- To Software Software - To Software-Assessment Software/Assessment - To previous meeting - To next meeting 
Minutes of the MiniTOP on the 2013-01-08
Setting
The MiniTOP will be held via telco 22:00 CET (21:00 UTC)
Attendees: inopiae, magu, uli
Topics
(skip to agenda)
Action items from last meeting Meeting Action Items
Software/Assessment/ActionItems
- all - proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems 
 see also BEAST migration https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
 Proposal from Sysadm list 2013-09-06- {0} - SA - documentation server cert design concept to SystemAdministration/Systems/Development/Prepare - {0} - all - {0} - BenBE, Marcus - documentation: developer git repos under github 
 bug #1131 history @ github
 CAcertOrg @ github
 started under Software/Assessment/Documentation/UpdateCycle/step1- {0} - NEO - {0} - all - read x509 guide - {0} - all - bug#1068 blog problem (also relates to community) 
 debian lenny - edge - squeeze upgrades needed
 alternate: new server with squeeze, install wordpress, transfer domain
 workaround: configure your FF FAQ/BrowserClients- {g} - uli - Experience points for ATE attendance 
 check board motions and/or trigger if not yet passed- {0} - uli - Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18 
 current state: see Funding Landing Page
 May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished- {0} - All - 1. next: strategy for "New Roots & Escrow" - using indirect crl's ? 
 indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment- {0} - dirk, Michael - 3. next: strategy for "New Roots & Escrow" - how does debian work? 
 to contact, deferred to next events (?)
 next round: picked up by Benedikt new proposal 2013-06-02- {0} - Uli, Michael - Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png - {0} 
Development, Deployment, Discussion
- OAO, Ted - bug #943 change OA admin/assurer text - needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected - {-} - uli, Ted - bug #824 Org User cert fix Case study - Organisation User Certificates: Need UI improvement for proper production usage - {0} - uli, ted - bug #823 email address removal fix - No warning when removing e-mail address from account that certificates will be revoked 
 checked by 4, needs 2nd review, deploy
 rejected- {-} - inopiae - bug #920 Join - single name only (eg Indonesian) - details under bug number - {0} - uli - bug #859 admin console interface - feature request: show activity on an account in the admin interface 
 rejected, certs login doesn't modify "modified" field- {r} - Michael - p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing 
 uli, marcus: needs full cert create tests
 duplicate report to bug#978
 tested by 3, 2nd review done, transfered
 Ken reported: still has problems, bug kept open- {0} - gagern, NEO - bug #440 Problem with subjectAltName (CSR, renew certs) - There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development - {r} - neo - bug #1025 Domain Dispute issue - disputes rc and rc2 var prob 
 needs work- {r} - dirk - bug #1054 0001054: Review the code regarding the new point calculation - Thawte patch part II 
 needs further work- {r} 
Software Assessors: Review 1 / add to cacert-devel, add to testserver
- Software-Assessors task 
Testing
- Testers task - neo - bug #1004 Stats page improvement - tested by 2, needs 2nd review - {0} - neo - Bugs #1159 it might be possible to execute commands on the signing server - {0} - inopiae - bug #1065 Wrong wording when sending mails during the assurance process - {0} - inopiae - bug #1162 calcutate (the passwords) hash in php instead of in mysql - create test scenarios for the software testers   
 Full testing  - {0} - inopiae - bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails - {0} - inopiae - bug #988 TTP cap form deployment - {0} 
Software Assessors: 2nd Review, Bundle Package to Critical Team
- Software-Assessors task - Ted - bug #500 Get contact mail adress after resolving test - tested by 3, requires review - {0} - Ted - bug #1140 Show if a test is passed in learnprogress - tested by 3, requires review - {0} - magu - bug #1131 Rename _all_ Policies from .php to .html and fix all links - global policy directory maintenance and update - {0} - inopiae - bug #1010 Reorder the view on organisation certificates - tested by 3 - {0} 
Software Assessors: Bundle Package to Critical Team
- Software-Assessors task - inopiae - bug #1139 Add new fields to the database - tests through #500 and #1140, 2nd review done, requires transfer - {0} 
Awaiting Response from Critical Team
- inopiae - bug #411 Wrong text is made into link - {g} 
Agenda
1. Preface
- inopiae, BenBe - Coding style
 
