= Minutes of the MiniTOP on the 2012-05-08 =

== Setting ==
The MiniTOP will be held via telco 22:00 CEST

Attendees: Magu, Marcus, Uli, Michael, dirk

== Topics ==
(skip to [[#AGENDA|agenda]])

Action items from last meeting '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''

== Agenda ==
## last full agenda https://wiki.cacert.org/Software/Assessment/20120228-S-A-MiniTOP

=== 1. Preface ===
 1. dirk topics
  1. Cebit brainstorming
   * dirk: request for events report
    * (2012-03-27) Marcus awaiting translation from Marc
    * (2012-04-03) Marcus will do upcoming (easter) weekend
    * (2012-04-17) no update
    * (2012-04-24) no update
  1. new action item from last meeting, who picks up this task? create new bug# ?
  || ? || cap.php review different languages || from meeting 2012-04-24 || {0} ||
  1. dispute cases
   * new bug: [[https://bugs.cacert.org/view.php?id=1038|bug #1038]] Provide a script for board/tverify reset flags by arbitration a20110118.1
   * re [[https://bugs.cacert.org/view.php?id=1003|bug #1003]] Permissions review script, to incorporate new intermediate ruling

=== 2. Software-Assessment ===
 1. Software-Assessment teamleader?
  * to propose to board and approved by board
 1. Software-Assessors candidates
  * Problem:
   . 2nd review of 4 patches cannot be reviewed by NEO, dirk is busy, so only Ted avail, Markus inactive
  * candidate to contact by ...
   * kotek? (-> neo) - neo is doing reviewing
   * aphexer? (-> ?)
   * bjoern? (-> magu) - what attracts programming for CAcert?
   * willm (-> neo) (xing contact, developer), will contact next
   * stephan (-> marcus)
   * reactivate PG?
  * how we get SA attractive?
   * Marcus: blockers? eg. dpa
 1. dirk: newsletters, last one last year
  * 2nd one should be 3 months later about security settings, now it's about 5-6 months later
  * open dpa discussion (uli: added to next board meeting agenda), not yet continued

=== 3. bug #1023 Testing (6.php) ===
 1. Thawte points removal, final step
  * relates to 6.php
  * this also relates to TTP
  * dirk will work on this last weekend (2012-01-21)
  * current state: not yet finished
  * expected finishing? upcoming weekend (2012-01-23 to 2012-01-30)
  * not finished, upcoming weekend 2012-02-06?
  * not finished, last weekend 2012-03-12?
  * 2012-03-13: new bug#1023 [[https://bugs.cacert.org/view.php?id=1023|bug#1023]]
   * transferred to git cacert
   * to test:
    * assure someone
    * w/ and w/o ttp
    * in all variations
   * Added to testserver Tue 13.3., Wed 14.3.
  || dirk || [[https://bugs.cacert.org/view.php?id=1023|bug #1023]] Consolidate changes into the Assure Someone page || 6.php global re-design project<<BR>>assurance, wot area (Thawte points removal effective) || {0} ||
  * current state: patch removed from testserver, needs work (DEV)
  * (2012-03-27) back on testserver: bug #1023 (6.php), has a bug, needs work
  * 2 new bugs within meeting 2012-03-27
  * (2012-04-03) bugs analyze, empty results analyse, new patch transferred to testserver
  * current state 2012-04-17 {{{
 * dirk: didn't we conclude 14 days ago, that the current patch state is the revision similar on the production system
 * potential bugs on production system can be identified against wot.php on testserver (-> diff wot.php, if no difference bugs are also in production system)
 * Michael: diff is empty, this means wot.php is identical between production and testserver
 * Michael: didn't push one patch, as it has at least one error
 * Michael: fix and push to git / testserver, patch is transferred to testserver
 * testing: failures occurred
   * last time we've added method transfer
   * if board=1, method empty -> results in garbage in database
   * new bug, that methods aren't checked that needs to be checked [[https://bugs.cacert.org/view.php?id=1032|bug#1032]]
 * req by Marcus to add maxpoints limit definition: 35 assurance points (by AP) in a f2f meeting, up to 50 assurance points possible through a subpolicy (currently none available), new bug [[https://bugs.cacert.org/view.php?id=1033|bug#1033]]
}}}
  * #1033 passed to production
  * 2012-04-24: 2nd review by neo [[https://bugs.cacert.org/view.php?id=1023|bug #1023]] (6.php) (next time)
  * 2012-05-05: dirk_: @neo ... is the review of 6.php done? / NEOatNHNG: almost

