djyKWKt1mr3ykWab7jnrAJ 2011-09-27T18:28:47-05:00 Tilburg reported that adding a & in the password cause strange behaviour when AuthN to Comodo's CCC endpoint. This is somewhat related to ticket 315 0 7232253 318 false 413168 djyKWKt1mr3ykWab7jnrAJ 318 2 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 4 Test 0

AuthN to Comodo explodes when using restricted characters in password.

2011-10-11T15:49:17-05:00 4.0 4.0 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJ 2011-01-28T04:32:32-06:00 Leif writes: "I think this is general for all forms in the application that does validation: if you get a validation error the form state isn't preserved so you have to type everything in from scratch :(" 0 3027229 307 false 413168 djyKWKt1mr3ykWab7jnrAJ 307 3 afWxtcVJSr3OFEeJe5aVNr bJPkAOuyCr3ykWab7jnrAJ 4 Test 0

Form state not preserved on validation error

2012-01-04T13:50:37-06:00 2.0 2.0 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau afWxtcVJSr3OFEeJe5aVNrthijskthijskthijsk djyKWKt1mr3ykWab7jnrAJ 2011-02-25T08:07:45-06:00 Confusa installs two cronjobs: db_backup and db_clean, but both do not work with a recent setup. They try to parse database login data and other settings from confusa_config.php, but some settings are loaded from confusa_config.inc.php, and the scripts do not interpolate variables. db_backup also tries to use /root/mysql_root.pw which does not exist on our systems. We do have the scripts like bootstrap_idp that can already execute queries to the database, so perhaps it's best to implement at least db_clean in that way. As for db_backup, at least on Debian systems this can be implemented by running something along the lines of mysqldump --defaults-file=/etc/mysql/debian.cnf -t confusa, but alternatively it could also use the existing shell script libraries to get the right parameters to pass to mysqldump. 0 3223369 310 false 413168 afWxtcVJSr3OFEeJe5aVNr,djyKWKt1mr3ykWab7jnrAJ 310 3 afWxtcVJSr3OFEeJe5aVNr bJPkAOuyCr3ykWab7jnrAJ 4 Test 0

backup_db and clean_db cronjobs do not work

2011-09-21T23:45:16-05:00 0.0 0.0 None 0.0 1.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau afWxtcVJSr3OFEeJe5aVNrthijskthijskthijsk djyKWKt1mr3ykWab7jnrAJ 2011-03-28T05:46:20-05:00 If for whatever reason a portal to one NREN is not available, it is currently not possible to display a user-friendly message "NREN X portal not available right now, see link X for details" message. The entire portal can be taken down but if only one NREN is affected this is overkill. So the idea would be that if for whatever reason the portal does not work for one NREN, a nice message for users of that NREN "NREN X portal not available" can be displayed. 0 3478451 311 false 413168 dPS9kyuyur3zYrab7jnrAJ,djyKWKt1mr3ykWab7jnrAJ 311 3 dPS9kyuyur3zYrab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 4 Test 0

For shared portal: allow individual instances to go in "maintenance mode"

2011-11-24T16:11:19-06:00 1.0 1.0 None 0.0 8.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau dPS9kyuyur3zYrab7jnrAJmeijermeijerJan Meijerjan.meijer@uninett.noUNINETTSkypejenever42Jabbermeijer@jabber.uninett.no djyKWKt1mr3ykWab7jnrAJ 2011-05-03T17:33:23-05:00 When the AP-name or username for the CA Account is updated, the password must also be provided, otherwise it is treated as "", encrypted and base64-encoded. This will result in unexpected errors and is a needless bug. Suggested fix: - detect empty passwords, ""s - adapt insert to handle different values in CP_Accountant::updateNRENAccount() - display a warning telling the user that the password was not supplied and therefore is *not* changed in the database. 0 3769890 315 false 413168 djyKWKt1mr3ykWab7jnrAJ 315 3 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 4 Test 0

