. '''To Software [[Software|Software]]''' - '''To Software-Assessment [[Software/Assessment|Software/Assessment]]''' - '''To [[Software/Assessment/20120508-S-A-MiniTOP|previous meeting]]''' - '''To [[Software/Assessment/20120529-S-A-MiniTOP|next meeting]]''' ---- = Minutes of the MiniTOP on the 2012-05-22 = == Setting == The MiniTOP will be held via telco 22:00 CEST Attendees: Michael, Magu, Dirk, Marcus == Topics == (skip to [[#AGENDA|agenda]]) Action items from last meeting '''[[Software/Assessment/ActionItems|Meeting Action Items]]''' <> <> == Agenda == ## last full agenda https://wiki.cacert.org/Software/Assessment/20120228-S-A-MiniTOP === 1. Preface === 1. dirk topics 1. Cebit brainstorming * dirk: request for events report * (2012-03-27) Marcus awaiting translation from Marc * (2012-04-03) Marcus will do upcoming (easter) weekend * (2012-04-17) no update * (2012-04-24) no update 1. dispute cases * new bug: [[https://bugs.cacert.org/view.php?id=1038|bug #1038]] Provide a script for board/tverify reset flags by arbitration a20110118.1 * re [[https://bugs.cacert.org/view.php?id=1003|bug #1003]] Permissions review script, to incorporate new intermediate ruling === 2. Software-Assessment === 1. Software-Assessors candidates * Problem: . 2nd review of 4 patches cannot be reviewed by NEO, dirk is busy, so only Ted avail, Markus inactive * candidate to contact by ... * kotek? (-> neo) - neo is doing reviewing * aphexer? (-> ?) * bjoern? (-> magu) - what attracts programming for CAcert? * willm (-> neo) (xing contact, developer), will contact next * stephan (-> marcus) * reactivte PG? * how we get SA attractive? * Marcus: blockers? eg. dpa * dirk: newsletters, last one last year * 2nd one should be 3 months later about security settings, now its about 5-6 months later * open dpa discussion (uli: added to next board meeting agenda), not yet continued === 3. bug #1023 Testing (6.php) === 1. Thawte points removal, final step * relates to 6.php * this also relates to TTP * dirk will work on this last weekend (2012-01-21) * current state: not yet finished * expected finishing? upcoming weekend (2012-01-23 to 2012-01-30) * not finished, upcoming weekend 2012-02-06? * not finished, last weekend 2012-03-12? * 2012-03-13: new bug#1023 [[https://bugs.cacert.org/view.php?id=1023|bug#1023]] * transfered to git cacert * to test: * assure someone * w/ and w/o ttp * in all variations * Added to testserver Tue 13.3., Wed 14.3. || dirk || [[https://bugs.cacert.org/view.php?id=1023|bug #1023]] Consolidate changes into the Assure Someone page || 6.php global re-design project<
>assurance, wot area (Thawte points removal effective) || {0} || * current state: patch removed from testserver, needs work (DEV) * (2012-03-27) back on testserver: bug #1023 (6.php), has a bug, needs work * 2 new bugs within meeting 2012-03-27 * (2012-04-03) bugs analyze, empty results analyse, new patch transfered to testserver * current state 2012-04-17 {{{ * dirk: didn't we concluded 14 days ago, that the current patch state is the revision similar on the production system * potential bugs on production system can be identified against wot.php on testserver (-> diff wot.php, if no difference bugs are also in production system) * Michael: diff is empty, this means wot.php is identical between production and testserver * Michael: didn't pushed one patch, as it has at least one error * Michael: fix and push to git / testserver, patch is transfered to testserver * testing: failures occured * last time we've added method transfer * if board=1, method empty -> results in garbage in database * new bug, that methods aren't checked that needs to be checked [[https://bugs.cacert.org/view.php?id=1032|bug#1032]] * req by Marcus to add maxpoints limit definition: 35 assurance points (by AP) in a f2f meeting, upto 50 assurance points possible though a subpolicy (currently none available), new bug [[https://bugs.cacert.org/view.php?id=1033|bug#1033]] }}} * #1033 passed to production * 2012-04-24: 2nd review by neo [[https://bugs.cacert.org/view.php?id=1023|bug #1023]] (6.php) (next time) * 2012-05-05: dirk_: @neo ... is the review of 6.php done? / NEOatNHNG: almost === 4. testing of certs patches === 1. [[https://bugs.cacert.org/view.php?id=440|bug#440]] Problem with subjectAltName (CSR, renew certs) * "There seems to be a problem with the subjectAltName. Dupes, missing entries, and more" * patch by gagern * Software-Assessors: needs 1st review + transfer to testserver (week 4) * (2012-01-23) michael picked up * Whats about [[https://bugs.cacert.org/view.php?id=440|bug#440]] vs. [[https://bugs.cacert.org/view.php?id=540|bug#540]] ? 1. [[https://bugs.cacert.org/view.php?id=812|bug #812]] CAcert certificate not working with Windows Encrypting Filesystem (EFS) 1. [[https://bugs.cacert.org/view.php?id=905|bug #905]] Unable to sign PDF file with Acrobat === 5. 2nd review of about 7 patches === ||<#ff8080> '''Software-Assessors task''' || 1. [[https://bugs.cacert.org/view.php?id=789|bug #789]] OA edit domain fix, Editing domain for organisations does not work<
>new update 2011-09-26<
>2 tests, needs 2nd review, deploy<
>more fixes, more testing * 2nd review of 1 patch * Michael cannot do, needs doing by dirk (or other Software-Assessor, who else?) 1. [[https://bugs.cacert.org/view.php?id=978|bug #978]] bug 978 (weak keys) (bug 918) * invalid key format, no regular error message, something wrong, error code # identified * debugging infos from user + infos from critical team with error code #, was spkac routine * one test done 2011-12-17 by JensK * uli, marcus: more tests: certs routine, weak keys (small keys test), relates to [[https://bugs.cacert.org/view.php?id=540|bug#540]] tests * (week 7) 1. [[https://bugs.cacert.org/view.php?id=540|bug#540]] No key usage attribute in cacert org certs anymore? * also: [[https://bugs.cacert.org/view.php?id=905|bug#905]] * Policy group discussion - Extended key usage -> [[PolicyDecisions#p20111113|p20111113]], motion CARRIED * deployment 1. prepare fixes -> Michael to prepare diffs, against svn 1. sending to testserver 1. transfer to critical system * (2011-12-13) approx 2 weeks to write the fix, approx 2 months to go * Michael did transfer the patch to testserver * signer code update * changes against svn * uli, to add to tester portal, done * uli to inform testers about new tests * test report from kenneth to transfer to report (email from 2011-12-25) * Michael: where to find the report from kenneth? link? * NEO has added the report (written to private dl) * who has adobe 8 for testing? * magu has, please test * next: needs testing (week 6) * uli, marcus: needs full cert create tests * uli (2012-01-25): sent notification to software testers * awaiting testing ... problem FULL test, including all possible variations with certs creation * also to report under [[https://bugs.cacert.org/view.php?id=978|bug #978]] bug 978 (weak keys) (bug 918) * Testers: test all certs veriations, functions || uli, ted || [[https://bugs.cacert.org/view.php?id=789|bug #789]] OA edit domain fix || Editing domain for organisations does not work<
>new update 2011-09-26<
>2 tests, needs 2nd review, deploy<
>more fixes, more testing || 6 {0} || || uli || [[https://bugs.cacert.org/view.php?id=967|bug #967]] OA isassurer check || Give an OA the opportunity to check if a designated Organisation Administrator is a CAcert assurer || {0} || || neo || [[https://bugs.cacert.org/view.php?id=978|bug #978]] Invalid SPKAC requests are not properly validated || recheck full certs signing procedures<
