To Software Software - To Software-Assessment Software/Assessment - To previous meeting - To next meeting

Minutes of the MiniTOP on the 2012-07-17

Setting

The MiniTOP will be held via telco 22:00 CEST

Attendees: Marcus, Uli, Benny, dirk, Michael, (David via irc)

Topics

(skip to agenda)

Action items from last meeting Meeting Action Items

Software/Assessment/ActionItems

all	proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems see also BEAST migration https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls Proposal from Sysadm list 2013-09-06	{0}
SA	documentation server cert design concept to SystemAdministration/Systems/Development/Prepare	{0}
all	review Software patches Update Cycle	{0}
BenBE, Marcus	documentation: developer git repos under github bug #1131 history @ github CAcertOrg @ github started under Software/Assessment/Documentation/UpdateCycle/step1	{0}
NEO	BenBe: request: htttps header on bugtracker bug #1116	{0}
all	read x509 guide	{0}
all	bug#1068 blog problem (also relates to community) debian lenny - edge - squeeze upgrades needed alternate: new server with squeeze, install wordpress, transfer domain workaround: configure your FF FAQ/BrowserClients	{g}
uli	Experience points for ATE attendance check board motions and/or trigger if not yet passed	{0}
uli	Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18 current state: see Funding Landing Page May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished	{0}
All	1. next: strategy for "New Roots & Escrow" - using indirect crl's ? indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment	{0}
dirk, Michael	3. next: strategy for "New Roots & Escrow" - how does debian work? to contact, deferred to next events (?) next round: picked up by Benedikt new proposal 2013-06-02	{0}
Uli, Michael	Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png	{0}

Development, Deployment, Discussion

OAO, Ted	bug #943 change OA admin/assurer text	needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected	{-}
uli, Ted	bug #824 Org User cert fix Case study	Organisation User Certificates: Need UI improvement for proper production usage	{0}
uli, ted	bug #823 email address removal fix	No warning when removing e-mail address from account that certificates will be revoked checked by 4, needs 2nd review, deploy rejected	{-}
inopiae	bug #920 Join - single name only (eg Indonesian)	details under bug number	{0}
uli	bug #859 admin console interface	feature request: show activity on an account in the admin interface rejected, certs login doesn't modify "modified" field	{r}
Michael	bug #540	p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing uli, marcus: needs full cert create tests duplicate report to bug#978 tested by 3, 2nd review done, transfered Ken reported: still has problems, bug kept open	{0}
gagern, NEO	bug #440 Problem with subjectAltName (CSR, renew certs)	There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development	{r}
neo	bug #1025 Domain Dispute issue	disputes rc and rc2 var prob needs work	{r}
dirk	bug #1054 0001054: Review the code regarding the new point calculation	Thawte patch part II needs further work	{r}

Software Assessors: Review 1 / add to cacert-devel, add to testserver

Software-Assessors task

Testing

Testers task

neo	bug #1004 Stats page improvement	tested by 2, needs 2nd review	{0}
neo	Bugs #1159 it might be possible to execute commands on the signing server		{0}
inopiae	bug #1065 Wrong wording when sending mails during the assurance process		{0}
inopiae	bug #1162 calcutate (the passwords) hash in php instead of in mysql	create test scenarios for the software testers $/!\$ Full testing $/!\$	{0}
inopiae	bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails		{0}
inopiae	bug #988 TTP cap form deployment		{0}

Software Assessors: 2nd Review, Bundle Package to Critical Team

Software-Assessors task

Ted	bug #500 Get contact mail adress after resolving test	tested by 3, requires review	{0}
Ted	bug #1140 Show if a test is passed in learnprogress	tested by 3, requires review	{0}
magu	bug #1131 Rename _all_ Policies from .php to .html and fix all links	global policy directory maintenance and update	{0}
inopiae	bug #1010 Reorder the view on organisation certificates	tested by 3	{0}

Software Assessors: Bundle Package to Critical Team

Software-Assessors task

inopiae

bug #1139 Add new fields to the database

tests through #500 and #1140, 2nd review done, requires transfer

{0}

Awaiting Response from Critical Team

inopiae

bug #411 Wrong text is made into link

{g}

CategorySoftwareAssessment

Agenda

1. Preface

Cebit brainstorming
- dirk: request for events report
- (2012-03-27) Marcus awaiting translation from Marc
- (2012-06-19) Marcus: translation received, will send within the next upcoming days
- (2012-06-26) Marcus: not yet finished
- 2nd draft finished
- Sat report missing
Bennys c.o address
- wip