Update CA Account resets password to "" if not supplied

2011-10-11T15:49:17-05:00 4.0 4.0 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJ 2011-05-05T10:04:45-05:00 Certificate requests now trigger the following log lines: May 5 15:39:25 mobius confusa: [23191]: Uploaded CSR to remote CA. Received order number 10361319 for user Jan Klaassen jan.klaassen@uni.edu Person contacted us from 2001:760:2a14:fffe:21xxx May 5 15:39:25 mobius confusa: [23191]: Authorized remote certificate for person Jan Klaassen jan.klaassen@uni.edu with order number 10361319 Person contacted us from 2001:760:2a14:fffe:21xxx We cannot really link these to the NREN and subscriber involved. It would be good to have the NREN id and the subscriber id in the same log lines when there are problems with a request. This may also make the statistics module (#299) not as needed, because with this (seemingly simple) change we can use grep to determine basic agregates like number of certs per nren and per subscriber. 0 3785990 316 false 413168 afWxtcVJSr3OFEeJe5aVNr,meynell@terena.org,djyKWKt1mr3ykWab7jnrAJ 316 3 afWxtcVJSr3OFEeJe5aVNr bJPkAOuyCr3ykWab7jnrAJ 4 Test 0

Improve logging to include NREN+subscriber

2011-10-24T17:00:09-05:00 4.0 4.0 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau afWxtcVJSr3OFEeJe5aVNrthijskthijskthijsk 2010-01-12T01:59:55-06:00 A sensitive action is either to create a new cert, or revoke an existing. This should trigger a reauth *every* time the action is performed. This could also remove the need for the timeout-session constraint in place today, however, not all NRENs support reAuth, and we may be forced to log out and in again. And if so, the session-timeout we enforce today is a good choice. The timeout-limit should be per-NREN configurable. 0 826193 207 false 104207 djyKWKt1mr3ykWab7jnrAJ 207 3 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 0 New 0

Forced reauth when performing a 'sensitive action'

2010-08-24T07:51:13-05:00 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau 2010-06-15T08:41:00-05:00 If a certificate has not been downloaded, it will have state - Issued, Awaiting Collection It can also have the following states: - Valid (normal state, this will trigger the revoke-logic) - Awaiting Validation (waiting for the Reseller to approve it, should happen automatically) If all certificates have this state (or, anything *but* 'Valid'), it is not possible for a user to do the 'revoke all' action. However, if only *one* certificate is 'Valid', then the user can revoke *all*. When revoke: - revoke the valid - block the Awaiting validation - delete the Awaiting collection from Comodo And regardless of state, show the list of DN and options to the user if there's a certificate present. 0 1589163 291 false 104207 djyKWKt1mr3ykWab7jnrAJ 291 4 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 0 New 0

Do not filter revocation only upon 'Issued'

2010-08-24T10:42:33-05:00 0.0 0.0 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau dPS9kyuyur3zYrab7jnrAJ 2010-06-17T00:57:59-05:00 If you're someone who doesn't know how all the pieces of the service are connected together and you want to see all the steps the various actors need to undertake to get from nothing to an issued certificate, that's currently a bit hard. We need a piece of glue documentation that summarises the steps from nothing to issued certificate to revoked certificate with pointers to the right piece of detailed documentation. 0 1597873 294 false 236413 dPS9kyuyur3zYrab7jnrAJ 294 3 dPS9kyuyur3zYrab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 1 Accepted 0

Add 'glue' documentation

2010-08-24T10:44:44-05:00 0.0 0.0 None 0.0 0.0 dPS9kyuyur3zYrab7jnrAJmeijermeijerJan Meijerjan.meijer@uninett.noUNINETTSkypejenever42Jabbermeijer@jabber.uninett.no dPS9kyuyur3zYrab7jnrAJmeijermeijerJan Meijerjan.meijer@uninett.noUNINETTSkypejenever42Jabbermeijer@jabber.uninett.no djyKWKt1mr3ykWab7jnrAJ 2011-12-13T02:45:25-06:00 Hi, Confusa should send the HTTP Header X-Frame-Options so we can prevent clickjacking in modern browsers. This header prevents Confusa from being framed by rogue sites. For a high-security site this definitely makes sense. All that's needed is to output the following HTTP header: <pre><code> X-Frame-Options: DENY </code></pre> or in PHP-speak: <pre><code> header('X-Frame-Options: DENY'); </code></pre> I'm not sending a patch because I'm not sure what the right code point would be to add this line. 0 11347563 320 false 994263 afWxtcVJSr3OFEeJe5aVNr,djyKWKt1mr3ykWab7jnrAJ 320 2 afWxtcVJSr3OFEeJe5aVNr bJPkAOuyCr3ykWab7jnrAJ 4 Test 0

