Minutes of the MiniTOP on the 2012-08-07
Setting
The MiniTOP will be held via telco 22:00 CEST
Attendees: magu, benny, uli, michael, marcus, dirk
Topics
Action items from last meeting Meeting Action Items
Software/Assessment/ActionItems
all
proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems
see also BEAST mitigation https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
Proposal from Sysadm list 2013-09-06{0}
SA
documentation server cert design concept to SystemAdministration/Systems/Development/Prepare
{0}
all
{0}
BenBE, Marcus
documentation: developer git repos under github
bug #1131 history @ github
CAcertOrg @ github
started under Software/Assessment/Documentation/UpdateCycle/step1{0}
NEO
{0}
all
read x509 guide
{0}
all
bug#1068 blog problem (also relates to community)
debian lenny - edge - squeeze upgrades needed
alternate: new server with squeeze, install wordpress, transfer domain
workaround: configure your FF FAQ/BrowserClients{g}
uli
Experience points for ATE attendance
check board motions and/or trigger if not yet passed{0}
uli
Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18
current state: see Funding Landing Page
May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished{0}
All
1. next: strategy for "New Roots & Escrow" - using indirect CRLs?
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment{0}
dirk, Michael
3. next: strategy for "New Roots & Escrow" - how does debian work?
to contact, deferred to next events (?)
next round: picked up by Benedikt new proposal 2013-06-02{0}
Uli, Michael
Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png
{0}
Development, Deployment, Discussion
OAO, Ted
bug #943 change OA admin/assurer text
needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected
{-}
uli, Ted
bug #824 Org User cert fix Case study
Organisation User Certificates: Need UI improvement for proper production usage
{0}
uli, ted
bug #823 email address removal fix
No warning when removing e-mail address from account that certificates will be revoked
checked by 4, needs 2nd review, deploy
rejected{-}
inopiae
bug #920 Join - single name only (eg Indonesian)
details under bug number
{0}
uli
bug #859 admin console interface
feature request: show activity on an account in the admin interface
rejected, certs login doesn't modify "modified" field{r}
Michael
p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
uli, marcus: needs full cert create tests
duplicate report to bug#978
tested by 3, 2nd review done, transferred
Ken reported: still has problems, bug kept open{0}
gagern, NEO
bug #440 Problem with subjectAltName (CSR, renew certs)
There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development
{r}
neo
bug #1025 Domain Dispute issue
disputes rc and rc2 var prob
needs work{r}
dirk
bug #1054 0001054: Review the code regarding the new point calculation
Thawte patch part II
needs further work{r}
Software Assessors: Review 1 / add to cacert-devel, add to testserver
Software-Assessors task
Testing
Testers task
neo
bug #1004 Stats page improvement
tested by 2, needs 2nd review
{0}
neo
Bugs #1159 it might be possible to execute commands on the signing server
{0}
inopiae
bug #1065 Wrong wording when sending mails during the assurance process
{0}
inopiae
bug #1162 calcutate (the passwords) hash in php instead of in mysql
create test scenarios for the software testers
Full testing{0}
inopiae
bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails
{0}
inopiae
bug #988 TTP cap form deployment
{0}
Software Assessors: 2nd Review, Bundle Package to Critical Team
Software-Assessors task
Ted
bug #500 Get contact mail adress after resolving test
tested by 3, requires review
{0}
Ted
bug #1140 Show if a test is passed in learnprogress
tested by 3, requires review
{0}
magu
bug #1131 Rename _all_ Policies from .php to .html and fix all links
global policy directory maintenance and update
{0}
inopiae
bug #1010 Reorder the view on organisation certificates
tested by 3
{0}
Software Assessors: Bundle Package to Critical Team
Software-Assessors task
inopiae
bug #1139 Add new fields to the database
tests through #500 and #1140, 2nd review done, requires transfer
{0}
Awaiting Response from Critical Team
inopiae
bug #411 Wrong text is made into link
{g}
Agenda
1. Preface
- Cebit brainstorming
- dirk: request for events report
- (2012-03-27) Marcus awaiting translation from Marc
- (2012-06-19) Marcus: translation received, will send within the next upcoming days
- (2012-06-26) Marcus: not yet finished
- 2nd draft finished
Sat report missing, Uli sent a report 2012-03-22 (with wiki link Assurance/Procedures/RLO)
- Marcus to compile final report
- Three patches transferred:
bug #540 Extended Keyusage
Michael
p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
uli, marcus: needs full cert create tests
duplicate report to bug#978
3 {g}
- transferred to critical
- report by Ken in dev mailing list
What about bug #540 Extended Keyusage - related patches
- report by Ken in dev mailing list
- potential 2 problems
- test before patch comes in effect
- root keys from production system not installed
- differences between production and testserver roots/class3 roots ?
