Minutes of the MiniTOP on the 2012-06-26

Setting

The MiniTOP will be held via telco 22:00 CEST

Attendees: michael, magu, benny, marcus, uli, dirk

Topics

(skip to agenda)

Action items from last meeting Meeting Action Items

Software/Assessment/ActionItems

Development, Deployment, Discussion

  • OAO, Ted

    bug #943 change OA admin/assurer text

    needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected

    {-}

    uli, Ted

    bug #824 Org User cert fix Case study

    Organisation User Certificates: Need UI improvement for proper production usage

    {0}

    uli, ted

    bug #823 email address removal fix

    No warning when removing e-mail address from account that certificates will be revoked
    checked by 4, needs 2nd review, deploy
    rejected

    {-}

    inopiae

    bug #920 Join - single name only (eg Indonesian)

    details under bug number

    {0}

    uli

    bug #859 admin console interface

    feature request: show activity on an account in the admin interface
    rejected, certs login doesn't modify "modified" field

    {r}

    Michael

    bug #540

    p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
    uli, marcus: needs full cert create tests
    duplicate report to bug#978
    tested by 3, 2nd review done, transfered
    Ken reported: still has problems, bug kept open

    {0}

    gagern, NEO

    bug #440 Problem with subjectAltName (CSR, renew certs)

    There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development

    {r}

    neo

    bug #1025 Domain Dispute issue

    disputes rc and rc2 var prob
    needs work

    {r}

    dirk

    bug #1054 0001054: Review the code regarding the new point calculation

    Thawte patch part II
    needs further work

    {r}

Software Assessors: Review 1 / add to cacert-devel, add to testserver

  • Software-Assessors task

Testing

  • Testers task

    neo

    bug #1004 Stats page improvement

    tested by 2, needs 2nd review

    {0}

    neo

    Bugs #1159 it might be possible to execute commands on the signing server

    {0}

    inopiae

    bug #1065 Wrong wording when sending mails during the assurance process

    {0}

    inopiae

    bug #1162 calcutate (the passwords) hash in php instead of in mysql

    create test scenarios for the software testers /!\
    Full testing /!\

    {0}

    inopiae

    bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails

    {0}

    inopiae

    bug #988 TTP cap form deployment

    {0}

Software Assessors: 2nd Review, Bundle Package to Critical Team

  • Software-Assessors task

    Ted

    bug #500 Get contact mail adress after resolving test

    tested by 3, requires review

    {0}

    Ted

    bug #1140 Show if a test is passed in learnprogress

    tested by 3, requires review

    {0}

    magu

    bug #1131 Rename _all_ Policies from .php to .html and fix all links

    global policy directory maintenance and update

    {0}

    inopiae

    bug #1010 Reorder the view on organisation certificates

    tested by 3

    {0}

Software Assessors: Bundle Package to Critical Team

  • Software-Assessors task

    inopiae

    bug #1139 Add new fields to the database

    tests through #500 and #1140, 2nd review done, requires transfer

    {0}

Awaiting Response from Critical Team

  • inopiae

    bug #411 Wrong text is made into link

    {g}


Agenda

1. Preface

  1. Cebit brainstorming
    • dirk: request for events report
    • (2012-03-27) Marcus awaiting translation from Marc
    • (2012-04-03) Marcus will do upcoming (easter) weekend
    • (2012-04-17) no update
    • (2012-04-24) no update
    • (2012-05-29) no update, uli: marcus please translate by yourself
    • (2012-06-05) no update
    • (2012-06-12) in the next days
    • (2012-06-19) Marcus: translation received, will send within the next upcoming days

2. Permissions Review

  1. dispute cases
    • new bug: bug #1038 Provide a script for board/tverify reset flags by arbitration a20110118.1

    • re bug #1003 Permissions review script, to incorporate new intermediate ruling

  2. Permissions review and revoke of board and tverify flag (bug #1003 and bug #1038)

    • Michael run the permission preview script. After finding some formating stuff and fixing it, the script was run a second time.
    • Afterwards Michael run the script revoke of board and tverify flag. The executing report was added as private to bug #1003

    • All tester please review your flags and mails on the test server and report ONLY in bug #1003.