2. 2nd review of about 5 patches

Software-Assessors task

bug #789 OA edit domain fix, Editing domain for organisations does not work
new update 2011-09-26
2 tests, needs 2nd review, deploy
more fixes, more testing
- 2nd review of 1 patch
  - Michael cannot do, needs doing by dirk (or other Software-Assessor, who else?)
- bug #789 reviewed: 2012-07-10
  - what is /pages/account/29.php for? edit org domain
  - (pc vm crashed)
bug #978 bug 978 (weak keys) (bug 918)
- invalid key format, no regular error message, something wrong, error code # identified
- debugging infos from user + infos from critical team with error code #, was spkac routine
- one test done 2011-12-17 by JensK
- uli, marcus: more tests: certs routine, weak keys (small keys test), relates to bug#540 tests
- (week 7)
bug#540 No key usage attribute in cacert org certs anymore?
- also: bug#905
- Policy group discussion - Extended key usage -> p20111113, motion CARRIED
- deployment
  1. prepare fixes -> Michael to prepare diffs, against svn
  2. sending to testserver
  3. transfer to critical system
- (2011-12-13) approx 2 weeks to write the fix, approx 2 months to go
- Michael did transfer the patch to testserver
  - signer code update
  - changes against svn
  - uli, to add to tester portal, done
  - uli to inform testers about new tests
  - test report from kenneth to transfer to report (email from 2011-12-25)
    - Michael: where to find the report from kenneth? link?
    - NEO has added the report (written to private dl)
  - who has adobe 8 for testing?
    - magu has, please test
  - next: needs testing (week 6)
    - uli, marcus: needs full cert create tests
    - uli (2012-01-25): sent notification to software testers
    - awaiting testing ... problem FULL test, including all possible variations with certs creation
    - also to report under bug #978 bug 978 (weak keys) (bug 918)
  - Testers: test all certs veriations, functions
- dirk 2nd review of patches, reviewed 2012-07-10
  - bug #540
  - diff line 23ff unclear, what does section ($root==2) mean?
  - also unclear: else section $CRLUrl="http://crl.cacert.org/root${root}.crl";
  - skipped $/!\$
bug #1024 reviewed 2012-07-10
- server.pl, too much changes to review in a working session, skipped $/!\$

neo	bug #1024 Assurer flag is not set correctly on updatesort.php run	tested by 4, ok	2 {0}
Michael	bug #540	p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing uli, marcus: needs full cert create tests duplicate report to bug#978	3 {0}
inopiae	bug #981 OA overview (dupe of bug #943)	New layout of view for Organisation Administrators in account/id35	4 {0}
neo	bug #978 Invalid SPKAC requests are not properly validated	recheck full certs signing procedures duplicate report to bug#540	5 {0}
uli, ted	bug #789 OA edit domain fix	Editing domain for organisations does not work new update 2011-09-26 2 tests, needs 2nd review, deploy more fixes, more testing	6 {0}

3. bug #1023 Testing (6.php)

Thawte points removal, final step
- last patch transfered to production system 2012-05-30
what are the next steps for thawte points revoke?
- points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
- 15.php needs rename to 10.php
- cannot move forward without dirk

4. Marcus Bugs list

see also Software/BugsOverview
bug#1023 related
- bug#583 "Assure Somebody" allows future assurance dates
- bug#648 send message from Assurer to Member
- bug#802 Name parts should be designated in assurance form
- bug#870 My Details - My Points show bugus time stamp
- bug#914 Information about Practice on Name while entering an Assurance
- bug#930 types wrong points in "Assure Someone" form
- bug#931 Date of assurance in future don't throw any exception
- bug#998 When entering an assurance in the WoT one line of the form the suffix is given in another line the suffix is missing.
- bug#1000 Entering an assurance into the system after searching for an assurer causes a pre-filled location field
Others
- bug#118 Secure TTP Form upload - outdated, conflicts with new procedure, closed
- bug#428 Reminder language-drop-down-box doesn't keep "English" if you choose it again - cannot be reproduced, tested by 2, closed
- bug#489 Pb on rewarding 2 points for an assurance
- bug#567 case sensitive email: tested by 2, cannot be confirmed, closed
- bug#767 Single-quotes escaped in Web-of-Trust contact form.
info pages to wiki pages
- starting bug #671. there still exist a bug# bug #740 (How to become an assurer is missleading)

bug #491 "Please allow usage of "secondary" emails user ids." - proposes: Close with rejected

