To Software Software - To Software-Assessment Software/Assessment - To previous meeting - To next meeting
Minutes of the MiniTOP on the 2012-08-14
Setting
The MiniTOP will be held via telco 22:00 CEST
Attendees: Marcus, magu, uli, benny, Michael, dirk
Topics
(skip to agenda)
Action items from last meeting Meeting Action Items
Software/Assessment/ActionItems
all
proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems
see also BEAST migration https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
Proposal from Sysadm list 2013-09-06{0}
SA
documentation server cert design concept to SystemAdministration/Systems/Development/Prepare
{0}
all
{0}
BenBE, Marcus
documentation: developer git repos under github
bug #1131 history @ github
CAcertOrg @ github
started under Software/Assessment/Documentation/UpdateCycle/step1{0}
NEO
{0}
all
read x509 guide
{0}
all
bug#1068 blog problem (also relates to community)
debian lenny - edge - squeeze upgrades needed
alternate: new server with squeeze, install wordpress, transfer domain
workaround: configure your FF FAQ/BrowserClients{g}
uli
Experience points for ATE attendance
check board motions and/or trigger if not yet passed{0}
uli
Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18
current state: see Funding Landing Page
May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished{0}
All
1. next: strategy for "New Roots & Escrow" - using indirect crl's ?
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment{0}
dirk, Michael
3. next: strategy for "New Roots & Escrow" - how does debian work?
to contact, deferred to next events (?)
next round: picked up by Benedikt new proposal 2013-06-02{0}
Uli, Michael
Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png
{0}
Development, Deployment, Discussion
OAO, Ted
bug #943 change OA admin/assurer text
needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected
{-}
uli, Ted
bug #824 Org User cert fix Case study
Organisation User Certificates: Need UI improvement for proper production usage
{0}
uli, ted
bug #823 email address removal fix
No warning when removing e-mail address from account that certificates will be revoked
checked by 4, needs 2nd review, deploy
rejected{-}
inopiae
bug #920 Join - single name only (eg Indonesian)
details under bug number
{0}
uli
bug #859 admin console interface
feature request: show activity on an account in the admin interface
rejected, certs login doesn't modify "modified" field{r}
Michael
p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
uli, marcus: needs full cert create tests
duplicate report to bug#978
tested by 3, 2nd review done, transfered
Ken reported: still has problems, bug kept open{0}
gagern, NEO
bug #440 Problem with subjectAltName (CSR, renew certs)
There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development
{r}
neo
bug #1025 Domain Dispute issue
disputes rc and rc2 var prob
needs work{r}
dirk
bug #1054 0001054: Review the code regarding the new point calculation
Thawte patch part II
needs further work{r}
Software Assessors: Review 1 / add to cacert-devel, add to testserver
Software-Assessors task
Testing
Testers task
neo
bug #1004 Stats page improvement
tested by 2, needs 2nd review
{0}
neo
Bugs #1159 it might be possible to execute commands on the signing server
{0}
inopiae
bug #1065 Wrong wording when sending mails during the assurance process
{0}
inopiae
bug #1162 calcutate (the passwords) hash in php instead of in mysql
create test scenarios for the software testers
Full testing{0}
inopiae
bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails
{0}
inopiae
bug #988 TTP cap form deployment
{0}
Software Assessors: 2nd Review, Bundle Package to Critical Team
Software-Assessors task
Ted
bug #500 Get contact mail adress after resolving test
tested by 3, requires review
{0}
Ted
bug #1140 Show if a test is passed in learnprogress
tested by 3, requires review
{0}
magu
bug #1131 Rename _all_ Policies from .php to .html and fix all links
global policy directory maintenance and update
{0}
inopiae
bug #1010 Reorder the view on organisation certificates
tested by 3
{0}
Software Assessors: Bundle Package to Critical Team
Software-Assessors task
inopiae
bug #1139 Add new fields to the database
tests through #500 and #1140, 2nd review done, requires transfer
{0}
Awaiting Response from Critical Team
inopiae
bug #411 Wrong text is made into link
{g}
Agenda
1. Preface
- Cebit brainstorming
- dirk: request for events report
- (2012-03-27) Marcus awaiting translation from Marc
- (2012-06-19) Marcus: translation received, will send within the next upcoming days
- (2012-06-26) Marcus: not yet finished
- 2nd draft finished
Sat report missing, Uli sent a report 2012-03-22 (with wiki link Assurance/Procedures/RLO
- Marcus to compile final report
2. Testing session on bug 1070
Testing working session of bug #1070
all
bug #1070 Certain account passwords are logged in web server error log
patch applied on production and testserver
arbitration still open a20120614.1
2nd review done by dirk
Testing working session for agenda of upcoming meeting{0}
3. DEV on bug 1023
"Thawte points removal, final step" bug #1023
- bug #1023 Testing (6.php)
- last patch transfered to production system 2012-05-30
- what are the next steps for thawte points revoke?
