[IT 513/1-024] 14:05:15 Yeah, we must be connected because
[IT 513/1-024] 14:05:15 Just moved his head over
[IT 513/1-024] 14:05:23 What about doing? Let's note, Okay, See you close captioning is running again.
[IT 513/1-024] 14:05:30 So we come, save everything that we discussed
[IT 513/1-024] 14:05:40 I've got another one which is sucks me
[IT 513/1-024] 14:05:48 Or this afternoon after the audience to go through a self assessment based on Geo.
[IT 513/1-024] 14:05:55 Second, one for Ukraine, Irs, and for Wcg.
[IT 513/1-024] 14:06:05 I could try to keep those in in my scratchy.
[IT 513/1-024] 14:06:11 Goodbye hopefully it over from the document itself, but probably Tom, you have also some ideas on how to go about it.
[IT 513/1-024] 14:06:25 What did you plan on doing or presenting this afternoon?
[IT 513/1-024] 14:06:38 Cool.
[Thomas Dack - STFC UKRI] 14:06:39 I hadn't really, and much I was gonna work through the got that you had.
[Thomas Dack - STFC UKRI] 14:06:46 I assumed fairly interactively. Discussion wise.
[IT 513/1-024] 14:06:51 Yeah.
[IT 513/1-024] 14:06:55 That's come for you. Drive into David. You drive into Hitline
[Thomas Dack - STFC UKRI] 14:06:58 Well, I mean appreciate sharing the screen. I'm happy to walk through it, and we can discuss it.
[Thomas Dack - STFC UKRI] 14:07:08 I know there's quite a few people from the Irs side in the call as well, including yourself, Dave, and I believe Ian is in the room as well, so
[IT 513/1-024] 14:07:19 this time.
[IT 513/1-024] 14:07:20 Listen to late. Oh, the David! Are they connected
[Thomas Dack - STFC UKRI] 14:07:22 David's here. Ian is here, the other Ian.
[Thomas Dack - STFC UKRI] 14:07:26 Let's see you've got well represented, for the Irs idea
[IT 513/1-024] 14:07:29 I'll represent it
[IT 513/1-024] 14:07:35 Wonderful.
[Thomas Dack - STFC UKRI] 14:07:36 Bye.
[IT 513/1-024] 14:07:41 So what I have done. I haven't come far yet.
[IT 513/1-024] 14:07:47 But I've taken the document, and everywhere where there was a requirement I'll put in the description in a spreadsheet.
[Thomas Dack - STFC UKRI] 14:07:52 Yeah.
[Thomas Dack - STFC UKRI] 14:07:53 Yeah.
[IT 513/1-024] 14:07:54 Sorry. Mind me, the document does that have numbered requirements.
[IT 513/1-024] 14:07:58 It has names, requirement? A and one or a and r, one or o E one.
[IT 513/1-024] 14:08:03 So they are well identified, So that's the number you put in there.
[IT 513/1-024] 14:08:07 Okay.
[IT 513/1-024] 14:08:10 We learned something about India assessment spreadsheets and the and development.
[IT 513/1-024] 14:08:16 So. This was inspired by certify and sei, which uses the same kind of mechanism.
[IT 513/1-024] 14:08:25 We could do it in here, we could also do it in a Google sheet.
[IT 513/1-024] 14:08:29 That's more convenient
[Thomas Dack - STFC UKRI] 14:08:34 I think that's probably fine.
[Thomas Dack - STFC UKRI] 14:08:40 I guess we stick a Google sheet up. It can easy to review you in the future, but we can always just upload this somewhere more accessible later
[IT 513/1-024] 14:08:51 Yeah, I will share it with everyone. Oh, there is probably here.
[IT 513/1-024] 14:09:08 New
[IT 513/1-024] 14:09:09 File upload
[IT 513/1-024] 14:09:14 This one I will find a right document against
[IT 513/1-024] 14:09:25 Okay.
[IT 513/1-024] 14:09:34 Then I'll just share the Google. Doc Oh.
[IT 513/1-024] 14:09:50 Now you should be seeing a refugees shaft with
[Thomas Dack - STFC UKRI] 14:09:58 Yeah, I see that
[IT 513/1-024] 14:10:08 And to Link is in the chat window like the type of review sheep
[IT 513/1-024] 14:10:15 Okay, I'll fix that. No, no, no, don't leave it.
[IT 513/1-024] 14:10:17 It starts, is, she
[IT 513/1-024] 14:10:32 who
[IT 513/1-024] 14:10:36 Yeah, no, you're the anonymous raccoon.
[IT 513/1-024] 14:10:39 Okay.
[IT 513/1-024] 14:10:54 Yeah, he saw the arms on this. Shall we go through the various requirements?
[IT 513/1-024] 14:11:01 And you know your eye comments both on the correctors of the guideline and maybe on the implementation.
[IT 513/1-024] 14:11:10 So the first one
[IT 513/1-024] 14:11:15 Is on naming. Yeah, identifiers of the Aa operator.
[IT 513/1-024] 14:11:22 Mpa must be numerous, assigned, and globally unique.
[IT 513/1-024] 14:11:27 In addition, the Antifarth community should be unique and chosen in importance with the our guidelines on community membership management policies
[IT 513/1-024] 14:11:40 I'm sure, define a naming scheme for subjective attributes.
[IT 513/1-024] 14:11:45 Oh!
[IT 513/1-024] 14:11:48 What is your answer to this question? Do you plead known guilty
[Thomas Dack - STFC UKRI] 14:11:53 Well subjects subjects, identify, as I feel like, that's just using the standard.
[Thomas Dack - STFC UKRI] 14:12:00 I plan to connect ones for subject most of the time, So as long as you're using unique user identifies within the scope of your tribute authority, that one should be fine
[Thomas Dack - STFC UKRI] 14:12:16 The identifies the a operator, and the Aa itself is a bit more.
[Thomas Dack - STFC UKRI] 14:12:22 I mean, Obviously, ours is registered within the Federation, and has all that identity associated with it.
[Thomas Dack - STFC UKRI] 14:12:30 But I'm not sure what other identifies would be involved
[IT 513/1-024] 14:12:36 Can I ask a stupid question? Is it completely obvious?
[IT 513/1-024] 14:12:38 What an identifier of the aol operator exactly is
[Thomas Dack - STFC UKRI] 14:12:42 That's what I'm a bit confused about, like we have our own St.
[Thomas Dack - STFC UKRI] 14:12:46 Id within the Federation, which the Ncid. Within the Federation is a URL service, which will be unique, because no one else be operating on The same host, which I assume you could probably use within other scopes as well because as the
[Thomas Dack - STFC UKRI] 14:13:16 Oh, Iris, we have
[Thomas Dack - STFC UKRI] 14:13:33 Let me just check what it is. There's there's the entity, the Federation first, to which
[IT 513/1-024] 14:13:35 Yeah.
[IT 513/1-024] 14:13:35 Yeah.
[Thomas Dack - STFC UKRI] 14:13:43 By nature of that is unique, and could I guess reason to be used to be and identify.
[Thomas Dack - STFC UKRI] 14:13:48 But I'm not sure what other things you'd be using
[IT 513/1-024] 14:13:52 The if you issue. Doug could probably also be her community.
[IT 513/1-024] 14:13:58 The issuers unique. So the iss value in the double
[Thomas Dack - STFC UKRI] 14:14:01 Yeah.
[IT 513/1-024] 14:14:09 And that Iss URL is based off the domain name of Uk Iris, or
[Thomas Dack - STFC UKRI] 14:14:17 Yeah.
[Thomas Dack - STFC UKRI] 14:14:21 Yeah, the issue with URL: We didn't already see?
[Thomas Dack - STFC UKRI] 14:14:26 It's just the main domain. URL
[David Crooks - STFC UKRI] 14:14:30 Is there? Is there something here about the fact that so the domain for that is Stsc.
[David Crooks - STFC UKRI] 14:14:40 Though no irs.
[Thomas Dack - STFC UKRI] 14:14:43 Yeah, it's
[David Crooks - STFC UKRI] 14:14:47 Because it's Iris I am. Don't sdc.com
[Thomas Dack - STFC UKRI] 14:15:00 That's the line in the already. See? My today to for it
[IT 513/1-024] 14:15:04 How are you?
[IT 513/1-024] 14:15:04 There is later on a requirement that it must be preferably persistent over time
[IT 513/1-024] 14:15:22 If you look at the I'll put this one in format
[IT 513/1-024] 14:15:33 If you look at the document guidance, I think there is a there should be
[IT 513/1-024] 14:15:45 Persistent. They identify the aa, operator
[IT 513/1-024] 14:15:50 So forever. You have to hang on to Delta Domain name.
[IT 513/1-024] 14:15:55 Is that actually doable? So it's not Uk, iris thoughts Sdl: A. C. W.
[IT 513/1-024] 14:16:03 K
[Thomas Dack - STFC UKRI] 14:16:04 It's it's in the chair.
[David Crooks - STFC UKRI] 14:16:06 Yeah, it's Iris Dash. I am dot Sdfc.
[Thomas Dack - STFC UKRI] 14:16:09 I mean for the duration of the services and operation that feels reasonable
[David Crooks - STFC UKRI] 14:16:12 Yeah.
[David Crooks - STFC UKRI] 14:16:17 Yeah. And and you know we for some value if we own the Sdc domain.
[David Crooks - STFC UKRI] 14:16:23 So
[IT 513/1-024] 14:16:28 Yeah, and at least it's not really pro check-based.
[IT 513/1-024] 14:16:33 Look. Iris is supposed to be there forever, essentially
[David Crooks - STFC UKRI] 14:16:37 For the for the purposes of argument. Yes.