- inopiae, BenBe - WebDb Functions listing: Used functions 
 
- SE activity audit tables
2. TTP program related patches
- Discrepancy between Testserver system and production system (solved) - Software current state on testserver and production 
- problem relates to bug #855 
- Fix adding TTP assurance method on testserver (was: admin console lists "empty" and "Unknown" ...)
- Despite the fact bug #855 has been deployed to production January 19,2012, current state seems to be broken again
 - TTP program related patches, Discrepancy between Testserver system and production system - Software current state on testserver and production 
- problem relates to bug #855 
- Fix adding TTP assurance method on testserver (was: admin console lists "empty" and "Unknown" ...)
- Despite the fact bug #855 has been deployed to production January 19,2012, current state seems to be broken again
 
- checking testscenario: - software revision ok
- database table record shows method ' ' for those records
- problems identified, screenshots under TTP admins wiki page 
 
- Arbitration case a20121127.1 interupt (fast path), interactive - test result shows that TTP assurances is entered into the production system
 
 
- TTP program related bugs for review/transfer to testserver (2012-12-04: BenBe not today, NEO not today) - bug #1118 small changes in database to fix TTP assurance method according to TTP-Assisted-Assurance-Policy and org client certificate. fix available - transfered to cacert-devel
 
- bug #888 add TTP method (old: Trusted Third Party) to TTP-Assisted according to TTP-Assisted-Assurance-Policy. Fix can only be deployed if bug 1118 is deployed. fix available - working session 2012-12-10 (21:38:56) BenBE: $ git merge bug-888 (21:38:56) BenBE: Auto-merging www/wot.php (21:38:56) BenBE: CONFLICT (modify/delete): includes/wot.inc.php deleted in HEAD and modified in bug-888. Version bug-888 of includes/wot.inc.php left in tree. (21:38:59) BenBE: Automatic merge failed; fix conflicts and then commit the result. (21:43:22) BenBE: $ git log release...testserver includes/wot.inc.php (22:04:43) BenBE: <<<<<<< HEAD (22:04:44) BenBE: <------>include_once($_SESSION['_config']['filepath']."notary.inc.php"); (22:04:44) BenBE: ======= (22:04:44) BenBE: <------>require_once("../includes/lib/general.php"); (22:04:46) BenBE: >>>>>>> bug-512
 
 
3. DEV on bug 1023/1054 "Thawte Patch"
- "Thawte points removal, final step" bug #1023 - bug #1023 Testing (6.php)
 
- last patch transfered to production system 2012-05-30
- what are the next steps for thawte points revoke? - points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
- 15.php needs rename to 10.php
 
- next step in: bug #1054 Review the code regarding the new point calculation in ./includes/general.php (current state: testing) - email debug notification, search for other solution
- testing scenarios: see bug note c3163 - some explanations
 
- assure someone - f2f, ttp, the sentence "Only tick the next box if the Assurance was face to face" is conflicting, fixed
- new patches by dirk, pushed to cacert-devel, (update 2012-09-18)
- tverify removed (?)
- merge conflict with account id 60 (eg email removal), see bug #823 
- max_points() routine replaced by new max_points() routine
- get_assurer_status(), output_summary_content() with parameter 0 replaced by max_points()
- received_points()
- Status testing ? - debug messages on testserver (1054) - test account 1 - variant 1 (pwd login): points3 (185/100)
- variant 2 (cert login): points3 (185/100)points4 (185/100)
- first value relates to wot.php?id=10 count of pts
 
- test account 2 - points3 (350/394)points4 (350/394)
- 484 AP, anderer weg 64
- 100
 
- test account 3 - points3 (200/662)
- problem identified, fix transfered to testserver
 
 
- test account 1 
 
- debug messages on testserver (1054) 
 
- current state: runs in debug mode  points1, points2, points3, points4 that reflects conditions - conditions points1 and points2 yet undefined
- identified points1 + points2 debug points in routine
- Logged-in, My Details, Edit, change something, submit changes
- calculate points will be used to select edit mode for name, dob
- if points==0 edit allowed, otherwise edit prevented
 
 
- Patch moved out from testserver - new testserver branch stable - reason: more and more merge conflicts caused by bug #1054
- patches to add: 512 1118 795 1097 964 888
- also: 1070 + 782 (?)
 
