• Software
• Assessment
• 20120925-S-A-MiniTOP

• To Software Software - To Software-Assessment Software/Assessment - To previous meeting - To next meeting

Minutes of the MiniTOP on the 2012-09-25

Setting

The MiniTOP will be held via telco 22:00 CEST

Attendees: uli, benbe, timo, Marcus, Michael, dirk

Topics

(skip to agenda)

Action items from last meeting Meeting Action Items

Agenda

1. Preface

2. DEV on bug 1023/1054 "Thawte Patch"

• "Thawte points removal, final step" bug #1023

  • bug #1023 Testing (6.php)
• last patch transfered to production system 2012-05-30
• what are the next steps for thawte points revoke?
  • points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
  • 15.php needs rename to 10.php

• next step in: bug #1054 Review the code regarding the new point calculation in ./includes/general.php (current state: testing)

  • email debug notification, search for other solution

  • testing scenarios: see bug note c3163

    • some explanations
  • assure someone - f2f, ttp, the sentence "Only tick the next box if the Assurance was face to face" is conflicting, fixed
  • new patches by dirk, pushed to cacert-devel, (update 2012-09-18)
  • tverify removed (?)

  • merge conflict with account id 60 (eg email removal), see bug #823

  • max_points() routine replaced by new max_points() routine
  • get_assurer_status(), output_summary_content() with parameter 0 replaced by max_points()
  • received_points()

3. 2nd review of about again 4 remaining patches

• Software-Assessors task

• Benny pre-views done

  • neo

    bug #978 Invalid SPKAC requests are not properly validated

    recheck full certs signing procedures duplicate report to bug#540

    5 {0}

  • from meeting 2012-07-17:
    • 5 patches reviewed
    • 3 simple, bugs 540 (fixed), 789 (fixed), 981 (reviewed)
    • 2 with some difficultys, 978 (related to bug#540), complexest one: 1024 (reviewed)

• bug #978 bug 978 (weak keys) (bug 918)

  • invalid key format, no regular error message, something wrong, error code # identified
  • debugging infos from user + infos from critical team with error code #, was spkac routine
  • one test done 2011-12-17 by JensK

  • uli, marcus: more tests: certs routine, weak keys (small keys test), relates to bug#540 tests

  • (week 7)

• bug#1004, stats, Marcus + Uli did some tests, one problem identified, fixed 2012-08-25 by NEO

  • fully re-tested by 2: 2012-08-25 (at froscon)

• bug #1091 contact assurer improvement

  • 2nd review still started by dirk two times within last 3 weeks

  neo	bug #1091 contact assurer improvement	tested by 2, needs 2nd review	{0} 1
  neo	bug #978 Invalid SPKAC requests are not properly validated	recheck full certs signing procedures duplicate report to bug#540	5 {0}
  neo	bug #1004 Stats page improvement	tested by 2, needs 2nd review	{0}
  neo	bug #860 someone accessed your password and secret questions notification	tested by 2, needs 2nd review	{0}
  gagern, neo	bug #440 Problem with subjectAltName	tested, needs 2nd review	{0}

4. Patches Overview - Testing

1. bug #835 CATS test on testserver http://cats1.it-sls.de/

   • create client cert

   • go over to http://cats1.it-sls.de/ pass a cats test

   • inform Ted to trigger a transfer of the tests to the testserver
   • check if CATS test passed to testserver
   • test with different accounts
     1. members age GT 18

        1. member < 100 pts, pass the CATS test

        2. member >= 100 pts, pass the CATS test

     2. members age GT 14 and LT 18

        1. member < 100 pts, pass the CATS test

        2. member >= 100 pts, pass the CATS test

     3. members age LT 14

        1. member < 100 pts, pass the CATS test

        2. member >= 100 pts, pass the CATS test

   • finish and report the tests, no need to transfer to production

2. Problem with subjectAltName: bugs: bug #440, bug #1054, test 1054.3.6, bug #1035

   • create several types of certs (client certs, server certs, org client certs, org server certs) and analyse the content of the certs -> subjectAltName and CN with single SAN and multiple SANs

   • renew the certs

3. bug #922 missing "certificate about to expire" messages

   • you can use previous test to also check "certificate about to expire" messages

4. bug #964 and bug #1017, relates also to bug #1054, test 1054.3.6 - Chrome certificate enrollement (relates to #964 "Black Jack")

   • create client certs, go to signing routine
   • new routine with 3 different potential signed public key download routines /account.php?id=6 list 3 options
     1. Install the certificate into your browser (tested)
     2. Download the certificate in PEM format
     3. Download the certificate in DER format

5. bug #1054 (Thawte patch) tests passed ?

