To Software Software - To Software-Assessment Software/Assessment - To previous meeting - To next meeting
Minutes of the MiniTOP on the 2012-10-30
Setting
The MiniTOP will be held via telco 22:00 CET (21:00 UTC)
Attendees: BenBe, uli, marcus, michael, dirk
Topics
(skip to agenda)
Action items from last meeting Meeting Action Items
Software/Assessment/ActionItems
all
proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems
see also BEAST migration https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
Proposal from Sysadm list 2013-09-06{0}
SA
documentation server cert design concept to SystemAdministration/Systems/Development/Prepare
{0}
all
{0}
BenBE, Marcus
documentation: developer git repos under github
bug #1131 history @ github
CAcertOrg @ github
started under Software/Assessment/Documentation/UpdateCycle/step1{0}
NEO
{0}
all
read x509 guide
{0}
all
bug#1068 blog problem (also relates to community)
debian lenny - edge - squeeze upgrades needed
alternate: new server with squeeze, install wordpress, transfer domain
workaround: configure your FF FAQ/BrowserClients{g}
uli
Experience points for ATE attendance
check board motions and/or trigger if not yet passed{0}
uli
Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18
current state: see Funding Landing Page
May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished{0}
All
1. next: strategy for "New Roots & Escrow" - using indirect crl's ?
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment{0}
dirk, Michael
3. next: strategy for "New Roots & Escrow" - how does debian work?
to contact, deferred to next events (?)
next round: picked up by Benedikt new proposal 2013-06-02{0}
Uli, Michael
Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png
{0}
Development, Deployment, Discussion
OAO, Ted
bug #943 change OA admin/assurer text
needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected
{-}
uli, Ted
bug #824 Org User cert fix Case study
Organisation User Certificates: Need UI improvement for proper production usage
{0}
uli, ted
bug #823 email address removal fix
No warning when removing e-mail address from account that certificates will be revoked
checked by 4, needs 2nd review, deploy
rejected{-}
inopiae
bug #920 Join - single name only (eg Indonesian)
details under bug number
{0}
uli
bug #859 admin console interface
feature request: show activity on an account in the admin interface
rejected, certs login doesn't modify "modified" field{r}
Michael
p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
uli, marcus: needs full cert create tests
duplicate report to bug#978
tested by 3, 2nd review done, transfered
Ken reported: still has problems, bug kept open{0}
gagern, NEO
bug #440 Problem with subjectAltName (CSR, renew certs)
There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development
{r}
neo
bug #1025 Domain Dispute issue
disputes rc and rc2 var prob
needs work{r}
dirk
bug #1054 0001054: Review the code regarding the new point calculation
Thawte patch part II
needs further work{r}
Software Assessors: Review 1 / add to cacert-devel, add to testserver
Software-Assessors task
Testing
Testers task
neo
bug #1004 Stats page improvement
tested by 2, needs 2nd review
{0}
neo
Bugs #1159 it might be possible to execute commands on the signing server
{0}
inopiae
bug #1065 Wrong wording when sending mails during the assurance process
{0}
inopiae
bug #1162 calcutate (the passwords) hash in php instead of in mysql
create test scenarios for the software testers
![/!\](/moin_static199/cacert/img/alert.png "/!\")
Full testing {0}
inopiae
bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails
{0}
inopiae
bug #988 TTP cap form deployment
{0}
Software Assessors: 2nd Review, Bundle Package to Critical Team
Software-Assessors task
Ted
bug #500 Get contact mail adress after resolving test
tested by 3, requires review
{0}
Ted
bug #1140 Show if a test is passed in learnprogress
tested by 3, requires review
{0}
magu
bug #1131 Rename _all_ Policies from .php to .html and fix all links
global policy directory maintenance and update
{0}
inopiae
bug #1010 Reorder the view on organisation certificates
tested by 3
{0}
Software Assessors: Bundle Package to Critical Team
Software-Assessors task
inopiae
bug #1139 Add new fields to the database
tests through #500 and #1140, 2nd review done, requires transfer
{0}
Awaiting Response from Critical Team
inopiae
bug #411 Wrong text is made into link
{g}
Agenda
1. Preface
2. DEV on bug 1023/1054 "Thawte Patch"
"Thawte points removal, final step" bug #1023
- bug #1023 Testing (6.php)
- last patch transfered to production system 2012-05-30
- what are the next steps for thawte points revoke?