 
- new testserver branch stable 
4. 2nd review of remaining patches
- Software-Assessors task 
Michaels Task 2nd review
- 1119
- 1118
- 888 (1118 needs installed first)
- 1034
- 795
5. Patches Overview - Testing, Development
- summary - state of patches - 922 needs work
- 782 needs work
- 440 needs work (NEO) (see also below) - Patch bug #440 was defered (timo addtl. work), but this project stalls. What to do with bug #440 ?
 
- 1004 needs work by neo
- 1113 needs work by benbe, transfered to cacert-devel
- 1097 needs work by neo
- 1017 needs work by neo
- 1025 needs testing
- 512 needs work
- copied to cacert-devel, on testserver - inopiae - Bugs #1112 Exchange the text on the TTP page according to the new TTP programm - live testing, probs with form (if pts < 100) - {0} - inopiae - Bugs #1124 Selection of additional languages, sorting is somewhat strange - {0} - inopiae - bug #795 contact form does not signal whether filed request is senstive or open - needs review + testing - {0} - inopiae - bug #1034 Delete files that are no longer needed as they are obsolete after bug fixing - needs review - {0} 
 
 
- Policy text and Arbitration ruling bug# fixes - Policy text changes
- Arbitration ruling text fixes - CAcert must update the web page on disputes, and include an explanation how to file a dispute (a20091206.1)
 
 
- Board orders
 
- bug #922 problem, transfered to critical, Wytze did a rollback - neo, dirk - bug #922 missing "certificate about to expire" messages - tested, reviewed by 2, needs 2nd review - {0} 
- you can use previous test to also check "certificate about to expire" messages
- notification expected: 1d, 15d, 30d, 45d
- Uli: Marcus plz test again
- Marcus+Uli: plz add serno of cert about to expire into the message text
- NEO: added serno on Oct 2nd
- Uli: 15d notification rcvd at 5th, 6th Oct, last 1d expiry warning expected: Oct 19, passed ok
- moved to 2nd review
- BenBe: 922 2nd review, currently busy, feels not ready to review this patch 
- tested by 2, needs 2nd review, BenBe passed to other SA 
- -> dirk, assigned 
- seems to be ok, ready to go
- BenBe to transfer to critical team 
- patch transfered, but rolled back. reason: patch brings critical system to hung - Analysis - testserver less data then production system
- potential problem distinct clause in query
- whats about proposals by Timo?
- data count: 1000 on testserver, 900.000 on production - create a test set of 900k certs in database?
 
- tables used, record counts: domaincerts 74, domlink 75, domains 52 - which tables, table structure, db format: default myisam
- domain*, email*, users
- to contact critical team with general infos about above tables
 
 
- wytze, timo, dirk, benbe, michael discussion by email - proposal to wytze, to add indixes (all tables selected by where clauses created, modified, expired, revoke)
- confirmation by 2nd SA
 
 
- Analysis 
 
- bug #1004 Stats page improvement - stats, Marcus + Uli did some tests, one problem identified, fixed 2012-08-25 by NEO
- fully re-tested by 2: 2012-08-25 (at froscon)
- needs 2nd review
- moved out to cron job routine
- -> BenBe, assigned 
- 1004 ... on review by BenBe 
- checked BenBe 
- work done by NEO, pushed to cacert-devel, transfered to testserver
- needs 2nd review, tested
- current state:
- open issues - How are deleted users handled?
- Isn't "verified_certs" misleading as the affected tables also contain certs that failed to be signed?
- User Statistics don't take removed assurances into account (???)
- Why not calculate backwards in the year-dependent loop from the already known values? The loop runs backwards already anyway.
 
- the latter is still open
 
- bug #1025 Domain Dispute issue - BenBe will pickup for 2nd review 
- needs further testing
- magu, inopiae, u60 -> testing https://bugs.cacert.org/view.php?id=1025 - several test accounts, variations of one or more email addresses, 0 or 1 domain added
- test the full disputes procedure for all variations
- tested by u60
 
 
- bug #1054, test 1054.3.6, bug #1035 - create several types of certs (client certs, server certs, org client certs, org server certs) and analyse the content of the certs -> subjectAltName and CN with single SAN and multiple SANs 
- renew the certs
- addtl. tests ? Marcus? Magu? BenBe? 
- 2012-10-02 dirk: problems with git push #1054, got fixed
- DEV on bug 1023/1054 "Thawte Patch" - check last changes by dirk to transfer into test scenarios
 
