To Software Software - To Software-Assessment Software/Assessment - To previous meeting - To next meeting

Minutes of the MiniTOP on the 2012-07-03

Setting

The MiniTOP will be held via telco 22:00 CEST

Attendees: Marcus, Michael, Uli, Benny, dirk; Marek + David via irc#sap

Topics

(skip to agenda)

Action items from last meeting Meeting Action Items

Software/Assessment/ActionItems

all	proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems see also BEAST migration https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls Proposal from Sysadm list 2013-09-06	{0}
SA	documentation server cert design concept to SystemAdministration/Systems/Development/Prepare	{0}
all	review Software patches Update Cycle	{0}
BenBE, Marcus	documentation: developer git repos under github bug #1131 history @ github CAcertOrg @ github started under Software/Assessment/Documentation/UpdateCycle/step1	{0}
NEO	BenBe: request: htttps header on bugtracker bug #1116	{0}
all	read x509 guide	{0}
all	bug#1068 blog problem (also relates to community) debian lenny - edge - squeeze upgrades needed alternate: new server with squeeze, install wordpress, transfer domain workaround: configure your FF FAQ/BrowserClients	{g}
uli	Experience points for ATE attendance check board motions and/or trigger if not yet passed	{0}
uli	Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18 current state: see Funding Landing Page May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished	{0}
All	1. next: strategy for "New Roots & Escrow" - using indirect crl's ? indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment	{0}
dirk, Michael	3. next: strategy for "New Roots & Escrow" - how does debian work? to contact, deferred to next events (?) next round: picked up by Benedikt new proposal 2013-06-02	{0}
Uli, Michael	Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png	{0}

Development, Deployment, Discussion

OAO, Ted	bug #943 change OA admin/assurer text	needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected	{-}
uli, Ted	bug #824 Org User cert fix Case study	Organisation User Certificates: Need UI improvement for proper production usage	{0}
uli, ted	bug #823 email address removal fix	No warning when removing e-mail address from account that certificates will be revoked checked by 4, needs 2nd review, deploy rejected	{-}
inopiae	bug #920 Join - single name only (eg Indonesian)	details under bug number	{0}
uli	bug #859 admin console interface	feature request: show activity on an account in the admin interface rejected, certs login doesn't modify "modified" field	{r}
Michael	bug #540	p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing uli, marcus: needs full cert create tests duplicate report to bug#978 tested by 3, 2nd review done, transfered Ken reported: still has problems, bug kept open	{0}
gagern, NEO	bug #440 Problem with subjectAltName (CSR, renew certs)	There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development	{r}
neo	bug #1025 Domain Dispute issue	disputes rc and rc2 var prob needs work	{r}
dirk	bug #1054 0001054: Review the code regarding the new point calculation	Thawte patch part II needs further work	{r}

Software Assessors: Review 1 / add to cacert-devel, add to testserver

Software-Assessors task

Testing

Testers task

neo	bug #1004 Stats page improvement	tested by 2, needs 2nd review	{0}
neo	Bugs #1159 it might be possible to execute commands on the signing server		{0}
inopiae	bug #1065 Wrong wording when sending mails during the assurance process		{0}
inopiae	bug #1162 calcutate (the passwords) hash in php instead of in mysql	create test scenarios for the software testers $/!\$ Full testing $/!\$	{0}
inopiae	bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails		{0}
inopiae	bug #988 TTP cap form deployment		{0}

Software Assessors: 2nd Review, Bundle Package to Critical Team

Software-Assessors task

Ted	bug #500 Get contact mail adress after resolving test	tested by 3, requires review	{0}
Ted	bug #1140 Show if a test is passed in learnprogress	tested by 3, requires review	{0}
magu	bug #1131 Rename _all_ Policies from .php to .html and fix all links	global policy directory maintenance and update	{0}
inopiae	bug #1010 Reorder the view on organisation certificates	tested by 3	{0}

Software Assessors: Bundle Package to Critical Team

Software-Assessors task

inopiae

bug #1139 Add new fields to the database

tests through #500 and #1140, 2nd review done, requires transfer

{0}

Awaiting Response from Critical Team

inopiae

bug #411 Wrong text is made into link

{g}

CategorySoftwareAssessment

Agenda

1. Preface

Cebit brainstorming
- dirk: request for events report
- (2012-03-27) Marcus awaiting translation from Marc
- (2012-06-19) Marcus: translation received, will send within the next upcoming days
- (2012-06-26) Marcus: not yet finished