- points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
- 15.php needs rename to 10.php
4. 2nd review of about 1 remaining patches
Software-Assessors task
- Benny pre-views done
neo
bug #978 Invalid SPKAC requests are not properly validated
recheck full certs signing procedures
duplicate report to bug#5405 {0}
- from meeting 2012-07-17:
- 5 patches reviewed
- 3 simple, bugs 540 (fixed), 789 (fixed), 981 (reviewed)
- 2 with some difficultys, 978 (related to bug#540), complexest one: 1024 (reviewed)
bug #978 bug 978 (weak keys) (bug 918)
- invalid key format, no regular error message, something wrong, error code # identified
- debugging infos from user + infos from critical team with error code #, was spkac routine
- one test done 2011-12-17 by JensK
uli, marcus: more tests: certs routine, weak keys (small keys test), relates to bug#540 tests
- (week 7)
neo
bug #978 Invalid SPKAC requests are not properly validated
recheck full certs signing procedures
duplicate report to bug#5405 {0}
5. Patches to transfer to production
6. Patches Overview - DEV and Testing
- Bugs under Testing
- English Translation Problems
how to handle typing error in web phrase Software/TranslationMisspelling
- "Can't continue with certificaterequest." in ../includes/account.php:341 ../includes/account.php:1482
- create shared bug
- probably make part a. and b. a. that is clear, b. that is questionable
new bug #1086
- Marcus Bugs list
see also Software/BugsOverview
bug#1023 related
bug#583 "Assure Somebody" allows future assurance dates
bug#648 send message from Assurer to Member
bug#802 Name parts should be designated in assurance form
bug#870 My Details - My Points show bugus time stamp
bug#914 Information about Practice on Name while entering an Assurance
bug#930 types wrong points in "Assure Someone" form
bug#931 Date of assurance in future don't throw any exception
bug#998 When entering an assurance in the WoT one line of the form the suffix is given in another line the suffix is missing.
bug#1000 Entering an assurance into the system after searching for an assurer causes a pre-filled location field
- Others
bug#118 Secure TTP Form upload - outdated, conflicts with new procedure, closed
bug#428 Reminder language-drop-down-box doesn't keep "English" if you choose it again - cannot be reproduced, tested by 2, closed
bug#489 Pb on rewarding 2 points for an assurance
bug#567 case sensitive email: tested by 2, cannot be confirmed, closed
bug#767 Single-quotes escaped in Web-of-Trust contact form.
