To Software Software - To Software-Assessment Software/Assessment - To previous meeting - To next meeting
Minutes of the MiniTOP on the 2012-09-18
Setting
The MiniTOP will be held via telco 22:00 CEST
Attendees: Benny, Marcus, Uli, Timo, magu, Michael, dirk
Topics
(skip to agenda)
Action items from last meeting Meeting Action Items
Software/Assessment/ActionItems
all
proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems
see also BEAST migration https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
Proposal from Sysadm list 2013-09-06{0}
SA
documentation server cert design concept to SystemAdministration/Systems/Development/Prepare
{0}
all
{0}
BenBE, Marcus
documentation: developer git repos under github
bug #1131 history @ github
CAcertOrg @ github
started under Software/Assessment/Documentation/UpdateCycle/step1{0}
NEO
{0}
all
read x509 guide
{0}
all
bug#1068 blog problem (also relates to community)
debian lenny - edge - squeeze upgrades needed
alternate: new server with squeeze, install wordpress, transfer domain
workaround: configure your FF FAQ/BrowserClients{g}
uli
Experience points for ATE attendance
check board motions and/or trigger if not yet passed{0}
uli
Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18
current state: see Funding Landing Page
May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished{0}
All
1. next: strategy for "New Roots & Escrow" - using indirect crl's ?
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment{0}
dirk, Michael
3. next: strategy for "New Roots & Escrow" - how does debian work?
to contact, deferred to next events (?)
next round: picked up by Benedikt new proposal 2013-06-02{0}
Uli, Michael
Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png
{0}
Development, Deployment, Discussion
OAO, Ted
bug #943 change OA admin/assurer text
needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected
{-}
uli, Ted
bug #824 Org User cert fix Case study
Organisation User Certificates: Need UI improvement for proper production usage
{0}
uli, ted
bug #823 email address removal fix
No warning when removing e-mail address from account that certificates will be revoked
checked by 4, needs 2nd review, deploy
rejected{-}
inopiae
bug #920 Join - single name only (eg Indonesian)
details under bug number
{0}
uli
bug #859 admin console interface
feature request: show activity on an account in the admin interface
rejected, certs login doesn't modify "modified" field{r}
Michael
p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
uli, marcus: needs full cert create tests
duplicate report to bug#978
tested by 3, 2nd review done, transfered
Ken reported: still has problems, bug kept open{0}
gagern, NEO
bug #440 Problem with subjectAltName (CSR, renew certs)
There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development
{r}
neo
bug #1025 Domain Dispute issue
disputes rc and rc2 var prob
needs work{r}
dirk
bug #1054 0001054: Review the code regarding the new point calculation
Thawte patch part II
needs further work{r}
Software Assessors: Review 1 / add to cacert-devel, add to testserver
Software-Assessors task
Testing
Testers task
neo
bug #1004 Stats page improvement
tested by 2, needs 2nd review
{0}
neo
Bugs #1159 it might be possible to execute commands on the signing server
{0}
inopiae
bug #1065 Wrong wording when sending mails during the assurance process
{0}
inopiae
bug #1162 calcutate (the passwords) hash in php instead of in mysql
create test scenarios for the software testers
![/!\](/moin_static199/cacert/img/alert.png "/!\")
Full testing {0}
inopiae
bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails
{0}
inopiae
bug #988 TTP cap form deployment
{0}
Software Assessors: 2nd Review, Bundle Package to Critical Team
Software-Assessors task
Ted
bug #500 Get contact mail adress after resolving test
tested by 3, requires review
{0}
Ted
bug #1140 Show if a test is passed in learnprogress
tested by 3, requires review
{0}
magu
bug #1131 Rename _all_ Policies from .php to .html and fix all links
global policy directory maintenance and update
{0}
inopiae
bug #1010 Reorder the view on organisation certificates
tested by 3
{0}
Software Assessors: Bundle Package to Critical Team
Software-Assessors task
inopiae
bug #1139 Add new fields to the database
tests through #500 and #1140, 2nd review done, requires transfer
{0}
Awaiting Response from Critical Team
inopiae
bug #411 Wrong text is made into link
{g}
Agenda
1. Preface
- Cebit brainstorming
- dirk: request for events report
- (2012-03-27) Marcus awaiting translation from Marc
- (2012-06-19) Marcus: translation received, will send within the next upcoming days
- (2012-06-26) Marcus: not yet finished
- 2nd draft finished
Sat report missing, Uli sent a report 2012-03-22 (with wiki link Assurance/Procedures/RLO
- Marcus to compile final report
- will do Froscon report too
- barbados: /account/index.php 17 - transfer to java
- dirk proposal: certs w/o roots
- add fingerprints of servers to a wiki page
- no one understands realy what dirk means ....