2. Permissions Review

dispute cases
- new bug: bug #1038 Provide a script for board/tverify reset flags by arbitration a20110118.1
- re bug #1003 Permissions review script, to incorporate new intermediate ruling
Permissions review and revoke of board and tverify flag (bug #1003 and bug #1038)
- Michael run the permission preview script. After finding some formating stuff and fixing it, the script was run a second time.
- Afterwards Michael run the script revoke of board and tverify flag. The executing report was added as private to bug #1003
- All tester please review your flags and mails on the test server and report ONLY in bug #1003.
fix available, tested, next run close before
- last run: 2012-03-30, next run 2012-06-30
- to dirk: 2nd review bug#1003
- dirk: review looks ok
- has been tested on testserver, on local testserver by Michael
- good to go
- part 1: recuring script, ok
- part 2: permission reset, notification of users missing, fixed, tested, awaiting 2nd review again
2nd review done by Ted
new permission review script incorporated, board, tverify reset script executed by critical team
problem with ttpadmin flag removal, needs new board motion or workaround with old board motions m20090912.1 and finaly m20090914.2
1. new intermediate ruling in arbitration case
2. uli in role as AO prepares ttpadmin members list, sends to OAO
3. OAO confirms and sends to list to support
4. Support executes the request
ttpadmin reset started under arbitration, next permissions review schedule executed

3. 2nd review of about 6 patches

Software-Assessors task

bug #789 OA edit domain fix, Editing domain for organisations does not work
new update 2011-09-26
2 tests, needs 2nd review, deploy
more fixes, more testing
- 2nd review of 1 patch
  - Michael cannot do, needs doing by dirk (or other Software-Assessor, who else?)
bug #978 bug 978 (weak keys) (bug 918)
- invalid key format, no regular error message, something wrong, error code # identified
- debugging infos from user + infos from critical team with error code #, was spkac routine
- one test done 2011-12-17 by JensK
- uli, marcus: more tests: certs routine, weak keys (small keys test), relates to bug#540 tests
- (week 7)
bug#540 No key usage attribute in cacert org certs anymore?
- also: bug#905
- Policy group discussion - Extended key usage -> p20111113, motion CARRIED
- deployment
  1. prepare fixes -> Michael to prepare diffs, against svn
  2. sending to testserver
  3. transfer to critical system
- (2011-12-13) approx 2 weeks to write the fix, approx 2 months to go
- Michael did transfer the patch to testserver
  - signer code update
  - changes against svn
  - uli, to add to tester portal, done
  - uli to inform testers about new tests
  - test report from kenneth to transfer to report (email from 2011-12-25)
    - Michael: where to find the report from kenneth? link?
    - NEO has added the report (written to private dl)
  - who has adobe 8 for testing?
    - magu has, please test
  - next: needs testing (week 6)
    - uli, marcus: needs full cert create tests
    - uli (2012-01-25): sent notification to software testers
    - awaiting testing ... problem FULL test, including all possible variations with certs creation
    - also to report under bug #978 bug 978 (weak keys) (bug 918)
  - Testers: test all certs veriations, functions

uli	bug #967 OA isassurer check	Give an OA the opportunity to check if a designated Organisation Administrator is a CAcert assurer	1 {0}
neo	bug #1024 Assurer flag is not set correctly on updatesort.php run	tested by 4, ok	2 {0}
Michael	bug #540	p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing uli, marcus: needs full cert create tests duplicate report to bug#978	3 {0}
inopiae	bug #981 OA overview (dupe of bug #943)	New layout of view for Organisation Administrators in account/id35	4 {0}
neo	bug #978 Invalid SPKAC requests are not properly validated	recheck full certs signing procedures duplicate report to bug#540	5 {0}
uli, ted	bug #789 OA edit domain fix	Editing domain for organisations does not work new update 2011-09-26 2 tests, needs 2nd review, deploy more fixes, more testing	6 {0}

4. bug #1023 Testing (6.php)

Thawte points removal, final step
- last patch transfered to production system 2012-05-30
what are the next steps for thawte points revoke?
- points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
- 15.php needs rename to 10.php
- cannot move forward without dirk