  * username/password half of the combination is known to potential attacker
  * login prevents login to several email addresses
  * acceptance to several email addresses is prevented
  * no notification if primary email address has been changed
  * note regarding Policy Group
  * dirk: proposal: response email address exists, but isn't primary email ?
   * create new account results in "email address exists"
   * what is a proper response?
   * requestor has to be an assurer for assure someone
  * neo: for registration process chaptcha required
  * no good solution
  * for assurance only primary, for all other services allow also secondary addresses
   * search needs enhancement: search not only primary, also secondary

bug #571 "need for email addresses (or link) in admin console" - proposes: Closed with solved by other bug fix
- ```
  * primary and secondary email addresses are shown in admin console
```

bug #591 "CPS has to be improved for audit." - proposes: Closed

  * CPS is a working revision also DRAFT revision included
  * relates to policy repository bug# final place finding

addtl. groups:
1. OA
2. CCA rollout
3. TTP

5. Benny reviews

bug #1025 "Domain Dispute strange behaviour / Domain Dispute issue", checked
- wrong description, problem removing domains, bugfix solves this problem
- async removal of certs by signer
- needs review and testing
- inopiae will try testing on upcoming weekend
- to test: email- and domain dispute
bug #922 "CAcert application code problem causing missing 'certificate about to expire' messages", checked
- patch seems to be ok
- white spaces cleanup
- includes/account.php var $id shall be fixed within recursion, new bug #1078
- 2 tests initiated by inopiae and u60
- principle ok, but very confusing
- test reports Marcus:
  - discussions, Marcus got 71 or 72 notifications
  - Neo: default 5 notifications: 45d, 30d, 15d, 3d, 1d
- bug #922 test report / review
  - one test account, 1 client cert, 1 server cert, received 105 (1) reminders (!!!)
  - 15 reminders checked, 1 for client cert, 14 for server cert (!!!)
  - needs further inspection
bug #1019 "Contact form does not work when logged in"
- Michael: rework contact form
  - usability: 1 form, option box with public/support delivery, default support
  - current form 1: public, form 2: private
  - spam prevention via java, on disabled java the mail is marked [possible spam]
- mass mailing possible if adding multiple emails separated by commas
- account.php - email address from sender, no address validation, several other places it passes address validation
- neo: why not use primary email address?
  - works only if logged-in
- index?id=11 has also been changed
- url was hardcoded
- account.php?id=14
- sendmail() routine in includes/mysql.php

patches 2nd review, Benny to do pre-view

neo	bug #1024 Assurer flag is not set correctly on updatesort.php run	tested by 4, ok	2 {0}
Michael	bug #540	p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing uli, marcus: needs full cert create tests duplicate report to bug#978	3 {0}
inopiae	bug #981 OA overview (dupe of bug #943)	New layout of view for Organisation Administrators in account/id35	4 {0}
neo	bug #978 Invalid SPKAC requests are not properly validated	recheck full certs signing procedures duplicate report to bug#540	5 {0}
uli, ted	bug #789 OA edit domain fix	Editing domain for organisations does not work new update 2011-09-26 2 tests, needs 2nd review, deploy	6 {0}

for #540 uli has sent a short summary to dirk

6. New SA candidates and Coders

ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before 2012-08-10 - 2012-08-11 BarCamp kiel
- ABC Benny
Whats with ABC over archaios?
How to find coders? Experiences from the Gentoo project
- http://redmonk.com/dberkholz/2012/07/10/how-to-recruit-open-source-contributors/
- http://www.slideshare.net/dberkholz/lessons-on-recruiting-open-source-contributors-from-the-google-summer-of-code

7. English Translation Problems

how to handle typing error in web phrase Software/TranslationMisspelling
- "Can't continue with certificaterequest." in ../includes/account.php:341 ../includes/account.php:1482