Send X-Frame-Options HTTP header

2012-03-28T16:34:34-05:00 0.0 0.0 None 0.0 2.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau afWxtcVJSr3OFEeJe5aVNrthijskthijskthijsk djyKWKt1mr3ykWab7jnrAJ 2012-01-11T04:06:09-06:00 If an IE-user forgets to allow active-X, or otherwise walks through the wizard without uploading a valid CSR, Confusa should detect this and provide a more meaningful error-message. Pushing an empty string to Comodo is moot. 1 12674553 322 false 994263 djyKWKt1mr3ykWab7jnrAJ 322 2 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 4 Test 0

Notify user and stop wizard if CSR is empty

2012-03-28T16:35:56-05:00 0.0 0.0 None 0.0 3.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJ 2012-01-30T02:58:15-06:00 Pieter van der Meulen writes: In the confusa setup used by TCS for SURFfederatie there is an issue when requesting a certificate using Internet Explorer on Windows 7 when the CN contains a comma. For example when requesting a certificate with a CN component of "Meulen, van der, Pieter". The generation of the PKCS#10 CSR in the browser fails. When firefox is used the certificate is requested and generated correctly. This "lastname, firstname" format is used by some of the more Microsoft loving institutions in SURFfederatie. Note that these institutions use SAML authentication to confusa. The CN to use in de certificates Subject DN is taken from the attributes provided by the identity provider and must not be under control of the user. Investigating the above issue I noticed the following: * It is the Encode() method call of the X509Enrollment.CX500DistinguishedName object that fails. The javascript containing the failed call is located in the smarty template: templates/browser_csr/vista7.tpl @line 23 * The DN in the generated PKCS#10 is not used by confusa or the Comodo CA. And since the PKCS#10 is under control of the requesting user this is a good thing. Instead confusa provides the components of the DN separately in the HTTP POST to the CA apply endpoint in the function capiUploadCSR() in lib/ca/CA_Comodo.php @line 991. * In theory the Comodo CA could verify that the DN in the PKCS#10 CSR mataches the DN specified using the subject_xxx_ post fields. This is unlikely. Most likely it just extracts the public key from the PKCS#10 CSR and ignores the DN thats in there. Possible fixes: * A very simple fix to the IE comma issue would be to specify a dummy DN when generating the PKCS#10 CSR. E.g. change templates/browser_csr/vista7.tpl line 45 to: objDN.Encode(dn, "CN=Dummy"); A similar change can be made in templates/browser_csr/xp2003.tpl * The other solution is to generate a DN that is properly coded for the X509Enrollment component this would be a bit more work obviously. For the X509Enrollment component I know how to encode the DN so that any character may be included. I haven't tested with or investigated the XEnroll control (yet) for pre vista users but it is likely to have a similar issue. Should the simple fix above not be possible for some reason I'm willing to investigate how this can be fixed for the XEnroll control. 1 13817193 323 false 994263 afWxtcVJSr3OFEeJe5aVNr,djyKWKt1mr3ykWab7jnrAJ 323 3 afWxtcVJSr3OFEeJe5aVNr bJPkAOuyCr3ykWab7jnrAJ 4 Test 0

Comma issue when using IE

2012-03-28T16:36:21-05:00 0.0 0.0 None 0.0 8.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau afWxtcVJSr3OFEeJe5aVNrthijskthijskthijsk djyKWKt1mr3ykWab7jnrAJ 2012-01-31T12:56:47-06:00 We ran into the following alert: 1. 2012-01-31 12:52:59 (Confusa) -= [ ALERT ] =- Too many account-results returned from DB for NREN 4 for an NREN which had two accounts in account_map. Not sure how those two got there but they've been there for a long time. If this alert can be triggered, shouldn't the nren_id attribute in account_map be UNIQUE to prevent this from happening in the first place? 1 13927913 324 false 994263 afWxtcVJSr3OFEeJe5aVNr,djyKWKt1mr3ykWab7jnrAJ 324 3 afWxtcVJSr3OFEeJe5aVNr bJPkAOuyCr3ykWab7jnrAJ 4 Test 0

account_map entries per nren must be 1?