[Thomas Dack - STFC UKRI] 14:16:38 Yeah.
[IT 513/1-024] 14:16:44 Long as the Irish item is there. Yeah, that's a circular argument.
[Thomas Dack - STFC UKRI] 14:16:48 But are I said, for the scope of the scope of the service.
[IT 513/1-024] 14:16:48 We go, we have
[Thomas Dack - STFC UKRI] 14:16:52 the domain will remain that
[David Crooks - STFC UKRI] 14:16:55 Yeah.
[IT 513/1-024] 14:16:56 Yeah, and that's probably personal. Yeah, I can't see the Okay, crystal
[Thomas Dack - STFC UKRI] 14:16:59 group. I could see. Christos has a hand up if we wanted to
[Thomas Dack - STFC UKRI] 14:17:06 I can point that out and keep it on that. But yeah.
[Christos Kanellopoulos] 14:17:11 Oops, David, did you? Did you ask me to see something for?
[IT 513/1-024] 14:17:22 Yeah, you. You had your hands up
[Christos Kanellopoulos] 14:17:24 Yes, yes, so I think one aspect is the is that in 5 for the operator, which of course, it is either the Id or the the issue.
[Christos Kanellopoulos] 14:17:38 But I think deciding has also a much broader scope, and I think it relates also to 0 26.
[Christos Kanellopoulos] 14:17:51 And basically, how also to have unique identified for subjects.
[Christos Kanellopoulos] 14:17:55 And the namespace they are, and and how to carve also unicated files for attributes.
[Christos Kanellopoulos] 14:18:01 It is 0 69 and group memberships. So it is actually not only just the then issue it right
[IT 513/1-024] 14:18:04 Okay.
[Thomas Dack - STFC UKRI] 14:18:15 Well in terms of subjects being user identities or client identity is that is, managed to be ident unique within the configuration least with the video.
[Thomas Dack - STFC UKRI] 14:18:29 I am so, but obviously that's only within the scope of this service.
[Thomas Dack - STFC UKRI] 14:18:35 That doesn't prevent their ever being a class you to Ims into operating
[Christos Kanellopoulos] 14:18:42 But but this is this is not enough for for our compliance.
[Christos Kanellopoulos] 14:18:49 So so
[Christos Kanellopoulos] 14:18:55 and they talk about them, the identifies, and then the namespace for its attribute authority.
[Christos Kanellopoulos] 14:19:04 So they are. There are some requirements regarding the subject identified, and some requirements regarding basically the expression of group membership.
[Christos Kanellopoulos] 14:19:17 How this should be defined, and and both of these things have characteristics of identifying also the parent
[Christos Kanellopoulos] 14:19:26 And I think I think this this requirement is. This is exactly what it writes here in the description, Right?
[Christos Kanellopoulos] 14:19:34 It mentioned the identified for the operator, for the community members, management policy for the subject identifiers and the attributes
[Thomas Dack - STFC UKRI] 14:19:34 Yeah.
[IT 513/1-024] 14:19:54 So
[IT 513/1-024] 14:19:57 After these clients been taken into account for Irish, I am at the moment
[Thomas Dack - STFC UKRI] 14:20:03 I guess not. Within the subject or group membership namespaces
[IT 513/1-024] 14:20:14 Okay. So that's a that's actually a recommendation.
[IT 513/1-024] 14:20:17 Then to refugos
[IT 513/1-024] 14:20:23 Crystal. She still
[Thomas Dack - STFC UKRI] 14:20:23 the subject.
[Thomas Dack - STFC UKRI] 14:20:24 The subject. One is interesting, because with the indigo I am implementation.
[Thomas Dack - STFC UKRI] 14:20:28 The user subject is the open Id connect unique identifier, which will be, is just generated.
[Thomas Dack - STFC UKRI] 14:20:38 Account, Creation, Time.
[Thomas Dack - STFC UKRI] 14:20:44 Obviously that results in a unique identifier for every user.
[Thomas Dack - STFC UKRI] 14:20:48 Within an instance of indigo. I am but
[Thomas Dack - STFC UKRI] 14:20:54 It wouldn't be unique without extra tags, you know why, to community space
[Christos Kanellopoulos] 14:21:03 So? So what is being discussed in art? 0 26 is exactly that in open at theconnect is in company practices.
[Christos Kanellopoulos] 14:21:12 They use a combination of issuer, and they have to really grab and define users.
[Christos Kanellopoulos] 14:21:15 But in order to be able to interoperate with with other infrastructure, this is why we need to have a proper main issue also, for because you might require to do approval also over other other protocols.
[Christos Kanellopoulos] 14:21:31 And then and then this is an important password
[Thomas Dack - STFC UKRI] 14:21:35 I I do believe actually it does combine issue of sub
[Thomas Dack - STFC UKRI] 14:21:43 Cause you. They usually come through with the Uid app the issue address, but
[Christos Kanellopoulos] 14:21:43 Hmm.
[Thomas Dack - STFC UKRI] 14:22:08 Yeah.
[IT 513/1-024] 14:22:24 Okay.
[Christos Kanellopoulos] 14:22:26 David.
[IT 513/1-024] 14:22:33 Okay.
[Christos Kanellopoulos] 14:22:34 So so if you go, if you go back to the left of the document in the modern Ukraine, which is not the requirement, this description it says, that supports openly connect it, which it's in principle it's fine But again for interoperability.
[Christos Kanellopoulos] 14:22:53 Purposes. Some Elizabeth required, and this is something also to to point that upon a bit, because basic supporting only open at the connect.
[Christos Kanellopoulos] 14:23:07 This means that by definition it becomes, I usually need to only open at the connect flows
[Thomas Dack - STFC UKRI] 14:23:15 Sam always supported. We just primarily operate There's no plan You can't enter Provider.
[Thomas Dack - STFC UKRI] 14:23:24 And so I was addressing the questions in the scope of our main use cases.
[Thomas Dack - STFC UKRI] 14:23:29 We haven't had a well, we have some partner services that connect to, someel identity providers for the IM and the scope of the Durant to use the community can be used and edited, provider for the IM sorry that was just me.
[Thomas Dack - STFC UKRI] 14:23:54 Addressing the questions in the main scope of the what we pass information out, as at the moment
[Christos Kanellopoulos] 14:24:03 The reason I'm making this comment is because I guess I mean the the the the spirit of this document, easy to be able to have interruptable, secure attribute authorities right?
[Christos Kanellopoulos] 14:24:14 And and then, and there are 2 aspects regarding the protocol support.
[Christos Kanellopoulos] 14:24:18 One is what kind of identity providers are supported with the supports open and the connect sample, etc.
[Christos Kanellopoulos] 14:24:24 And that is called kind of of client services you supported.
[Christos Kanellopoulos] 14:24:28 So, if Youki is, is supposed to be thought only as an infrastructure level proxy connecting all internal services to the Uk infrastructure, supporting 1 million protocol is fine.
[Christos Kanellopoulos] 14:24:42 But if there's expectations that it would be the concept of Ukraine community and that community should be able to access using Uk Ids, I've either with the arc that that are compliant then then some is easy requirement.
[Christos Kanellopoulos] 14:25:02 To be there, as also on on on the IP. Side of the of the I'm just saying this again, in terms of interoperability.
[Christos Kanellopoulos] 14:25:10 I'm not sure whether this is relevant, or not to this discussion here, but but these I need an interrupt issue for sure, I don't know.
[Christos Kanellopoulos] 14:25:21 What do you think
[IT 513/1-024] 14:25:25 Yeah, whoo, without sample support, downstream. It cannot really act as community proxy.
[IT 513/1-024] 14:25:32 Awesome. Yeah, all those federations are at least for the moment, SAML.
[Christos Kanellopoulos] 14:25:32 Exactly.
[John Kewley - STFC UKRI] 14:25:34 Yeah.
[IT 513/1-024] 14:25:40 Only there is no Iuc felt that actually works so
[IT 513/1-024] 14:25:48 Before in infrastructure proxy. It works with only upstream sample. That's that's also true.
[IT 513/1-024] 14:25:59 But I think we should try to distinguish between meeting G.
[IT 513/1-024] 14:26:02 O 71, and being able to interoperate with other federations as community proxy.
[IT 513/1-024] 14:26:11 But this is the operational security bit. The other one is a policy depth I don't think you you need both in the end were trying to combine everything into one document.
[IT 513/1-024] 14:26:22 We'll probably never get there
[IT 513/1-024] 14:26:26 Roger. It is worth making a note of that much time.
[IT 513/1-024] 14:26:30 That's a new field in the at the top
[IT 513/1-024] 14:26:46 But meeting Rko 26, and oh! 69, I think, or required for a and one to be met
[IT 513/1-024] 14:26:58 So
[IT 513/1-024] 14:27:12 Is this a fair assessment for now? But it's awesome.
[Thomas Dack - STFC UKRI] 14:27:16 I think so.
[IT 513/1-024] 14:27:19 There's a bit about. Oh, I DC.
[IT 513/1-024] 14:27:24 The scope of the entity r D. And assure.
[IT 513/1-024] 14:27:29 But Gio and G. O. 69 have to be considered before it can become compliant
[Thomas Dack - STFC UKRI] 14:27:37 Yeah, no, I think that's bye.
[IT 513/1-024] 14:27:46 So now I don't know something that occurs to me in terms of the layout of the spreadsheet in the past.
[IT 513/1-024] 14:27:53 We've tried to split up with some components, and because there's lots of requirements in A in a and 6 or 7 or 12, and you a and one is too complex as a requirement.
