Participants: DaveD, DavidC, Andrea, Petr, Jim, Linda, Jeffrey, Federica, Tom, Brian, Irwin, Julie, Brian, Maarten, Andrii, Enrico

Notes

• Capability sets
  • Generally remove the term Role
  • Discussion that roles could have been kept, unclear whether there is much value
  • Capability sets may eventually be used instead of groups, to be seen in the future
• Securing bearer tokens
  • Have already discussed that we need to think about permissions of bearer token storage
  • We can be generic in the wording and add OS specific recommendations
  • In a container environment this is a little different
  • Can we borrow from "EUGridPMA Guidelines on Private Key Protection" (https://www.eugridpma.org/guidelines/pkp/)?
  • Maybe IETF has some guidelines
• ID token claim for Kerberos principal
  • cern_kerberos_principal
• CMS Migration
  • Duplicates can be merged since no generic attributes and no possibility of conflict
  • Secondary accounts can be dropped
  • If needed we can ask for more memory in OpenShift
  • Take a backup first :)
  • Tests should be run by CMS members afterwards
  • Require LSC files, Marten or Brian W take care help@opensciencegrid.org 

Actions

• JWT Doc
  • Hannah: clarify what a VOMS role is as a footnote
  • Andrea: Provide example of error handling based on missing group
  • Brian to revisit https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/2/files
• Bearer Token Doc
  • Hannah check whether Guidelines on key protection (from EUGridPMA) can apply and add reference if so
  • Hannah check whether IETF has bearer token protection guidelines
  • Andrea add Linux example for token protection
• IAM
  • Andrea to enable propagation of kerberos principal to Vault
  • Andrea to plan CMS migration and Hannah and Andrea to run next week