- see reference notes note 3225 on bug #1101 and note 3245 on bug #1101 
 
- bug #964 and bug #1017  , relates also to bug #1054, test 1054.3.6 - Chrome certificate enrollement (relates to #964 "Black Jack") , relates also to bug #1054, test 1054.3.6 - Chrome certificate enrollement (relates to #964 "Black Jack")- create client certs, go to signing routine
- new routine with 3 different potential signed public key download routines /account.php?id=6 list 3 options - Install the certificate into your browser (tested)
- Download the certificate in PEM format
- Download the certificate in DER format
 
- bug #1017 Chrome certificate enrollement - BenBe will pickup 
- bug #1017, doing some more tests? - new routine with 3 different potential signed public key download routines /account.php?id=6 list 3 options - Install the certificate into your browser (tested)
- Download the certificate in PEM format
- Download the certificate in DER format
 
- Alex, Marcus doing some more tests
 
- new routine with 3 different potential signed public key download routines /account.php?id=6 list 3 options 
 
 
- Marcus Bugs list - according to Bugs # 976 - 0000976: List of update request for webdb database structure upgrade with tables / fields
- addtl_notes table hasn't been added in patch bug 976 on 2011-11-25 
- OU info from Org cert not stored
- addtl_notes table hasn't been added in patch bug 976 on 2011-11-25 
- extend org certs table ? new bug?
- OU in subject?
- includes/account.php (17)
- in org certs it is in subject
- addtl. field ou ? new bug# ?
- used bug #1010
 
 
- new bug #1095 "Problems with creating server sertificate where the csr is created with Java SDK Tools" - cmdline sample: keytool -genkey -alias test.test.net -keyalg RSA -keystore test.test.net.ks -validity 1095
- NEO couldn't reproduce the problem using keytool, tested against production and testserver
- identified as weak key usage: csr used MD2 encryption, not or no longer supported by openssl, add new error message
 
- bug #440, bug #1101 (extract CSR) (back under development) - ASN.1 format
- CSR extract: needed for signing: email address, hostname
- Timo will write a CSR parser
- Current: - CN will be parsed
- some information about public key
 
- ASN.1 php library
- Whats about UTF-8 ?
- IDN's - Policy: p20091108 CPS to drop assurer critieria and allow IDN certificates in specified TLD or single script character sets 
- Assurance Handbook - Some more Information - Code signing and IDN certificates If you are an Assurer, you can get certificates signed/issued by CAcert for code signing and IDNs (International Domain Names). Due to the increased possibilities for abuse those certificates have additional requirements. The CPS states that this requires Assurer level, which you meet if you are reading this Handbook. However note that as of 20091106, there is a move to reduce these requirements. Watch this space. 
 
 
- current only client and server certs, other options currently not selectable, except Code Signing
- parameters: domains, current first becomes CN, others SANs
- rebuild subject routine ... to check
- Michael: shall we enforce cn from csr? - optional?
- enforce copy cn to SAN
 
- asn1 parse procedure, http://lapo.it/asn1js/ - getcn, getalt procedure
- docs für extractit() und getcn(): general.php line.230 
- felicitus: how someone get "CN" from "commonName"? where is it documented that "CN" is "commonName"?
- OID of commonName is 2.5.4.3, but there is nothing about "CN" - BenBE: see Header of OpenSSL-Header
 
 
- Patch bug #440 was defered (timo's addtl. work), but this project stalls. What to do with bug #440 ? - comments https://bugs.cacert.org/view.php?id=440#c3243, https://bugs.cacert.org/view.php?id=440#c3251 checked? 
- Neo started some fixes (getcn and ...), to be continued
 
- ASN.1 parser - planned: incorporate asn.1 from openssl
 
- bug #1101 refactoring getalt getcn (Timo) - might 1101 comment c3225 
- tries to build a php library for openssl parsing replacement - asn.1 parsing, own library
- ???
 