[IT 513/1-024] 14:28:11 It would be good to pull out which bits of it I mean, I know that's probably in the comments but I've been easy.
[IT 513/1-024] 14:28:17 Is it worth splitting it up to say, you know that the requirement that the identifier for the aa operator must be non-assigned food the requirement for the Aa That's the second one Yeah, identify should be something I I don't know is It a n one.
[IT 513/1-024] 14:28:34 Dash! One day, and one that to me. I don't know.
[IT 513/1-024] 14:28:39 What do you see here? But you've got experience of trying to do this for sci and everything often, and do not kind of splitting it up so that each each line, each row, is one specific thing that you can answer you've got 7 things you might be Yes, on 5 to I think it
[IT 513/1-024] 14:29:02 helps to simplify how it can be done like that. It also makes sure that everybody's answer
[IT 513/1-024] 14:29:12 But then you end up with it. Questions, too, if you have some No, another.
[IT 513/1-024] 14:29:19 Yeah, what does it mean? What does it mean over? Are you scoring it or something?
[IT 513/1-024] 14:29:27 Cause, then? Yeah, for a Ci: we have maturity.
[IT 513/1-024] 14:29:35 So whatever makes the assessment easier for the hey operator, for people summarize.
[IT 513/1-024] 14:29:46 I just don't
[IT 513/1-024] 14:29:54 2, I kind of like the idea that each row is a single ring.
[IT 513/1-024] 14:29:59 You can, either, else, maybe, but that can become extremely known, and it becomes much longer.
[IT 513/1-024] 14:30:09 Is that easier, or just
[IT 513/1-024] 14:30:16 So
[IT 513/1-024] 14:30:27 less obvious. If somebody comes and looks at this spreadsheet, are they answering all 7 questions?
[IT 513/1-024] 14:30:39 This is obvious from you. Comments show you guys. Yes.
[IT 513/1-024] 14:30:54 Is that easier to pause? I don't know. What do you think, Toll?
[IT 513/1-024] 14:30:59 So make it easier
[Thomas Dack - STFC UKRI] 14:31:03 I think so, I think, being able to view which aspects are the ones where there's issues, it's good
[IT 513/1-024] 14:31:23 Okay.
[Christos Kanellopoulos] 14:31:24 Click can make an extra comment. You know that we have speedy.
[IT 513/1-024] 14:31:27 Yeah.
[Christos Kanellopoulos] 14:31:29 I think this this looks better because we can discuss things in a bit of a more detail, I think, for one to 2 at the end of the community should be unique.
[Christos Kanellopoulos] 14:31:38 Indeed, if you see that they that for the community is the issue, the urm we used to basically mapped them.
[Christos Kanellopoulos] 14:31:55 We're using the in the group entitlements.
[Christos Kanellopoulos] 14:31:58 So it was important to to say, What is that inside of the community.
[Christos Kanellopoulos] 14:32:03 So if it is comply, if it has to become large with arc, it has to comply with D 0 69. It does require a urn to be there
[Christos Kanellopoulos] 14:32:15 So yeah, and and so. So this is why I would say we wanted to partial for that identifiers for the I.
[Christos Kanellopoulos] 14:32:25 I think that should be a No, because I'm I'm pretty sure that I am.
[Christos Kanellopoulos] 14:32:29 Doesn't follow the the arc guidelines, and for one does 4 Again, the name, scheme, has to.
[Christos Kanellopoulos] 14:32:43 It is not just because we define the scheme.
[Christos Kanellopoulos] 14:32:45 It has to be the one that is the one that we have described in 0, 69 and 0, 26, so that should be a No. Also.
[Christos Kanellopoulos] 14:32:55 So again, a a way the way that this requirement is written.
[Christos Kanellopoulos] 14:33:00 Now with David Vcs. It is that it has a It's then defining the scheme. But this is now conflicting with your requirements.
[IT 513/1-024] 14:33:09 Yeah, although they help a defined nate. The Mainish find.
[IT 513/1-024] 14:33:15 But it's inconsistent, indeed. Inconsistency is am.
[IT 513/1-024] 14:33:19 1 point, 3 square or no, but it's still defined, so that I think 1 point, 4 is okay.
[IT 513/1-024] 14:33:28 has a defined naming scheme.
[IT 513/1-024] 14:33:29 It's just multi in thundered, naming scream. And that's 1.3
[Christos Kanellopoulos] 14:33:33 Right.
[Christos Kanellopoulos] 14:33:34 So so. Yes, I'm not sure whether 1.3 is this is both about identifies and about attributes.
[Christos Kanellopoulos] 14:33:45 Yeah.
[IT 513/1-024] 14:33:48 Oh!
[Christos Kanellopoulos] 14:33:48 I mean 1. One can assume that this is also attributes, because the message community may be smarter than policy, but but not after you are not mentioned in number 3 while in one to 4 subject and atoms are clearly mentioned.
[IT 513/1-024] 14:34:03 And that's actually a book in the policy document. Then
[IT 513/1-024] 14:34:08 The
[Christos Kanellopoulos] 14:34:11 Actually splitting. This was a good idea.
[IT 513/1-024] 14:34:16 Identifiers for subjects and attributes.
[Christos Kanellopoulos] 14:34:19 Yes.
[IT 513/1-024] 14:34:40 But it didn't
[IT 513/1-024] 14:34:41 But it didn't one a 1 point free
[IT 513/1-024] 14:34:49 Or
[IT 513/1-024] 14:34:54 Okay, I've made a note of that in the
[IT 513/1-024] 14:35:01 New version of this sense identify means name.
[IT 513/1-024] 14:35:10 Yeah, the name of an attribute. And that's why it's A. M.
[IT 513/1-024] 14:35:14 One, got to be naming. Yup, but then we start about identifies, and then I get bust as to what just the identify.
[IT 513/1-024] 14:35:23 Is it just a name, or is it some other that should be linked to it?
[IT 513/1-024] 14:35:28 You know this should be the name, but the the Texas.
[IT 513/1-024] 14:35:30 I did not. So I mean, maybe it's obvious to people
[Christos Kanellopoulos] 14:35:35 No, actually no, it's not obvious to me. So is it about the name of the attribute or the value?
[IT 513/1-024] 14:35:45 Support.
[IT 513/1-024] 14:35:45 Support it should be the value
[Christos Kanellopoulos] 14:35:47 And because if you see the values, because you see also one but 4 is very clear, and took some of the sounds
[Christos Kanellopoulos] 14:35:47 And because
[IT 513/1-024] 14:35:54 Yeah.
[Derek Simmel] 14:35:58 We can avoid overloading the term identifier. That would be very helpful
[Derek Simmel] 14:36:06 Being very specific about what you're talking about
[IT 513/1-024] 14:36:09 Yeah, I I just wanted next release. Should we actually replace that word?
[Christos Kanellopoulos] 14:36:09 So
[IT 513/1-024] 14:36:13 Identified before specific, what we actually need. Thank you.
[IT 513/1-024] 14:36:20 Dame of the entity
[Christos Kanellopoulos] 14:36:20 David.
[Christos Kanellopoulos] 14:36:21 David, the that we use for the user and fire in in all the other documents is is the community user and fire.
[Christos Kanellopoulos] 14:36:31 So have the committee user in the file, and then it will have the attributes that required to have
[Christos Kanellopoulos] 14:36:40 Uniqueness across communities. And this is really basically the equipment
[IT 513/1-024] 14:36:45 So so Crystal, did you say? That is defined in one of the other? Don't keep it so good
[Christos Kanellopoulos] 14:36:49 In in the other. Do you know the other documents that we are using for the architecture?
[Christos Kanellopoulos] 14:36:54 We use the term C Uid community user and fire for the identified of the user
[IT 513/1-024] 14:36:57 Okay technology here.
[IT 513/1-024] 14:37:03 Community order, so community.
[Christos Kanellopoulos] 14:37:06 Community user identifier
[Christos Kanellopoulos] 14:37:11 It's not mean that if I commute a user default because it is about the user, it is really identified that the community use to the user
[IT 513/1-024] 14:37:18 Yup
[IT 513/1-024] 14:37:23 So community user identifies for subjects and attributes should be chosen according to the our guidelines.
[IT 513/1-024] 14:37:30 Okay.
[Christos Kanellopoulos] 14:37:32 Yes, and I think I think they're there. We need to include the need to include 0 26, and 69, because I think when this goes through them, these were not there
[Christos Kanellopoulos] 14:37:44 Yeah, yeah, yeah, yeah.
[IT 513/1-024] 14:37:44 Now it's just test with the art guidelines.
[IT 513/1-024] 14:37:52 So, Tom, Are you still happy, or are you? It's still possible, I think Yeah, Yeah.
[Thomas Dack - STFC UKRI] 14:38:02 Awesome. Happy sounds like I could also. Yeah, I'm just thinking about the situation.
[IT 513/1-024] 14:38:06 Okay.
[Thomas Dack - STFC UKRI] 14:38:11 Because with with the indigo, I am yeah, the application itself, I believe the user identifies that get passed over the uid.
[Thomas Dack - STFC UKRI] 14:38:22 Alright. This issue escape, which, if that meets the criteria for users, then that's fine. That's all.
[Thomas Dack - STFC UKRI] 14:38:30 Working is intended the group structure would need more revision.
[Thomas Dack - STFC UKRI] 14:38:37 and Review.
[Thomas Dack - STFC UKRI] 14:38:44 And then at that point, that's then hitting the nose.
[Thomas Dack - STFC UKRI] 14:38:47 We've identified
[IT 513/1-024] 14:38:54 Okay.