- info pages to wiki pages
bug #491 "Please allow usage of "secondary" emails user ids." - proposes: Close with rejected
* username/password half of the combination is known to potential attacker * login prevents login to several email addresses * acceptance to several email addresses is prevented * no notification if primary email address has been changed * note regarding Policy Group * dirk: proposal: response email address exists, but isn't primary email ? * create new account results in "email address exists" * what is a proper response? * requestor has to be an assurer for assure someone * neo: for registration process chaptcha required * no good solution * for assurance only primary, for all other services allow also secondary addresses * search needs enhancement: search not only primary, also secondary
bug #571 "need for email addresses (or link) in admin console" - proposes: Closed with solved by other bug fix
* primary and secondary email addresses are shown in admin console
bug #591 "CPS has to be improved for audit." - proposes: Closed
* CPS is a working revision also DRAFT revision included * relates to policy repository bug# final place finding
- addtl. groups:
- OA
- CCA rollout
- TTP
bug #1025 "Domain Dispute strange behaviour / Domain Dispute issue", checked
- wrong description, problem removing domains, bugfix solves this problem
- async removal of certs by signer
- needs review and testing
- inopiae will try testing on upcoming weekend
- to test: email- and domain dispute
bug #922 "CAcert application code problem causing missing 'certificate about to expire' messages", checked
- patch seems to be ok
- white spaces cleanup
includes/account.php var $id shall be fixed within recursion, new bug #1078
- 2 tests initiated by inopiae and u60
- principle ok, but very confusing
- test reports Marcus:
- discussions, Marcus got 71 or 72 notifications
- Neo: default 5 notifications: 45d, 30d, 15d, 3d, 1d
bug #922 test report / review
- one test account, 1 client cert, 1 server cert, received 105 (1) reminders (!!!)
- 15 reminders checked, 1 for client cert, 14 for server cert (!!!)
- needs further inspection
- Bug Testing / Reporting bug #922 difficult
- Marcus writes a tool to collect Email infos from TMS
benny will try to debug mass mailing problem with local image
bug #1019 "Contact form does not work when logged in"
- Michael: rework contact form
- usability: 1 form, option box with public/support delivery, default support
- current form 1: public, form 2: private
- spam prevention via java, on disabled java the mail is marked [possible spam]
- mass mailing possible if adding multiple emails separated by commas
- account.php - email address from sender, no address validation, several other places it passes address validation
- neo: why not use primary email address?
- works only if logged-in
- index?id=11 has also been changed
- url was hardcoded
- account.php?id=14
- sendmail() routine in includes/mysql.php
- Michael: rework contact form
- Findings from David
- (char) 160 is problematic in various locales, as it appears as whitespace (160 is not a particularly good val either in ISO-8859-1) in certs
- todo: doing whitelist of allowable chars
- \xA0 is a problem too (at least in Win32/64)
- todo: file a new bug#
- subjectAltName is occasionally not checked for problems
- todo: file a new bug#
- (char) 160 is problematic in various locales, as it appears as whitespace (160 is not a particularly good val either in ISO-8859-1) in certs
7. Benny reviews
- bug #922 debugging
benny
bug #922 will try to debug mass mailing problem with local image
{0}
8. New SA candidates and Coders
ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before 2012-08-10 - 2012-08-11 BarCamp kiel
- ABC Benny, no fixed date set yet
- ABC David
- at board meeting 2012-08-05 ATE-Melbourne report by Ian the interview was probably named as ABC interview
Philipp will pickup ABC David a20120721.1
- Case closed: 2012-08-10
- Ruling:
Since this Arbitration has been aborted, no conclusions are reached. David is a person who could help CAcert a lot. Doing so in a security sensitive are is not recommended at this time.
- Heino, not yet prepared, needs first contact
- How to find coders? Experiences from the Gentoo project
- report from last board meeting - topic Arbitration
is added to upcoming board meeting 2012-08-19
9. Long Term Projects
2012-07-17 NEO: has finished IE patch, http://cacert.nhng.de/IEkeygen/keygen.html
- meeting 2012-07-24: working session: testing "Black Jack"
- marcus: tested chrome
- marcus, uli: enable-login flag set after key has been signed with unset flag on request, fixed
- 2012-07-24 working session
- NEO: (964) enable-login flag fixed, to transfer to testserver
- NEO: org-certs prob
- ben: "Bei den Fehlermeldungen der Statuscodes bitte Hex und Int angeben. Au?erdem beim Ablehnen der Best?tigungsmeldungen die Fehlermeldung etwas aussagekr?ftiger."
