To Software Software - To Software-Assessment Software/Assessment - To previous meeting - To next meeting

Minutes of the MiniTOP on the 2012-07-31

Setting

The MiniTOP will be held via telco 22:00 CEST

Attendees: Marcus, Uli, magu, Michael, dirk, benny

Topics

(skip to agenda)

Action items from last meeting Meeting Action Items

Software/Assessment/ActionItems

all	proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems see also BEAST migration https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls Proposal from Sysadm list 2013-09-06	{0}
SA	documentation server cert design concept to SystemAdministration/Systems/Development/Prepare	{0}
all	review Software patches Update Cycle	{0}
BenBE, Marcus	documentation: developer git repos under github bug #1131 history @ github CAcertOrg @ github started under Software/Assessment/Documentation/UpdateCycle/step1	{0}
NEO	BenBe: request: htttps header on bugtracker bug #1116	{0}
all	read x509 guide	{0}
all	bug#1068 blog problem (also relates to community) debian lenny - edge - squeeze upgrades needed alternate: new server with squeeze, install wordpress, transfer domain workaround: configure your FF FAQ/BrowserClients	{g}
uli	Experience points for ATE attendance check board motions and/or trigger if not yet passed	{0}
uli	Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18 current state: see Funding Landing Page May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished	{0}
All	1. next: strategy for "New Roots & Escrow" - using indirect crl's ? indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment	{0}
dirk, Michael	3. next: strategy for "New Roots & Escrow" - how does debian work? to contact, deferred to next events (?) next round: picked up by Benedikt new proposal 2013-06-02	{0}
Uli, Michael	Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png	{0}

Development, Deployment, Discussion

OAO, Ted	bug #943 change OA admin/assurer text	needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected	{-}
uli, Ted	bug #824 Org User cert fix Case study	Organisation User Certificates: Need UI improvement for proper production usage	{0}
uli, ted	bug #823 email address removal fix	No warning when removing e-mail address from account that certificates will be revoked checked by 4, needs 2nd review, deploy rejected	{-}
inopiae	bug #920 Join - single name only (eg Indonesian)	details under bug number	{0}
uli	bug #859 admin console interface	feature request: show activity on an account in the admin interface rejected, certs login doesn't modify "modified" field	{r}
Michael	bug #540	p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing uli, marcus: needs full cert create tests duplicate report to bug#978 tested by 3, 2nd review done, transfered Ken reported: still has problems, bug kept open	{0}
gagern, NEO	bug #440 Problem with subjectAltName (CSR, renew certs)	There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development	{r}
neo	bug #1025 Domain Dispute issue	disputes rc and rc2 var prob needs work	{r}
dirk	bug #1054 0001054: Review the code regarding the new point calculation	Thawte patch part II needs further work	{r}

Software Assessors: Review 1 / add to cacert-devel, add to testserver

Software-Assessors task

Testing

Testers task

neo	bug #1004 Stats page improvement	tested by 2, needs 2nd review	{0}
neo	Bugs #1159 it might be possible to execute commands on the signing server		{0}
inopiae	bug #1065 Wrong wording when sending mails during the assurance process		{0}
inopiae	bug #1162 calcutate (the passwords) hash in php instead of in mysql	create test scenarios for the software testers $/!\$ Full testing $/!\$	{0}
inopiae	bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails		{0}
inopiae	bug #988 TTP cap form deployment		{0}

Software Assessors: 2nd Review, Bundle Package to Critical Team

Software-Assessors task

Ted	bug #500 Get contact mail adress after resolving test	tested by 3, requires review	{0}
Ted	bug #1140 Show if a test is passed in learnprogress	tested by 3, requires review	{0}
magu	bug #1131 Rename _all_ Policies from .php to .html and fix all links	global policy directory maintenance and update	{0}
inopiae	bug #1010 Reorder the view on organisation certificates	tested by 3	{0}

Software Assessors: Bundle Package to Critical Team

Software-Assessors task

inopiae

bug #1139 Add new fields to the database

tests through #500 and #1140, 2nd review done, requires transfer

{0}

Awaiting Response from Critical Team

inopiae

bug #411 Wrong text is made into link

{g}

CategorySoftwareAssessment

Agenda

1. Preface

Cebit brainstorming
- dirk: request for events report
- (2012-03-27) Marcus awaiting translation from Marc
- (2012-06-19) Marcus: translation received, will send within the next upcoming days
- (2012-06-26) Marcus: not yet finished
- 2nd draft finished
- Sat report missing
Three patches transfered:
1. bug #540 Extended Keyusage
  - Michael
    
    bug #540
    
    p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
    uli, marcus: needs full cert create tests
    duplicate report to bug#978
    