[Thomas Dack - STFC UKRI] 14:38:59 1.5 is 1 1 point, 5 is easy. Guess at least
[IT 513/1-024] 14:38:59 Done just briefly
[IT 513/1-024] 14:39:05 Yeah.
[IT 513/1-024] 14:39:10 That's okay. Implicit. Yeah.
[Thomas Dack - STFC UKRI] 14:39:12 Yeah, yeah, that's
[IT 513/1-024] 14:39:20 Okay.
[IT 513/1-024] 14:39:23 I'm sorry I wasn't in the room, and you probably covered this.
[IT 513/1-024] 14:39:26 The subjects that you have in Uk Iris? Are they just opaque ids?
[IT 513/1-024] 14:39:31 Or do you have like scoping, or something done just to pick ids
[Thomas Dack - STFC UKRI] 14:39:36 For the user
[Thomas Dack - STFC UKRI] 14:39:37 For the users that just to pick ids
[IT 513/1-024] 14:39:39 Okay.
[IT 513/1-024] 14:39:42 Yeah, same here.
[Thomas Dack - STFC UKRI] 14:39:49 Any, yeah, form of scoping of the users, access will be done via group claims.
[Thomas Dack - STFC UKRI] 14:39:55 But obviously we aren't certain that aligns with what the AI guidelines for groups.
[Thomas Dack - STFC UKRI] 14:40:03 And so that new review
[IT 513/1-024] 14:40:09 Good, hey? I'm r one You won't.
[IT 513/1-024] 14:40:15 The community must define and document the semantics, lifecycle, data, protection and release policy of attributes stored or asserted by the Aa.
[IT 513/1-024] 14:40:27 Is actually a requirement that you should put all the communities that's for some to separate out some things.
[IT 513/1-024] 14:40:36 Life cycle. Take the Britain
[IT 513/1-024] 14:40:41 Because again, you know, I'm concerned that if everything's that, people will say, Yes, that's okay.
[IT 513/1-024] 14:40:46 And then we say, But what about David? Oh, no! You have a an explicit 9 by 9 I don't. I don't know.
[IT 513/1-024] 14:40:55 Maybe I'm being too
[IT 513/1-024] 14:41:01 Multiple requirements, all sentences.
[IT 513/1-024] 14:41:13 People disagree with the link, shout, This is stupid!
[IT 513/1-024] 14:41:23 Hello. Okay, Yeah, for perhaps in this context, for it's a naturally first one through.
[Thomas Dack - STFC UKRI] 14:41:24 to me.
[IT 513/1-024] 14:41:32 Yeah, I mean we could. We would get after experience. So someone's taking access to why it's possible.
[IT 513/1-024] 14:41:43 Yeah, we need to go through document
[IT 513/1-024] 14:41:49 course the operator, and then you reviews. Yeah, but can we do something here?
[IT 513/1-024] 14:41:59 Okay, too bad Christmas, but great that you were able to join for a bit of it has already been extremely useful.
[Thomas Dack - STFC UKRI] 14:42:09 Yes.
[IT 513/1-024] 14:42:13 Hey? M. R. One Do the Irish communities actually define the semantics, lifecycle data perfection and release policy
[Thomas Dack - STFC UKRI] 14:42:26 Well, this is Heyan and Dave's extra area for Iris
[IT 513/1-024] 14:42:31 Good. Yeah. So this is a This is a tricky one.
[IT 513/1-024] 14:42:35 So what is the requirement on the aa operator to tell the community?
[IT 513/1-024] 14:42:38 You've got to do this to make sure they do it.
[Ian Collier - STFC UKRI] 14:42:44 Hmm.
[IT 513/1-024] 14:42:45 Are you holding The aa operator responsible for the actions of the you?
[IT 513/1-024] 14:42:48 This. It's different entities, doing different things as well
[Ian Collier - STFC UKRI] 14:42:55 Well.
[IT 513/1-024] 14:42:56 Which we should have considered all this when we were writing into one. Of course but it's it's only when you do these reviews and you stuff
[Ian Collier - STFC UKRI] 14:43:02 But hmm. But when we say community here we mean Irs as a whole.
[Ian Collier - STFC UKRI] 14:43:09 Don't wait. Well, I think we. I I assume so, because Iris Iris can just you know Iris in its policy, can define all of this and for anybody using it.
[IT 513/1-024] 14:43:11 Do we? And I don't know. Or is it this?
[IT 513/1-024] 14:43:15 I mean good. A definition is
[IT 513/1-024] 14:43:22 Yeah.
[Ian Collier - STFC UKRI] 14:43:25 Then they you know, for where? Where we, where we allow effectively videos management, you can.
[Ian Collier - STFC UKRI] 14:43:38 Tell them you. You know th this this is you know the these are constraints, you know.
[Ian Collier - STFC UKRI] 14:43:42 These are the constraints that you work under
[John Kewley - STFC UKRI] 14:43:45 Hmm.
[IT 513/1-024] 14:43:46 But then I mean, that's the decision we need to make within Iris.
[Ian Collier - STFC UKRI] 14:43:49 Yeah. [IT 513/1-024] 14:43:49 But does Iris as a whole? Want to impose on all of the research communities represented the same semantics, lifecycle data, protection, and or is it down to ska versus, I would at least all of these of definers all the definitions. [Ian Collier - STFC UKRI] 14:44:02 Well, perhaps we different. But how we define a default and say, you know, And here are areas where you can document where you can select and document changes [IT 513/1-024] 14:44:08 no. [IT 513/1-024] 14:44:22 Is it? No, I mean that definitely think that definition of community someone conflicts with what we have in the Irs top-level policy. [Ian Collier - STFC UKRI] 14:44:28 Oh, okay. Well. [IT 513/1-024] 14:44:30 Definition. Yeah, So the definition is one or more groups [Derek Simmel] 14:44:35 is this more like relying parties? They these, these are conditions. [Derek Simmel] 14:44:41 You're going to set on anybody who uses this, that you agree that this is these are the definitions of the lifecycle, data, protection, etc. [IT 513/1-024] 14:44:58 No one evening, probably not so much so very. I mean, it's more it is. [IT 513/1-024] 14:45:03 This is user registration. This is the but when seen in combination with a M. R. [IT 513/1-024] 14:45:09 2. They're the aa operator is required to implement the community definitions, so it has to know what the community definitions are in order. [IT 513/1-024] 14:45:22 For the a operator, for an infrastructure like Iris. [Derek Simmel] 14:45:23 so [IT 513/1-024] 14:45:25 It would be simpler in all research communities using Irs have the same, set of definition, but like, imagine the mighty reasons why one research community does something slightly different. [Derek Simmel] 14:45:31 Alright. [Derek Simmel] 14:45:35 So getting back to what David was saying. 
I think it sounds like this is a requirement that the community is gonna define these things so that the attribute authority can implement them consistently.
[Derek Simmel] 14:45:52 As required by the community.
[IT 513/1-024] 14:45:55 I think, in practice at the moment, for the IAM. This is a service that Virus Island provides for its communities.
[IT 513/1-024] 14:45:55 I think
[IT 513/1-024] 14:46:04 So no, the way to look at it. Top
[Thomas Dack - STFC UKRI] 14:46:09 Yeah, I think so.
[Thomas Dack - STFC UKRI] 14:46:14 I think
[IT 513/1-024] 14:46:17 You are managing. You are managing the likes
[Thomas Dack - STFC UKRI] 14:46:18 Having this, hmm
[Thomas Dack - STFC UKRI] 14:46:24 Based on policy defined by IRIS.
[IT 513/1-024] 14:46:28 Yeah.
[IT 513/1-024] 14:46:37 I mean in some ways that's better. Geo. 70.
[IT 513/1-024] 14:46:40 One is aimed at the AA operators. Yeah, all of a sudden, we're writing down policy statements.
[IT 513/1-024] 14:46:45 The community's got to do this, right. Do they read this guideline?
[IT 513/1-024] 14:46:52 How do they know? I mean, is it, is it the AA operator's responsibility to make sure they know?
[IT 513/1-024] 14:46:57 I don't know. Police is federated with the IRIS layer.
[IT 513/1-024] 14:47:03 No community, separate community running their own identity management system separate from IRIS.
[IT 513/1-024] 14:47:11 The IAM at the moment. Over the does clarify the relationship between community and IRIS, and that's now the community has to be aware of the choice cycle management. Website.
[IT 513/1-024] 14:47:25 If IRIS doesn't define any of this, the community doesn't define any of it.
[IT 513/1-024] 14:47:33 Yeah, so in order working on the community, but it's cool.
[Derek Simmel] 14:47:40 So then, what happens in the smaller? You know the 1 point 2, 1 point 3 is you can't just say yes, no.
[Derek Simmel] 14:47:48 You have to say, identify a document where these things are defined.
[IT 513/1-024] 14:47:56 You know.
Maybe
[IT 513/1-024] 14:47:56 You know. Maybe
[IT 513/1-024] 14:48:02 Now that at the moment is not there, is there any of implicit requirement? This is where we get a, a maturity of, okay, right?
[IT 513/1-024] 14:48:16 Which is like SCI. Well, yes, it's kind of defined, but we haven't written it down. It's fully written down that everybody's familiar with.
[IT 513/1-024] 14:48:23 Yeah. So this is, is it, in that maturity flavor, is ad hoc or reproducible.
[IT 513/1-024] 14:48:30 Okay.
[IT 513/1-024] 14:48:36 Of ad hoc, reproducible, documented, and verified, those not the words we use in SCI, for example, so exists.
