
= Minutes of the MiniTOP on the 2012-07-24 =

== Setting ==
The MiniTOP will be held via telco at 22:00 CEST

Attendees: Marcus, Uli, Benny, dirk, Michael, magu


== Topics ==

(skip to [[#AGENDA|agenda]])

Action items from last meeting '''[[Software/Assessment/ActionItems|Meeting Action Items]]''' 
<<Include(Software/Assessment/ActionItems)>> 



<<Anchor(AGENDA)>>
== Agenda ==

## last full agenda https://wiki.cacert.org/Software/Assessment/20120228-S-A-MiniTOP


=== 1. Preface ===
 1. Cebit brainstorming
  * dirk: request for events report
  * (2012-03-27) Marcus awaiting translation from Marc
  * (2012-06-19) Marcus: translation received, will send within the next upcoming days
  * (2012-06-26) Marcus: not yet finished
  * 2nd draft finished
  * Sat report missing

=== 2. 2nd review of about 5 patches ===

 ||<#ff8080> '''Software-Assessors task''' ||

 1. Benny pre-views done
  || neo || [[https://bugs.cacert.org/view.php?id=1024|bug #1024]] Assurer flag is not set correctly on updatesort.php run || tested by 4, ok || 2 {0} ||
  || Michael || [[https://bugs.cacert.org/view.php?id=540|bug #540]] || p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing<<BR>>uli, marcus: needs full cert create tests<<BR>>duplicate report to bug#978 || 3 {0} ||
  || inopiae || [[https://bugs.cacert.org/view.php?id=981|bug #981]] OA overview (dupe of [[https://bugs.cacert.org/view.php?id=943|bug #943]]) || New layout of view for Organisation Administrators in account/id35 || 4 {0} ||
  || neo || [[https://bugs.cacert.org/view.php?id=978|bug #978]] Invalid SPKAC requests are not properly validated || recheck full certs signing procedures<<BR>>duplicate report to bug#540 || 5 {0} ||
  || uli, ted || [[https://bugs.cacert.org/view.php?id=789|bug #789]] OA edit domain fix || Editing domain for organisations does not work<<BR>>new update 2011-09-26<<BR>>2 tests, needs 2nd review, deploy || 6 {0} ||

  * for #540 uli has sent a short summary to dirk
  * from meeting 2012-07-17:
   * 5 patches reviewed
   * 3 simple, bugs 540 (mostly check policy text), 789, 981
   * 2 with some difficulties, the most complex one: 1024

 1. [[https://bugs.cacert.org/view.php?id=789|bug #789]] OA edit domain fix, Editing domain for organisations does not work<<BR>>new update 2011-09-26<<BR>>2 tests, needs 2nd review, deploy<<BR>>more fixes, more testing
  * 2nd review of 1 patch
   * Michael cannot do, needs doing by dirk (or other Software-Assessor, who else?)
  * [[https://bugs.cacert.org/view.php?id=789|bug #789]] reviewed: 2012-07-10
   * what is /pages/account/29.php for?  edit org domain
   * (pc vm crashed)
  * 2012-07-17: dirk review bug 789, OA edit domain fix, Editing domain for organisations does not work - started
   * gitdiff origin/release..origin/bug789
   * [[https://bugs.cacert.org/view.php?id=789|bug #789]] reviewed: 2012-07-10
    * what is /pages/account/29.php for?  edit org domain
    * phone accu breaks

 1. [[https://bugs.cacert.org/view.php?id=978|bug #978]] bug 978 (weak keys) (bug 918)
  * invalid key format, no regular error message, something wrong, error code # identified
  * debugging infos from user + infos from critical team with error code #, was spkac routine
  * one test done 2011-12-17 by JensK
  * uli, marcus: more tests: certs routine, weak keys (small keys test), relates to [[https://bugs.cacert.org/view.php?id=540|bug#540]] tests
  * (week 7)

 1. [[https://bugs.cacert.org/view.php?id=540|bug#540]] No key usage attribute in cacert org certs anymore?
  * also: [[https://bugs.cacert.org/view.php?id=905|bug#905]]
  * Policy group discussion - Extended key usage -> [[PolicyDecisions#p20111113|p20111113]], motion CARRIED
  * deployment
   1. prepare fixes -> Michael to prepare diffs, against svn
   1. sending to testserver
   1. transfer to critical system
  * (2011-12-13) approx 2 weeks to write the fix, approx 2 months to go
  * Michael did transfer the patch to testserver
   * signer code update
   * changes against svn
   * uli, to add to tester portal, done
   * uli to inform testers about new tests
   * test report from kenneth to transfer to report (email from 2011-12-25)
    * Michael: where to find the report from kenneth? link?
    * NEO has added the report (written to private dl)
   * who has adobe 8 for testing?
    * magu has, please test
   * next: needs testing (week 6)
    * uli, marcus: needs full cert create tests
    * uli (2012-01-25): sent notification to software testers
    * awaiting testing ... problem FULL test, including all possible variations with certs creation
    * also to report under [[https://bugs.cacert.org/view.php?id=978|bug #978]] bug 978 (weak keys) (bug 918)
   * Testers: test all cert variations, functions
  * dirk 2nd review of patches, reviewed 2012-07-10
   * [[https://bugs.cacert.org/view.php?id=540|bug #540]]
   * diff line 23ff unclear, what does section ($root==2) mean?
   * also unclear: else section $CRLUrl="http://crl.cacert.org/root${root}.crl";
   * skipped /!\
  * gitdiff origin/release..origin/bug540
   * dirk 2nd review of patches, reviewed 2012-07-10
    * [[https://bugs.cacert.org/view.php?id=540|bug #540]]
    * diff line 23ff unclear, what does section ($root==2) mean?
     * class 3 server (in signer), comm module, each root client certs, there is a config #, root=0 class1, root=1 class3, root=2 newroots project class3s.crl (from 2008 new roots project)
     * root=2 not avail on current system
    * also unclear: else section $CRLUrl="http://crl.cacert.org/root${root}.crl";
     * 5 root vars defined (in client.pl)
     * crl for other keys, not class1, class3. all other keys not active on current system
    * server.pl: root.crl, class3, class3s, for further still unused keys
    * related policy decision: [[https://wiki.cacert.org/PolicyDecisions#p20111113]]
    * review ok
  * first round of 2nd review done at meeting 2012-07-17
   * config files not reviewed, 2nd review not finished

 1. [[https://bugs.cacert.org/view.php?id=1024|bug #1024]] reviewed 2012-07-10
  * server.pl, too much changes to review in a working session, skipped /!\

 || neo || [[https://bugs.cacert.org/view.php?id=1024|bug #1024]] Assurer flag is not set correctly on updatesort.php run || tested by 4, ok || 2 {0} ||
 || Michael || [[https://bugs.cacert.org/view.php?id=540|bug #540]] || p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing<<BR>>uli, marcus: needs full cert create tests<<BR>>duplicate report to bug#978 || 3 {0} ||
 || inopiae || [[https://bugs.cacert.org/view.php?id=981|bug #981]] OA overview (dupe of [[https://bugs.cacert.org/view.php?id=943|bug #943]]) || New layout of view for Organisation Administrators in account/id35 || 4 {0} ||
 || neo || [[https://bugs.cacert.org/view.php?id=978|bug #978]] Invalid SPKAC requests are not properly validated || recheck full certs signing procedures<<BR>>duplicate report to bug#540 || 5 {0} ||
 || uli, ted || [[https://bugs.cacert.org/view.php?id=789|bug #789]] OA edit domain fix || Editing domain for organisations does not work<<BR>>new update 2011-09-26<<BR>>2 tests, needs 2nd review, deploy<<BR>>more fixes, more testing || 6 {0} ||

=== 3. Patches Overview - DEV and Testing ===
 1. bug #1023 Testing (6.php)
  1. Thawte points removal, final step
   * last patch transferred to production system 2012-05-30
  1. what are the next steps for thawte points revoke?
   * points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
   * 15.php needs rename to 10.php
   * cannot move forward without dirk
 1. Bugs under Testing
  1. [[https://bugs.cacert.org/view.php?id=1075|bug #1075]] cap form link wrong under pages/wot/6.php
  || neo || [[https://bugs.cacert.org/view.php?id=1075|bug #1075]] cap form link wrong under pages/wot/6.php || cap link removed, moved to testserver || {0} ||
   * data protection problem to pickup user data before assurance f2f meeting starts
   * what does "assurance process" mean? the assurance "process" starts with the request of an assuree to an assurer to do an assurance of the assuree
   * problem in ttp process too, to have a view over data before f2f meeting and signed cap is in the hands of an assurer. ttp-admin can request confirmation from ttp-user to access online data
   * simple patch: remove links
   * edited by NEO: transferred to testserver

 1. Marcus Bugs list
  * see also [[Software/BugsOverview]]

  * [[https://bugs.cacert.org/view.php?id=1023|bug#1023]] related
   * [[https://bugs.cacert.org/view.php?id=583|bug#583]] "Assure Somebody" allows future assurance dates
   * [[https://bugs.cacert.org/view.php?id=648|bug#648]] send message from Assurer to Member
   * [[https://bugs.cacert.org/view.php?id=802|bug#802]] Name parts should be designated in assurance form
   * [[https://bugs.cacert.org/view.php?id=870|bug#870]] My Details - My Points show bogus time stamp
   * [[https://bugs.cacert.org/view.php?id=914|bug#914]] Information about Practice on Name while entering an Assurance
   * [[https://bugs.cacert.org/view.php?id=930|bug#930]] types wrong points in "Assure Someone" form
   * [[https://bugs.cacert.org/view.php?id=931|bug#931]] Date of assurance in future don't throw any exception
   * [[https://bugs.cacert.org/view.php?id=998|bug#998]] When entering an assurance in the WoT one line of the form the suffix is given in another line the suffix is missing.
   * [[https://bugs.cacert.org/view.php?id=1000|bug#1000]] Entering an assurance into the system after searching for an assurer causes a pre-filled location field
  * Others
   * [[https://bugs.cacert.org/view.php?id=118|bug#118]] Secure TTP Form upload - outdated, conflicts with new procedure, closed
   * [[https://bugs.cacert.org/view.php?id=428|bug#428]] Reminder language-drop-down-box doesn't keep "English" if you choose it again - cannot be reproduced, tested by 2, closed
   * [[https://bugs.cacert.org/view.php?id=489|bug#489]] Pb on rewarding 2 points for an assurance
   * [[https://bugs.cacert.org/view.php?id=567|bug#567]] case sensitive email: tested by 2, cannot be confirmed, closed
   * [[https://bugs.cacert.org/view.php?id=767|bug#767]] Single-quotes escaped in Web-of-Trust contact form.
  * info pages to wiki pages
   * starting with [[https://bugs.cacert.org/view.php?id=671|bug #671]]; there still exists a bug#: [[https://bugs.cacert.org/view.php?id=740|bug #740]] (How to become an assurer is misleading)

  * [[https://bugs.cacert.org/view.php?id=491|bug #491]] "Please allow usage of "secondary" emails user ids." - proposes: Close with rejected
   {{{
  * username/password half of the combination is known to potential attacker
  * login prevents login to several email addresses
  * acceptance to several email addresses is prevented
  * no notification if primary email address has been changed
  * note regarding Policy Group
  * dirk: proposal: response email address exists, but isn't primary email ?
   * create new account results in "email address exists"
   * what is a proper response?
   * requestor has to be an assurer for assure someone
  * neo: for registration process captcha required
  * no good solution
  * for assurance only primary, for all other services allow also secondary addresses
   * search needs enhancement: search not only primary, also secondary
}}}

  * [[https://bugs.cacert.org/view.php?id=571|bug #571]] "need for email addresses (or link) in admin console" - proposes: Closed with solved by other bug fix
  {{{
  * primary and secondary email addresses are shown in admin console
}}}

  * [[https://bugs.cacert.org/view.php?id=591|bug #591]] "CPS has to be improved for audit." - proposes: Closed
  {{{
  * CPS is a working revision also DRAFT revision included
  * relates to policy repository bug# final place finding
}}}

  * addtl. groups:
   a. OA
   a. CCA rollout
   a. TTP

 1. [[https://bugs.cacert.org/view.php?id=1025|bug #1025]] "Domain Dispute strange behaviour / Domain Dispute issue", checked
  * wrong description, problem removing domains, bugfix solves this problem
  * async removal of certs by signer
  * needs review and testing
  * inopiae will try testing on upcoming weekend
  * to test: email- and domain dispute

 1. [[https://bugs.cacert.org/view.php?id=922|bug #922]] "CAcert application code problem causing missing 'certificate about to expire' messages", checked
  * patch seems to be ok
  * white spaces cleanup
  * includes/account.php var $id shall be fixed within recursion, new [[https://bugs.cacert.org/view.php?id=1078|bug #1078]]
  * 2 tests initiated by inopiae and u60
  * principle ok, but very confusing
  * test reports Marcus:
   * discussions, Marcus got 71 or 72 notifications
   * Neo: default 5 notifications: 45d, 30d, 15d, 3d, 1d
  * [[https://bugs.cacert.org/view.php?id=922|bug #922]] test report / review
   * one test account, 1 client cert, 1 server cert, received 105 (1) reminders (!!!)
   * 15 reminders checked, 1 for client cert, 14 for server cert (!!!)
   * needs further inspection
  * Bug Testing / Reporting bug #922 difficult
   * Marcus writes a tool to collect Email infos from TMS 

 1. [[https://bugs.cacert.org/view.php?id=1019|bug #1019]] "Contact form does not work when logged in"
  * Michael: rework contact form
   * usability: 1 form, option box with public/support delivery, default support
   * current form 1: public, form 2: private
   * spam prevention via java, on disabled java the mail is marked [possible spam]
  * mass mailing possible if adding multiple emails separated by commas
  * account.php - email address from sender, no address validation, several other places it passes address validation
  * neo: why not use primary email address?
   * works only if logged-in
  * index?id=11 has also been changed
  * url was hardcoded
  * account.php?id=14
  * sendmail() routine in includes/mysql.php
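Added example, not CAcert's own account.php / sendmail() code: a strict single-address check of the kind that would close the two paths noted above (comma-separated address lists, and an unvalidated sender address from the form), written in Python as a standalone illustration. The function names, the regular expression and the placeholder support address are my assumptions.

```python
import re

# Constructed illustration, not the CAcert contact-form code.
# Exactly one mailbox and one domain containing a dot; no whitespace, no separators.
SINGLE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")

# Any of these turns one address field into several recipients or extra headers
SEPARATORS = ",;\r\n\t "


def validate_single_address(raw):
    """Return (ok, reason). Accepts exactly one plain address, nothing else."""
    if not isinstance(raw, str) or not raw:
        return False, "empty"
    if any(c in raw for c in SEPARATORS):
        # 'a@x.org,b@y.org' (mass mailing) and 'a@x.org\nBcc: ...' both stop here
        return False, "address list or line break in address field"
    if len(raw) > 254:
        return False, "too long"
    if not SINGLE_ADDRESS.fullmatch(raw):
        return False, "not a single well-formed address"
    return True, "ok"


def build_contact_headers(form_sender, session_primary, form_subject):
    """Compose the header set for one contact mail.

    A logged-in user's sender is the account's primary address (neo's
    suggestion in the minutes), not whatever the form carried. Otherwise the
    form value must pass validate_single_address().
    """
    if session_primary is not None:
        sender = session_primary
    else:
        ok, reason = validate_single_address(form_sender)
        if not ok:
            raise ValueError("sender rejected: " + reason)
        sender = form_sender
    # The subject is header material too: CR/LF must not reach the mail
    subject = form_subject.replace("\r", " ").replace("\n", " ")[:200]
    # Placeholder destination; the real support address is not on this page
    return {"From": sender, "To": "support@example.invalid", "Subject": subject}
```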

 1. Findings from David
  1. (char) 160 is problematic in various locales, as it appears as whitespace in certs (160 is not a particularly good value in ISO-8859-1 either)
   * todo: doing whitelist of allowable chars
   * \xA0 is a problem too (at least in Win32/64)
   * todo: file a new bug#
  1. subjectAltName is occasionally not checked for problems
   * todo: file a new bug#
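Added example, not CAcert's request-handling code: a whitelist check for certificate subject fields and subjectAltName dNSName entries, as a Python illustration of the two findings above. The exact whitelist and the function names are my assumptions; the point is that U+00A0 (byte 0xA0 in ISO-8859-1, i.e. "(char) 160") and every other non-standard space or control character is refused instead of being passed into a certificate, and that each SAN entry is checked as well.

```python
import re
import unicodedata

# Constructed illustration; the whitelist below is an assumption, not CAcert's.
# Plain ASCII space is the only separator a name field may contain.
NAME_EXTRA = set(" '.-")
# One DNS label: 1..63 chars of [A-Za-z0-9-], not starting or ending with '-'
DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_subject_field(value, max_len=64):
    """Return (ok, reason) for a CN/O/OU style text field given as str."""
    if not value or len(value) > max_len:
        return False, "empty or longer than %d" % max_len
    for ch in value:
        cat = unicodedata.category(ch)
        if ch in NAME_EXTRA or cat.startswith("L") or cat == "Nd":
            continue  # letters of any script, decimal digits, space ' . -
        # Zs (other spaces such as U+00A0), Cc/Cf controls, symbols, punctuation
        return False, "disallowed character U+%04X (%s)" % (ord(ch), cat)
    if value != value.strip():
        return False, "leading or trailing space"
    return True, "ok"


def check_dns_san(name):
    """Return (ok, reason) for one subjectAltName dNSName entry."""
    if not name or len(name) > 253:
        return False, "empty or too long"
    labels = name.split(".")
    if len(labels) < 2:
        return False, "need at least two labels"
    for i, label in enumerate(labels):
        if i == 0 and label == "*":
            continue  # wildcard accepted only as the whole left-most label
        if not DNS_LABEL.fullmatch(label):
            return False, "bad label %r" % label
    return True, "ok"


def check_request(subject, sans):
    """Validate every field of a request; return the list of problems found."""
    problems = []
    for key, val in subject.items():
        ok, why = check_subject_field(val)
        if not ok:
            problems.append("%s: %s" % (key, why))
    for san in sans:
        ok, why = check_dns_san(san)
        if not ok:
            problems.append("SAN %r: %s" % (san, why))
    return problems


# Constructed sample: bytes received as ISO-8859-1, 0xA0 decodes to U+00A0
LATIN1_SAMPLE = b"Max\xa0Mustermann".decode("iso-8859-1")
```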



=== 4. Benny reviews ===
 
=== 5. New SA candidates and Coders ===

 1. ABC Benny - possibly Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before 2012-08-10 - 2012-08-11 BarCamp Kiel
  * [[Arbitrations/a20120703.1|ABC Benny]]
  * ABC Benny, no fixed date set yet
 1. ABC David
  * [[Arbitrations/a20120721.1|ABC David]]
 1. How to find coders? Experiences from the Gentoo project
  * [[http://redmonk.com/dberkholz/2012/07/10/how-to-recruit-open-source-contributors/]]
  * [[http://www.slideshare.net/dberkholz/lessons-on-recruiting-open-source-contributors-from-the-google-summer-of-code]]
  * use as blueprint for other recruits?

=== 6. English Translation Problems ===

 * how to handle typing error in web phrase [[Software/TranslationMisspelling]]
  * "Can't continue with certificaterequest." in ../includes/account.php:341 ../includes/account.php:1482
  * create shared bug
  * probably make part a. and b. a. that is clear, b. that is questionable
  * new [[https://bugs.cacert.org/view.php?id=1086|bug #1086]]

=== 7. Long Term Projects ===

 1. NEO: "BlackJack" [[https://bugs.cacert.org/view.php?id=964|bug #964]]
  * 2012-07-17 NEO: has finished IE patch, [[http://cacert.nhng.de/IEkeygen/keygen.html]]
  * will prepare a working patch and will transfer to testserver within the next 7 days

 1. Marek's sql class project:
  * is working on charset replacement

 1. api project, Carsten continues with portal project not waiting for vendor-api to be delivered
  * potential candidates for development
   1. Marek's sql class proposal
    * needs probably db upgrades
    * needs addtl. indices
    * needs testing
   1. archaios
    * builds daemon as unprivileged user
  * vendor-api delayed
   * no coders
   * other projects
   * related to sql class project
  * portal project continues with a workaround, needs an assurer
  * arbitration case on locations database orders outsourcing of find-an-assurer asap
  * with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)

=== 8. next meeting ===
 * Tuesday, July 31, 2012 22:00 CEST


== Minutes ==

 1. Preface
  1. working session: testing "Black Jack" [[https://bugs.cacert.org/view.php?id=964|bug #964]]
   * benny, did not find time for testing
   * marcus: tested chrome
   * marcus, uli: enable-login flag set after key has been signed with unset flag on request
  1. benny: cryptic graphics on main testserver page
   * identified as crippled googleads

 1. dirk 2nd review: [[https://bugs.cacert.org/view.php?id=540|bug#540]] No key usage attribute in cacert org certs anymore?
  * first round of 2nd review done at meeting 2012-07-17
   * config files not reviewed, 2nd review not finished
  * download configs
   * [[https://bugs.cacert.org/file_download.php?file_id=249&type=bug]]
   * diff line 37: ocsp ... conf to create ocsp certs
   * review done, ok, tested by 3, good to go

 1. working session
  1. black-jack
   1. NEO: (964) enable-login flag fixed, to transfer to testserver
   1. NEO: org-certs prob
   1. ben: "For the error messages of the status codes, please give both hex and int. Also, when the confirmation prompts are declined, make the error message somewhat more meaningful."
    * "Fehler: Nachricht (0x80000095 / -2147.....)"
  1. Magu: to test bug #1075
   * also bug #964
  1. error messages:
   * available key sizes: 512-1024 Bit (in 64 Bit steps)
   * Schlumberger CSP, Keysize 1024 --> 2146435043
   * Infineon SICRYPT Base Smart Card CSP Keysize Nothing  Error_ (-7feff92 / -2146434962)
   * error messages on ms website: [[http://msdn.microsoft.com/en-us/library/ms953432.aspx#smartcardcspcook_topic3]]

 1. dirk 2nd review: [[https://bugs.cacert.org/view.php?id=1075|bug#1075]] cap form link wrong under pages/wot/6.php
  || neo || [[https://bugs.cacert.org/view.php?id=1075|bug #1075]] cap form link wrong under pages/wot/6.php || cap link removed, moved to testserver || {0} ||
  * 2nd review done, ok, good to go, tested by 3

 1. dirk 2nd review: [[https://bugs.cacert.org/view.php?id=789|bug #789]] OA edit domain fix, Editing domain for organisations does not work<<BR>>new update 2011-09-26<<BR>>2 tests, needs 2nd review, deploy<<BR>>more fixes, more testing
  * 2012-07-17: dirk review bug 789, OA edit domain fix, Editing domain for organisations does not work - started
   * gitdiff origin/release..origin/bug789
   * [[https://bugs.cacert.org/view.php?id=789|bug #789]] reviewed: 2012-07-10
    * what is /pages/account/29.php for?  edit org domain
    * phone accu breaks
  * request domid instead of config/domid to prevent multiple window interactions
  * 2nd review ok, tested by 2, good to go

 1. NEO transferring to critical:
  1. [[https://bugs.cacert.org/view.php?id=540|bug#540]]
  1. [[https://bugs.cacert.org/view.php?id=1075|bug#1075]]
  1. [[https://bugs.cacert.org/view.php?id=789|bug#789]]

 1. dirk question: state of ABC's for SA's
  * 2 ABCs filed for Ben and David
  * Heino, not yet prepared

 1. dirk 2nd review: [[https://bugs.cacert.org/view.php?id=1024|bug #1024]] Assurer flag is not set correctly on updatesort.php run
  * michael: fix assurer flag from library
   * with userid for one special user
   * w/o userid, for all users
  * to continue upcoming week


==== Fixed Action Items since last or within meeting ====


==== Action Items New ====



Action items: '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''

----
 . CategorySoftwareAssessment