=== 4. testing of certs patches ===
 1. [[https://bugs.cacert.org/view.php?id=440|bug#440]] Problem with subjectAltName (CSR, renew certs)
  * "There seems to be a problem with the subjectAltName.
    Dupes, missing entries, and more"
  * patch by gagern
  * Software-Assessors: needs 1st review + transfer to testserver (week 4)
  * (2012-01-23) michael picked up
  * What about [[https://bugs.cacert.org/view.php?id=440|bug#440]] vs. [[https://bugs.cacert.org/view.php?id=540|bug#540]] ?
 1. [[https://bugs.cacert.org/view.php?id=812|bug #812]] CAcert certificate not working with Windows Encrypting Filesystem (EFS)
 1. [[https://bugs.cacert.org/view.php?id=905|bug #905]] Unable to sign PDF file with Acrobat

=== 5. 2nd review of about 7 patches ===
||<#ff8080> '''Software-Assessors task''' ||

 1. [[https://bugs.cacert.org/view.php?id=789|bug #789]] OA edit domain fix, Editing domain for organisations does not work<<BR>>new update 2011-09-26<<BR>>2 tests, needs 2nd review, deploy<<BR>>more fixes, more testing
  * 2nd review of 1 patch
  * Michael cannot do, needs doing by dirk (or other Software-Assessor, who else?)
 1. [[https://bugs.cacert.org/view.php?id=978|bug #978]] bug 978 (weak keys) (bug 918)
  * invalid key format, no regular error message, something wrong, error code # identified
  * debugging infos from user + infos from critical team with error code #, was spkac routine
  * one test done 2011-12-17 by JensK
  * uli, marcus: more tests: certs routine, weak keys (small keys test), relates to [[https://bugs.cacert.org/view.php?id=540|bug#540]] tests
  * (week 7)
 1. [[https://bugs.cacert.org/view.php?id=540|bug#540]] No key usage attribute in cacert org certs anymore?
  * also: [[https://bugs.cacert.org/view.php?id=905|bug#905]]
  * Policy group discussion - Extended key usage -> [[PolicyDecisions#p20111113|p20111113]], motion CARRIED
  * deployment
   1. prepare fixes -> Michael to prepare diffs, against svn
   1. sending to testserver
   1. transfer to critical system
  * (2011-12-13) approx 2 weeks to write the fix, approx 2 months to go
  * Michael did transfer the patch to testserver
   * signer code update
   * changes against svn
  * uli, to add to tester portal, done
  * uli to inform testers about new tests
  * test report from kenneth to transfer to report (email from 2011-12-25)
   * Michael: where to find the report from kenneth? link?
   * NEO has added the report (written to private dl)
  * who has adobe 8 for testing?
   * magu has, please test
  * next: needs testing (week 6)
  * uli, marcus: needs full cert create tests
  * uli (2012-01-25): sent notification to software testers
  * awaiting testing ... problem FULL test, including all possible variations with certs creation
  * also to report under [[https://bugs.cacert.org/view.php?id=978|bug #978]] bug 978 (weak keys) (bug 918)
  * Testers: test all certs variations, functions

|| uli, ted || [[https://bugs.cacert.org/view.php?id=789|bug #789]] OA edit domain fix || Editing domain for organisations does not work<<BR>>new update 2011-09-26<<BR>>2 tests, needs 2nd review, deploy<<BR>>more fixes, more testing || 6 {0} ||
|| uli || [[https://bugs.cacert.org/view.php?id=967|bug #967]] OA isassurer check || Give an OA the opportunity to check if a designated Organisation Administrator is a CAcert assurer || {0} ||
|| neo || [[https://bugs.cacert.org/view.php?id=978|bug #978]] Invalid SPKAC requests are not properly validated || recheck full certs signing procedures<<BR>>duplicate report to bug#540 || {0} ||
|| Michael || [[https://bugs.cacert.org/view.php?id=540|bug #540]] || p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing<<BR>>uli, marcus: needs full cert create tests<<BR>>duplicate report to bug#978 || {0} ||
|| neo || [[https://bugs.cacert.org/view.php?id=1024|bug #1024]] Assurer flag is not set correctly on updatesort.php run || tested by 4, ok || {0} ||
|| dirk || [[https://bugs.cacert.org/view.php?id=1023|bug #1023]] Consolidate changes into the Assure Someone page || 6.php global re-design project<<BR>>assurance, wot area (Thawte points removal effective) || {0} ||
|| inopiae || [[https://bugs.cacert.org/view.php?id=981|bug #981]] OA overview (dupe of [[https://bugs.cacert.org/view.php?id=943|bug #943]]) || New layout of view for Organisation Administrators in account/id35 || {0} ||