[IT 513/1-024] 14:48:49 Existing.
[IT 513/1-024] 14:48:50 to and audited. So exists. Yeah.
[IT 513/1-024] 14:49:04 So it may be that the AMR one wording is better, that the AAA
[IT 513/1-024] 14:49:10 Operator must define in agreements with the communities that semantic.
[IT 513/1-024] 14:49:21 Because in reality, I mean it's Tom. Look for IRIS.
[IT 513/1-024] 14:49:23 He's, he's got just like we could find this.
[IT 513/1-024] 14:49:25 Maybe the according to season, if you, if you got the SKA, I shall see that they should probably be fine.
[IT 513/1-024] 14:49:36 Their lifetime call data protection and release policy, in which case you, grey IRIS, would have to implement it.
[Ian Collier - STFC UKRI] 14:49:46 Well, probably we do. That's on the separate problem. Probably that happens on a set on dedicating instances.
[IT 513/1-024] 14:49:47 Our balance.
[Ian Collier - STFC UKRI] 14:49:54 But yeah.
[IT 513/1-024] 14:50:01 But it could. Those are the 2 extremes, the communities, they are saying.
[IT 513/1-024] 14:50:05 This should be, and then we implement it, or we're kind of saying, this is what we're gonna do for everybody.
[IT 513/1-024] 14:50:11 The community agrees that we, those complex spaces.
[IT 513/1-024] 14:50:26 So hmm.
[IT 513/1-024] 14:50:32 In and just throw the input. I mean how the WLCG.
[IT 513/1-024] 14:50:36 But it's again all of the sort of community lifecycle semantics, that kind of.
[IT 513/1-024] 14:50:44 So I did provide you as the operator, the service, or it's the WLCG.
[IT 513/1-024] 14:50:48 Authorization working group. Or it's, is one experiment going to be different from another.
[IT 513/1-024] 14:50:54 I wasn't thinking of, we'd actually change anything, but I know.
[IT 513/1-024] 14:51:00 But may we have to. I don't think anybody has come up with any documents for this.
[IT 513/1-024] 14:51:06 I naively thought that we could just base it on the existing policies, and that nothing would have to change that.
[IT 513/1-024] 14:51:15 Okay, the life cycle doesn't change, I think, I think it's one of these things where everybody's doing something reasonable.
[IT 513/1-024] 14:51:24 But we're not quite sure what it is we're doing all, hey?
[Ian Collier - STFC UKRI] 14:51:28 But is it, but isn't this highlighting that, I mean when you say nothing's changed?
[Ian Collier - STFC UKRI] 14:51:33 I mean effectively you'll set the same as using bombs and earlier.
[Ian Collier - STFC UKRI] 14:51:41 There was a comment along the lines of, you know, there was always an intention to regularize and document what was being done, and if you ever got round to it, well, this is not perhaps an opportunity to get round to it.
[IT 513/1-024] 14:51:58 And it does say, must define appointment. So yes, so to meet, fully meet the requirements here.
[IT 513/1-024] 14:52:06 Exactly what you, it says. We do need to now start documenting this.
[IT 513/1-024] 14:52:12 But I'm not sure what.
[Ian Collier - STFC UKRI] 14:52:14 Oh, but I guess I, I suppose choosing, not choosing, not to meet the requirements is an option, I suppose.
[Ian Collier - STFC UKRI] 14:52:24 But it doesn't sound very good example, you know.
[IT 513/1-024] 14:52:24 Yeah.
[IT 513/1-024] 14:52:30 Never do you end up in the press listed yet.
[Ian Collier - STFC UKRI] 14:52:33 Oh, wow!
[IT 513/1-024] 14:52:34 Exactly. What's the pass bar for the trustees?
[IT 513/1-024] 14:52:40 100%, 85. Let's do better. Were the intention to bear 200%.
[IT 513/1-024] 14:52:48 I think this is another classic case where we should all be jointly deciding.
[IT 513/1-024] 14:52:52 Now what is actually useful for. I have a feeling that documenting some of this, even if it's just a few sentences, that may also protect the AA operator against the community. It says that communities can kind of complain if you throw away the data after, or say historic registrations, after a
[IT 513/1-024] 14:53:11 year. But yes, but now just user has come back after 2 years of what has happened to all the attributes.
[IT 513/1-024] 14:53:18 So we're almost going back to where we were with the community membership management policy.
[IT 513/1-024] 14:53:23 The one that was detailed, that said all about, you know, registration and the new rule and suspension, and, and all of the lifecycle things that we've kind of now moved away from, because was too complex, too long.
[IT 513/1-024] 14:53:38 By the way, to be really clear. You know how suspension works. What does it mean?
[IT 513/1-024] 14:53:42 Help, I was removal. What is renewable? Yes, yeah, that's a lot of work.
[IT 513/1-024] 14:53:51 But at some point you will be better by the community saying, oh, can you restore this user from 2 years ago, because now he's not a postdoc somewhere else?
[IT 513/1-024] 14:53:59 And how the users come back. And now she's lost all attributes.
[IT 513/1-024] 14:54:04 Can we get this back? No, sorry, we deleted it. So here I can imagine that CERN and IRIS are quite different. In the CERN's got all the procedures of the CERN user office and experiment, usually there's a lot of procedure and stuff already defined, whereas for IRIS
[IT 513/1-024] 14:54:22 we're both okay.
[IT 513/1-024] 14:54:33 So the semantics are undefined. I mean, I know what those words mean before. Good.
[IT 513/1-024] 14:54:40 So what would be, define documents.
[IT 513/1-024] 14:54:50 Yeah, I mean, this is what, what would be really useful if we could come up with the IRIS documents.
[IT 513/1-024] 14:54:54 This and the CERN document of this, to actually show 2 different cases of how things the CERN can rely.
[IT 513/1-024] 14:55:02 Have me on, well, the same user office system, some experiment. Is it?
[IT 513/1-024] 14:55:09 Okay, by them.
[IT 513/1-024] 14:55:28 Cause, I kinda, I mean there are uses of UK IRIS, like the total neutral people, that they also have got user offices and registration process topics, which SKA probably has not yet.
[IT 513/1-024] 14:55:43 But they will have a defined by size. But it might be different from the different. They should define data.
[IT 513/1-024] 14:55:50 For example, yes, definitely so. The, I see, I was having to be protected.
[IT 513/1-024] 14:55:57 No, no, you're right.
[IT 513/1-024] 14:56:08 What comment is? And then the attribute release policy.
[IT 513/1-024] 14:56:13 Link to today to protect.
[IT 513/1-024] 14:56:18 And does it mean that conformal registration with the, the only way you get?
[IT 513/1-024] 14:56:25 So it may fall in some of the exemptions from registration, so you may not need to register it.
[IT 513/1-024] 14:56:33 Yeah, I should probably be happy. We have done a determination that, yeah, this does not need to be registered.
[IT 513/1-024] 14:56:38 Yes.
[IT 513/1-024] 14:56:56 Yeah.
[IT 513/1-024] 14:56:59 Except when we approve the document. This moment a life cycle is undefined, and semantics is
[IT 513/1-024] 14:57:18 Well, I guess we know what the, I mean, isn't the life cycle that set of actions like, you know, registration, modification.
[IT 513/1-024] 14:57:29 They do with it. Yeah.
[Ian Collier - STFC UKRI] 14:57:32 Hi! I, I think it may be implicitly defined, but not documented.
[Ian Collier - STFC UKRI] 14:57:38 Tom.
[Thomas Dack - STFC UKRI] 14:57:44 Awesome mouse.
Yes, I'd agree with that.
[Ian Collier - STFC UKRI] 14:57:49 I mean, implicitly, there is a light life cycle embodied in what you do.
[Thomas Dack - STFC UKRI] 14:57:53 Yeah, yeah, yeah.
[Ian Collier - STFC UKRI] 14:57:53 Isn't there.
[Thomas Dack - STFC UKRI] 14:57:59 Yeah. But there's no
[IT 513/1-024] 14:57:59 But to the commuted
[Thomas Dack - STFC UKRI] 14:58:06 I don't know. There's a defined one.
[Thomas Dack - STFC UKRI] 14:58:08 The
[IT 513/1-024] 14:58:12 Right.
[Thomas Dack - STFC UKRI] 14:58:13 It should be, release policy is there? Whenever you go to access.
[Thomas Dack - STFC UKRI] 14:58:20 A, so for the first time it pops up with the, you're about to release this information to this endpoint.
[Thomas Dack - STFC UKRI] 14:58:27 Are you happy? And you get the standard option of, accept, ask me next time, accept to remember, or but
[John Kewley - STFC UKRI] 14:58:34 the wex. Huh!
[IT 513/1-024] 14:58:38 That's right. User information is a
[Thomas Dack - STFC UKRI] 14:58:40 Sorry. Jake. JK just said something. I'm not sure what.
[IT 513/1-024] 14:58:45 Okay, cool. Sorry Jenkins.
[Thomas Dack - STFC UKRI] 14:58:47 I think he might just be on me. Bye. Okay, okay, let me just see if I can find it in softball.
[John Kewley - STFC UKRI] 14:58:49 Sorry, I didn't realize I was off mute with my app.
[IT 513/1-024] 14:59:07 Maybe we should try to make it through the entire document and not try to solve all the issues here. Yeah, we'll have a feeling as to which ones need to go back and do more. Yeah, yeah. AMR
[IT 513/1-024] 14:59:16 2, AA operator must implement the community definitions as defined and documented.
[IT 513/1-024] 14:59:26 But that's probably okay by definition. If you don't know what the
[Thomas Dack - STFC UKRI] 14:59:38 Yeah, I think so.