5. Marcus Bugs list

bug#1023 related
- bug#583 "Assure Somebody" allows future assurance dates
- bug#648 send message from Assurer to Member
- bug#802 Name parts should be designated in assurance form
- bug#870 My Details - My Points show bugus time stamp
- bug#914 Information about Practice on Name while entering an Assurance
- bug#930 types wrong points in "Assure Someone" form
- bug#931 Date of assurance in future don't throw any exception
- bug#998 When entering an assurance in the WoT one line of the form the suffix is given in another line the suffix is missing.
- bug#1000 Entering an assurance into the system after searching for an assurer causes a pre-filled location field
Others
- bug#118 Secure TTP Form upload - outdated, conflicts with new procedure, closed
- bug#428 Reminder language-drop-down-box doesn't keep "English" if you choose it again - cannot be reproduced, tested by 2, closed
- bug#489 Pb on rewarding 2 points for an assurance
- bug#567 case sensitive email: tested by 2, cannot be confirmed, closed
- bug#767 Single-quotes escaped in Web-of-Trust contact form.
info pages to wiki pages
- starting bug #671. there still exist a bug# bug #740 (How to become an assurer is missleading)
see also Software/BugsOverview

bug #491 "Please allow usage of "secondary" emails user ids." - proposes: Close with rejected

  * username/password half of the combination is known to potential attacker
  * login prevents login to several email addresses
  * acceptance to several email addresses is prevented
  * no notification if primary email address has been changed
  * note regarding Policy Group
  * dirk: proposal: response email address exists, but isn't primary email ?
   * create new account results in "email address exists"
   * what is a proper response?
   * requestor has to be an assurer for assure someone
  * neo: for registration process chaptcha required
  * no good solution
  * for assurance only primary, for all other services allow also secondary addresses
   * search needs enhancement: search not only primary, also secondary

bug #571 "need for email addresses (or link) in admin console" - proposes: Closed with solved by other bug fix
- ```
  * primary and secondary email addresses are shown in admin console
```

bug #591 "CPS has to be improved for audit." - proposes: Closed

  * CPS is a working revision also DRAFT revision included
  * relates to policy repository bug# final place finding

6. Benny reviews

bug #1025 "Domain Dispute strange behaviour / Domain Dispute issue", checked
- wrong description, problem removing domains, bugfix solves this problem
- async removal of certs by signer
- needs review and testing
- inopiae will try testing on upcoming weekend
- to test: email- and domain dispute
bug #922 "CAcert application code problem causing missing 'certificate about to expire' messages", checked
- patch seems to be ok
- white spaces cleanup
- includes/account.php var $id shall be fixed within recursion, new bug #1078
- 2 tests initiated by inopiae and u60
- principle ok, but very confusing
bug #1019 "Contact form does not work when logged in"
- Michael: rework contact form
  - usability: 1 form, option box with public/support delivery, default support
  - current form 1: public, form 2: private
  - spam prevention via java, on disabled java the mail is marked [possible spam]
- mass mailing possible if adding multiple emails separated by commas
- account.php - email address from sender, no address validation, several other places it passes address validation
- neo: why not use primary email address?
  - works only if logged-in
- index?id=11 has also been changed
- url was hardcoded
- account.php?id=14
- sendmail() routine in includes/mysql.php

7. New SA candidates

ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before
- 2012-08-10 - 2012-08-11 BarCamp kiel

8. next meeting

Tuesday, July 10, 2012 22:00 CEST

Minutes

bug#922 certs expires notification
- discussions, Marcus got 71 or 72 notifications
- default 5 notifications: 45d, 30d, 15d, 3d, 1d
Benny didn't had the time for vista (blackjack) problem review
api project, Karsten continues with portal project if vendor-api will be delivered
- potential candidates for development
  1. Marek's sql class proposal
    - needs probably db upgrades
    - needs addtl. indices
    - needs testing
  2. archaios
    - builds daemon as unpreviliged user
- vendor-api delayed
  - no coders
  - other projects
  - related to sql class project
dirk reviews
- don't know
- review of bug #967
Permissions Review
- ttpadmin's removed
- permissions review passed
- board + tverify flags empty
Marcus Bugs list
- see also Software/BugsOverview
- addtl. groups:
  1. OA
  2. CCA rollout
  3. TTP
Benny reviews
- no new one, no updates
New SA candidates
- ABC Benny - needs a dispute filing first -> NEO
- Whats with ABC over archaios?
new ip available for 2nd testserver
- needs 3 ip's, at least 2 ip's
- www, secure, tms
Marek's sql class project:
- is working on charset replacement
working session, dirk 2nd review: bug #967 OA isassurer check
- git diff origin/release...origin/bug-XXX
- review done by dirk, is ok
next meeting
- Tuesday, July 10, 2012 22:00 CEST

Fixed Action Items since last or within meeting

Action Items New

Action items: Meeting Action Items

CategorySoftwareAssessment

Software/Assessment/20120703-S-A-MiniTOP (last edited 2012-07-03 23:03:20 by UlrichSchroeter)