2012-04-23T16:08:31-05:00 1.0 1.0 None 0.0 3.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau afWxtcVJSr3OFEeJe5aVNrthijskthijskthijsk djyKWKt1mr3ykWab7jnrAJ 2012-02-14T04:46:53-06:00 The invocation of openssl-vulnkey in CSR upload is broken in Squeeze, which prevents us from upgrading the portal infrastructure. It looks like the problem is the use of 'echo $content | openssl-vulnkey -'. The echo removes the newlines, and openssl-vulnkey doesn't like that. This can be solved by opening openssl-vulnkey and writing the certificate content to it. It may be the case that this was already broken in lenny but didn't generate a fatal error there. 1 14938633 325 false 994263 afWxtcVJSr3OFEeJe5aVNr,djyKWKt1mr3ykWab7jnrAJ 325 3 afWxtcVJSr3OFEeJe5aVNr bJPkAOuyCr3ykWab7jnrAJ 4 Test 0

openssl-vulnkey breaks on removed newlines

2012-04-22T13:52:28-05:00 0.0 0.0 None 0.0 4.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau afWxtcVJSr3OFEeJe5aVNrthijskthijskthijsk djyKWKt1mr3ykWab7jnrAJ 2012-03-28T15:47:00-05:00 As a default, the about_nren and privacy-notice should contain some basic information, probably telling the user that the NREN has not configured the portal yet. A bouns would be to post a warning-message when an NREN-admin logs in if these pages is not configurued yet. 1 17861113 328 false 994263 djyKWKt1mr3ykWab7jnrAJ 328 3 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 1 Accepted 0

Set default text for about-nren and privacy notice

2012-05-14T15:35:57-05:00 1.0 1.0 None 0.0 16.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJ 2012-03-28T15:51:10-05:00 When a cert is revoked, it will take a while (a few minutes typically) before the whole process has been completed and the cert is marked as 'revoked' in the Comodo database and the CRL is updated. In the meanwhile, the cert should be marked as "revocation in progress" or something along those lines. This should be l10n'd. 1 17862403 329 false 994263 djyKWKt1mr3ykWab7jnrAJ 329 3 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 0 New 0

Newly revoked certificates should me marked as 'in progress'

2012-03-28T16:38:28-05:00 4.0 4.0 None 0.0 8.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJ 2012-03-28T15:54:01-05:00 There are FAQs on several locations and the display of these depends on whether a user is AuthNd or not. Go through index.php and help.php and coordinate the information, the user should expect to find FAQ/Help at _one_ location, not spread between several. 1 17863013 330 false 994263 djyKWKt1mr3ykWab7jnrAJ 330 3 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 0 New 0

FAQ/help cleanup

2012-03-28T16:38:44-05:00 4.0 4.0 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJ 2012-03-28T15:54:41-05:00 1 17863143 331 false 994263 djyKWKt1mr3ykWab7jnrAJ 331 3 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 0 New 0

Display help to non-AuthN users

2012-03-28T16:39:04-05:00 4.0 4.0 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJ 2012-05-15T01:53:37-05:00 Modern Chrome versions has an interface for importing/exporting certificates, similar to what exists in firefox etc. This is something we should do alongside updating the FAQ, help and about (#328, #330, #331) 1 21283533 332 false 994263 djyKWKt1mr3ykWab7jnrAJ,torkel@hpc2n.umu.se 332 3 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 0 New 0

Chrome/Linux help text in the confusa portal is outdated

2012-05-15T01:53:37-05:00 0.0 0.0 Small 1.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJ 2010-06-16T07:22:37-05:00 When an NREN-admin tries to update the CSS, a new file is created in the custom CSS-directory. If this is not created and the webserver does not have permission to create the folder, an ugly warning is thrown at the user. To help identify the problem: - create an error-code and show to the user. - log the issue, include the error-code That way, portal admins will have an easier time narrowing down the issue. 0 1593973 293 false 994263 djyKWKt1mr3ykWab7jnrAJ 293 4 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 4 Test 0

Log path when custom-css cannot be created due to perm. denied, make ref in error-msg