=== 6. continue BlackJack coding by Michael ===
 1. [[https://bugs.cacert.org/view.php?id=964|bug#964]], [[https://bugs.cacert.org/view.php?id=918|bug#918 (Part II)]] Codename "BlackJack" - VBscript for Vista/Win7 (select keysize >= 1024)
  || x^1^ Dirk, new [[https://bugs.cacert.org/view.php?id=964|bug#964]]<<BR>>DEV: [[https://bugs.cacert.org/view.php?id=918|bug#918 (Part II)]] ([[Arbitrations/a20110312.1|a20110312.1]]) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) '''DEV''' || current state: test /account/4.php added to testserver<<BR>>Marcus will do detailed tests on Wed<<BR>>some references added to [[https://bugs.cacert.org/view.php?id=964|bug#964]] || {0} ||
  * as part of
   * x^1^ Arbitration case [[Arbitrations/a20110312.1|a20110312.1]] Weak keys [[https://bugs.cacert.org/view.php?id=918|bug #918]] / [[https://bugs.cacert.org/view.php?id=954|bug #954]] / [[https://bugs.cacert.org/view.php?id=964|bug#964]]
  * Current state:
  || {g} || pre mailing sent ||
  || {g} || keys revocation script to bulk revoke weak keys, new [[https://bugs.cacert.org/view.php?id=954|bug #954]], finished ||
  || {-} || dirk: DEV: [[Arbitrations/a20110312.1|a20110312.1]] [[https://bugs.cacert.org/view.php?id=918|bug#918]] Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) '''DEV''' <<BR>>vbscript needs to be improved with select box key size and lower limit to 2048 (based on [[https://wiki.mozilla.org/CA:MD5and1024]])<<BR>>Api CertEnroll (MS crypto provider)<<BR>>new [[https://bugs.cacert.org/view.php?id=964|bug#964]]<<BR>>current state: test /account/4.php added to testserver<<BR>>Marcus will do detailed tests on Wed<<BR>>some references added to [[https://bugs.cacert.org/view.php?id=964|bug#964]] - codename "BlackJack" ||
  || {g} || Weak keys blog post, published ||
  || {g} || Weak keys article published by Hanno (July 28), link is in CAcert's blog post (July 30) ||
  || {b} || weak keys: problems with cryptostick (to test at [[events/FrOSCon2011|Froscon]] with Juergen ?) ||
  * cert enroll infos under [[https://bugs.cacert.org/view.php?id=964|bug#964]]
   * vista and win7 works with other engine !CryptoAPI (?) => Cryptography API: Next Generation
   * [[http://msdn.microsoft.com/en-us/library/aa833130%28v=VS.85%29.aspx]]
  * Marcus: added notes for Win7 [[https://bugs.cacert.org/view.php?id=964#c2249]]
  * dirk: has not started the virtual machine
  * Question from Marcus: did someone contact illuminat?
   * No, Marcus: to contact illuminat
   * illuminat will give it a try, first needs download of testserver image
  * Update?
   * marcus: illuminat not yet seen last time
  * baseline requirement - keysize >= 2048 to fix till end of 2011
  * how to proceed?
   * dirk: 1st step, to bring win test server locally online
   * marcus: to contact illuminat
  * Do we have other developers who may pick up this project?
   * Marcus -> dirk: announcement of vbscript bug to developers mailing list
    * change keysize
    * merge 2 scripts to one
    * fix on script 1 needs fix in 2nd script too, solutions: include, one file, or comment fix script 2 too
  * interrupt: [[https://bugs.cacert.org/view.php?id=964|bug#964]] -> codename "BlackJack"
   * relates to IE8 problem, that certs cannot be created
   * is there a security issue with available fix?
     also [[https://bugs.cacert.org/view.php?id=918|bug#918]]
   * related 927, 901, 847
   * a patch is online on testserver, but cannot be found
   * related patch files, /pages/account/ 3,4,16,17; /include/account.php
   * there are other vbscript pages: ../account/ 6 + 19
  * Brian [[https://bugs.cacert.org/view.php?id=964|bug#964]]
   * Michael: Marcus to test with IE
   * IE select provider only
   * code from Brian needs some corrections, corrections to do, 4 + 17 inclusions, checkin
   * notification to Brian, done
  * quickfix has problems too
  * next step(s)
   * check error codes / debug routines
   * open developer mode, create cert
   * resulting error: line 213, put length, wrong parameter {{{
Zeile: 213
Fehler: CertEnroll::CX509PrivateKey::put_Length: Falscher Parameter. 0x80070057 (WIN32: 87)