- points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
- 15.php needs rename to 10.php
next step in: bug #1054 Review the code regarding the new point calculation in ./includes/general.php (current state: testing)
- email debug notification, search for other solution
testing scenarios: see bug note c3163
- some explanations
- assure someone - f2f, ttp, the sentence "Only tick the next box if the Assurance was face to face" is conflicting, fixed
- new patches by dirk, pushed to cacert-devel, (update 2012-09-18)
- tverify removed (?)
merge conflict with account id 60 (eg email removal), see bug #823
- max_points() routine replaced by new max_points() routine
- get_assurer_status(), output_summary_content() with parameter 0 replaced by max_points()
- received_points()
- Status testing ?
3. 2nd review of about again 4 remaining patches
Software-Assessors task
bug #978 Invalid SPKAC requests are not properly validated
neo
bug #978 Invalid SPKAC requests are not properly validated
recheck full certs signing procedures
duplicate report to bug#5405 {0}
bug #978 bug 978 (weak keys) (bug 918)
- invalid key format, no regular error message, something wrong, error code # identified
- debugging infos from user + infos from critical team with error code #, was spkac routine
- one test done 2011-12-17 by JensK
uli, marcus: more tests: certs routine, weak keys (small keys test), relates to bug#540 tests
2012-10-16: bug #540 no new findings regarding iOS5 problem
recheck full certs signing procedures
duplicate report to bug#540- routines that checks for weak keys
- new in lib runcommand()
- cleanup in other functions
-> BenBe, assigned
bug #1004 Stats page improvement
- stats, Marcus + Uli did some tests, one problem identified, fixed 2012-08-25 by NEO
- fully re-tested by 2: 2012-08-25 (at froscon)
- needs 2nd review
- moved out to cron job routine
-> BenBe, assigned
bug #860 someone accessed your password and secret questions notification
- tested by 2, needs 2nd review
- strings to translate, gettext combined
-> BenBe, assigned
bug #922 missing "certificate about to expire" messages
- you can use previous test to also check "certificate about to expire" messages
- notification expected: 1d, 15d, 30d, 45d
- Uli: Marcus plz test again
- Marcus+Uli: plz add serno of cert about to expire into the message text
- NEO: added serno on Oct 2nd
- Uli: 15d notification rcvd at 5th, 6th Oct, last 1d expiry warning expected: Oct 19, passed ok
- moved to 2nd review
BenBe: 922 2nd review, currently busy, feels not ready to review this patch
tested by 2, needs 2nd review, BenBe passed to other SA
-> dirk, assigned
neo, BenBe
bug #978 Invalid SPKAC requests are not properly validated
recheck full certs signing procedures
duplicate report to bug#540{0}
neo, BenBe
bug #1004 Stats page improvement
tested by 2, needs 2nd review
{0}
neo, BenBe
bug #860 someone accessed your password and secret questions notification
tested by 2, needs 2nd review
{0}
neo, dirk
bug #922 missing "certificate about to expire" messages
tested, reviewed by 2, needs 2nd review
{0}
defered
4. Patches Overview - Testing, Development
bug #1054, test 1054.3.6, bug #1035
create several types of certs (client certs, server certs, org client certs, org server certs) and analyse the content of the certs -> subjectAltName and CN with single SAN and multiple SANs
- renew the certs
addtl. tests ? Marcus? Magu? BenBe?