[IT 513/1-024] 14:59:43 Telephone is perfectly okay. Hey?
AMR 3, recommended that the AA operator provide a capability for a community to publish documents to define the attribute set and semantics for the benefit of relying parties. Is there any page you can go to, to find out what is going to be released?
[Thomas Dack - STFC UKRI] 15:00:06 Hmm.
[Thomas Dack - STFC UKRI] 15:00:09 I don't think so, because it depends like
[Thomas Dack - STFC UKRI] 15:00:16 Not every
[Thomas Dack - STFC UKRI] 15:00:21 Like you'll get the standard set of, obviously, everyone, everything will release the subjects, but it's up to an individual service endpoint whether it wants to request further information. Like, if they just need to subject an email, for example, and that's all they request. I think in the
[Thomas Dack - STFC UKRI] 15:00:50 We just check what's in our privacy policy for
[Thomas Dack - STFC UKRI] 15:00:56 I mean the privacy policy has a list of what may be
[Thomas Dack - STFC UKRI] 15:01:04 Associated with your account, and that this may be used by services, but it doesn't list for a specific service, apart from your first access time where it asks, do you want to release this information?
[Ian Collier - STFC UKRI] 15:01:29 Hold on, but it would there? Would it theoretically be possible?
[Ian Collier - STFC UKRI] 15:01:35 It may be, require some development. Good: he 8 it it.
[Thomas Dack - STFC UKRI] 15:01:37 I think it would.
[Ian Collier - STFC UKRI] 15:01:43 It sounds pretty plausible that one could provide for users and communities information about the attributes, about the attribute set, and how those might be used.
[Thomas Dack - STFC UKRI] 15:02:05 Yeah.
[Ian Collier - STFC UKRI] 15:02:06 Other than, other than just, you know, showing stuff that, other than showing the release policy, you know, when it's first
[Thomas Dack - STFC UKRI] 15:02:15 Yeah, and I think that you should be. I don't think it's something like, you'd need to put something together.
For, as you say, with a little bit to that, and after that have something that's not just a manually updated static page.
[Ian Collier - STFC UKRI] 15:02:31 That we should discuss it next. We should discuss it next week.
[Thomas Dack - STFC UKRI] 15:02:34 Yes, yes.
[IT 513/1-024] 15:02:36 Hmm.
[Ian Collier - STFC UKRI] 15:02:38 This is, this is very timely.
[Thomas Dack - STFC UKRI] 15:02:42 For those out of the loop. There is need to go.
[Thomas Dack - STFC UKRI] 15:02:44 IAM workshop as part of the preaching next week, so something from the INDIGO level to provide an endpoint to see what, alright, attributes are released to a specific client.
[Thomas Dack - STFC UKRI] 15:02:56 It's something we can discuss there.
[IT 513/1-024] 15:02:58 Yeah. That's a bit like what Google Play Store does.
[IT 513/1-024] 15:03:05 This app will need these kind of permissions, as you know it beforehand.
[Thomas Dack - STFC UKRI] 15:03:07 Yeah, and it does that when, if I go to access a new service for the first time, it will pop up, saying you are being redirected to this site.
[Thomas Dack - STFC UKRI] 15:03:16 This is the information they've given IAM, so if they've given the logo, a privacy policy, who the administrators, contact information, all of that we present to the user.
[Thomas Dack - STFC UKRI] 15:03:25 And it will tell the user what information they're asking for by default, and then cause the options are.
[Thomas Dack - STFC UKRI] 15:03:33 Ask me every time I access this, ask me only once, or do not release the information. So it's not revisitable, unless you always tell it.
[Thomas Dack - STFC UKRI] 15:03:46 Ask me every time.
[IT 513/1-024] 15:03:50 That's a free set. The permissions when the set of attributes changes.
[Thomas Dack - STFC UKRI] 15:03:50 But it is that
[Thomas Dack - STFC UKRI] 15:03:56 Should do. I have actually tested that
[Thomas Dack - STFC UKRI] 15:04:00 Because then that permission ground has changed, you'd, you'd expect it would.
[Thomas Dack - STFC UKRI] 15:04:05 But I have never tested that. That's a good point.
[IT 513/1-024] 15:04:14 I was actually wondering what the purpose is. This is, look at the paragraph under AMR
[IT 513/1-024] 15:04:20 3. This is supposed to gain insight into the community policies and practices, and evaluate the level of reliance.
[IT 513/1-024] 15:04:33 That's defining attribute set and semantics.
[IT 513/1-024] 15:04:35 Give that
[IT 513/1-024] 15:04:38 There's so much extent. Yes, if you get an attribute, you should know what to do with it.
[IT 513/1-024] 15:04:47 If this was, A doesn't tell you what reliance you could place on that attribute.
[IT 513/1-024] 15:04:53 You got the value, but it's only looking at, as it were, the practice statement of the attribute.
[IT 513/1-024] 15:05:03 So you can place any reliance
[IT 513/1-024] 15:05:09 No, yeah.
[IT 513/1-024] 15:05:16 Had he been a bit on the definition of freely answer. If you've got an attribute with a value, right?
[IT 513/1-024] 15:05:25 Is that actually giving you the, say, write permission or storage?
[IT 513/1-024] 15:05:29 Is that what's intended by the community, or is it write to something else?
[IT 513/1-024] 15:05:36 Or okay, see that.
[IT 513/1-024] 15:05:45 Let's try to move on to AMR 4, hey?
[IT 513/1-024] 15:05:49 Must only, if your social will release attributes in accordance with policies that are applicable to the community.
[IT 513/1-024] 15:05:55 Okay, so there's no policy. I think this is my definition.
[IT 513/1-024] 15:05:58 Okay, again.
[IT 513/1-024] 15:06:05 Pull me on to my make other comments here.
[Thomas Dack - STFC UKRI] 15:06:07 I, I don't think so. I think anything we release is in line with the privacy policy as well, anyway, because it does note the information that is collected by the IRIS
[Thomas Dack - STFC UKRI] 15:06:17 IAM, that is, then can be used when accessing IRIS services.
[IT 513/1-024] 15:06:25 Yeah.
[Thomas Dack - STFC UKRI] 15:06:26 I'm sorry, it should be, will find there.
[IT 513/1-024] 15:06:29 Okay, AMR 5. I think it's not applicable here, because all the communities you host are only hosted on IRIS.
[IT 513/1-024] 15:06:48 Community should ensure that within one assertion issued attributes are consistent.
[Thomas Dack - STFC UKRI] 15:06:55 I'm not sure
[Thomas Dack - STFC UKRI] 15:06:55 I'm not sure why that's the responsibility of the community.
[IT 513/1-024] 15:07:03 Probably should not put people in a group, both in the group.
[Thomas Dack - STFC UKRI] 15:07:07 Hmm.
[IT 513/1-024] 15:07:08 Grant access to everything, and the permanent bandwidth.
[IT 513/1-024] 15:07:13 So at the same time. So there are often cases where a given research community uses multiple, uses IRIS, but it will also use, yeah, something else, you know.
[Thomas Dack - STFC UKRI] 15:07:13 That would make sense.
[IT 513/1-024] 15:07:24 But OSG, EGI, or
[IT 513/1-024] 15:07:33 And you pretty much in the, they may have different AA
[IT 513/1-024] 15:07:42 Instances on each of those.
[IT 513/1-024] 15:07:46 So I'm just on the thing. Where, in a way, where did you know?
[IT 513/1-024] 15:07:50 Trying to make sure that things are consistent, as they get.
[IT 513/1-024] 15:07:55 So is that what we're trying to say, is the community should, okay.
[IT 513/1-024] 15:08:01 An individual user should get the same attribute, so that should be values. But it's a requirement on communities.
[IT 513/1-024] 15:08:09 So any evaluating an AA operator, which of can be evaluated.
[IT 513/1-024] 15:08:16 It might require the AA operators to work together, so they should be aware.
[IT 513/1-024] 15:08:21 You know, this particular research community is using multiple AAs, by the way, make sure that's a whole pack of woods.
[Thomas Dack - STFC UKRI] 15:08:26 Hmm.
[IT 513/1-024] 15:08:30 And then we had that for phones at some point, it will synchronize between CERN and formula.
[IT 513/1-024] 15:08:38 Yeah.
And you do things like defining which is the master, like, who's, or is it multiple masters?
[IT 513/1-024] 15:08:47 So I didn't
[IT 513/1-024] 15:08:50 I mean it could be the simple case where you're running multiple instances within your infrastructure, which is that, for, it's feasible to require that those are synchronized and consistent. Thanks. You don't think't engage multiple AA, or no, it says engages multiple AA operators, or operates multiple AA, so maybe one operator with
[IT 513/1-024] 15:09:16 multiple
[IT 513/1-024] 15:09:20 It should then still be considered.
[IT 513/1-024] 15:09:29 That's then the technical requirements of how do you actually do the, the fault tolerance, and the, the fact?
[IT 513/1-024] 15:09:32 You've got multiple instances.
[IT 513/1-024] 15:09:38 Can someone give me an example of what would be an inconsistent set of attributes in one assertion?
[IT 513/1-024] 15:09:52 Okay, oh, the trivial tumor, giving somebody write rights to storage, and at the same time asserting that issue should not have access to storage. Negative permissions are really scary.
[IT 513/1-024] 15:10:07 Are they allowed? Hmm! Oh, you could. That would just be in the definition of semantics.
[IT 513/1-024] 15:10:12 But it's up to the community to do that.
[IT 513/1-024] 15:10:18 The community should ensure. So I think that we don't, we're not able to actually assess it.