- openssl does escaping (per man page) (input? output?)
- library test thru unit tests
- openssl command for multiple san's ? - undocumented feature?
- currently only known with -extfile creating-a-certificate-with-multiple-hostnames 
 
 
- New patches - Marcus: Bug #512, OA sql query procedure, NEO to test on testserver - Marcus - bug #512 Org admin requires 100 AP - software untestable, needs checked on console, 2nd review - {0} 
- relates to a20110118.1 intermediate ruling Part IV.2 
- also bug #512 
- line wise readin (eg file read), change is not required
- needs 2nd review, testing by NEO
- Neo to test, Neo has currently no working console connection
- BenBe to test 
- bugfixed revision added under bug#
- includes general.php isn't scritable
- Marcus: next: move function in include/general to include/lib/general and add in include/general include(lib/general)
 
- bug #782 Add "notes" field to certificate information - inopiae - bug #782 Add "notes" field to certificate information - {0} 
- moved to testserver
- Client certs
- Current: - Renew/Revoke/Delete | Status | Email Address | SerialNumber | Comment | Revoked | Expires | Login 
 
- move comment to end - Renew/Revoke/Delete | Status | Email Address | SerialNumber | Revoked | Expires | Login | Comment | edit 
 
- create new cert below all mandatory fields?
 
 
- Marcus: Bug #512, OA sql query procedure, NEO to test on testserver 
- bug #1097 "Special characters which have no HTML-entities are not properly escaped" - needs testing, 2nd review, BenBe will check 
- first test variations shows: there are remaining problems
 
- bug #1119 problem with importing CRL in Mozilla products FF/TB. fix needed - current bug #1119 test result matrix 
- BenBe: potential Mozilla removal of certs md5 support 
- BenBe: whats about OpenSSL issues? 
- Michael: splitting CRL's into smaller segments (eg yearly split)
- BenBe: CRL encryption algorythm is: md5 rsa 
- create diff's of openssl configs
- FF about:config parameter security.enable_md5_signatures -> - false: crl import fails with error code:ffffe0b0
- true: crl import success
 
- proposed solution (2012-12-04): crl to use encryption of sha1
- proposed test scenario: bug #1119 crl patch - crl download still gets redirected to crl.cacert.org under cacert1 testserver - patch untestable
- new links defined under cacert1 testserver:
 
- under testing, tested by 6, needs 2nd review and transfer
 
- Marcus: new contact form bug #795 development/deployment - working session 2012-12-10 (21:10:32) BenBE: bug 795, www/index.php, Change Hunk 1 @ 576ff. (21:10:53) BenBE: s/576/563/ (21:15:44) BenBE: git diff release...bug-795 (21:22:37) BenBE: if(!isset($_REQUEST[...]) || !empty($_REQUEST[...])) ... (21:38:40) BenBE: https://www.youtube.com/watch?v=POjj67bIQiU 
 
- GPG bugs - import prob (eg bug #992 ) - rfc standards: - rfc 4880, defaults to utf-8, section 5.11 - RFC 4880 updated by https://tools.ietf.org/html/rfc5581 
 
- email rfc-2822
 
- rfc 4880, defaults to utf-8, section 5.11 
 
- rfc standards: 
- delete/revoke GPG keys (eg bug #1079 ) - trust signatures can be revoked
- CRL's have to be added to keyservers, but no one will check
- revocation: 5 reasons given
- should be possible, but project needs a developer
 
 
- bug #279 bad domains - .*top.*
- regexp list
- database table exist
- update procedure?
- whats about recuring distribution of update files via cabforum?
- arbitration?
- SE console for update?
- critical admins?
- check routine on add-domain
- add domain under OA should be possible ...
- one-time check of current existing domains ? - first time check against full filter list
- individual check in event add domain
- global check in event add entry to filter list
- replace/update full filter list (case 1 + 4)
 
- meta infos: - datasources
- attributes (?)
- creation date
- delete entry / revocation date
 
 
6. Long Term Projects
- NEO: "BlackJack" bug #964 testing from last week -> error codes - started implementing
 
- how does bug #1017 relate to this bug? - cert signing routine
- ie5 ie6 automatic storage of signed key in local keystore
- doesn't work under vista, win7
- msi package is to download and import the keys to the local keystore under vista, win7
- relates to bug #1099 but is quite different 
- neo sent msi package for testing to u60, benbe; test successful passed
 
 
- Marek's sql class project: - is working on charset replacement
 
- api project, Carsten continues with portal project not waiting for vendor-api to be delivered - vendor-api delayed - no coders
- other projects
- related to sql class project
 
- portal project continues with a workaround, needs an assurer - arbitration case on locations database orders outsourcing of find-an-assurer asap
- with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)
- relation to location database - website find an assurer
- scripted mailing for ATE invitations
 