Zeile 213: objPrivateKey.Length = &h08000000
}}}
  * current state: an undef error with current patch
  * we need someone who has experience with vbscript, to come into telco, reviews interface/api beforehand
   * illuminat: not before Easter
   * marcus: will ask users on assurance party Wed 18th Jan
  * 2012-01-23:
   * also cabforum requirement, keysize under IE limited to 1024
   * how to find programmers ?
    * windows webserver programmers: Outlook, Citrix portals
   * new API's can use java, new apis have web-enabled
   * splitting vbscript for os revisions < vista, java for os revisions >= vista ?
  * NEO started development, not yet finished
  * next: for XP: rewrite vbscript to JavaScript

=== 7. next meeting ===
 * Tuesday, May 22, 2012 22:00 CEST

== Minutes ==
 1. Preface
  1. request for bitcoin account ?
   * currently not available
  1. dirk topics
   1. Cebit brainstorming
    * dirk: request for events report
     * (2012-03-27) Marcus awaiting translation from Marc
     * (2012-04-03) Marcus will do upcoming (easter) weekend
     * (2012-04-17) no update
     * (2012-04-24) no update
     * (2012-05-08) no update
   1. new action item from last meeting, who picks up this task? create new bug# ?
   || Marcus || cap.php review different languages || from meeting 2012-04-24 || {0} ||
    * translations problem, response from translators needed
    * encoding problem
    * Marcus picks up this task
   1. dispute cases
    * new bug: [[https://bugs.cacert.org/view.php?id=1038|bug #1038]] Provide a script for board/tverify reset flags by arbitration a20110118.1
    * re [[https://bugs.cacert.org/view.php?id=1003|bug #1003]] Permissions review script, to incorporate new intermediate ruling
   1. disputes.php problems (by Marcus)
    * see [[https://bugs.cacert.org/view.php?id=1025|bug #1025]]
   1. events planning
    * Sigint, LT2012 preparations
    * req Marcus 2 uli: Perl conf, info to Carsten
 1. Software-Assessment, part 1
  1. Software-Assessment teamleader?
   * to propose to board and to be approved by board
   * Magu: candidate NEO
   * Marcus: candidate NEO
    * Uli: 2nd and aye
    * Dirk: 2nd and aye
    * Magu: aye
    * Marcus: aye
    * NEO: abstain
   * 4 aye, 1 abstain, carried
   * add to next agenda
  1. Internship project discussions
   * general structure given (by board)
 1. Software-Assessment, part 2
  1. Software-Assessors candidates
   * Problem:
    . 2nd review of 4 patches cannot be reviewed by NEO, dirk is busy, so only Ted avail, Markus inactive
   * candidate to contact by ...
    * kotek? (-> neo) - neo is doing reviewing
    * aphexer? (-> ?)
    * willm (-> neo) (xing contact, developer), will contact next
    * stephan (-> marcus)
    * reactivate PG?
  1. dirk: newsletters, last one last year
   * 2nd one should be 3 months later about security settings, now it's about 5-6 months later
   * main topic "Security"
    * weak keys
    * weak passwords
    * backup for lost passwords
    * openssl prob
    * php prob
    * probably more
 1. testing of certs patches
  * #540 needs 2nd review
  * #978 needs 2nd review
  * #440, only one test
 1. bug #1023 Testing (6.php)
  * Neo walks through code with dirk
 1. NEO 2 dirk: next patch to review: 1003, permission review
 1. next meeting
  * Tuesday, May 22, 2012 22:00 CEST

=== Post Meeting notes ===
 1. Software-Assessment, part 3
  1. Software-Assessment teamleader?
   * late votes by email
   * Michael as Software-Assessment t/l to propose to board and to be approved by board
    * Markus: aye
## * 5 aye, 1 abstain, carried
## * add to next agenda

==== Fixed Action Items since last or within meeting ====
|| neo || [[https://bugs.cacert.org/view.php?id=1027|bug #1027]] Add information for affiliate program from booking.com || Inform users about the affiliate program on the donations page (index.php?id=13) || {g} ||
|| Michael || [[https://bugs.cacert.org/view.php?id=1011|bug #1011]] problem fix || needs review by Software-Assessor - priority: high {-} <<BR>>untestable, needs 2nd review || {g} ||
|| Michael || [[https://bugs.cacert.org/view.php?id=1002|bug #1002]] || 0001002: Contact Assurer form leaves a funny comment after sending || {g} ||
|| neo || [[https://bugs.cacert.org/view.php?id=1033|bug #1033]] User can grant more then 35 points || see also [[https://bugs.cacert.org/view.php?id=1023|bug #1023]] || {g} ||
|| neo || system maintenance ca-mgr1, git-cacert, scheduled 2012 KW 14 || done 2012-04-29 || {g} ||

----

==== Action Items New ====
Action items: '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''

----
 . CategorySoftwareAssessment