- production root
X509v3 Basic Constraints: critical
    CA:TRUE
X509v3 CRL Distribution Points:
    URI:https://www.cacert.org/revoke.crl
Netscape CA Revocation Url:
    https://www.cacert.org/revoke.crl
Netscape CA Policy Url:
    http://www.cacert.org/index.php?id=10
Netscape Comment:
    To get your own certificate for FREE head over to http://www.cacert.org
- testserver root
X509v3 Basic Constraints: critical
    CA:TRUE
Authority Information Access:
    OCSP - URI:http://ocsp.CAcert.org/
    CA Issuers - URI:http://www.CAcert.org/ca.crt
X509v3 Certificate Policies:
    Policy: Security
      CPS: http://www.CAcert.org/index.php?id=10
Netscape CA Policy Url:
    http://www.CAcert.org/index.php?id=10
Netscape Comment:
    To get your own certificate for FREE, go to http://www.CAcert.org
- production class3
X509v3 Certificate Policies:
    Policy: 1.3.6.1.4.1.18506
      CPS: http://www.CAcert.org/index.php?id=10
- testserver class3
X509v3 Certificate Policies:
    Policy: Security
      CPS: http://www.CAcert.org/index.php?id=10
- main difference: OCSP / CRL links in root cert
- test scenario
- create new root identical to production root
- existing config file results in the current testserver root, in svn
- svn copy of config has been added late (Dec 2010)
SVN:/CAcert/SystemAdministration/signer/ssl
There are references to: bug#905 "Unable to sign PDF file with Acrobat"
- who can test acrobat ???
Can reports from bug #540 also be found under bug #978 (weak keys)?
reference bug #918 Weak keys in certificates (closed)
2. 2nd review of about 3 remaining patches
Software-Assessors task
- Benny pre-views done
neo
bug #1024 Assurer flag is not set correctly on updatesort.php run
tested by 4, ok
2 {0}
inopiae
New layout of view for Organisation Administrators in account/id35
4 {0}
neo
bug #978 Invalid SPKAC requests are not properly validated
recheck full certs signing procedures
duplicate report to bug#540
5 {0}
- from meeting 2012-07-17:
- 5 patches reviewed
- 3 simple, bugs 540 (fixed), 789 (fixed), 981
- 2 with some difficulties, 978 (related to bug#540), most complex one: 1024
bug #978 (weak keys) (bug 918)
- invalid key format, no regular error message, something wrong, error code # identified
- debugging infos from user + infos from critical team with error code #, was spkac routine
- one test done 2011-12-17 by JensK
uli, marcus: more tests: certs routine, weak keys (small keys test), relates to bug#540 tests
- (week 7)
bug #1024 reviewed 2012-07-10
server.pl, too many changes to review in a working session, skipped
dirk 2nd review: bug #1024 Assurer flag is not set correctly on updatesort.php run
- michael: fix assurer flag from library
- with userid for one special user
- w/o userid, for all users
- to continue upcoming week
- see also 3.1 "Thawte points removal, final step"
3. Patches Overview - DEV and Testing
- bug #1023 Testing (6.php)
- Thawte points removal, final step
- last patch transferred to production system 2012-05-30
- what are the next steps for thawte points revoke?
- points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
- 15.php needs rename to 10.php
- cannot move forward without dirk
- when?
- blocked by software-reviews
- Marcus: reviews dirk is doing only in meetings
- upcoming week ?
- Bugs under Testing
- English Translation Problems
how to handle typing error in web phrase Software/TranslationMisspelling
- "Can't continue with certificaterequest." in ../includes/account.php:341 ../includes/account.php:1482
- create shared bug
- probably split into parts a. and b.: a. what is clear, b. what is questionable
new bug #1086
- Marcus Bugs list
see also Software/BugsOverview
bug#1023 related
bug#583 "Assure Somebody" allows future assurance dates
bug#648 send message from Assurer to Member
bug#802 Name parts should be designated in assurance form
bug#870 My Details - My Points show bugus time stamp
bug#914 Information about Practice on Name while entering an Assurance
bug#930 types wrong points in "Assure Someone" form
bug#931 Date of assurance in future don't throw any exception
bug#998 When entering an assurance in the WoT one line of the form the suffix is given in another line the suffix is missing.
bug#1000 Entering an assurance into the system after searching for an assurer causes a pre-filled location field
- Others
bug#118 Secure TTP Form upload - outdated, conflicts with new procedure, closed
bug#428 Reminder language-drop-down-box doesn't keep "English" if you choose it again - cannot be reproduced, tested by 2, closed
bug#489 Pb on rewarding 2 points for an assurance
bug#567 case sensitive email: tested by 2, cannot be confirmed, closed
bug#767 Single-quotes escaped in Web-of-Trust contact form.
