To Software Software - To Software-Assessment - Software/Assessment - To previous meeting - To next meeting
Minutes of the MiniTOP on the 2011-04-12
Setting
The MiniTOP will be held via telco 22:00 CEST
Attendees: Magu, Marcus, Dirk, Uli, Ted, Michael
Topics
Action items from last meeting Meeting Action Items
Arbitration case a20110312.1
- State Testserver Update
- Current Patches on Testserver:
"Thawte" patch Bug# 827
- Current Patches on Testserver:
- triage test on CATS (Update)
- strategy plans ...
strategy for: "Certificates Class3" problem and "New Roots & Escrow"
Bug #637: Password suggestion always the same. Proposed solution.
- next meeting: Tuesday, April 19, 2011 22:00
Minutes
- couple of finished action items
Uli
write kees mail about telco server: 2 still connections
{+}
Dirk, Ted, Michael
translingo cacert upload.pl bug #913 (next: test, review) by M.
{+}
Dirk, Michael, Uli
to write instructions for Critical team about translingo bug by M.
{+}
Michael, Wytze
environment for vuln-key on testserver, critical system
{+}
Uli
create wiki page(s) (regarding weak keys)
{+}
Arbitration case a20110312.1
- first tests started, some discussions
- tests with ie6, ie8, ie9: ie8 test creates 1024 bit keys, ie6 test creates 1024 bits keys, ie9 creattes 512 bit keys - difference on rsabase.dll vs. rsaenh.dll
- perl script trigger to critical team by ted
- org certs needs to be tested
org certs: no csr adding is possible - is there a bug# ? -> bug# 363
create org client certs -> id=16
- win7, ie9, client certs ok keysize visible, org client certs keysize invisible
- /pages/account/.. 4.php, 17.php to combine ?
- first tests started, some discussions
- triage test on CATS (Update), probably upcoming week
Bug #637: Password suggestion always the same. Proposed solution.
- topic on mailing list
- signon page sample password
- proposal 1: random password (+1)
- proposal 2: prevent sample password (+4)
proposal 3: combine 1 & 2 (+2)
- proposal 4: new sample pwd + prevent sample pwd (0)
- proposal 5: new sample pwd from known sentence, using each 3rd char x1) + prevent sample pwd (+3)
- proposal 6: no sample, only requirements on how to build a pwd (+3)
- Action Items:
- Modify text
- pwd blacklist
- to move to salted hash
- migration plan: generate salt, convert hash for all users, replace login procedure
proposal 5 + 6 => 3:3 -> alternate: remove sample pwd and let see
- advantage: can be pushed tonight
starting administrative check or not ? -> weak passwords discussion
- to start with migration to salted hashes
- dirk will take care about text removal (general.php check pwd proc, text /pages/index/1.php)
- adding blocking pwd to dictionary does not make sense, will be replaced on next sys upgrade
- adding addtl. local dictionary ?
- first simple check "Fred Smith" ?
- sub selection on Is-Assurer ? has points ? (if exist notary ?)
- first test: count(hash(simple-pwd)) on pwd column
"Thawte" patch Bug# 827, continued, but not finished
- next meeting: Tuesday, April 19, 2011 22:00
- meeting closed [0:00]
Action items: Meeting Action Items
new items:
Arbitration case a20110312.1
- Ted: perl script trigger to critical team by ted
- dirk: /pages/account/.. 4.php, 17.php to combine ?
- Ted: triage test on CATS (Update), probably upcoming week
Bug #637: Password suggestion always the same. Proposed solution.
- dirk: will take care about text removal (general.php check pwd proc, text /pages/index/1.php)
- marcus: start dispute, first test: sql-query, to be verified by 2nd SA: select count(*) from users where password='xxx';
Software/Assessment/ActionItems
all
proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems
see also BEAST migration https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
Proposal from Sysadm list 2013-09-06{0}
SA
documentation server cert design concept to SystemAdministration/Systems/Development/Prepare
{0}
all
{0}
BenBE, Marcus
documentation: developer git repos under github
bug #1131 history @ github
CAcertOrg @ github
started under Software/Assessment/Documentation/UpdateCycle/step1{0}
NEO
{0}
all
read x509 guide
{0}
all
bug#1068 blog problem (also relates to community)
debian lenny - edge - squeeze upgrades needed
alternate: new server with squeeze, install wordpress, transfer domain
workaround: configure your FF FAQ/BrowserClients{g}
uli
Experience points for ATE attendance
check board motions and/or trigger if not yet passed{0}
uli
Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18
current state: see Funding Landing Page
May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished{0}
All
1. next: strategy for "New Roots & Escrow" - using indirect crl's ?
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment{0}
dirk, Michael
3. next: strategy for "New Roots & Escrow" - how does debian work?
to contact, deferred to next events (?)
next round: picked up by Benedikt new proposal 2013-06-02{0}
Uli, Michael
Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png
{0}
Development, Deployment, Discussion
OAO, Ted
bug #943 change OA admin/assurer text
needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected
{-}
uli, Ted
bug #824 Org User cert fix Case study
Organisation User Certificates: Need UI improvement for proper production usage
{0}
uli, ted
bug #823 email address removal fix
No warning when removing e-mail address from account that certificates will be revoked
checked by 4, needs 2nd review, deploy
rejected{-}
inopiae
bug #920 Join - single name only (eg Indonesian)
details under bug number
{0}
uli
bug #859 admin console interface
feature request: show activity on an account in the admin interface
rejected, certs login doesn't modify "modified" field{r}
Michael
p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
uli, marcus: needs full cert create tests
duplicate report to bug#978
tested by 3, 2nd review done, transfered
Ken reported: still has problems, bug kept open{0}
gagern, NEO
bug #440 Problem with subjectAltName (CSR, renew certs)
There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development
{r}
neo
bug #1025 Domain Dispute issue
disputes rc and rc2 var prob
needs work{r}
dirk
bug #1054 0001054: Review the code regarding the new point calculation
Thawte patch part II
needs further work{r}
Software Assessors: Review 1 / add to cacert-devel, add to testserver
Software-Assessors task
Testing
Testers task
neo
bug #1004 Stats page improvement
tested by 2, needs 2nd review
{0}
neo
Bugs #1159 it might be possible to execute commands on the signing server
{0}
inopiae
bug #1065 Wrong wording when sending mails during the assurance process
{0}
inopiae
bug #1162 calcutate (the passwords) hash in php instead of in mysql
create test scenarios for the software testers
Full testing{0}
inopiae
bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails
{0}
inopiae
bug #988 TTP cap form deployment
{0}
Software Assessors: 2nd Review, Bundle Package to Critical Team
Software-Assessors task
Ted
bug #500 Get contact mail adress after resolving test
tested by 3, requires review
{0}
Ted
bug #1140 Show if a test is passed in learnprogress
tested by 3, requires review
{0}
magu
bug #1131 Rename _all_ Policies from .php to .html and fix all links
global policy directory maintenance and update
{0}
inopiae
bug #1010 Reorder the view on organisation certificates
tested by 3
{0}
Software Assessors: Bundle Package to Critical Team
Software-Assessors task
inopiae
bug #1139 Add new fields to the database
tests through #500 and #1140, 2nd review done, requires transfer
{0}
Awaiting Response from Critical Team
inopiae
bug #411 Wrong text is made into link
{g}