zeile 213:  objPrivateKey.Length = &h08000000

   • current state: an undef error with current patch
     • we need someone who has experience with vbscript, to come into telco, reviews interface/api beforehand
       • illuminat: not before eastern
       • marcus: will ask users on assurance party Wed 18th Jan
   • 2012-01-23:
     • also cabforum requirement, keysize under IE limited to 1024
     • how to find programmers ?
       • windows webserver programmers: Outlook, Citrix portals
     • new API's can use java, new apis have web-enabled

     • splitting vbscript for os revisions < vista, java for os revisions >= vista ?

2. Certs Patches

1. bug#540 No key usage attribute in cacert org certs anymore?

   • also: bug#905

   • Policy group discussion - Extended key usage -> p20111113, motion CARRIED

   • deployment

     1. prepare fixes -> Michael to prepare diffs, against svn

     2. sending to testserver
     3. transfer to critical system
   • (2011-12-13) approx 2 weeks to write the fix, approx 2 months to go
   • Michael did transfer the patch to testserver
     • signer code update
     • changes against svn
     • uli, to add to tester portal, done
     • uli to inform testers about new tests
     • test report from kenneth to transfer to report (email from 2011-12-25)
       • Michael: where to find the report from kenneth? link?
       • NEO has added the report (written to private dl)
     • who has adobe 8 for testing?
       • magu has, please test
     • next: needs testing (week 5)
       • uli, marcus: needs full cert create tests
       • uli (2012-01-25): sent notification to software testers
       • awaiting testing ... problem FULL test, including all possible variations with certs creation

       • also to report under bug #978 bug 978 (weak keys) (bug 918)

2. bug#440 Problem with subjectAltName (CSR, renew certs)

   • "There seems to be a problem with the subjectAltName. Dupes, missing entries, and more"
   • patch by gagern
   • Software-Assessors: needs 1st review + transfer to testserver (week 4)
   • (2012-01-23) michael picked up

3. bug #978 bug 978 (weak keys) (bug 918)

   • invalid key format, no regular error message, something wrong, error code # identified
   • debugging infos from user + infos from critical team with error code #, was spkac routine
   • one test done 2011-12-17 by JensK

   • uli, marcus: more tests: certs routine, weak keys (small keys test), relates to bug#540 tests

   • (week 6)

4. bug #812 CAcert certificate not working with Windows Encrypting Filesystem (EFS)

5. bug #905 Unable to sign PDF file with Acrobat

3. Patches queue

1. bug #985 - Move Translingo to Translations (incl. patches) - POST work

   1. bug #985 Move from translingo to pootle - closed

   2. bug #900 CAcert Site translation - solved?

   3. bug #899 Translingo website doesn't have a useraccount adminstration page - closed

   4. bug #586 TransLingo: lost password option missing [Delete] - closed

   5. bug #842 /locale/make.php missing mkdir produces errors on translingo update - closed

   6. bug #891 Almost impossible to register to website - closed

   7. bug #892 Verification mail wrong - closed

   8. bug #843 Upload new texts to translingo problems - closed

   9. bug #816 language encoding not correct for non-english pages - closed

2. bug#1002 0001002: Contact Assurer form leaves a funny comment after sending

   • Michael did transfer the patch to testserver
   • Michael: request to alex to check, seems to be ok
   • next: tested by 2, needs 2nd review + deploy (week 4), ted?
   • (2012-01-23) ted picked up

3. Marcus: working session bug#789 OA field extension

   • 2nd review: dirk or ted

4. bug #859 admin console interface - feature request: show activity on an account in the admin interface, new update

   • Michael: needs 1st review + transfer to testserver
   • NEO: will check the next days (done)
   • show creation date as date? or daterange?
   • nothing prevents to show date as SE receives request from user or arbitrator to view user record (permission given)
   • will an access be logged?
     • yes, eg 43.php?usreid=1234567
     • expires after 3-6 months
   • split 43.php to two pages?
   • show last account activity on login page for the user?
   • no central landing page: account.php without parameters
   • alternates
     1. new page, needs return url
     2. 2nd part, add below (like points table)
        • several parts: eg show user flags, show account states
   • fixed: email, names, rest: dob, training, flags, addtl. parts
   • find user performance varies
     • sometimes fast, sometimes slow
   • flag settings per get request change?