6. Marcus Bugs list

   • see Software/BugsOverview

7. new bug #1095 "Problems with creating server sertificate where the csr is created with Java SDK Tools"

   • cmdline sample: keytool -genkey -alias test.test.net -keyalg RSA -keystore test.test.net.ks -validity 1095
   • NEO couldn't reproduce the problem using keytool, tested against production and testserver

5. New SA candidates and Coders

1. ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before 2012-08-10 - 2012-08-11 BarCamp kiel

   • ABC Benny passed/closed

2. Heino, not yet prepared, needs first contact
3. How to find coders? Experiences from the Gentoo project

   • http://redmonk.com/dberkholz/2012/07/10/how-to-recruit-open-source-contributors/

   • http://www.slideshare.net/dberkholz/lessons-on-recruiting-open-source-contributors-from-the-google-summer-of-code

   • use as blueprint for other recruits?
4. report from last board meeting - topic Arbitration

   • is added to upcoming board meeting 2012-08-19

6. Long Term Projects

1. NEO: "BlackJack" bug #964

   • how does bug #1017 relate to this bug?

   • NEO: "BlackJack" bug #964 testing from last week -> error codes

     • started implementing
2. Marek's sql class project:
   • is working on charset replacement
3. api project, Carsten continues with portal project not waiting for vendor-api to be delivered
   • vendor-api delayed
     • no coders
     • other projects
     • related to sql class project
   • portal project continues with a workaround, needs an assurer
     • arbitration case on locations database orders outsourcing of find-an-assurer asap
     • with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)
     • relation to location database
       1. website find an assurer
       2. scripted mailing for ATE invitations
     • user check that data is still valid eg every 1 year
       • notification at login upto 6 months not online
       • notification by email if not logged in within last 6 months
4. Automated testing system
   • Timo: Unit-test testsystem, phpunit jenkins

   • http://ci.partkeepr.org/job/PartKeepr/

   • https://github.com/NEOatNHNG/cacert-frontendtests

   • can we merge both environments? frontend tests and unit tests?

7. next meeting

• Tuesday, October 2nd, 2012 22:00 CEST

Minutes

1. Preface

   1. BenBe reviewed repo changes from within last 2 weeks

      • found bug #1023 "Thawte Patch" changes
      • mysql query, bug 967 1e98bc7a
      • includes/account.php: lines 2295, 2296; related to line 2259 ?
      • new function to document (description, input parameters, output parameters)
   2. timo: signer monitoring?
   3. BenBE: 453ad50d line 77: is there a missing [=] ???
   4. scripted mailings source (with win-line-endings), can be removed after some time

   5. commit message: bug <number> text

2. bug 1054 "Thawte Patch" testing
   • u60 stumbled over bug 440, 1017, 1035 bugs in testing
   • parse routines, get_alt, get_cn checks domains etc

3. bug 440 review -> dirk

   • not started, not finished
4. neo sent msi package for testing to u60, benbe

   • >openssl sha1 CAcert_Root_Certificates.msi
     SHA1(CAcert_Root_Certificates.msi)= f95043eb19828d3d1bce671dbc944c80cf41ba16
     >openssl dgst -sha256 CAcert_Root_Certificates.msi
     SHA256(CAcert_Root_Certificates.msi)= c59901773f79929e675e9ebc1ac4d723a02220fcc4465304bab4557305ba8cf4

5. bug #922 missing "certificate about to expire" messages

   • notification expected: 1d, 15d, 30d, 45d

6. new bug #1095 "Problems with creating server sertificate where the csr is created with Java SDK Tools"

   • cmdline sample: keytool -genkey -alias test.test.net -keyalg RSA -keystore test.test.net.ks -validity 1095
   • NEO couldn't reproduce the problem using keytool, tested against production and testserver
   • identified as weak key usage: csr used MD2 encryption, not or no longer supported by openssl

7. NEO: "BlackJack" bug #964

   • how does bug #1017 relate to this bug?

   • NEO: "BlackJack" bug #964 testing from last week -> error codes

     • started implementing
   • cert signing routine
     • ie5 ie6 automatic storage of signed key in local keystore
     • doesn't work under vista, win7
     • msi package is to download and import the keys to the local keystore under vista, win7

     • relates to bug #1099 but is quite different

8. next meeting
   • Tuesday, October 2nd, 2012 22:00 CEST

Fixed Action Items since last or within meeting

Action Items New

Action items: Meeting Action Items

• CategorySoftwareAssessment