- 2012-10-02 dirk: problems with git push #1054, got fixed
- DEV on bug 1023/1054 "Thawte Patch"
- check last changes by dirk to transfer into test scenarios
see reference notes note 3225 on bug #1101 and note 3245 on bug #1101
bug #964 and bug #1017
, relates also to bug #1054, test 1054.3.6 - Chrome certificate enrollement (relates to #964 "Black Jack") - create client certs, go to signing routine
- new routine with 3 different potential signed public key download routines /account.php?id=6 list 3 options
- Install the certificate into your browser (tested)
- Download the certificate in PEM format
- Download the certificate in DER format
bug #1017 Chrome certificate enrollement
BenBe will pickup
bug #1017, doing some more tests?
- new routine with 3 different potential signed public key download routines /account.php?id=6 list 3 options
- Install the certificate into your browser (tested)
- Download the certificate in PEM format
- Download the certificate in DER format
- Alex, Marcus doing some more tests
- new routine with 3 different potential signed public key download routines /account.php?id=6 list 3 options
bug #1054 (Thawte patch) tests passed ?
- Marcus Bugs list
according to Bugs # 976
- 0000976: List of update request for webdb database structure upgrade with tables / fields
addtl_notes table hasn't been added in patch bug 976 on 2011-11-25
- OU info from Org cert not stored
addtl_notes table hasn't been added in patch bug 976 on 2011-11-25
- extend org certs table ? new bug?
- OU in subject?
- includes/account.php (17)
- in org certs it is in subject
- addtl. field ou ? new bug# ?
- used bug #1010
new bug #1095 "Problems with creating server sertificate where the csr is created with Java SDK Tools"
- cmdline sample: keytool -genkey -alias test.test.net -keyalg RSA -keystore test.test.net.ks -validity 1095
- NEO couldn't reproduce the problem using keytool, tested against production and testserver
- identified as weak key usage: csr used MD2 encryption, not or no longer supported by openssl, add new error message
bug #440, bug #1101 (extract CSR) (back under development)
- ASN.1 format
- CSR extract: needed for signing: email address, hostname
- Timo will write a CSR parser
- Current:
- CN will be parsed
- some information about public key
- ASN.1 php library
- Whats about UTF-8 ?
- IDN's
Policy: p20091108 CPS to drop assurer critieria and allow IDN certificates in specified TLD or single script character sets
Assurance Handbook - Some more Information
Code signing and IDN certificates If you are an Assurer, you can get certificates signed/issued by CAcert for code signing and IDNs (International Domain Names). Due to the increased possibilities for abuse those certificates have additional requirements. The CPS states that this requires Assurer level, which you meet if you are reading this Handbook. However note that as of 20091106, there is a move to reduce these requirements. Watch this space.
- current only client and server certs, other options currently not selectable, except Code Signing
- parameters: domains, current first becomes CN, others SANs
- rebuild subject routine ... to check
- Michael: shall we enforce cn from csr?
- optional?
- enforce copy cn to SAN
asn1 parse procedure, http://lapo.it/asn1js/
- getcn, getalt procedure
docs für extractit() und getcn(): general.php line.230
- felicitus: how someone get "CN" from "commonName"? where is it documented that "CN" is "commonName"?
- OID of commonName is 2.5.4.3, but there is nothing about "CN"
- BenBE: see Header of OpenSSL-Header
bug #1101 refactoring getalt getcn (Timo)
might 1101 comment c3225
- tries to build a php library for openssl parsing replacement
- asn.1 parsing, own library
- ???
- openssl does escaping (per man page) (input? output?)
- library test thru unit tests
- openssl command for multiple san's ?