4. Michaels workqueue

1. OCSP server - timeout 10 min too short, 3 days to long, recommendation is 24-48 hours max, verisign: 7 days, startssl: 2d
   • who has been informed, contacted?
   • Michael will inform Wytze
   • not yet written

     • thread relates to https://lists.cacert.org/wws/arc/cacert-board/2011-11/msg00021.html

   • general solved
   • scalability might be a problem in the future ?!?
   • preconfigured there is no solution
   • whats with EBJCA
     • java based
     • distribution solution (database replication), master server distributes to other criticial slaves, no caching function
     • post request includes timestamp, simple http cache probably doesn't work
     • engineX ?
   • ocsp protocol: version, requestor-name, extension, request-list
   • open issue, needs time for implementation
   • studienarbeit? bachelor arbeit?

   • new bug #1001 Need a way to set up redundant OCSP responders

   • still WIP, low priority
2. New function to TMS - edit notary table record

   • bug #980

   • infos from last meeting
   • testers needs editing individual notary records: fields "method", "awarded", "points"
   • easier to create notary records with testserver (add F2F), and edit existing record, doesn't need to check for assurer-from, assuree-to and so on
   • Update?
   • Michael (2011-11-15): after some other bug reviews
   • TMS - certs expire handling
     • for testserver eg 3 days (short), 31 days (long)

5. General Bugs List Overview

1. Bugs to Review #1, transfer to testserver - Currently 3

   • uli	bug #977 admin console text fix	admin console Sysadmin - find domain - lists 2 tables - one for user accounts, one for org accounts, naming issue	{0}
     uli	bug #967 OA isassurer check	Give an OA the oppertuntiy to check if a desiginated Organisation Admininistrator is a CAcert assurer	{0}
     inopiae	bug #981 OA overview (dupe of bug #943)	New layout of view for Organisation Administraors in account/id35	{0}

2. Bugs under testing: - Currently 5

   • Michael	bug #978 bug 978 (weak keys) (bug 918)	invalid key format, no regular error message, something wrong, error code # identified debugging infos from user + infos from critical team with error code # was spkac routine	{0}
     Michael	bug #540	p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing	{0}
     uli	bug #859 admin console interface	feature request: show activity on an account in the admin interface, new update	{0}
     NEO	bug #1003 permissions notifications	Provide a possibility to regularly review the permissions in the system	{0}
     gagern	bug#440 Problem with subjectAltName (CSR, renew certs)	There seems to be a problem with the subjectAltName. Dupes, missing entries, and more	{0}

3. Needs 2nd review + transfer to Critical team, to bundle, to deploy - Currently 2

   • define priority eg. 10,2, and so on, proposed order: from 1 to 10

     uli, ted	bug #789 OA edit domain fix	Editing domain for organisations does not work new update 2011-09-26 more fixes, more testing * testcase scenario * open org, edit 1st domain in new window, edit 2nd domain in new window * results in: change made in window 2, written to record in window 2 * needs cross checking	7 {0}
     Michael	bug #1002	0001002: Contact Assurer form leaves a funny comment after sending	{0}

4. Needs development, deployment, discussion, reminder

   1. bug #835 Migrate CATS onto testserver

      • Ted

        bug #835 Assurer challenge (on testserver)

        asssigned to Ted, CATS to install on ca-mgr1, awaiting deployment

        {0}

        • (2012-01-23) reminder to Ted

   2. bug#964, bug#918 (Part II) Codename "BlackJack"

      • Brian

        new bug#964 DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV

        some references added to bug#964 current state: first review, add to testserver

        {0}

6. Long term projects

1. strategy plans ... next: strategy for "New Roots & Escrow"

   1. idea: using indirect crl's ?
      • 2 crl's needed, one valid, one invalid crl server
      • more infos available ? who ?
        1. build testserver with special certs
        2. Magu, Michael to send instructions for test deployment

           • indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5)

      • meetings ago we've defined Testing requirements and a potential testszenario
      • to remind every meeting
      • Michael: testserver environment deployment
      • Michael will review after Certs extension policy group vote
        • Michael: VM + OS builtup for CRL server tests (WIP)
   2. roots escrow method risk analyse process for proposal to policy group / board
      • currently Ian works on this
      • publishing of results is not that a big problem, as not yet in production
2. CI (Update)

   1. description to eclipse testpage, Webinar

      • deployment scenario:
        1. create testusers
        2. testing
        3. delete testusers
      • regression test for standard tests: eg 0,1,49,50,51,99,100,101 pts w/ and w/o CATS passed
      • reminder
   2. Jubula Test-Tool (by Michael) - update?