2012-04-24T15:33:37-05:00 0.0 0.0 None 0.0 1.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJ 2011-10-03T01:54:42-05:00 If a user revokes a certificate, and then revokes it again, the second revocation is reported to be failed. This results in EMERG log in syslog which also trips Nagios into issuing CRITICAL messages. Here's an example: Oct 2 13:21:13 klein confusa: [1309]: Revoking certificate with order number 10781096 using Comodo's auto-revoke-API. Sending to user with ip 95.74.243.3 Oct 2 13:21:14 klein confusa: [1309]: Revoked certificate with order number 10781096 using Comodo's AutoRevoke API. User contacted us from 95.74.243.3 Oct 2 13:21:22 klein confusa: [1309]: Revoking certificate with order number 10781096 using Comodo's auto-revoke-API. Sending to user with ip 95.74.243.3 Oct 2 13:21:22 klein confusa: [1309]: Revocation of certificate with order_number 10781096 failed! User contacted us from 95.74.243.3 2011 Oct 02 13:21:22 (Confusa) EMERG EMERG EMERG Revocation of certificate with order_number 10781096 failed! User contacted us from 95.74.243.3 It would be nice if revocation of an already revoked certificate wouldn't result in emergency logging. I'm not sure how feasible that is, though. 0 7447473 319 false 994263 afWxtcVJSr3OFEeJe5aVNr,djyKWKt1mr3ykWab7jnrAJ 319 4 afWxtcVJSr3OFEeJe5aVNr bJPkAOuyCr3ykWab7jnrAJ 0 New 0

duplicate revoke results in error message panic

2012-02-05T15:15:17-06:00 8.0 8.0 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau afWxtcVJSr3OFEeJe5aVNrthijskthijskthijsk djyKWKt1mr3ykWab7jnrAJ 2012-03-07T03:58:16-06:00 - Sentence "This is information we have received from your home organization combined with information entered for your NREN (SUNET) and subscriber (Kungliga Tekniska Hogskolan)." is unclear. This is worded that way to be maximally transparent about our datasources, but can be confusing to end users. Proposal to change to: "This is the information we received from your home organization combined with information configured into this portal for your home organization." 0 16350433 327 false 994263 afWxtcVJSr3OFEeJe5aVNr,djyKWKt1mr3ykWab7jnrAJ 327 4 afWxtcVJSr3OFEeJe5aVNr bJPkAOuyCr3ykWab7jnrAJ 4 Test 0

Unclear sentence on front page

2012-05-05T16:30:53-05:00 1.0 1.0 None 0.0 1.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau afWxtcVJSr3OFEeJe5aVNrthijskthijskthijsk djyKWKt1mr3ykWab7jnrAJ 2012-03-07T03:56:14-06:00 "My certificates" link in left menu is not translated. 0 16350313 326 false 994263 afWxtcVJSr3OFEeJe5aVNr,djyKWKt1mr3ykWab7jnrAJ 326 5 afWxtcVJSr3OFEeJe5aVNr bJPkAOuyCr3ykWab7jnrAJ 4 Test 0

"My certificates" link is not translated.

2012-04-24T15:38:56-05:00 2.0 2.0 None 0.0 0.5 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau afWxtcVJSr3OFEeJe5aVNrthijskthijskthijsk djyKWKt1mr3ykWab7jnrAJ 2009-07-15T08:18:57-05:00 When starting Framework, the framework should start the autoloader and let everything be loaded via this. This will save a lot of code and remove the include-burden from the developer, especially when things are included in different files 0 438317 48 false 206065 djyKWKt1mr3ykWab7jnrAJ 48 2 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 1 Accepted 0

Use autoloader

2010-08-24T05:56:52-05:00 8.0 8.0 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau 2009-08-17T03:34:48-05:00 Split logging into 3 categories: - user-actions (user approves for signing or revokes) - admin: revoke all for a user, manage (nren|subscriber)(sub)admins (add, edit, remove), update layout - robotic logging i.e. when getting list, and when uploading a list for 'massive' revoke - system-generated: when something happens that is maybe a result of user action, but hidden from the user due to abstraction. Example: authorizing an order using the remote API fails. The user does not know what's going on, because she just wanted to get her certificate signed. Contrary to point 1 where we protocol user behavior, this is about system actions. 0 476106 78 false 206065 djyKWKt1mr3ykWab7jnrAJ 78 3 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 0 New 0

Use finegrained logging

2010-08-24T06:13:49-05:00 0.0 0.0 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJ 2009-11-26T04:06:03-06:00 This only applies to personal, not eScience certificates. 0 677691 172 false 206065 djyKWKt1mr3ykWab7jnrAJ 172 3 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 1 Accepted 0

Create RI interface for batch-processing of certificates

2010-08-24T07:19:56-05:00 0.0 0.0 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJ 2010-02-25T06:37:45-06:00 This is needed by the RI, and probably other parts as well. there are 3 different ways to retrieve it - standalone - directly from the certificate - ca_comodo: either from unstructuredName or from the CN. This is something that the CM knows about (both the setup and the state), and should be solved as YAAMFCM (Yet Another Abstract Method For Certificate Manager). 0 1016277 248 false 206065 djyKWKt1mr3ykWab7jnrAJ 248 3 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 1 Accepted 0

let CertificateManager return the unique identifier used in the certificate.