    3 {g}
    - transfered to critical
    - report by Ken in dev mailing list
    - There are references to: bug#905 "Unable to sign PDF file with Acrobat"
    - Can reports from bug #540 also be found under bug #978 bug 978 (weak keys)
    - reference bug #918 Weak keys in certificates (closed)
2. bug #789 OA edit domain fix, Editing domain for organisations does not work
  - uli, ted
    
    bug #789 OA edit domain fix
    
    Editing domain for organisations does not work
    new update 2011-09-26
    2 tests, needs 2nd review, deploy
    
    6 {g}
3. bug #1075 cap form link wrong under pages/wot/6.php
  - neo
    
    bug #1075 cap form link wrong under pages/wot/6.php
    
    cap link removed, moved to testserver
    tested by 3
    
    {g}
  - simple patch: remove links, edited by NEO, transfered to testserver, tested by 3, 2nd review done, transfered to critical

2. 2nd review of about 3 remaining patches

Software-Assessors task

Benny pre-views done

neo	bug #1024 Assurer flag is not set correctly on updatesort.php run	tested by 4, ok	2 {0}
inopiae	bug #981 OA overview (dupe of bug #943)	New layout of view for Organisation Administrators in account/id35	4 {0}
neo	bug #978 Invalid SPKAC requests are not properly validated	recheck full certs signing procedures duplicate report to bug#540	5 {0}

from meeting 2012-07-17:
- 5 patches reviewed
- 3 simple, bugs 540 (fixed), 789 (fixed), 981
- 2 with some difficultys, 978 (related to bug#540), complexest one: 1024

bug #978 bug 978 (weak keys) (bug 918)
- invalid key format, no regular error message, something wrong, error code # identified
- debugging infos from user + infos from critical team with error code #, was spkac routine
- one test done 2011-12-17 by JensK
- uli, marcus: more tests: certs routine, weak keys (small keys test), relates to bug#540 tests
- (week 7)

bug #1024 reviewed 2012-07-10

server.pl, too much changes to review in a working session, skipped $/!\$
dirk 2nd review: bug #1024 Assurer flag is not set correctly on updatesort.php run
- michael: fix assurer flag from library
  - with userid for one special user
  - w/o userid, for all users
- to continue upcoming week
- see also 3.1 "Thawte points removal, final step"

neo	bug #1024 Assurer flag is not set correctly on updatesort.php run	tested by 4, ok	2 {0}
inopiae	bug #981 OA overview (dupe of bug #943)	New layout of view for Organisation Administrators in account/id35	4 {0}
neo	bug #978 Invalid SPKAC requests are not properly validated	recheck full certs signing procedures duplicate report to bug#540	5 {0}