      • http://www.eclipse.org/jubula/download.php

      • instructions see under Minutes meeting 2011-08-30

      • Jubula documentation started: Software/Jubula

      • not performant as needed over internet, testing stopped.
   3. new proposal by Sven: Webdriver with Maven and Jenkins-CI
      1. sven did some work regarding frontendtest (Webdriver with Maven and Jenkins-CI)
         • Michael did some review: probably needs some seperation

         • raw source

         • one implemented test case

           • needs building a team, sven + 2 others, to be forced and pushed forward
           • active people have to work with this framework
             1. write a testunit that triggers the bug
             2. write a bugfix
             3. start regression test
         • what do we want?
         • is this our direction?
         • does this fit to our requirements?
         • someone needs time to do a deep review
         • long term view:
           • developers needs to become familiar with the automated testing system to write also the test scripts
           • software-assessors to review test results
         • automated testing will be helpful in relation to certs creation
         • but may be a problem in certs creation
         • selenium test makes frontend tests, solution is ok for our requirements
3. Infrastructure seperation
   1. CAcert Inc statement - received
   2. Hosting/Housing Provider
      • 2011-12-01: Vienna response
      • questions answered
   3. contacting secure-u, oophaga started?
      • Frank, Mario, Ted, Uli, Sebastian ?
      • Secure-u started 2011-12-19, awaiting response
   4. Hardware
      • alternate solutions
        • uli: luxemburg connection, will try 1st week in january
      • 2 way path: search sponsors for money, search hardware sponsors
      • level after netburst
      • sample TK config: 1626.90€ + 117.30€ (1750)
        • includes: Intel Xeon 4-Core E3-1260L 2,4GHz 8MB 5GT/s, 16 GB ECC DDR3 1333-RAM, 4x 500 GB SATA II WD Raid
      • fund rising project

      • new hardware -> leasing?

   5. Definition of Infrastructure Systems

      • Overview Critical/Non-Critical systems

   6. Fund raising
      • start at Fosdem ?
      • rcpt: money + address to association
      • Secure-u: next meeting 2012-01-12, first Thursday per month
      • request to secure-u vorstand@, subject: infrastructure separation
        • sent 2011-12-18
      • Payments to Funkfeuer - Vienna, AT, maybe a problem ? Ted has to talk to Sebastian
4. Helping CAcert
   • How does recruitment work?
   • Newsletters, recuring notifications

   • Fosdem -> focus on Nucleus events

   • Recruitment on events?

   • Recruitment page eg events/Recruitment, HelpingCAcert, Jobs

   • Flyers?
   • re-design main page:
     • dirk: 3 news, upcoming events
     • michael: *
     • rss-feed script modification is simple
     • main page cms page, login to secure area (portal project)
       • public: www.cacert.org
         • secure1: www.cacert.org
         • secure2: secure.cacert.org

   • Upcoming Event Fosdem 2012

     • A3: Logo + volunteers wanted! (Software, Administration, Support)
     • A5, A4 with detailed infos
       • who?
         • A3: dirk
         • A4, A5: Software-Developer (php, vbscript), Software-Tester, Triage, Sysadmins
     • Discussion: makes it sense to offer Cheat Sheets?
       • experiences from ATEs: most of the Cheat Sheets left after the ATE :-P
       • so does it make sense to print A4, A5 detailed infos no one wants to take @home ?!?
   • Ted sent infos for Assurers at events
     • Cheat Sheet, first proposal ok

5. Discovery II a20110118.1 discussion / Permissions Stocktaking

   • still running
   • who should receive infos? list of appropiate recipients listed in discovery II table
   • possible software solutions:
     1. triggered info mailing eg board-private mailing list + support
     2. view page with current results (like hidden stats page?)

   • bug#1003 Provide a possibility to regularly review the permissions in the system

   • motion from last board meeting:

     1. m20120122.1 Request permissions stocktaking SQL queries - carried

     2. m20120122.2 Request up-to-date access lists - carried

        • It is moved that Board or a representative asks the persons responsible for an up-to-date copy of all access lists as specified in the Security Policy §3.4.2 including OA

   • see also bug #1003
6. Affilates program - topic for SA ?
   • currently not
   • planned income projects by CAcert Inc
   • new portal (Benedikt, Karsten working on it)
     • critical / non-critical systems
       • non-critical portal - with login link to critical secure.cacert.org
       • cms system: own user base?
       • critical system userid includes @, cms userid does not include @
       • cms login adding userid from critical system may result in security leak that account data can be collected (MITM)
   • affiliate link to each event (template)
     1. addtl. link under main ads
7. CAP Form redesign for upcoming events
   • Fosdem
   • Cebit
   • Chemnitzer Linuxtag
   • CAP forms have no bank account infos
     • CAP form redesign
8. "NEO projects"
   1. architecture/design (aka Birdshack design)
   2. signer rewrite
      • cabforum, blacklist implementation
      • needs a rewrite, protocol isn't that reliable as required/needed
      • problems in current design: eg count of days a cert expires will be transfered from client to server
      • multiple servers (staging/scaling/load balancing)
      • problems in current design: eg OpenSSL and multithreading
9. Vendor-Api / New Assurers Portal
   • Marcus sent some proposals
   • A team is working on a Portal project (Carsten, Marcus)
10. Foundations
    • dst files for logos