Encoding problem of Simplified Chinese
Simplified Chinese version of cacert.org is encoded in GB18030 (an encoding specific to simplified Chinese and incompatible with UTF-8) and lacks a <meta charset="gb18030"/> in the <head>. Since most browsers assume UTF-8 encoding nowadays, it causes garbaged text and requires manual adjusting of encoding. This can be fixed by either adding a aforementioned <meta> tag or converting to UTF-8 (or better still, do both).
2. DEV on bug 1023/1054 "Thawte Patch"
"Thawte points removal, final step" bug #1023
- bug #1023 Testing (6.php)
- last patch transfered to production system 2012-05-30
- what are the next steps for thawte points revoke?
- points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
- 15.php needs rename to 10.php
next step in: bug #1054 Review the code regarding the new point calculation in ./includes/general.php (current state: testing)
- email debug notification, search for other solution
testing scenarios: see bug note c3163
- some explanations
- assure someone - f2f, ttp, the sentence "Only tick the next box if the Assurance was face to face" is conflicting, fixed
- ongoing testing
3. 2nd review of about again 4 remaining patches
Software-Assessors task
- Benny pre-views done
neo
bug #978 Invalid SPKAC requests are not properly validated
recheck full certs signing procedures
duplicate report to bug#5405 {0}
- from meeting 2012-07-17:
- 5 patches reviewed
- 3 simple, bugs 540 (fixed), 789 (fixed), 981 (reviewed)
- 2 with some difficultys, 978 (related to bug#540), complexest one: 1024 (reviewed)
bug #978 bug 978 (weak keys) (bug 918)
- invalid key format, no regular error message, something wrong, error code # identified
- debugging infos from user + infos from critical team with error code #, was spkac routine
- one test done 2011-12-17 by JensK
uli, marcus: more tests: certs routine, weak keys (small keys test), relates to bug#540 tests
- (week 7)
neo
bug #978 Invalid SPKAC requests are not properly validated
recheck full certs signing procedures
duplicate report to bug#5405 {0}
neo
bug #1004 Stats page improvement
tested by 2, needs 2nd review
{0}
neo
bug #1091 contact assurer improvement
tested by 2, needs 2nd review
{0}
neo
bug #860 someone accessed your password and secret questions notification
tested by 2, needs 2nd review
{0}
- awaiting transfer to production system
4. Patches Overview - DEV and Testing
- Bugs under Testing
bug#1004, stats, Marcus + Uli did some tests, one problem identified
- English Translation Problems
how to handle typing error in web phrase Software/TranslationMisspelling
- "Can't continue with certificaterequest." in ../includes/account.php:341 ../includes/account.php:1482
- create shared bug
- probably make part a. and b. a. that is clear, b. that is questionable
new bug #1086
- Marcus Bugs list
see also Software/BugsOverview
bug#1023 related
bug#583 "Assure Somebody" allows future assurance dates
bug#648 send message from Assurer to Member
bug#802 Name parts should be designated in assurance form
bug#870 My Details - My Points show bugus time stamp
bug#914 Information about Practice on Name while entering an Assurance
bug#930 types wrong points in "Assure Someone" form
bug#931 Date of assurance in future don't throw any exception
bug#998 When entering an assurance in the WoT one line of the form the suffix is given in another line the suffix is missing.
bug#1000 Entering an assurance into the system after searching for an assurer causes a pre-filled location field
- Others
bug#118 Secure TTP Form upload - outdated, conflicts with new procedure, closed
bug#428 Reminder language-drop-down-box doesn't keep "English" if you choose it again - cannot be reproduced, tested by 2, closed
bug#489 Pb on rewarding 2 points for an assurance
bug#567 case sensitive email: tested by 2, cannot be confirmed, closed
bug#767 Single-quotes escaped in Web-of-Trust contact form.