3. Patches Overview - DEV and Testing

bug #1023 Testing (6.php)
1. Thawte points removal, final step
  - last patch transfered to production system 2012-05-30
2. what are the next steps for thawte points revoke?
  - points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
  - 15.php needs rename to 10.php
  - cannot move forward without dirk
Bugs under Testing
English Translation Problems
- how to handle typing error in web phrase Software/TranslationMisspelling
  - "Can't continue with certificaterequest." in ../includes/account.php:341 ../includes/account.php:1482
  - create shared bug
  - probably make part a. and b. a. that is clear, b. that is questionable
  - new bug #1086
Marcus Bugs list
- see also Software/BugsOverview
- bug#1023 related
  - bug#583 "Assure Somebody" allows future assurance dates
  - bug#648 send message from Assurer to Member
  - bug#802 Name parts should be designated in assurance form
  - bug#870 My Details - My Points show bugus time stamp
  - bug#914 Information about Practice on Name while entering an Assurance
  - bug#930 types wrong points in "Assure Someone" form
  - bug#931 Date of assurance in future don't throw any exception
  - bug#998 When entering an assurance in the WoT one line of the form the suffix is given in another line the suffix is missing.
  - bug#1000 Entering an assurance into the system after searching for an assurer causes a pre-filled location field
- Others
  - bug#118 Secure TTP Form upload - outdated, conflicts with new procedure, closed
  - bug#428 Reminder language-drop-down-box doesn't keep "English" if you choose it again - cannot be reproduced, tested by 2, closed
  - bug#489 Pb on rewarding 2 points for an assurance
  - bug#567 case sensitive email: tested by 2, cannot be confirmed, closed
  - bug#767 Single-quotes escaped in Web-of-Trust contact form.
- info pages to wiki pages
  - starting bug #671. there still exist a bug# bug #740 (How to become an assurer is missleading)
- bug #491 "Please allow usage of "secondary" emails user ids." - proposes: Close with rejected
  - ```
    * username/password half of the combination is known to potential attacker
    * login prevents login to several email addresses
    * acceptance to several email addresses is prevented
    * no notification if primary email address has been changed
    * note regarding Policy Group
    * dirk: proposal: response email address exists, but isn't primary email ?
     * create new account results in "email address exists"
     * what is a proper response?
     * requestor has to be an assurer for assure someone
    * neo: for registration process chaptcha required
    * no good solution
    * for assurance only primary, for all other services allow also secondary addresses
     * search needs enhancement: search not only primary, also secondary
```
- bug #571 "need for email addresses (or link) in admin console" - proposes: Closed with solved by other bug fix
```
  * primary and secondary email addresses are shown in admin console
```
- bug #591 "CPS has to be improved for audit." - proposes: Closed
```
  * CPS is a working revision also DRAFT revision included
  * relates to policy repository bug# final place finding
```
- addtl. groups:
  1. OA
  2. CCA rollout
  3. TTP
bug #1025 "Domain Dispute strange behaviour / Domain Dispute issue", checked
- wrong description, problem removing domains, bugfix solves this problem
- async removal of certs by signer
- needs review and testing
- inopiae will try testing on upcoming weekend
- to test: email- and domain dispute
bug #922 "CAcert application code problem causing missing 'certificate about to expire' messages", checked
- patch seems to be ok
- white spaces cleanup
- includes/account.php var $id shall be fixed within recursion, new bug #1078
- 2 tests initiated by inopiae and u60
- principle ok, but very confusing
- test reports Marcus:
  - discussions, Marcus got 71 or 72 notifications
  - Neo: default 5 notifications: 45d, 30d, 15d, 3d, 1d
- bug #922 test report / review
  - one test account, 1 client cert, 1 server cert, received 105 (1) reminders (!!!)
  - 15 reminders checked, 1 for client cert, 14 for server cert (!!!)
  - needs further inspection
- Bug Testing / Reporting bug #922 difficult
  - Marcus writes a tool to collect Email infos from TMS
bug #1019 "Contact form does not work when logged in"
- Michael: rework contact form
  - usability: 1 form, option box with public/support delivery, default support
  - current form 1: public, form 2: private
  - spam prevention via java, on disabled java the mail is marked [possible spam]
- mass mailing possible if adding multiple emails separated by commas
- account.php - email address from sender, no address validation, several other places it passes address validation
- neo: why not use primary email address?
  - works only if logged-in
- index?id=11 has also been changed
- url was hardcoded
- account.php?id=14
- sendmail() routine in includes/mysql.php
Findings from David
1. (char) 160 is problematic in various locales, as it appears as whitespace (160 is not a particularly good val either in ISO-8859-1) in certs
  - todo: doing whitelist of allowable chars
  - \xA0 is a problem too (at least in Win32/64)
  - todo: file a new bug#
2. subjectAltName is occasionally not checked for problems
  - todo: file a new bug#

4. Benny reviews

5. New SA candidates and Coders

ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before 2012-08-10 - 2012-08-11 BarCamp kiel
- ABC Benny
- ABC Benny, no fixed date set yet
ABC David
- ABC David
Heino, not yet prepared, needs first contact
How to find coders? Experiences from the Gentoo project
- http://redmonk.com/dberkholz/2012/07/10/how-to-recruit-open-source-contributors/
- http://www.slideshare.net/dberkholz/lessons-on-recruiting-open-source-contributors-from-the-google-summer-of-code
- use as blueprint for other recruits?

6. Long Term Projects

NEO: "BlackJack" bug #964
- 2012-07-17 NEO: has finished IE patch, http://cacert.nhng.de/IEkeygen/keygen.html
- meeting 2012-07-24: working session: testing "Black Jack"
  - marcus: tested chrome
  - marcus, uli: enable-login flag set after key has been signed with unset flag on request, fixed
- 2012-07-24 working session
  1. NEO: (964) enable-login flag fixed, to transfer to testserver
  2. NEO: org-certs prob
  3. ben: "Bei den Fehlermeldungen der Statuscodes bitte Hex und Int angeben. Au?erdem beim Ablehnen der Best?tigungsmeldungen die Fehlermeldung etwas aussagekr?ftiger."
    - "Fehler: Nachricht (0x80000095 / -2147.....)"
    - error messages on ms website: http://msdn.microsoft.com/en-us/library/ms953432.aspx#smartcardcspcook_topic3
  4. magu: tests bug #964
    - error messages:
      - available key sizes: 512-1024 Bit (in 64 Bit steps)
      - Schlumberger CSP, Keysize 1024 --> 2146435043
      - Infineon SICRYPT Base Smart Card CSP Keysize Nothing Error_ (-7feff92 / -2146434962)
Marek's sql class project:
- is working on charset replacement
api project, Carsten continues with portal project not waiting for vendor-api to be delivered
- potential candidates for development
  1. Marek's sql class proposal
    - needs probably db upgrades
    - needs addtl. indices
    - needs testing
  2. archaios
    - builds daemon as unpreviliged user
- vendor-api delayed
  - no coders
  - other projects
  - related to sql class project
- portal project continues with a workaround, needs an assurer
- arbitration case on locations database orders outsourcing of find-an-assurer asap
- with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)