[IT 513/1-024] 15:10:24 Well, unless it's one operator operating multiple instances, and then the operator needs to make sure that, no, it's AMR
[IT 513/1-024] 15:10:33 6 we're discussing. I'm not 6 now.
[IT 513/1-024] 15:10:42 Within one of those. Now. Okay, sorry.
[IT 513/1-024] 15:10:47 This is basically saying the community must have a same set of interviews.
[IT 513/1-024] 15:10:51 Yeah, I was thinking, I didn't realize that. Because assume the, the assertion comes from either of the instances.
[IT 513/1-024] 15:11:01 But not, or you building in a session from bugs instances. No, don't.
[IT 513/1-024] 15:11:07 It's just wounding suicide, hey, AMR 6 is independent from AMR
[IT 513/1-024] 15:11:11 5,
[IT 513/1-024] 15:11:16 So this is nothing to do with multiple instance services.
[IT 513/1-024] 15:11:22 That's, it's visual. So yeah, I, I could see them with, but
[IT 513/1-024] 15:11:28 It means sort of logically consistent. You don't have 2 components of the assertion that, that make sense with each other.
[IT 513/1-024] 15:11:39 Yeah.
[IT 513/1-024] 15:11:45 Give me an example again, of where it might not be consistent, who spit out one.
[IT 513/1-024] 15:11:49 His assertion with a set of capabilities of one source, you can write to storage.
[IT 513/1-024] 15:11:56 Another one says you shall. Okay, so capabilities are logically in justice.
[IT 513/1-024] 15:12:04 Well, hope's a relying party supposed to do.
[IT 513/1-024] 15:12:06 In that case I didn't realize you, we had negative capabilities, something that we never defined.
[IT 513/1-024] 15:12:16 All the capabilities.
[IT 513/1-024] 15:12:27 This is only to be used for compute, for WLCG.
[IT 513/1-024] 15:12:32 At least, that there was only positive. Yeah, denials at all.
[IT 513/1-024] 15:12:36 Okay, the Irish has to say what it says.
[IT 513/1-024] 15:12:41 The question is, do which will do you, well, then, you process, I don't know. The implicit in that is that you have reverse is a blanket acceptance.
[IT 513/1-024] 15:12:57 You have to know.
[IT 513/1-024] 15:13:02 Alarm. Let's do this.
[IT 513/1-024] 15:13:09 I mean, it sounds like it could
[IT 513/1-024] 15:13:14 Say it's the community who needs to do that.
[IT 513/1-024] 15:13:17 Yeah, again. You can't free that. You value it.
[IT 513/1-024] 15:13:26 Again. In this document, how are we putting requirements on the community, community?
[IT 513/1-024] 15:13:30 Even aware of this?
Are we saying that it's the operator's responsibility to ensure that the community is aware that they must do this?
[IT 513/1-024] 15:13:48 AAS one
[IT 513/1-024] 15:13:52 Assertions provided by an AA must be integrity protected, and they must be signed by the identified AA, or be transmitted over integrity
[IT 513/1-024] 15:14:01 protected channel, that is, server has been authenticated
[IT 513/1-024] 15:14:07 And preferably both.
[IT 513/1-024] 15:14:15 Home.
[IT 513/1-024] 15:14:15 Cool.
[Thomas Dack - STFC UKRI] 15:14:16 Everything is definitely signed.
[Thomas Dack - STFC UKRI] 15:14:28 to take place to share with the server has been authenticated. Briefly, both.
[IT 513/1-024] 15:14:30 Yeah.
[Thomas Dack - STFC UKRI] 15:14:30 I think that's also, that's fine. It sounds like a very diverse way of saying secure communication.
[Thomas Dack - STFC UKRI] 15:14:35 Yeah.
[Thomas Dack - STFC UKRI] 15:14:38 Yes, there is TLS channel.
[IT 513/1-024] 15:14:43 The requirement is that it's one or the other as well.
[Thomas Dack - STFC UKRI] 15:14:46 Yeah, exactly, preferably both. I mean, we definitely, all tokens have the IAM signing
[IT 513/1-024] 15:14:46 So, even if it's not
[Thomas Dack - STFC UKRI] 15:14:53 Key used to sign them, so that one's definitely satisfied, which means we're good.
[IT 513/1-024] 15:15:01 So showing my ignorance against the TLS.
[IT 513/1-024] 15:15:07 Are you authenticated with server as well, those doing the integrity, education.
[Thomas Dack - STFC UKRI] 15:15:15 The client authenticates to the, I didn't see the AI
[IT 513/1-024] 15:15:21 Yeah.
[IT 513/1-024] 15:15:25 And the server you have, because you connect to the server and conjecture away.
[IT 513/1-024] 15:15:30 Name that's just expected, getting past validation and everything that works, right.
[Thomas Dack - STFC UKRI] 15:15:30 Yeah.
[IT 513/1-024] 15:15:36 Certificate.
[David Crooks - STFC UKRI] 15:15:38 Yeah. So for TLS: it's verification, but no authentication.
[IT 513/1-024] 15:15:50 Yeah, I guess that's what I was trying to, to, to ask. The question is, what does authentication mean in this sense?
[IT 513/1-024] 15:15:57 Authentic case. It is just the certificate, and the will be validated to the server.
[Ian Collier - STFC UKRI] 15:16:02 Cool.
[IT 513/1-024] 15:16:07 In this case is the attribute of
[IT 513/1-024] 15:16:13 Yeah.
[IT 513/1-024] 15:16:21 Seems to me. Oh, you can see all the server.
[IT 513/1-024] 15:16:38 So the you, all the server you are doing the transmission, and yet it's your server that's been often assemblage.
[IT 513/1-024] 15:16:48 No, I don't think it does, in a strict sense, to me, so you're not saying the client must do
[IT 513/1-024] 15:17:01 Understand the terminology, or maybe the discomfort is wrong.
[IT 513/1-024] 15:17:13 You're not saying that the server must authenticate the clients right here.
[IT 513/1-024] 15:17:22 I don't think that's the requirement.
[IT 513/1-024] 15:17:25 You can encrypt the assertion through a particular client.
[IT 513/1-024] 15:17:31 But I'm not sure that's actually done anywhere, or a good idea. AAS, someone can do it, that you can encrypt your assertions to a particular, sure, was provided, that's not what we meant.
[IT 513/1-024] 15:17:44 To
[IT 513/1-024] 15:17:52 No.
[IT 513/1-024] 15:18:01 Okay, so the action is, is initiated by the client. It's a pull, is it?
[IT 513/1-024] 15:18:07 All, all the TLS connections are initiated by client to server by the time.
[IT 513/1-024] 15:18:15 Then the chart may be then pushed over that.
[Thomas Dack - STFC UKRI] 15:18:23 Just because I was quickly, oh, sorry! I thought we've got people, just so.
[IT 513/1-024] 15:18:24 But this is
[Thomas Dack - STFC UKRI] 15:18:30 I was quickly checking something, and 1.3 up a bit is not as, no, I think it should be partial.
[Thomas Dack - STFC UKRI] 15:18:37 So 1 point a, a, a, A, a N, the user identifier does follow
[Thomas Dack - STFC UKRI] 15:18:46 Geo. 26.
I did just double check back and check, and it, it is communicated as an opaque identifier at the URN of the service.
[Thomas Dack - STFC UKRI] 15:18:54 If the issuer, as that is defined in the attributes in the group side
[Thomas Dack - STFC UKRI] 15:19:06 Requires bit more review. I think
[Thomas Dack - STFC UKRI] 15:19:10 More than I can do, lost, following over everything else, at least.
[IT 513/1-024] 15:19:12 Yes, okay.
[Ian Collier - STFC UKRI] 15:19:14 So, but, but presumably the groups, good. They, you know, we could.
[Ian Collier - STFC UKRI] 15:19:24 It could be a guideline. That may, you know, that we could set it up in a way where it's required that the groups meet those guidelines.
[Thomas Dack - STFC UKRI] 15:19:43 Basically we, we need to review it and check how we've got it set up and see what the guidelines are for.
[Thomas Dack - STFC UKRI] 15:19:47 It.
[Ian Collier - STFC UKRI] 15:19:47 Right, there, and there's certainly nothing inherent that says we can't do this.
[Ian Collier - STFC UKRI] 15:19:53 It's just
[Thomas Dack - STFC UKRI] 15:19:54 No, no, I don't think so.
[Ian Collier - STFC UKRI] 15:20:03 I think, say rather than consider, say, review.
[IT 513/1-024] 15:20:14 Yeah.
[Thomas Dack - STFC UKRI] 15:20:18 Hi, I, cause I did note that we use the Geo style of subjects at issuer scope.
[Thomas Dack - STFC UKRI] 15:20:27 I think it got lost a bit in the review comments, but it is.
[IT 513/1-024] 15:20:40 Right, AAS 2,
[IT 513/1-024] 15:20:46 So one final comes in AAS one. Does it need to say who was done the authentication? That says the server has been authenticated.
[IT 513/1-024] 15:20:58 It makes sense to say, authenticated by the people.
[IT 513/1-024] 15:21:04 Sophistication works. Server has been authenticated.
[IT 513/1-024] 15:21:11 People is set up because the client is, yeah, created a collection.
[IT 513/1-024] 15:21:21 The client is happy that it's the correct. Yeah.
[IT 513/1-024] 15:21:24 So
[IT 513/1-024] 15:21:27 So easy.
Yeah, what we mean by has been authenticated, maybe, is Kevin.