- info pages to wiki pages
bug #491 "Please allow usage of "secondary" emails user ids." - proposes: Close with rejected
* username/password half of the combination is known to potential attacker * login prevents login to several email addresses * acceptance to several email addresses is prevented * no notification if primary email address has been changed * note regarding Policy Group * dirk: proposal: response email address exists, but isn't primary email ? * create new account results in "email address exists" * what is a proper response? * requestor has to be an assurer for assure someone * neo: for registration process chaptcha required * no good solution * for assurance only primary, for all other services allow also secondary addresses * search needs enhancement: search not only primary, also secondary
bug #571 "need for email addresses (or link) in admin console" - proposes: Closed with solved by other bug fix
* primary and secondary email addresses are shown in admin console
bug #591 "CPS has to be improved for audit." - proposes: Closed
* CPS is a working revision also DRAFT revision included * relates to policy repository bug# final place finding
- addtl. groups:
- OA
- CCA rollout
- TTP
bug #1025 "Domain Dispute strange behaviour / Domain Dispute issue", checked
- wrong description, problem removing domains, bugfix solves this problem
- async removal of certs by signer
- needs review and testing
- inopiae will try testing on upcoming weekend
- to test: email- and domain dispute
- bug 1025, needs testing
bug #922 "CAcert application code problem causing missing 'certificate about to expire' messages", checked
- patch seems to be ok
- white spaces cleanup
includes/account.php var $id shall be fixed within recursion, new bug #1078
- 2 tests initiated by inopiae and u60
- principle ok, but very confusing
- test reports Marcus:
- discussions, Marcus got 71 or 72 notifications
- Neo: default 5 notifications: 45d, 30d, 15d, 3d, 1d
bug #922 test report / review
- one test account, 1 client cert, 1 server cert, received 105 (1) reminders (!!!)
- 15 reminders checked, 1 for client cert, 14 for server cert (!!!)
- needs further inspection
- Bug Testing / Reporting bug #922 difficult
- Marcus writes a tool to collect Email infos from TMS
benny will try to debug mass mailing problem with local image
- bug #922 debugging
- probably distinct missing in sql query
- continue testing
- current production: notifications not rcvd
- emails on ca-mgr1 reset, done
- Findings from David
- (char) 160 is problematic in various locales, as it appears as whitespace (160 is not a particularly good val either in ISO-8859-1) in certs
- todo: doing whitelist of allowable chars
- \xA0 is a problem too (at least in Win32/64)
- todo: file a new bug#
- subjectAltName is occasionally not checked for problems
- todo: file a new bug#
- (char) 160 is problematic in various locales, as it appears as whitespace (160 is not a particularly good val either in ISO-8859-1) in certs
- Thawte patch part II
dirk
bug #1054 0001054: Review the code regarding the new point calculation
Thawte patch part II
{0}
Uli, Marcus: continued Thawte patch part II bug #1054 testing
according to bug #1054 test matrix
- still ongoing
- requires action by Ted to transfer CATS results from ca-mgr1 to cacert1 testserver, done
bug #1017 Chrome certificate enrollement (relates to #964 "Black Jack")
- updated
- /account.php?id=6 list 3 options
- Install the certificate into your browser
- Download the certificate in PEM format
- Download the certificate in DER format
new bug #1095 "Problems with creating server sertificate where the csr is created with Java SDK Tools"
- cmdline sample: keytool -genkey -alias test.test.net -keyalg RSA -keystore test.test.net.ks -validity 1095
- NEO couldn't reproduce the problem using keytool, tested against production and testserver
5. Benny reviews
6. New SA candidates and Coders
ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before 2012-08-10 - 2012-08-11 BarCamp kiel
- potential dates: 2012-09-08 mrmcd or 2012-09-15 Itzehoe
- ABC Benny, Philipp picked up, interview Uli can do F2F at weekend 14-16 Sept., but needs instructed by PD
- interview passed
- Heino, not yet prepared, needs first contact
- How to find coders? Experiences from the Gentoo project
- report from last board meeting - topic Arbitration
is added to upcoming board meeting 2012-08-19
7. Long Term Projects
2012-07-17 NEO: has finished IE patch, http://cacert.nhng.de/IEkeygen/keygen.html
- meeting 2012-07-24: working session: testing "Black Jack"
- marcus: tested chrome
- marcus, uli: enable-login flag set after key has been signed with unset flag on request, fixed
- 2012-07-24 working session
- NEO: (964) enable-login flag fixed, to transfer to testserver
- NEO: org-certs prob
- ben: "Bei den Fehlermeldungen der Statuscodes bitte Hex und Int angeben. Au?erdem beim Ablehnen der Best?tigungsmeldungen die Fehlermeldung etwas aussagekr?ftiger."