8. Long Term Projects

NEO: "BlackJack"
- info from NEO: "BlackJack" moved forward
Marek's sql class project:
- is working on charset replacement
api project, Carsten continues with portal project not waiting for vendor-api to be delivered
- potential candidates for development
  1. Marek's sql class proposal
    - needs probably db upgrades
    - needs addtl. indices
    - needs testing
  2. archaios
    - builds daemon as unpreviliged user
- vendor-api delayed
  - no coders
  - other projects
  - related to sql class project
- portal project continues with a workaround, needs an assurer
- arbitration case on locations database orders outsourcing of find-an-assurer asap
- with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)

9. next meeting

Tuesday, July 24, 2012 22:00 CEST

Minutes

Preface
1. Bug Testing / Reporting bug #922 difficult
  - Marcus writes a tool to collect Email infors from TMS
2. Bennys reviews
  - 5 patches reviewed
  - 3 simple, bugs 540 (mostly check policy text), 789, 981
  - 2 with some difficultys, complexest one: 1024
3. Bennys c.o address
  - is active, finished
4. ABC Benny, no fixed date set yet
5. NEO: default pem coded signed key output, chrome expects der
6. How TMS email works: NEO: TMS connects via imap and collects and displays mails
dirk review bug 540
- gitdiff origin/release..origin/bug540
  - dirk 2nd review of patches, reviewed 2012-07-10
    - bug #540
    - diff line 23ff unclear, what does section ($root==2) mean?
      - class 3 server (in signer), comm module, each root client certs, there is a config #, root=0 class1, root=1 class3, root=2 newroots project class3s.crl (from 2008 new roots project)
      - root=2 not avail on current system
    - also unclear: else section $CRLUrl="http://crl.cacert.org/root${root}.crl";
      - 5 root vars defined (in client.pl)
      - crl for other keys, not class1, class3. all other keys not active on current system
    - server.pl: root.crl, class3, class3s, for further still unused keys
    - related policy decision: https://wiki.cacert.org/PolicyDecisions#p20111113
    - review ok
    - config files not reviewed, 2nd review not finished
bug #1075 cap form link wrong under pages/wot/6.php
- neo
  
  bug #1075 cap form link wrong under pages/wot/6.php
  
  cap link removed, moved to testserver
  
  {0}
- data protection problem to pickup user data before assurance f2f meeting starts
- what does assurance process means? assurance "process" starts from request of assuree to an assurer to do an assurance over assuree
- problem in ttp process too, to have a view over data before f2f meeting and signed cap is in the hands of an assurer. ttp-admin can request confirmation from ttp-user to access online data
- simple patch: remove links
- edited by NEO: transfered to testserver
dirk review bug 789, OA edit domain fix, Editing domain for organisations does not work
- gitdiff origin/release..origin/bug789
- bug #789 reviewed: 2012-07-10
  - what is /pages/account/29.php for? edit org domain
  - phone accu breaks
NEO: has finished IE patch, http://cacert.nhng.de/IEkeygen/keygen.html
- will prepare a working patch and will transfer to testserver within the next 7 days
NEO: git diff origin/release...origin/bug-XXX -> search all differences since last release
How to find coders? Experiences from the Gentoo project
- http://redmonk.com/dberkholz/2012/07/10/how-to-recruit-open-source-contributors/
- http://www.slideshare.net/dberkholz/lessons-on-recruiting-open-source-contributors-from-the-google-summer-of-code
- use as blueprint for all recruits?
- some discussions
English Translation Problems
- how to handle typing error in web phrase Software/TranslationMisspelling
- "Can't continue with certificaterequest." in ../includes/account.php:341 ../includes/account.php:1482
- create shared bug
- probably make part a. and b. a. that is clear, b. that is questionable
David's posts in irc
1. there is no checks for \00, er, \0
  - the \0 check will be done in signer (-> CommModule client and/or server.pl)
  - server.pl lines 494+495
  - blacklist for domain names for new signer
2. (char) 160 is problematic in various locales, as it appears as whitespace (160 is not a particularly good val either in ISO-8859-1) in certs
  - todo: doing whitelist of allowable chars
  - \xA0 is a problem too (at least in Win32/64)
3. subjectAltName is occasionally not checked for problems
  - file a new bug
FF prob with favicon verification
- http://forums.mozillazine.org/viewtopic.php?t=636366
- some discussion
next meeting
- Tuesday, July 24, 2012 22:00 CEST

Fixed Action Items since last or within meeting

Action Items New

Action items: Meeting Action Items

CategorySoftwareAssessment

Software/Assessment/20120717-S-A-MiniTOP (last edited 2012-07-24 16:04:07 by UlrichSchroeter)