Participants: DavidC, Maarten, DaveK, Andrei, Tom, DaveD, Romain, Enrico, Federica, Irwin, Jeny, Jim, Julie, Marcelo, Jeffrey, Sven, Fabrizio

Notes

• Central suspension
  • This meeting is to set the scene for future meetings
  • EGI can centrally suspend a DN, some question over whether this happens in practice. Argus is not necessarily used.
  • Designed so that there were various policy points where policies could be evaluated and enforced. Wanted to allow others to apply policy as well as just certificate revocation. Was an EU focused architecture.
  • We should avoid making something that is too complex. Current system is over-engineered.
  • We do need to have the same, or similar, functionality.
  • Who should be involved in defining this?
    • Technical
    • Policy
  • How does this happen technically?
  • How does this overlap with threat intelligence sharing?
  • VO level suspension is effectively solved (this is what we have). However, we have no possibility at the site level when using native OIDC.
  • How can we deal with people overloading a site? Sites would want to be able to block activity from that user immediately. 
  • We have never had an incident where site level blocking was seen as critical, however we shouldn't assume this for the future
• Capability sets
  • If a client requests a capability set and a scope that happen to be the same e.g. storage-read but for different paths, they should both be returned
  • Returning an error if not entitled
    • Plenty of error handling in the OIDC spec
    • Consider adding how the error response should look
    • https://tools.ietf.org/html/rfc6749#section-4.1.2 error response could be access_denied
    • We should make it consistent between group requests and capability set requests 
• IAM needs to start issuing kerberos principal name

Actions

• Hannah to send WLCG IAM DNs to Maarten to be included in RPMs
• DavidC form subgroup to work on this topic
• Hannah to look up how we deal with requesting groups that we're not entitled to 
• Dave to edit capabilitiset 
  • Remove part about "different values"
  • Make groups and capabilityset request failure consistent 
• Andrea and Hannah to start issuing kerberos principal claim, see with DaveD which claim name to use