- "Fehler: Nachricht (0x80000095 / -2147.....)"
error messages on ms website: http://msdn.microsoft.com/en-us/library/ms953432.aspx#smartcardcspcook_topic3
- magu: tests bug #964
- error messages:
- available key sizes: 512-1024 Bit (in 64 Bit steps)
Schlumberger CSP, Keysize 1024 --> 2146435043
- Infineon SICRYPT Base Smart Card CSP Keysize Nothing Error_ (-7feff92 / -2146434962)
- error messages:
NEO: "BlackJack" bug #964 testing from last week -> error codes
- started implementing
Marcus testing bug #964 in meeting 2012-08-14
- some error messages fixed
- Magu to test
- Marek's sql class project:
- is working on charset replacement
- api project, Carsten continues with portal project not waiting for vendor-api to be delivered
- potential candidates for development
- Marek's sql class proposal
- needs probably db upgrades
- needs addtl. indices
- needs testing
- archaios
- builds daemon as unpreviliged user
- Marek's sql class proposal
- vendor-api delayed
- no coders
- other projects
- related to sql class project
- portal project continues with a workaround, needs an assurer
- arbitration case on locations database orders outsourcing of find-an-assurer asap
- with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)
- relation to location database
- website find an assurer
- scripted mailing for ATE invitations
- user check that data is still valid eg every 1 year
- notification at login upto 6 months not online
- notification by email if not logged in within last 6 months
- potential candidates for development
8. next meeting
- Tuesday, September 25th, 2012 22:00 CEST
Minutes
- Preface
- Marcus Event reports, not yet finished
- bug #1019 passed to production this week
- csr request for portal, for www.cacert.eu and cacert.eu passed
- Neo: who has msi experiences?
- relates to Install Roots plugin
- 2nd reviews: next
neo
bug #1091 contact assurer improvement
tested by 2, needs 2nd review
{0}
- 1091: unclean EOL, give info to support in case of spamming/pishing
- DEV on bug 1023/1054 "Thawte Patch"
checked open test scenarios bug 1054 test matrix
- DEV on bug 1054 "Thawte Patch" (update 2012-09-18)
- new patches by dirk, pushed to cacert-devel, testserver
- tverify removed
merge conflict with account id 60 (eg email removal), see bug #823
- max_points() routine replaced by new max_points() routine
- get_assurer_status(), output_summary_content() with parameter 0 replaced by max_points()
- received_points()
- general rewrite of get info from csr routine in includes/general.php (bug 1054, bug 440)
- Timo will check
- Timo: Unit-test testsystem, phpunit jenkins
- can we merge both environments? frontend tests and unit tests?
- dirk proposal: certs w/o roots
- add fingerprints of servers to a wiki page
- no one understands realy what dirk means ....
- for each webserver you can approve the server cert individualy
- proposal to list fingerprints of default webservers from CAcert
- Neo: much work, unsecure link (to the wiki), to get the fingerprints needs a secure channel
- wiki page with list of issued certs (admin page exist), but "unsecure" page
- general boot straping problem
- proposal: download cert over unsecure channel, check fingerprint, then you can use the secure channel
pages to update: www, secure, wiki, community under Current Cerctificate List
- NEO: bug #1097 fix avail, to test
neo
bug #1097 Special characters which have no HTML-entities are not properly escaped
needs testing
{0}
- crypto stick
- xca not simple usable, not dau compatible
- under linux not simple usable, install ppa's, initialize and so on, not dau compatible
- 1054 next tests
- continue with open test cases
- add new test scenarios of 2010-09-18 update
- next meeting:
- Tuesday, September 25th, 2012 22:00 CEST
Fixed Action Items since last or within meeting
neo
bug #1019 Contact form does not work when logged in
tested by 3, needs 2nd review
{g}
Action Items New
Action items: Meeting Action Items