- info pages to wiki pages
bug #491 "Please allow usage of "secondary" emails user ids." - proposes: Close with rejected
* username/password half of the combination is known to potential attacker
* login prevents login to several email addresses
* acceptance to several email addresses is prevented
* no notification if primary email address has been changed
* note regarding Policy Group
* dirk: proposal: response email address exists, but isn't primary email ?
* create new account results in "email address exists"
* what is a proper response?
* requestor has to be an assurer for assure someone
* neo: for registration process captcha required
* no good solution
* for assurance only primary, for all other services allow also secondary addresses
* search needs enhancement: search not only primary, also secondary
bug #571 "need for email addresses (or link) in admin console" - proposes: Closed with solved by other bug fix
* primary and secondary email addresses are shown in admin console
bug #591 "CPS has to be improved for audit." - proposes: Closed
* CPS is a working revision also DRAFT revision included
* relates to policy repository bug# final place finding
- addtl. groups:
- OA
- CCA rollout
- TTP
bug #1025 "Domain Dispute strange behaviour / Domain Dispute issue", checked
- wrong description, problem removing domains, bugfix solves this problem
- async removal of certs by signer
- needs review and testing
- inopiae will try testing on upcoming weekend
- to test: email- and domain dispute
bug #922 "CAcert application code problem causing missing 'certificate about to expire' messages", checked
- patch seems to be ok
- white spaces cleanup
includes/account.php var $id shall be fixed within recursion, new bug #1078
- 2 tests initiated by inopiae and u60
- principle ok, but very confusing
- test reports Marcus:
- discussions, Marcus got 71 or 72 notifications
- Neo: default 5 notifications: 45d, 30d, 15d, 3d, 1d
bug #922 test report / review
- one test account, 1 client cert, 1 server cert, received 105 (1) reminders (!!!)
- 15 reminders checked, 1 for client cert, 14 for server cert (!!!)
- needs further inspection
- Bug Testing / Reporting bug #922 difficult
- Marcus writes a tool to collect Email infos from TMS
bug #1019 "Contact form does not work when logged in"
- Michael: rework contact form
- usability: 1 form, option box with public/support delivery, default support
- current form 1: public, form 2: private
- spam prevention via java, on disabled java the mail is marked [possible spam]
- mass mailing possible if adding multiple emails separated by commas
- account.php - email address from sender, no address validation, several other places it passes address validation
- neo: why not use primary email address?
- works only if logged-in
- index?id=11 has also been changed
- url was hardcoded
- account.php?id=14
- sendmail() routine in includes/mysql.php
- Findings from David
- (char) 160 is problematic in various locales, as it appears as whitespace (160 is not a particularly good val either in ISO-8859-1) in certs
- todo: doing whitelist of allowable chars
- \xA0 is a problem too (at least in Win32/64)
- todo: file a new bug#
- subjectAltName is occasionally not checked for problems
- todo: file a new bug#
4. Benny reviews
5. New SA candidates and Coders
ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before 2012-08-10 - 2012-08-11 BarCamp kiel
- ABC Benny, no fixed date set yet
- ABC David
- Heino, not yet prepared, needs first contact
- How to find coders? Experiences from the Gentoo project
6. Long Term Projects
2012-07-17 NEO: has finished IE patch, http://cacert.nhng.de/IEkeygen/keygen.html
- meeting 2012-07-24: working session: testing "Black Jack"
- marcus: tested chrome
- marcus, uli: enable-login flag set after key has been signed with unset flag on request, fixed
- 2012-07-24 working session
- NEO: (964) enable-login flag fixed, to transfer to testserver
- NEO: org-certs prob
- ben: "For the status-code error messages, please give both hex and int. Also, when the confirmation prompts are rejected, make the error message a bit more meaningful."