- "Fehler: Nachricht (0x80000095 / -2147.....)"
error messages on ms website: http://msdn.microsoft.com/en-us/library/ms953432.aspx#smartcardcspcook_topic3
- magu: tests bug #964
- error messages:
- available key sizes: 512-1024 Bit (in 64 Bit steps)
Schlumberger CSP, Keysize 1024 --> 2146435043
- Infineon SICRYPT Base Smart Card CSP Keysize Nothing Error_ (-7feff92 / -2146434962)
- error messages:
NEO: "BlackJack" bug #964 testing from last week -> error codes
- started implementing
- Marek's sql class project:
- is working on charset replacement
- api project, Carsten continues with portal project not waiting for vendor-api to be delivered
- potential candidates for development
- Marek's sql class proposal
- needs probably db upgrades
- needs addtl. indices
- needs testing
- archaios
- builds daemon as unpreviliged user
- Marek's sql class proposal
- vendor-api delayed
- no coders
- other projects
- related to sql class project
- portal project continues with a workaround, needs an assurer
- arbitration case on locations database orders outsourcing of find-an-assurer asap
- with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)
- relation to location database
- website find an assurer
- scripted mailing for ATE invitations
- user check that data is still valid eg every 1 year
- notification at login upto 6 months not online
- notification by email if not logged in within last 6 months
- potential candidates for development
10. next meeting
- Tuesday, August 14th, 2012 22:00 CEST
Minutes
- Benny tried to get dev vm running
- had problems with network settings, finaly fixed
- error "key length too short" don't redirects to new page, so session environment gets lost
- testing default crypto providers
- testing gooze crypto stick
- cacert git repository requires update
bug #1024 passed to production
- dfference seen under wot?id=1 (hidden stat)
- displays users as "is assurer: yes" and "is assurer: not yet (in red)"
Marcus testing bug #964
- some error messages fixed
Testing working session of bug #1070
all
bug #1070 Certain account passwords are logged in web server error log
patch applied on production and testserver
arbitration still open a20120614.1
2nd review done by dirk
Testing working session for agenda of upcoming meeting{0}
- from testing side, good to go
- pass back to arbitration
- bug #922 debugging
- probably distinct missing in sql query
- current production: notifications not rcvd
- emails on ca-mgr1 reset, done
- blog post for bug #1024 ?
- Marcus will do
- Marcus: cap, ttpcap generation outsourcing to portal server?
- New SA candidates and Coders
ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before 2012-08-10 - 2012-08-11 BarCamp kiel
- ABC Benny, no fixed date set yet
- potential dates: 2012-09-08 mrmcd or 2012-09-15 Itzehoe
- ABC David
- at board meeting 2012-08-05 ATE-Melbourne report by Ian the interview was probably named as ABC interview
Philipp will pickup ABC David a20120721.1
- Case closed: 2012-08-10
- Ruling:
Since this Arbitration has been aborted, no conclusions are reached. David is a person who could help CAcert a lot. Doing so in a security sensitive are is not recommended at this time.
- next meeting
- Tuesday, August 21st, 2012 22:00 CEST
Fixed Action Items since last or within meeting
neo
bug #1024 Assurer flag is not set correctly on updatesort.php run
tested by 4, ok
2nd review done by dirk2 {g}
inopiae
New layout of view for Organisation Administrators in account/id35
5 {g}
benny, NEO
bug #922 will try to debug mass mailing problem with local image
mass mailing prob fixed, continue testing
{g}
all
bug #1070 Certain account passwords are logged in web server error log
2nd review done by dirk
Testing working session for agenda of upcoming meetingready to go
{g}
Action Items New
NEO
cacert git repository requires update
{0}
Wytze, NEO
bug #1070 Certain account passwords are logged in web server error log
patch applied on production and testserver
arbitration still open a20120614.1
2nd review done by dirk
from testing side, good to go
pass back to arbitration{0}
Action items: Meeting Action Items