7. next meeting

• Tuesday, February 7, 2012 22:00

Minutes

1. bug #827 - New Points calculation / Thawte patch

   • bug #827

   1. bug#827 + bug#882 to merge
      • close bug#882
      • wot.inc.php + notary.inc.php to merge
      • continue with bug#827
      • pojam bug to fix
   2. Thawte points removal, final step
      • relates to 6.php
      • this also relates to TTP
      • dirk will work on this last weekend (2012-01-21)
      • current state: not yet finished
        • expected finishing? upcoming weekend (2012-01-23 to 2012-01-30)
      • not finished, upcoming weekend ?
2. Global Re-Design project
   • add a work flow concept ?
3. Certs Patches

   1. bug#540 No key usage attribute in cacert org certs anymore? (and other patches)

      • Testers: test all certs veriations, functions
4. Patches queue
   1. bug #985 - Move Translingo to Translations (incl. patches) - POST work

   2. bug #1011 problem fix

      • needs review by Software-Assessor - priority: high

   3. Marcus: working session bug#789 OA field extension

      • 2nd review: dirk or ted

   4. bug #859 admin console interface - feature request: show activity on an account in the admin interface, new update

      • sublinked, last login as date
      • needs testing
5. New function to TMS - edit notary table record

   • bug #980

   • certs expires: for testserver eg 3 days (short), 31 days (long)
     • will be added by michael
6. Bugs to Review #1, transfer to testserver

   • uli	bug #967 OA isassurer check	Give an OA the oppertuntiy to check if a desiginated Organisation Admininistrator is a CAcert assurer	{0}
     inopiae	bug #981 OA overview (dupe of bug #943)	New layout of view for Organisation Administraors in account/id35	{0}

     • michael will check
7. Testers queue

   • NEO

     bug #1003 permissions notifications

     Provide a possibility to regularly review the permissions in the system

     {0}

     • all special flags, recipients and board (see account in bug note)
8. Patches for 2nd review and transfer to critical team

   • uli, ted	bug #789 OA edit domain fix	Editing domain for organisations does not work new update 2011-09-26 more fixes, more testing * testcase scenario * open org, edit 1st domain in new window, edit 2nd domain in new window * results in: change made in window 2, written to record in window 2 * needs cross checking	7 {0}
     Michael	bug #1002	0001002: Contact Assurer form leaves a funny comment after sending	{0}

9. Testserver signer
   • short 3d, long 30d, org 7d activated by NEO
10. Infrastructure seperation
    1. contacting secure-u, oophaga started?
       • Frank, Mario, Ted, Uli, Sebastian ?
       • Secure-u started 2011-12-19, awaiting response
    2. Fund raising
       • start at Fosdem ?
       • rcpt: money + address to association
       • Secure-u: next meeting 2012-01-12, first Thursday per month
       • request to secure-u vorstand@, subject: infrastructure separation
         • sent 2011-12-18
       • Payments to Funkfeuer - Vienna, AT, maybe a problem ? Ted has to talk to Sebastian
       • Fundraising Upcoming projects
         1. Cebit booth funding - 500 Euro
            • probably 2 presentations
            • Cebit visitors?

            • LibreOffice booth on Friday

            • m: 30, n: 30, d: 50, ma: 30, u: 360
            • via secure-u
         2. Hardware / host funding - 2000 Euro
            • starting fosdem
         3. non-critical infrastructure - monthly costs - 50 Euro/month
11. Helping CAcert

    • Upcoming Event Fosdem 2012

      • A3: Logo + volunteers wanted! (Software, Administration, Support)
      • A5, A4 with detailed infos
      • who?
        • A3: dirk
          • will print Wed, Thu
        • A4, A5: Software-Developer (php, vbscript), Software-Tester, Triage, Sysadmins
          • nothing

12. Discovery II a20110118.1 discussion / Permissions Stocktaking

    • see bug #1003
13. Vendor-Api / New Assurers Portal
    • no news
14. next meeting
    • Tuesday, February 7, 2012 22:00

Fixed Action Items since last or within meeting

Action Items New

Action items: Meeting Action Items

• CategorySoftwareAssessment