Minutes of the MiniTOP on 2012-04-17
Setting
The MiniTOP will be held via telco at 22:00 CEST
Attendees: Marcus, Uli, Magu, dirk, Michael
Topics
Action items from last meeting (Meeting Action Items: Software/Assessment/ActionItems)
- all: proposed Apache config SSLCipherSuite settings for CAcert SSL-enabled infrastructure systems
- see also BEAST mitigation https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
- proposal from Sysadm list 2013-09-06
- SA: documentation server cert design concept to SystemAdministration/Systems/Development/Prepare
- BenBE, Marcus: documentation: developer git repos under github
- bug #1131 history @ github
- CAcertOrg @ github
- started under Software/Assessment/Documentation/UpdateCycle/step1
- all: read x509 guide
- all: bug#1068 blog problem (also relates to community)
- debian lenny - edge - squeeze upgrades needed
- alternate: new server with squeeze, install wordpress, transfer domain
- workaround: configure your FF, see FAQ/BrowserClients
- uli: Experience points for ATE attendance
- check board motions and/or trigger if not yet passed
- uli: Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18
- current state: see Funding Landing Page
- May 2013: tk-server sponsoring, tk-server received, deployment: WIP, project not yet finished
- All: 1. next: strategy for "New Roots & Escrow" - using indirect CRLs?
- indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment
- dirk, Michael: 3. next: strategy for "New Roots & Escrow" - how does debian work?
- to contact, deferred to next events (?)
- next round: picked up by Benedikt, new proposal 2013-06-02
- Uli, Michael: Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png
Development, Deployment, Discussion
- OAO, Ted: bug #943 change OA admin/assurer text
- needs 2nd test -> Fabian, Marc, Alex? / needs 2nd review -> Ted, rejected
- uli, Ted: bug #824 Org User cert fix Case study
- Organisation User Certificates: need UI improvement for proper production usage
- uli, ted: bug #823 email address removal fix
- No warning when removing e-mail address from account that certificates will be revoked
- checked by 4, needs 2nd review, deploy
- rejected
- inopiae: bug #920 Join - single name only (e.g. Indonesian)
- details under bug number
- uli: bug #859 admin console interface
- feature request: show activity on an account in the admin interface
- rejected, certs login doesn't modify "modified" field
- Michael: p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
- uli, marcus: needs full cert create tests
- duplicate report to bug#978
- tested by 3, 2nd review done, transferred
- Ken reported: still has problems, bug kept open
- gagern, NEO: bug #440 Problem with subjectAltName (CSR, renew certs)
- There seems to be a problem with the subjectAltName. Dupes, missing entries, and more; rejected, needs further development
- neo: bug #1025 Domain Dispute issue
- disputes rc and rc2 var prob
- needs work
- dirk: bug #1054 0001054: Review the code regarding the new point calculation
- Thawte patch part II
- needs further work
Software Assessors: Review 1 / add to cacert-devel, add to testserver (Software-Assessors task)
Testing (Testers task)
- neo: bug #1004 Stats page improvement
- tested by 2, needs 2nd review
- neo: bug #1159 it might be possible to execute commands on the signing server
- inopiae: bug #1065 Wrong wording when sending mails during the assurance process
- inopiae: bug #1162 calculate the password hash in PHP instead of in MySQL
- create test scenarios for the software testers
- full testing
- inopiae: bug #0028 Wrong language for "you've been assured" & [CAcert.org] Client Certificate emails
- inopiae: bug #988 TTP CAP form deployment
Software Assessors: 2nd Review, Bundle Package to Critical Team (Software-Assessors task)
- Ted: bug #500 Get contact mail address after resolving test
- tested by 3, requires review
- Ted: bug #1140 Show if a test is passed in learnprogress
- tested by 3, requires review
- magu: bug #1131 Rename _all_ Policies from .php to .html and fix all links
- global policy directory maintenance and update
- inopiae: bug #1010 Reorder the view on organisation certificates
- tested by 3
Software Assessors: Bundle Package to Critical Team (Software-Assessors task)
- inopiae: bug #1139 Add new fields to the database
- tests through #500 and #1140, 2nd review done, requires transfer
Awaiting Response from Critical Team
- inopiae: bug #411 Wrong text is made into link
Agenda
- there are 5 topics of high priority (2-6):
1. Preface
- dirk topics
- Cebit brainstorming
- dirk: request for events report
- (2012-03-27) Marcus awaiting translation from Marc
- (2012-04-03) Marcus will do upcoming (easter) weekend
- Cebit brainstorming
- github
new bug#1031 security issue?
2. Software-Assessors candidates
- Problem:
- 2nd review of 4 patches cannot be reviewed by NEO, dirk is busy, so only Ted avail, Markus inactive
- candidate to contact by ...
kotek? (-> neo) - neo is doing reviewing
aphexer? (-> ?)
bjoern? (-> magu) - no update
willm (-> neo) (xing contact, developer), will contact next
stephan (-> marcus)
3. bug #1023 Testing (6.php)
- Thawte points removal, final step
- relates to 6.php
- this also relates to TTP
- dirk will work on this last weekend (2012-01-21)
- current state: not yet finished
- expected finishing? upcoming weekend (2012-01-23 to 2012-01-30)
- not finished, upcoming weekend 2012-02-06?
- not finished, last weekend 2012-03-12?
2012-03-13: new bug#1023
- transferred to git cacert
- to test:
- assure someone
- w/ and w/o ttp
- in all variations
- Added to testserver Tue 13.3., Wed 14.3.
dirk
bug #1023 Consolidate changes into the Assure Someone page
6.php global re-design project
assurance, wot area (Thawte points removal effective)
- current state: patch removed from testserver, needs work (DEV)
- (2012-03-27) back on testserver: bug #1023 (6.php), has a bug, needs work
- 2 new bugs within meeting 2012-03-27
- (2012-04-03) bug analysis, empty-results analysis, new patch transferred to testserver
4. testing of certs patches
- 2012-02-21 meeting test series by uli
- 2012-03-27 adobe8 test candidate, magu has a contact
bug#540 No key usage attribute in cacert org certs anymore?
also: bug#905
Policy group discussion - Extended key usage -> p20111113, motion CARRIED
- deployment
prepare fixes -> Michael to prepare diffs, against svn
- sending to testserver
- transfer to critical system
- (2011-12-13) approx 2 weeks to write the fix, approx 2 months to go
- Michael did transfer the patch to testserver
- signer code update
- changes against svn
- uli, to add to tester portal, done
- uli to inform testers about new tests
- test report from kenneth to transfer to report (email from 2011-12-25)
- Michael: where to find the report from kenneth? link?
- NEO has added the report (written to private dl)
- who has adobe 8 for testing?
- magu has, please test
- next: needs testing (week 6)
- uli, marcus: needs full cert create tests
- uli (2012-01-25): sent notification to software testers
- awaiting testing ... problem FULL test, including all possible variations with certs creation
also to report under bug #978 (weak keys) (bug 918)
- Testers: test all certs variations, functions
bug#440 Problem with subjectAltName (CSR, renew certs)
- "There seems to be a problem with the subjectAltName. Dupes, missing entries, and more"
- patch by gagern
- Software-Assessors: needs 1st review + transfer to testserver (week 4)
- (2012-01-23) michael picked up
bug #978 (weak keys) (bug 918)
- invalid key format, no regular error message, something wrong, error code # identified
- debugging infos from user + infos from critical team with error code #, was spkac routine
- one test done 2011-12-17 by JensK
uli, marcus: more tests: certs routine, weak keys (small keys test), relates to bug#540 tests
- (week 7)
bug #812 CAcert certificate not working with Windows Encrypting Filesystem (EFS)
bug #905 Unable to sign PDF file with Acrobat
5. 2nd review of 3 patches
Software-Assessors task
uli, ted
bug #789 OA edit domain fix
Editing domain for organisations does not work
new update 2011-09-26
2 tests, needs 2nd review, deploy
more fixes, more testing
Michael
0001002: Contact Assurer form leaves a funny comment after sending
{0}
Michael
bug #1011 problem fix
needs review by Software-Assessor - priority: high
untestable, needs 2nd review
- 2nd review of 3 patches
- Michael cannot do, needs doing by dirk (or other Software-Assessor, who else?)
6. continue BlackJack coding by Michael
bug#964, bug#918 (Part II) Codename "BlackJack" - VBscript for Vista/Win7 (select keysize >= 1024)
x1 Dirk, new bug#964
DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php)
DEV current state: test /account/4.php added to testserver
Marcus will do detailed tests on Wed
some references added to bug#964
- as part of
x1 Arbitration case a20110312.1 Weak keys bug #918 / bug #954 / bug#964
- Current state:
pre mailing sent
keys revocation script to bulk revoke weak keys, new bug #954, finished
dirk: DEV: a20110312.1 bug#918 Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV
vbscript needs to be improved with select box key size and lower limit to 2048 (based on https://wiki.mozilla.org/CA:MD5and1024)
Api CertEnroll (MS crypto provider)
new bug#964
current state: test /account/4.php added to testserver
Marcus will do detailed tests on Wed
some references added to bug#964 - codename "BlackJack"
Weak keys blog post, published
Weak keys article published by Hanno(July 28), link is in CAcert's blog post (July 30)
weak keys: problems with cryptostick (to test at Froscon with Juergen ?)
cert enroll infos under bug#964
Vista and Win7 work with another engine than CryptoAPI (?) => Cryptography API: Next Generation (CNG)
http://msdn.microsoft.com/en-us/library/aa833130%28v=VS.85%29.aspx
Marcus: added notes for Win7 https://bugs.cacert.org/view.php?id=964#c2249
- dirk: has not started the virtual machine
- Question from Marcus: did someone contact illuminat?
- No, Marcus: to contact illuminat
- illuminat will give it a try, first needs download of testserver image
- Update?
- marcus: illuminat not yet seen last time
baseline requirement - keysize >= 2048 to fix till end of 2011
- how to proceed?
- dirk: 1st step, to bring win test server locally online
- marcus: to contact illuminat
- Do we have other developers who may pick up this project?
Marcus -> dirk: announcement of vbscript bug to developers mailing list
- change keysize
- merge 2 scripts to one
- fix on script 1 needs fix in 2nd script too, solutions: include, one file, or comment fix script 2 too
interrupt: bug#964 -> codename "BlackJack"
- relates to IE8 problem, that certs cannot be created
is there a security issue with available fix? also bug#918
- related 927, 901, 847
- a patch is online on testserver, but cannot be found
- related patch files, /pages/account/ 3,4,16,17; /include/account.php
- there are other vbscript pages: ../account/ 6 + 19
Brian bug#964
- Michael: Marcus to test with IE
- IE select provider only
- code from Brian needs some corrections, corrections to do, 4 + 17 inclusions, checkin
- notification to Brian, done
- quickfix has problems too
- next step(s)
- check error codes / debug routines
- open developer mode, create cert
- resulting error: line 213, put length, wrong parameter
Zeile: 213 Fehler: CertEnroll::CX509PrivateKey::put_Length: Falscher Parameter. 0x80070057 (WIN32: 87) Zeile 213: objPrivateKey.Length = &h08000000
- current state: an undef error with current patch
- we need someone who has experience with vbscript, to come into telco, reviews interface/api beforehand
- illuminat: not before Easter
- marcus: will ask users on assurance party Wed 18th Jan
- 2012-01-23:
- also cabforum requirement, keysize under IE limited to 1024
- how to find programmers ?
- windows webserver programmers: Outlook, Citrix portals
- new APIs can use Java; the new APIs are web-enabled
splitting vbscript for os revisions < vista, java for os revisions >= vista ?
- NEO started development, not yet finished
next: for XP: rewrite vbscript to JavaScript
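As an added illustration of the key-size handling discussed under item 6 (this is example code, not the patch from Brian or the bug#964 code): the error quoted above comes from assigning &h08000000 to CX509PrivateKey.Length; that value is 2048 shifted left by 16 bits, i.e. the legacy XEnroll/CryptGenKey convention of packing the key size into the high word of a flags value, whereas CertEnroll's Length expects the plain bit count. The provider name and the "CAcert WoT User" subject are assumptions; the lower limit of 2048 is the one named in the minutes.

```vbscript
' Example (not CAcert code): CertEnroll PKCS#10 request with the key size
' taken from an HTML select box and enforced against a lower limit.
Option Explicit

Const XCN_AT_KEYEXCHANGE = 1         ' X509KeySpec for an RSA exchange key
Const ContextUser = 1                ' X509CertificateEnrollmentContext: user store
Const XCN_CRYPT_STRING_BASE64 = 1    ' encoding returned by CreateRequest
Const XCN_CERT_NAME_STR_NONE = 0     ' plain encoding for CX500DistinguishedName
Const MIN_KEY_BITS = 2048            ' lower limit from the minutes (CA/B baseline)

' Turn the <select> value into a bit count: non-numeric or too-small values
' are raised to the minimum instead of being passed through to CertEnroll.
Function SanitizeKeyBits(selected)
    Dim bits
    If IsNumeric(selected) Then
        bits = CLng(selected)
    Else
        bits = 0
    End If
    If bits < MIN_KEY_BITS Then bits = MIN_KEY_BITS
    SanitizeKeyBits = bits
End Function

' Generate the key pair and return a base64 PKCS#10 CSR for the server side.
Function CreateCsr(selectedBits)
    Dim objPrivateKey, objRequest, objDN, objEnroll
    Set objPrivateKey = CreateObject("X509Enrollment.CX509PrivateKey")
    ' assumption: CAPI provider name; a CNG KSP name can be substituted on Vista/Win7
    objPrivateKey.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
    objPrivateKey.KeySpec = XCN_AT_KEYEXCHANGE
    ' Length is the key size in bits (e.g. 2048), NOT &h08000000 (2048 << 16),
    ' which CertEnroll rejects with E_INVALIDARG 0x80070057.
    objPrivateKey.Length = SanitizeKeyBits(selectedBits)
    objPrivateKey.MachineContext = False
    objPrivateKey.Create

    Set objRequest = CreateObject("X509Enrollment.CX509CertificateRequestPkcs10")
    objRequest.InitializeFromPrivateKey ContextUser, objPrivateKey, ""
    Set objDN = CreateObject("X509Enrollment.CX500DistinguishedName")
    objDN.Encode "CN=CAcert WoT User", XCN_CERT_NAME_STR_NONE   ' placeholder subject
    objRequest.Subject = objDN

    Set objEnroll = CreateObject("X509Enrollment.CX509Enrollment")
    objEnroll.InitializeFromRequest objRequest
    CreateCsr = objEnroll.CreateRequest(XCN_CRYPT_STRING_BASE64)
End Function

' usage (cscript): a select-box value of "1024" is raised to 2048 bits
WScript.Echo CreateCsr("1024")
```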
7. next meeting
- Tuesday, April 24, 2012 22:00 CEST
Minutes
- Cebit brainstorming
- request for events report
- (2012-04-03) Marcus will do upcoming (easter) weekend
- no update
- OA stuff
- bug #1023 Testing (6.php)
- Thawte points removal, final step
- current state
- dirk: didn't we conclude 14 days ago that the current patch state is the revision similar to the one on the production system
potential bugs on production system can be identified against wot.php on testserver (-> diff wot.php, if no difference bugs are also in production system)
- Michael: diff is empty, this means wot.php is identical between production and testserver
- Michael: didn't push one patch, as it has at least one error
- Michael: fix and push to git / testserver, patch is transferred to testserver
- testing: failures occurred
- last time we've added method transfer
if board=1, method empty -> results in garbage in database
new bug, that methods aren't checked that needs to be checked bug#1032
req by Marcus to add maxpoints limit definition: 35 assurance points (by AP) in a f2f meeting, up to 50 assurance points possible through a subpolicy (currently none available), new bug bug#1033
- bug #1027 Testing (donations / booking.com)
- invitation to magu
- github
- question from Michael:
- some forks are running
- from update proposal git on it-sls.de is the Software-Assessors limited write access repository
- git.it-sls.de needs administration, who?
see sample: https://github.com/k1c14k/cacert-devel/commit/c722a807f661d1177d85cbe08de3df9518fc513f
new bug#1031 security issue?
- no high risk, but should be fixed
- problem is multibyte encoding related (currently not used)
- alternate coding: each sql statement needs to be reviewed (prepared statements)
- Software-Assessors candidates
- Problem:
- 2nd review of 4 patches cannot be reviewed by NEO, dirk is busy, so only Ted avail, Markus inactive
- candidate to contact by ...
kotek? (-> neo) - neo is doing reviewing
aphexer? (-> ?)
bjoern? (-> magu) - what attracts programming for CAcert?
willm (-> neo) (xing contact, developer), will contact next
stephan (-> marcus)
- reactivate PG?
- how do we make SA attractive?
- Marcus: blockers? eg. dpa
- dirk: newsletters, last one last year
- open dpa discussion (uli: added to next board meeting agenda)
- Problem:
- next meeting
- Tue April, 24th
Fixed Action Items since last or within meeting
uli
image backup ca-mgr1, git-cacert, for planned system maintenance
critical team
system maintenance cacert1 (and others), remove stamp.cacert.org
uli
create new dev image from cacert1
Action Items New
Action items: Meeting Action Items