>duplicate report to bug#540 || {0} || || Michael || [[https://bugs.cacert.org/view.php?id=540|bug #540]] || p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing<
>uli, marcus: needs full cert create tests<
>duplicate report to bug#978 || {0} || || neo || [[https://bugs.cacert.org/view.php?id=1024|bug #1024]] Assurer flag is not set correctly on updatesort.php run || tested by 4, ok || {0} || || dirk || [[https://bugs.cacert.org/view.php?id=1023|bug #1023]] Consolidate changes into the Assure Someone page || 6.php global re-design project<
>assurance, wot area (Thawte points removal effective) || {0} || || inopiae || [[https://bugs.cacert.org/view.php?id=981|bug #981]] OA overview (dupe of [[https://bugs.cacert.org/view.php?id=943|bug #943]]) || New layout of view for Organisation Administrators in account/id35 || {0} || === 6. continue BlackJack coding by Michael === 1. [[https://bugs.cacert.org/view.php?id=964|bug#964]], [[https://bugs.cacert.org/view.php?id=918|bug#918 (Part II)]] Codename "BlackJack" - VBscript for Vista/Win7 (select keysize >= 1024) || x^1^ Dirk, new [[https://bugs.cacert.org/view.php?id=964|bug#964]]<
>DEV: [[https://bugs.cacert.org/view.php?id=918|bug#918 (Part II)]] ([[Arbitrations/a20110312.1|a20110312.1]]) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) '''DEV''' || current state: test /account/4.php added to testserver<
>Marcus will do detailed tests on Wed<
>some references added to [[https://bugs.cacert.org/view.php?id=964|bug#964]] || {0} || * as part of * x^1^ Arbitration case [[Arbitrations/a20110312.1|a20110312.1]] Weak keys [[https://bugs.cacert.org/view.php?id=918|bug #918]] / [[https://bugs.cacert.org/view.php?id=954|bug #954]] / [[https://bugs.cacert.org/view.php?id=964|bug#964]] * Current state: || {g} || pre mailing sent || || {g} || keys revocation script to bulk revoke weak keys, new [[https://bugs.cacert.org/view.php?id=954|bug #954]], finished || || {-} || dirk: DEV: [[Arbitrations/a20110312.1|a20110312.1]] [[https://bugs.cacert.org/view.php?id=918|bug#918]] Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) '''DEV''' <
>vbscript needs to be improved with select box key size and lower limit to 2048 (based on [[https://wiki.mozilla.org/CA:MD5and1024]])<
>Api CertEnroll (MS crypto provider)<
>new [[https://bugs.cacert.org/view.php?id=964|bug#964]]<
>current state: test /account/4.php added to testserver<
>Marcus will do detailed tests on Wed<
>some references added to [[https://bugs.cacert.org/view.php?id=964|bug#964]] - codename "BlackJack" || || {g} || Weak keys blog post, published || || {g} || Weak keys article published by Hanno(July 28), link is in CAcert's blog post (July 30) || || {b} || weak keys: problems with cryptostick (to test at [[events/FrOSCon2011|Froscon]] with Juergen ?) || * cert enroll infos under [[https://bugs.cacert.org/view.php?id=964|bug#964]] * vista and win7 works with other engine !CryptoAPI (?) => Cryptography API: Next Generation * [[http://msdn.microsoft.com/en-us/library/aa833130%28v=VS.85%29.aspx]] * Marcus: added notes for Win7 [[https://bugs.cacert.org/view.php?id=964#c2249]] * dirk: has not started the virtual machine * Question from Marcus: did someone contacted illuminat? * No, Marcus: to contact illuminat * illuminat will give it a try, first needs download of testserver image * Update? * marcus: illuminat not yet seen last time * baseline requirement - keyssize >= 2048 to fix till end of 2011 * how to proceed? * dirk: 1st step, to bring win test server localy online * marcus: to contact illuminat * Do we have other developers who may pick up this project? * Marcus -> dirk: announcement of vbscript bug to developers mailing list * change keysize * merge 2 scripts to one * fix on script 1 needs fix in 2nd script too, solutions: include, one file, or