- user check that data is still valid eg every 1 year - notification at login upto 6 months not online
- notification by email if not logged in within last 6 months
 
 
 
- vendor-api delayed 
- Automated testing system - Timo: Unit-test testsystem, phpunit jenkins
- can we merge both environments? frontend tests and unit tests?
- Timo: automated testing systems are mergable - frontend test: java, may become a problem, alternate php version?
- focus on unittests - dirk: code or screen?
- code and screen
 
- frontend and unit tests on one machine?
- trial: port frontend tests
 
 
- Timo: monitoring signer, not yet done - Probably Wytze monitors the systems externaly ?!?
- see Systems overview 
- monitoring system eg Zabbix instead of Nagios?
- BenBE: Icinga as alternate?
- Zabbix agents: requires to be the same revision as server
 
- Timo, Benny: Distro needs upgrade - lenny - support ended Feb 2012
- upgrade etch to lenny was a long running project
 - squeeze (current stable release) - tests started by critical team - "wheezy close before release date
 
- Michael: email sent 2012-10-09 regarding squeeze upgrade to critical team - response received
- testing WIP
- move to sun2 proposed
 
 
7. next meeting
- Tuesday, January 15, 2013 22:00 CET
Minutes
- test working session (magu, uli) - 1069, 1009, 1130, 1121, 1122
- probably tests finished: 1069, 1009
 
- 1130: Replace DisputeResolutionPolicy.html - one char to fix in line 1
- updated to testserver
 
- Assure Someone change request (result from 1122: assure someone, CCA acceptance in Assure someone process) - question: where is the CCA acceptance path of an Assurer? - AP defines, Member has accepted CCA by joining CAcert and create an account
- but there are also "old" assurers who didn't accepted CCA yet
- 2 known requirements to become an Assurer: 100 APs, CATS passed
- 3rd yet unverified: CCA acceptance
- Assurance to be AP conform references to AP
- Assurance statement gives no statement, that Assurer has accepted CCA
- AP 4.5 only requests CCA acceptance from Assuree
- CATS test requires a valid client cert. Client certs can be created without CCA acceptance!!!
- There is no addtl. CCA acceptance check under CATS
- so in effect: - an assurer may have created an account before the CCA acceptance request was added to the join form
- an assurer may have received upto 100 APs + 50 EPs before CAcert's policy days
- giving an assurance doesn't request a CCA acceptance from the Assurer, only the request that assurance is AP compliant
 
- so there is no straight verification path that an assurer has accepted CCA except receiving new assurances by -> passive CCA acceptance 
 
- assure someone form enhancement - New I verify that the Assuree accepted CCA
- Location
- Date
- assertion
- Ap
- New I accept CCA
- Policies
- Points
- text (a): I have read and understood the Assurance Policy, the Assurance Handbook and the CCA and am making this Assurance subject to and in compliance with the policy, handbook and CCA.
- text (b): I have read and understood the CCA, the Assurance Policy and the Assurance Handbook. I am making this Assurance subject to and in compliance with the CCA, policy and handbook.
- AH AP CCA & & dup dup read understood comply. 
- text (c): I have read and understood the CCA, the Assurance Policy (AP) and the Assurance Handbook (AH). I am making this Assurance subject to and in compliance with the CCA, AP and AH.
 
 
- question: where is the CCA acceptance path of an Assurer? 
- SE activity audit tables - addtl. recording of arbitration numbers to members
- results in long discussions - requirements, thought cases (eg name change request while another arbitration is running (-> uncritical)) 
- delete account requests handled under precedent case a20111128.3), one "critical" case (certs misusage) is turned in procedure: arbitrator has to follow "emergency case" procedure and to keep track of open "delete account" cases 
- interferance/interaction of 2 of the 3 powers (executive, judicate) (arbitration has to act as executive to forward all new cases to support team with list of open/running arbitration cases)
 
- all ends on (arbitration) "critical" cases
- "critical" cases will be handled under Arbitration eg. a20111128.3 within reasonable (eg 48 hours) window 
- discussion defered
 
- SE console, delete all certs of a member (instead of highjack an account) - probably 1 requirement: addtl. verification step
 
- Homework for testers: - test 893 (delete account) with existing server certs
 
Fixed Action Items since last or within meeting
Action Items New
Action items: Meeting Action Items
