
= Minutes of the MiniTOP on the 2011-04-12 =

== Setting ==
The MiniTOP will be held via telco at 22:00 CEST

Attendees: Magu, Marcus, Dirk, Uli, Ted, Michael

== Topics ==

 * Action items from last meeting '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''
 * Arbitration case [[Arbitrations/a20110312.1|a20110312.1]]
 * State Testserver Update
  * Current Patches on Testserver:
   * "Thawte" patch [[https://bugs.cacert.org/view.php?id=827|Bug# 827]]
 * triage test on CATS (Update)
 * strategy plans ...
  * strategy for: "Certificates Class3" problem and "New Roots & Escrow"
  * [[https://lists.cacert.org/wws/arc/cacert-root/2011-02/msg00030.html|pragmatic solution proposed]]
 * [[https://bugs.cacert.org/view.php?id=637|Bug #637]]: Password suggestion always the same. Proposed solution.
 * next meeting: Tuesday, April 19, 2011 22:00

== Minutes ==
 * couple of finished action items
  || Uli || write kees mail about telco server: 2 still connections || {+} ||
  || Dirk, Ted, Michael || translingo cacert upload.pl bug #913 (next: test, review) by M. || {+} ||
  || Dirk, Michael, Uli || to write instructions for Critical team about translingo bug by M. || {+} ||
  || Michael, Wytze || environment for vuln-key on testserver, critical system || {+} ||
  || Uli || create wiki page(s) (regarding [[WeakKeys|weak keys]]) || {+} ||

 * Arbitration case [[Arbitrations/a20110312.1|a20110312.1]]
  * first tests started, some discussions
   * tests with IE6, IE8, IE9: IE8 test creates 1024 bit keys, IE6 test creates 1024 bit keys, IE9 creates 512 bit keys - difference between rsabase.dll and rsaenh.dll
  * perl script trigger to critical team by ted
  * org certs need to be tested
  * org certs: no CSR adding is possible - is there a bug#? -> bug# 363
   * create org client certs -> id=16
  * win7, ie9, client certs ok keysize visible, org client certs keysize invisible
  * /pages/account/..  4.php, 17.php  to combine ?
 * triage test on CATS (Update), probably upcoming week
 * [[https://bugs.cacert.org/view.php?id=637|Bug #637]]: Password suggestion always the same. Proposed solution.
  * topic on mailing list
  * signon page sample password
  * proposal 1: random password (+1)
  * proposal 2: prevent sample password (+4)
  * proposal 3: combine 1 & 2  (+2)
  * proposal 4: new sample pwd + prevent sample pwd (0)
  * proposal 5: new sample pwd from known sentence, using every 3rd char x1) + prevent sample pwd (+3)
   . x1) sample [[http://www.gpg4win.de/doc/de/gpg4win-compendium_9.html]]
  * proposal 6: no sample, only requirements on how to build a pwd (+3)
  * Action Items:
   1. Modify text
   1. pwd blacklist
   1. to move to salted hash
    * migration plan: generate salt, convert hash for all users, replace login procedure
  * proposal 5 + 6 => 3:3 -> alternative: remove sample pwd and see
  * advantage: can be pushed tonight
  * starting administrative check or not ? -> weak passwords discussion
   * to start with migration to salted hashes
  * dirk will take care of text removal (general.php check pwd proc, text /pages/index/1.php)
  * adding the blocked pwd to the system dictionary does not make sense, it will be replaced on next sys upgrade
  * adding an additional local dictionary?
  * first simple check "Fred Smith" ?
  * sub selection on Is-Assurer ? has points ? (if exist notary ?)
  * first test: count(hash(simple-pwd)) on pwd column
 * "Thawte" patch [[https://bugs.cacert.org/view.php?id=827|Bug# 827]], continued, but not finished
 * next meeting: Tuesday, April 19, 2011 22:00
 * meeting closed [0:00]
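The salted-hash migration plan (generate salt, convert hash for all users, replace login procedure) and the "count(hash(simple-pwd)) on pwd column" check above, worked through as an added example; this is not CAcert code and does not reflect how the CAcert password column is actually stored. It assumes a legacy unsalted hex digest (SHA-1 here, an assumption), a constructed user table, a placeholder sample password, and a wrapped-hash migration (new hash = H(salt || legacy hash)) so that no plaintext is needed to convert existing rows.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Placeholder for the sample password shown on the signon page (constructed, not the real one).
SAMPLE_PWD = "sample-password-from-signon-page"
# Action item "pwd blacklist": values a new password must not equal (constructed list).
BLACKLIST = {SAMPLE_PWD, "password", "123456"}


def legacy_hash(pw: str) -> str:
    """Assumed legacy scheme: unsalted SHA-1 hex digest of the password."""
    return hashlib.sha1(pw.encode()).hexdigest()


# Constructed user table; two accounts still use the signon-page sample password.
USERS: Dict[str, dict] = {
    "alice": {"scheme": "legacy", "hash": legacy_hash(SAMPLE_PWD)},
    "bob": {"scheme": "legacy", "hash": legacy_hash("correct horse battery staple")},
    "carol": {"scheme": "legacy", "hash": legacy_hash(SAMPLE_PWD)},
}


def count_with_password(users: Dict[str, dict], pw: str) -> int:
    """The 'count(hash(simple-pwd)) on pwd column' test from the minutes.

    Works only while hashes are unsalted: one hash value per password. After
    migration every row has its own salt and this query returns 0, so the
    check has to run before the conversion.
    """
    target = legacy_hash(pw)
    return sum(1 for u in users.values() if u["scheme"] == "legacy" and u["hash"] == target)


def salted_hash(salt: str, inner: str) -> str:
    """Salted scheme: SHA-256 over salt || inner (assumption for this example)."""
    return hashlib.sha256((salt + inner).encode()).hexdigest()


def migrate_user(user: dict) -> dict:
    """Steps 1 and 2 of the plan: generate a per-user salt and convert the stored hash.

    The legacy digest is wrapped rather than recomputed, so the conversion
    runs over the whole table without anyone logging in first.
    """
    if user["scheme"] != "legacy":
        return user
    salt = secrets.token_hex(16)
    return {"scheme": "salted", "salt": salt, "hash": salted_hash(salt, user["hash"])}


def migrate_all(users: Dict[str, dict]) -> Dict[str, dict]:
    return {name: migrate_user(u) for name, u in users.items()}


def verify_login(user: dict, pw: str) -> bool:
    """Step 3: replaced login procedure; accepts both schemes during the transition."""
    if user["scheme"] == "salted":
        candidate = salted_hash(user["salt"], legacy_hash(pw))
    else:
        candidate = legacy_hash(pw)
    # Constant-time comparison so a mismatch position is not observable through timing.
    return hmac.compare_digest(candidate, user["hash"])


def password_acceptable(pw: str) -> bool:
    """Blacklist check for new or changed passwords (proposal 2 / action item 2)."""
    return pw not in BLACKLIST


if __name__ == "__main__":
    print("users on sample pwd before migration:", count_with_password(USERS, SAMPLE_PWD))
    migrated = migrate_all(USERS)
    print("users on sample pwd after migration:", count_with_password(migrated, SAMPLE_PWD))
    print("bob login:", verify_login(migrated["bob"], "correct horse battery staple"))
```

The wrapped-hash approach keeps the weakness of the inner legacy digest for the password itself, so the count check should be run and acted on before the conversion, while a per-password query is still meaningful; afterwards the salt makes identical passwords hash differently and the column no longer answers that question.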

----
Action items: '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''

new items:
 * Arbitration case [[Arbitrations/a20110312.1|a20110312.1]]
  * Ted: perl script trigger to critical team by ted
  * dirk: /pages/account/..  4.php, 17.php  to combine ?
 * Ted: triage test on CATS (Update), probably upcoming week
 * [[https://bugs.cacert.org/view.php?id=637|Bug #637]]: Password suggestion always the same. Proposed solution.
  * dirk: will take care of text removal (general.php check pwd proc, text /pages/index/1.php)
  * marcus: start dispute, first test: sql-query, to be verified by 2nd SA: select count(*) from users where password='xxx';


<<Include(Software/Assessment/ActionItems)>>  


----
 . CategorySoftwareAssessment