2011-09-21T14:09:01-05:00 0.0 0.0 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJ 2010-03-01T06:42:58-06:00 Should only be basic operations, this is to keep it as simple as possible. - query for a certificate - sign a certificate - revoke a certificate .. etc This needs to take the following into perspective: - normal user - admin (doing full revoke of a user, cvs-revoke) - RI - jGridStart Once this is done, a tentative CertManager UML should be drawn up and posted in the wiki under 'development'. 0 1029619 253 false 206065 djyKWKt1mr3ykWab7jnrAJ 253 3 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 1 Accepted 0

Create a list of CertManager requirements.

2011-09-21T14:09:01-05:00 0.0 0.0 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau 2010-03-25T05:11:27-05:00 For persons with names full of non-ascii-letters, it is sometimes crucial to obtain a certificate *without* full UTF-8 support because of application restrictions. What needs to be done: - add a per-NREN config option to allow the users to choose between UTF8 and ASCII. This is the 'master switch', if disabled, all the options below should disappear. * option under settings. * entry in database * get/set/save in NREN.php - add a subscriber-ASCII-name (the current is UTF-8), but only in personal, the option should not be visible in eScience-mode. - add option for user to choose, should be stored in the session (CS.php) 0 1138901 263 false 206065 djyKWKt1mr3ykWab7jnrAJ 263 3 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 0 New 0

Allow users to choose between pure UTF8 and ASCII-encoded DN in certificates.

2010-08-24T09:02:50-05:00 0.0 0.0 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJ 2010-04-20T06:49:44-05:00 When the database-schema has been updated, Confusa will bomb spectacularly when the field is unknown. The MDB2Wrapper should trigger on this and write a sane(r) log-message/throw error (if in debug-mode) stating which field is missing and that the database needs some much needed love and affection. 0 1316363 275 false 206065 djyKWKt1mr3ykWab7jnrAJ 275 3 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 1 Accepted 0

Trigger special error when db-field is missing

2010-08-24T09:37:34-05:00 0.0 0.0 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau 2011-02-05T04:01:13-06:00 In Confusa 0.7, the Paste CSR View checks if the user has actually pasted a CSR and only then enables the "Next" button. However, this validation requires the textarea to lose focus - and hence the user to click a different part of the screen than the text area. While this functionality was meant to assist the user in correctly proceeding, it turns out to be confusing and counterproductive, as users only see the disabled next button and think that they can not proceed .It's not intuitive to have to click on another region of the screen in order to be able to proceed. If the handler can not be improved, it should be disabled, as it's no help at all. 0 3077709 308 false 206065 bEhVeakBar3RNAeJe5aVNr 308 3 bEhVeakBar3RNAeJe5aVNr bJPkAOuyCr3ykWab7jnrAJ 0 New 0

Improve jQuery handler in Paste CSR view

2011-02-05T04:01:13-06:00 0.0 0.0 None 0.0 0.0 bEhVeakBar3RNAeJe5aVNrtzangerltzangerltzangerl bEhVeakBar3RNAeJe5aVNr 2010-09-08T09:18:31-05:00 Thijs was collecting statistics of the portal usage and we have agreed that it might be very conclusive to have some of them. The current DB contents don't give us much information, so maybe there should be a statistics function If we add a statistics function to confusa it has to fulfill the following three requirements: 1) reasonably anonymous 2) don't break other stuff if statistics break 3) fits into the current architecture Look into what can be done with reasonable effort. 0 2066963 299 false 206065 bEhVeakBar3RNAeJe5aVNr 299 4 bEhVeakBar3RNAeJe5aVNr bJPkAOuyCr3ykWab7jnrAJ 1 Accepted 0