- "Error: Message (0x80000095 / -2147.....)"
error messages on ms website: http://msdn.microsoft.com/en-us/library/ms953432.aspx#smartcardcspcook_topic3
- magu: tests bug #964
- error messages:
- available key sizes: 512-1024 Bit (in 64 Bit steps)
Schlumberger CSP, Keysize 1024 --> 2146435043
- Infineon SICRYPT Base Smart Card CSP Keysize Nothing Error_ (-7feff92 / -2146434962)
NEO: "BlackJack" bug #964 testing from last week -> error codes
- not yet implemented
- Marek's sql class project:
- is working on charset replacement
- api project, Carsten continues with portal project not waiting for vendor-api to be delivered
- potential candidates for development
- Marek's sql class proposal
- needs probably db upgrades
- needs addtl. indices
- needs testing
- archaios
- builds daemon as unprivileged user
- vendor-api delayed
- no coders
- other projects
- related to sql class project
- portal project continues with a workaround, needs an assurer
- arbitration case on locations database orders outsourcing of find-an-assurer asap
- with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)
7. next meeting
- Tuesday, August 14th, 2012 22:00 CEST
Minutes
- Preface
- report from last board meeting - topic Arbitration
is added to upcoming board meeting 2012-08-19
Philipp not yet handled according to the Appointment of Case Managers and Arbitrators procedure
- uli: done within meeting
- ben: "For the status-code error messages, please give both hex and int. Also, when the confirmation prompts are rejected, make the error message a bit more meaningful."
- "Error: Message (0x80000095 / -2147.....)"
error messages on ms website: http://msdn.microsoft.com/en-us/library/ms953432.aspx#smartcardcspcook_topic3
- magu: tests bug #964
- error messages:
- available key sizes: 512-1024 Bit (in 64 Bit steps)
Schlumberger CSP, Keysize 1024 --> 2146435043
- Infineon SICRYPT Base Smart Card CSP Keysize Nothing Error_ (-7feff92 / -2146434962)
NEO: "BlackJack" bug #964 testing from last week -> error codes
- started implementing
bug #540 Extended Keyusage
- Ken report - how to move forward?
- Michael: cannot debug
- so probably no move forward
- uli: added report links from devel list, changed state to needs feedback
- ABC interview David
- state unknown
- probably Philipp will pickup the case
- at board meeting the interview was probably named as ABC interview
- dirk 2nd review:
neo
bug #1024 Assurer flag is not set correctly on updatesort.php run
tested by 4, ok
2 {0}
bug #1024 reviewed 2012-07-10
server.pl, too many changes to review in a working session, skipped
dirk 2nd review: bug #1024 Assurer flag is not set correctly on updatesort.php run
- michael: fix assurer flag from library
- with userid for one special user
- w/o userid, for all users
- to continue upcoming week
- see also 3.1 "Thawte points removal, final step"
- restarted review
- is ok, tested by 4
- Portal deployment
- Needs an assurer
- relation to location database
- website find an assurer
- scripted mailing for ATE invitations
- user check that data is still valid eg every 1 year
- notification at login up to 6 months not online
- notification by email if not logged in within last 6 months
bug #922 "CAcert application code problem causing missing 'certificate about to expire' messages", checked
- patch seems to be ok
- white spaces cleanup
includes/account.php var $id shall be fixed within recursion, new bug #1078
- 2 tests initiated by inopiae and u60
- principle ok, but very confusing
- test reports Marcus:
- discussions, Marcus got 71 or 72 notifications
- Neo: default 5 notifications: 45d, 30d, 15d, 3d, 1d
bug #922 test report / review
- one test account, 1 client cert, 1 server cert, received 105 (1) reminders (!!!)
- 15 reminders checked, 1 for client cert, 14 for server cert (!!!)
- needs further inspection
- Bug Testing / Reporting bug #922 difficult
- Marcus writes a tool to collect Email infos from TMS
benny will try to debug mass mailing problem with local image
- dirk to continue with 2nd review:
- what is the difference before / after patch?
- Org-Admin view own org infos
- displays Organisations, their domains, admins, state, city and others
- dirk: coding is ok, if tested ok, good to go
recommendation to check for patch bug #1070 "0001070: Certain account passwords are logged in web server error log"
arbitration still open a20120614.1
- needs testing
added to Current Tests
neo
bug #1070 Certain account passwords are logged in web server error log
patch applied on production and testserver
{0}
- dirk: review ok, good to go if tested
- still needs testing ... for agenda of upcoming meeting
- next meeting
- Tuesday, August 14th, 2012 22:00 CEST
Fixed Action Items since last or within meeting
Action Items New
benny
bug #922 will try to debug mass mailing problem with local image
{0}
all
bug #1070 Certain account passwords are logged in web server error log
2nd review done by dirk
Testing working session for agenda of upcoming meeting{0}
Action items: Meeting Action Items