- undocumented feature?
currently only known with -extfile creating-a-certificate-with-multiple-hostnames
- needs first review, transfer to testserver
uli
bug #977 admin console text fix
admin console Sysadmin - find domain - lists 2 tables - one for user accounts, one for org accounts, naming issue
{0}
- New patches
bug #1080 0001080: The link on page to iso code on account.php?id=24 show no result
bug #1083 0001083: Resize comment field for adding new organisation administrators
BenBe will transfer to testserver
- Marcus: OA sql query procedure, NEO to test on testserver
relates to a20110118.1 intermediate ruling Part IV.2
also bug #512
5. New SA candidates and Coders
- Heino, not yet prepared, needs first contact
- How to find coders? Experiences from the Gentoo project
- report from last board meeting - topic Arbitration
is added to upcoming board meeting 2012-10-31
6. Long Term Projects
NEO: "BlackJack" bug #964 testing from last week -> error codes
- started implementing
how does bug #1017 relate to this bug?
- cert signing routine
- ie5 ie6 automatic storage of signed key in local keystore
- doesn't work under vista, win7
- msi package is to download and import the keys to the local keystore under vista, win7
relates to bug #1099 but is quite different
- neo sent msi package for testing to u60, benbe; test successful passed
- Marek's sql class project:
- is working on charset replacement
- api project, Carsten continues with portal project not waiting for vendor-api to be delivered
- vendor-api delayed
- no coders
- other projects
- related to sql class project
- portal project continues with a workaround, needs an assurer
- arbitration case on locations database orders outsourcing of find-an-assurer asap
- with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)
- relation to location database
- website find an assurer
- scripted mailing for ATE invitations
- user check that data is still valid eg every 1 year
- notification at login upto 6 months not online
- notification by email if not logged in within last 6 months
- vendor-api delayed
- Automated testing system
- Timo: Unit-test testsystem, phpunit jenkins
- can we merge both environments? frontend tests and unit tests?
- Timo: automated testing systems are mergable
- frontend test: java, may become a problem, alternate php version?
- focus on unittests
- dirk: code or screen?
- code and screen
- frontend and unit tests on one machine?
- trial: port frontend tests
- Timo: monitoring signer, not yet done
- Probably Wytze monitors the systems externaly ?!?
see Systems overview
- monitoring system eg Zabbix instead of Nagios?
- BenBE: Icinga as alternate?
- Zabbix agents: requires to be the same revision as server
- Timo, Benny: Distro needs upgrade
- lenny - support ended Feb 2012
- upgrade etch to lenny was a long running project
- squeeze (current stable release) - tests started by critical team
- "wheezy close before release date
- Michael: email sent 2012-10-09 regarding squeeze upgrade to critical team
- response received
- testing WIP
- move to sun2 proposed
7. next meeting
- Tuesday, November 6, 2012 22:00 CET
Minutes
- preface
- new patches to test, needs 2nd review
bug #1080 0001080: The link on page to iso code on account.php?id=24 show no result
- NEO's 2nd reviewed, needs testing
tested by 2, BenBe to transfer to critical team
bug #1083 0001083: Resize comment field for adding new organisation administrators
- to transfer from cacert-devel to testserver
- git pull on testserver
- 2nd review by NEO done, needs testing
tested by 2, BenBe to transfer to critical team
bug #977 user/org table definition in admin console
- Marcus: OA sql query procedure, NEO to test on testserver
relates to a20110118.1 intermediate ruling Part IV.2
also bug #512
- line wise readin (eg file read), change is not required
- needs 2nd review, testing by NEO
- new patches to test, needs 2nd review
- reminder 2nd review #922 to dirk
1083, 977 tested, 2nd reviewed, needs transfer to critical team => BenBe assigned
1004 ... on review by BenBe
checked BenBe
- work done by NEO, pushed to cacert-devel, transfered to testserver
- needs 2nd review, needs testing
978 ... transfered to critical team by BenBe
860 ... tested by 2, needs 2nd review, good to go, assigned to BenBe
1097 ... needs testing, 2nd review, BenBe will check
Fixed Action Items since last or within meeting
Ted
bug #835 Assurer challenge (on testserver)
needs testing
{g}
- OA sql query procedure, List returned on 2012-10-24
Action Items New
Action items: Meeting Action Items