7. next meeting

Tuesday, August 7th, 2012 22:00 CEST

Minutes

Preface
1. Support issue sub-ca or ...
2. Some infos from ATE-Melbourne
3. reminder for ATE-Raleigh, proposed 2012-08-11
  - whats about RedHat meeting?
4. Cebit brainstorming
  - dirk: request for events report
  - 2nd draft finished
  - Sat report missing, Uli sent a report 2012-03-22 (with wiki link Assurance/Procedures/RLO
  - Marcus to compile final report
5. Marcus: getting timeline from dirk for upcoming patches and reviews
6. bug#3 "Single Character Middle Initial clear name from subject" still open
  - tested, problem no longer exist, issue closed
7. Marcus/Neo: gettext routine

Whats about bug #540 Extended Keyusage - related patches

report by Ken in dev mailing list

potential 2 problems
1. test before patch comes in effect
2. root keys from production system not installed

differences between production and testserver roots/class3 roots ?

production root

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 CRL Distribution Points: 
                URI:https://www.cacert.org/revoke.crl

            Netscape CA Revocation Url: 
                https://www.cacert.org/revoke.crl
            Netscape CA Policy Url: 
                http://www.cacert.org/index.php?id=10
            Netscape Comment: 
                To get your own certificate for FREE head over to http://www.cacert.org

testserver root

            X509v3 Basic Constraints: critical
                CA:TRUE
            Authority Information Access: 
                OCSP - URI:http://ocsp.CAcert.org/
                CA Issuers - URI:http://www.CAcert.org/ca.crt

            X509v3 Certificate Policies: 
                Policy: Security
                  CPS: http://www.CAcert.org/index.php?id=10

            Netscape CA Policy Url: 
                http://www.CAcert.org/index.php?id=10
            Netscape Comment: 
                To get your own certificate for FREE, go to http://www.CAcert.org

production class3

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.18506
                  CPS: http://www.CAcert.org/index.php?id=10

testserver class3

            X509v3 Certificate Policies: 
                Policy: Security
                  CPS: http://www.CAcert.org/index.php?id=10

main difference: OCSP / CRL links in root cert
test scenario
- create new root identical to production root
- existing config file results in the current testserver root, in svn
- svn copy of config has been added late (Dec 2010)
- SVN:/CAcert/SystemAdministration/signer/ssl

There are references to: bug#905 "Unable to sign PDF file with Acrobat"
- who can test acrobat ???
Can reports from bug #540 also be found under bug #978 bug 978 (weak keys)
reference bug #918 Weak keys in certificates (closed)

bug #1023 Testing (6.php)
1. Thawte points removal, final step
  - last patch transfered to production system 2012-05-30
2. what are the next steps for thawte points revoke?
  - points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
  - 15.php needs rename to 10.php
  - cannot move forward without dirk
3. when?
  - blocked by software-reviews
    - Marcus: reviews dirk is doing only in meetings
  - upcoming week ?
bug #1088 report analyze
- possible spam, removed
NEO: "BlackJack" bug #964 testing from last week -> error codes
- not yet implemented
meta discussion: SA not working, Arbitration not working
- SA work, review, coding, Arbitration work, DRO
next meeting: Tuesday, August 7th, 2012 22:00 CEST

Fixed Action Items since last or within meeting

Michael	bug #540	p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing uli, marcus: needs full cert create tests duplicate report to bug#978	3 {g}
uli, ted	bug #789 OA edit domain fix	Editing domain for organisations does not work new update 2011-09-26 2 tests, needs 2nd review, deploy more fixes, more testing	6 {g}
neo	bug #1075 cap form link wrong under pages/wot/6.php	cap link removed, moved to testserver tested by 3	{g}

bug#3 "Single Character Middle Initial clear name from subject" still open
- tested, problem no longer exist, issue closed
bug #1088 report analyze
- possible spam, removed

Action Items New

Action items: Meeting Action Items

CategorySoftwareAssessment

Software/Assessment/20120731-S-A-MiniTOP (last edited 2012-08-07 18:36:39 by UlrichSchroeter)