  3. fix available, tested, next run close before
    • last run: 2012-03-30, next run 2012-06-30
    • to dirk: 2nd review bug#1003

    • dirk: review looks ok
    • has been tested on testserver, on local testserver by Michael
    • good to go
    • part 1: recuring script, ok
    • part 2: permission reset, notification of users missing, fixed, tested, awaiting 2nd review again
  4. 2nd review done by Ted
  5. new permission review script incorporated, board, tverify reset script executed by critical team

3. 2nd review of about 6 patches

4. bug #1023 Testing (6.php)

  1. Thawte points removal, final step
    • last patch transfered to production system 2012-05-30
  2. what are the next steps for thawte points revoke?
    • points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
    • 15.php needs rename to 10.php
    • cannot move forward without dirk

5. Marcus Bugs list

6. Benny's buglist

7. next meeting

Minutes

  1. Cebit brainstorming
    • (2012-06-19) Marcus: translation received, will send within the next upcoming days
    • not yet finished
  2. Permissions Review
    1. dispute cases
      • new bug: bug #1038 Provide a script for board/tverify reset flags by arbitration a20110118.1

      • re bug #1003 Permissions review script, to incorporate new intermediate ruling

    2. problem with ttpadmin flag removal, needs new board motion or workaround with old board motions m20090912.1 and finaly m20090914.2

      1. new intermediate ruling in arbitration case
      2. uli in role as AO prepares ttpadmin members list, sends to OAO
      3. OAO confirms and sends to list to support
      4. Support executes the request
  3. 2nd review of about 6 patches
    • without dirk no success
  4. ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before
    • 2012-08-10 - 2012-08-11 BarCamp kiel

  5. ATE-DU preparations
  6. Benny reviews
    • bug #1025 "Domain Dispute strange behaviour / Domain Dispute issue", checked

      • wrong description, problem removing domains, bugfix solves this problem
      • async removal of certs by signer
      • needs review and testing
      • inopiae will try testing on upcoming weekend
      • to test: email- and domain dispute
    • bug #922 "CAcert application code problem causing missing 'certificate about to expire' messages", checked

      • patch seems to be ok
      • white spaces cleanup
      • includes/account.php var $id shall be fixed within recursion, new bug #1078
      • 2 tests initiated by inopiae and u60
      • principle ok, but very confusing
    • bug #1019 "Contact form does not work when logged in"

      • Michael: rework contact form
        • usability: 1 form, option box with public/support delivery, default support
        • current form 1: public, form 2: private
        • spam prevention via java, on disabled java the mail is marked [possible spam]
      • mass mailing possible if adding multiple emails separated by commas
      • account.php - email address from sender, no address validation, several other places it passes address validation
      • neo: why not use primary email address?
        • works only if logged-in
      • index?id=11 has also been changed
      • url was hardcoded
      • account.php?id=14
      • sendmail() routine in includes/mysql.php
  7. Marcus buglist
    • bug #491 "Please allow usage of "secondary" emails user ids." - proposes: Close with rejected

      • username/password half of the combination is known to potential attacker
      • login prevents login to several email addresses
      • acceptance to several email addresses is prevented
      • no notification if primary email address has been changed
      • note regarding Policy Group
      • dirk: proposal: response email address exists, but isn't primary email ?
        • create new account results in "email address exists"
        • what is a proper response?
        • requestor has to be an assurer for assure someone
      • neo: for registration process chaptcha required
      • no good solution
      • for assurance only primary, for all other services allow also secondary addresses
        • search needs enhancement: search not only primary, also secondary
    • bug #571 "need for email addresses (or link) in admin console" - proposes: Closed with solved by other bug fix

      • primary and secondary email addresses are shown in admin console
    • bug #591 "CPS has to be improved for audit." - proposes: Closed

      • CPS is a working revision also DRAFT revision included
      • relates to policy repository bug# final place finding
  8. neo: win7/vista BlackJack

    • certs codesigning
    • trusted sites
    • one component not secured for scripting
    • cannot be added to trusted sites
    • rtfm answer: registry key to set, on request by IE special answer, does not work
    • certenroll lib cannot be activated
    • https://cacert.nhng.de/IEkeygen/

  9. next meeting
    • Tuesday, July 3rd, 2012 22:00 CEST

Fixed Action Items since last or within meeting

Action Items New

Action items: Meeting Action Items


Software/Assessment/20120626-S-A-MiniTOP (last edited 2012-06-26 22:30:30 by UlrichSchroeter)