comment fix script 2 too * interrupt: [[https://bugs.cacert.org/view.php?id=964|bug#964]] -> codename "BlackJack" * relates to IE8 problem, that certs cannot be created * is there a security issue with available fix? also [[https://bugs.cacert.org/view.php?id=918|bug#918]] * related 927, 901, 847 * a patch is online on testserver, but cannot found * related patch files, /pages/account/ 3,4,16,17; /include/account.php * there are other vbscript pages: ../account/ 6 + 19 * Brian [[https://bugs.cacert.org/view.php?id=964|bug#964]] * Michael: Marcus to test with IE * IE select provider only * code from Brian needs some corrections, corrections to do, 4 + 17 inclusions, checkin * notification to Brian, done * quickfix has problems too * next step(s) * check error codes / debug routines * open developer mode, create cert * resulting error: line 213, put length, wrong parameter {{{ Zeile: 213 Fehler: CertEnroll::CX509PrivateKey::put_Length: Falscher Parameter. 0x80070057 (WIN32: 87) Zeile 213: objPrivateKey.Length = &h08000000 }}} * current state: an undef error with current patch * we need someone who has experience with vbscript, to come into telco, reviews interface/api beforehand * illuminat: not before eastern * marcus: will ask users on assurance party Wed 18th Jan * 2012-01-23: * also cabforum requirement, keysize under IE limited to 1024 * how to find programmers ? * windows webserver programmers: Outlook, Citrix portals * new API's can use java, new apis have web-enabled * splitting vbscript for os revisions < vista, java for os revisions >= vista ? * NEO started development, not yet finished * next: for XP: rewrite vbscript to JavaScript === 7. next meeting === * Tuesday, May 29, 2012 22:00 CEST == Minutes == 1. Preface 1. Event planning . Luxemburg event 1. Software Assesment 1. Markus is currently busy, no response from PG 1. potential coder Steffen I. has no time before end of august 1. Magu has contact with two new tester candidates found on LUG Flensburg 1. Marcus has contact with two new tester candidates found on ATE Karlsruhe 1. bug #1023 Testing (6.php) 1. did some test and fixed small remaining bugs (removed dropdown for method when only assuer, new text for the date field as it is now prefilled with the actual date if started for the first time in a session) 1. magu and marcus tested the last version, patch ready to review by dirk and deploy to production 1. while testing on the bug we discovered a strage behavior of the WebDB and filed a dispute to this matter. 1. testing of certs patches . no progress 1. 2nd review of about patches that are ready to deploy . no progress 1. continue !BlackJack coding by Michael . no progress 1. bug fix for contact formular ([[https://bugs.cacert.org/view.php?id=1019|bug #1019]]) . Micheal changed the contact form when logged into the account so that is working now. . needs testing 1. Permissions review and revoke of board and tverify flag ([[https://bugs.cacert.org/view.php?id=1003|bug #1003]] and [[https://bugs.cacert.org/view.php?id=1038|bug #1038]]) . Michael run the permission preview script. After finding some formating stuff and fixing it, the script was run a second time. . Afterwards Michael run the script revoke of board and tverify flag. The executing report was added as private to [[https://bugs.cacert.org/view.php?id=1003|bug #1003]] . All tester please review your flags and mails on the test server and report ONLY in [[https://bugs.cacert.org/view.php?id=1003|bug #1003]]. ==== Fixed Action Items since last or within meeting ==== || Marcus || cap.php review different languages, from meeting 2012-04-24, contact translators || {+} || ==== Action Items New ==== Action items: '''[[Software/Assessment/ActionItems|Meeting Action Items]]''' ---- . CategorySoftwareAssessment