Add "statistics" module

2011-10-24T17:00:09-05:00 0.0 0.0 None 0.0 0.0 bEhVeakBar3RNAeJe5aVNrtzangerltzangerltzangerl bEhVeakBar3RNAeJe5aVNrtzangerltzangerltzangerl djyKWKt1mr3ykWab7jnrAJ 2009-08-14T11:36:15-05:00 Luzula says: /usr/share/luzula/www/process_csr.php:201 Error signing key. Remote said: KeySignException: [0]: Cannot insert certificate into database. The log says: MDB2 Error: null value violates not-null constraint A vardump reveals: cert: , auth_key f6e75f2ff5bf09d0cde55b661c55d709a6a3af2d, cert_owner Thomas Zangerl tzangerl@rnd.feide.no, organization openidpArray ( [0] => 0 [1] => SECOND ) Obviously the certificate is not read/processed correctly. I would fix this myself but it would take me long to get into the shell scripts. Can you do that, Henrik? 0 474337 76 false 104506 bEhVeakBar3RNAeJe5aVNr,djyKWKt1mr3ykWab7jnrAJ 76 3 bEhVeakBar3RNAeJe5aVNr bJPkAOuyCr3ykWab7jnrAJ 1 Accepted 0

Certificate is not signed correctly in standalone

2011-09-21T11:38:49-05:00 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau bEhVeakBar3RNAeJe5aVNrtzangerltzangerltzangerl 2009-09-10T08:32:37-05:00 CertManager_Standalone will need to be able to do the following * insert the CSR into the csr_cache (easy?) * create a pubkey hash over SPKAC (hard - PHP openssl can obviously not do that) * sign SPKAC using "openssl spkac" (change the sign_key script) * return the certificate in the right encoding/form for different browsers (see table in browser section of the wiki) 0 511806 106 false 104506 bEhVeakBar3RNAeJe5aVNr 106 3 bEhVeakBar3RNAeJe5aVNr bJPkAOuyCr3ykWab7jnrAJ 0 New 0

Allow browser CSR generation in standalone

2010-08-24T06:28:36-05:00 None 0.0 0.0 bEhVeakBar3RNAeJe5aVNrtzangerltzangerltzangerl 2010-02-26T04:03:30-06:00 The installer - refers to INSTALL at the end of the cycle. In the .deb version, this file has been renamed to HOWTO_CONFIGURE, the installer should refer to this instead. - refers to config/confusa_config.php but the file lies in /etc/confusa/confusa_config.php If started from confusa-base-directory like so <pre><code> bash bin/install.sh </code></pre> It will fail on line 849 when it tires to cd into a non-existant directory. It does not break the script. 0 1020711 249 false 104506 djyKWKt1mr3ykWab7jnrAJ 249 3 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 0 New 0

adapt install.sh to .deb

2010-08-24T08:35:30-05:00 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau 2010-03-10T04:05:54-06:00 In personal-mode, the certificates are issued in UTF8. However, these certificates does not always play along well with other applications, and some users may need the certificate to be encoded in ASCII to be able to use it. Not all users are given access to the eScience-portal, and the validity is shorter as well as a more restricted namespace - thus personal is the only solution. The user should be allowed to choose whether or not the certificate will be issued as UTF8 or ascii. The latter requires the *entire* subject to be ascii-encoded, with particular emphasis on: - orgname - full name of user - eppn (should be in ascii already, but you must be sure). As an additional feature, the user should be presented with the last chosen action as default for the next. This is not *that* critical as a certificate is most likely valid for 3 years, but it should be considered. There are (at least) to ways to handle this. 1) Force the NREN to export an additional attribute with the user's name ascii-encoded 2) Do a utf8-decode at the portal side via [[url:http://www.php.net/manual/en/function.utf8-decode.php|utf8-decode()]] The former will move the responsibility for decoding the name properly away from the portal, but will lead to added complexity as the entire auth-chain must be updated to handle the new attribute (mapping, decorate, storing etc). The latter will give the portal better control, it will make the logic simpler and will make it easier for other NRENs to use the additional feature. 0 1069911 258 false 104506 djyKWKt1mr3ykWab7jnrAJ 258 3 djyKWKt1mr3ykWab7jnrAJ bJPkAOuyCr3ykWab7jnrAJ 0 New 0

Allow the user to request an all-ascii certificate

2010-08-24T08:47:35-05:00 None 0.0 0.0 djyKWKt1mr3ykWab7jnrAJhenrikauhenrikauhenrikau