[David Crooks - STFC UKRI] 15:21:27 Is, that
[David Crooks - STFC UKRI] 15:21:32 Just the, is it, is the, sorry, is the, is there no authentication here because of the exchange secrets which are determined in advance?
[IT 513/1-024] 15:21:33 You'll have to be
[IT 513/1-024] 15:21:48 I mean, nothing to do with TLS. Something above that, but something else.
[David Crooks - STFC UKRI] 15:21:50 Well, so, but by, but as part of the OIDC flow, there's a client secret.
[David Crooks - STFC UKRI] 15:21:58 I'm, I'm, I'm forgetting all the, exactly what secrets are.
[David Crooks - STFC UKRI] 15:22:02 But that's, you know, you know that it's the, you know that the client.
[David Crooks - STFC UKRI] 15:22:08 So you know that the client knows that it's the right attribute authority because of the predefined secrets.
[IT 513/1-024] 15:22:16 No! Typically the client ID, client secret are held by the service.
[IT 513/1-024] 15:22:23 Are that the server can check the identity of client.
[IT 513/1-024] 15:22:28 That's filthy. The client should also be talking to the professor, and since it uses the DNS to find the endpoint, and then, indeed, the server sets over a certificate with a proper domain name in it, the transport channel is also in some way authenticated.
[David Crooks - STFC UKRI] 15:22:30 Yup.
[David Crooks - STFC UKRI] 15:22:48 Yeah.
[IT 513/1-024] 15:22:55 You can use thems. I think that's a technical detail.
[IT 513/1-024] 15:23:05 I think this is actually just fun. Good lucky.
[David Crooks - STFC UKRI] 15:23:08 Yeah, yeah, I think I, yeah.
[IT 513/1-024] 15:23:13 Hmm.
[David Crooks - STFC UKRI] 15:23:14 I think there's an element of getting authentication and authorization mixed up here a little bit in our conversation, because we're just saying authentication.
[David Crooks - STFC UKRI] 15:23:23 This is, you know, the server is who it says it is because we've looked at the, we've looked at the DNS, and it's supplied an appropriate certificate.
[IT 513/1-024] 15:23:49 So the integrity protected channel. TLS: my implication is authenticated. That's how TLS works.
[IT 513/1-024] 15:24:00 It doesn't say to you, yeah, no, we're not requiring client authen-
[IT 513/1-024] 15:24:09 tication. This document is written as a lesson standpoint of the attribute authority, and yet that statement, where the server has been authenticated, is putting a requirement on the client.
[IT 513/1-024] 15:24:27 To me, the way I read it, think it means that you've done the proper TLS handshake and set up, and everything's okay.
[IT 513/1-024] 15:24:37 And that is integrity protected and authenticated.
[IT 513/1-024] 15:24:40 Because that's what
[IT 513/1-024] 15:24:44 But you don't want to explicitly say T.
[IT 513/1-024] 15:24:47 Unless you're allowing other forms of integrity protection. That.
[IT 513/1-024] 15:24:50 Okay? Signed pictures.
[IT 513/1-024] 15:24:56 I think, I think this is fine, actually.
[Christos Kanellopoulos] 15:24:59 Can I make a comment? I'm bucket so.
[IT 513/1-024] 15:25:02 Yeah, come back.
[Christos Kanellopoulos] 15:25:06 So I think the last part, which is kind of the client secret.
[Christos Kanellopoulos] 15:25:09 I think this cannot be always the case. Most probably you have to support those public clients.
[IT 513/1-024] 15:25:19 Yeah. But then the user is involved, I think.
[Christos Kanellopoulos] 15:25:22 No, no.
[Christos Kanellopoulos] 15:25:23 No, not necessarily. Yeah. The user is involved somehow. But yes, I mean, it.
[IT 513/1-024] 15:25:29 But
[Christos Kanellopoulos] 15:25:31 It is a different flow, I think we need to mention that.
[Christos Kanellopoulos] 15:25:34 Yeah, the client, it's not always to be there.
[Christos Kanellopoulos] 15:25:40 The, the area class is based on, on the, on DNS and TLS on the, yeah.
[IT 513/1-024] 15:25:48 With public clients that actually fails, because then the server cannot know that it's actually releasing attributes to a proper client. [Christos Kanellopoulos] 15:25:58 the [IT 513/1-024] 15:25:59 But that would be a GDPR [Christos Kanellopoulos] 15:26:03 This is an interesting discussion. To be honest, yes, but it has to know the client. [Christos Kanellopoulos] 15:26:12 If it was, let's say, a bogus client, it has to be able to give the client ID, I think, which is something that should not be publicly visible. [IT 513/1-024] 15:26:18 Okay. [Christos Kanellopoulos] 15:26:23 But yes, this is indeed the case, and also it has to know what client is used, so. [IT 513/1-024] 15:26:27 Yeah. [Christos Kanellopoulos] 15:26:35 Yes, but public clients are not out of the picture. The moment you start using things like command-line authentication, you will have to deal with public clients, yeah. [IT 513/1-024] 15:26:41 Cool. [IT 513/1-024] 15:26:56 Although it is even more scary if you define the client. [IT 513/1-024] 15:27:00 IDs left in history. It's essentially a, hey, party point to all data is that [Christos Kanellopoulos] 15:27:07 So it depends whether this is, for example, on the terminal, whether this is a generic service that can be used by all users, or whether it's something that they use a configuration just by themselves. In the latter case you can have the client [Christos Kanellopoulos] 15:27:25 secret; in the former case, if it is a dinner application that they're usually putting on, it doesn't need to have. So gossiping, yeah. [IT 513/1-024] 15:27:34 Yeah. [Christos Kanellopoulos] 15:27:38 But anyway, I'm saying this because this is a fact. I mean, we have already seen this, and also, if you have applications that are SPAs, we typically have a JavaScript client in front of one of the back-end
[Christos Kanellopoulos] 15:27:53 services, so you have public clients. Again, there is a point to have. [Christos Kanellopoulos] 15:27:57 I see, it's cool to equip clients. [IT 513/1-024] 15:28:03 Yeah. [Christos Kanellopoulos] 15:28:04 Yeah. [IT 513/1-024] 15:28:09 At that point you'll probably have a user flow, [IT 513/1-024] 15:28:11 so that the user can actually consent to the release of the attributes. [Christos Kanellopoulos] 15:28:16 Correct, correct. And this is why you have to use the authorization code flow in addition with PKCE; these are details that we are not mentioning [IT 513/1-024] 15:28:22 Yep. [Christos Kanellopoulos] 15:28:23 there, yeah, I think so. [IT 513/1-024] 15:28:26 No? I think here that's going far beyond AAS 1, actually. [Christos Kanellopoulos] 15:28:31 Yes, yes, and I'm making this what we are accurate. [Christos Kanellopoulos] 15:28:35 But I think this applies to all the AAs that are using OpenID Connect, basically, to everyone. [IT 513/1-024] 15:28:55 Okay, I'll note it here. If you don't like it, [IT 513/1-024] 15:28:59 edit it, [IT 513/1-024] 15:29:03 or place the link into the chat window. Okay. AAS [IT 513/1-024] 15:29:09 2: [IT 513/1-024] 15:29:13 do you respect data protection requirements from the community? It's recommended, although this is actually two requirements. [IT 513/1-024] 15:29:21 Again. [IT 513/1-024] 15:29:26 It is [IT 513/1-024] 15:29:41 here. [IT 513/1-024] 15:29:51 Do respect the data protection requirements of the community. [IT 513/1-024] 15:29:58 Okay? No? [Thomas Dack - STFC UKRI] 15:30:02 I think so. The data protection requirements of the community: the IRIS privacy policy, which was produced with the RS. [Thomas Dack - STFC UKRI] 15:30:12 I am in might. Would you say that's fair, David? [David Crooks - STFC UKRI] 15:30:18 I think [Thomas Dack - STFC UKRI] 15:30:19 Okay. [David Crooks - STFC UKRI] 15:30:28 Sorry. I'm just so.
I'm not aware of any community having expressed data protection requirements within IRIS. [IT 513/1-024] 15:30:45 So simple. The answer is they're unknown, right? So we definitely, other than implicit laws, explicitly this is a [David Crooks - STFC UKRI] 15:30:47 Yeah. [David Crooks - STFC UKRI] 15:30:51 Yeah. [Christos Kanellopoulos] 15:30:54 Okay, can I ask something? [IT 513/1-024] 15:30:58 Go ahead. [Christos Kanellopoulos] 15:30:59 Okay. Can I ask the question a bit differently: in the case of UK IRIS, who is the data controller? [Christos Kanellopoulos] 15:31:07 Is it the community, or UK IRIS? [IT 513/1-024] 15:31:15 Hmm. Good question. It depends on what the data is, doesn't it? [IT 513/1-024] 15:31:21 I mean, if it's within their research data, it's not operational, but if it's operational then it's ours. [IT 513/1-024] 15:31:29 If it's within the research data, then they are the controller. [IT 513/1-024] 15:31:30 Okay. [IT 513/1-024] 15:31:35 The IRIS is done. [IT 513/1-024] 15:31:42 Yes, yeah, people to legal entity. [Christos Kanellopoulos] 15:31:47 So I think this is about the actual data that UK IRIS uses, right? [Christos Kanellopoulos] 15:31:53 The personal data of the users that are registered in the instance of UK IRIS. [Christos Kanellopoulos] 15:31:59 So I think, I mean, in this case the data protection requirements have to be defined by the data controller. [Christos Kanellopoulos] 15:32:08 And I'm asking these questions because actually, in the last year, we've seen separate, different models happening, right? [Christos Kanellopoulos] 15:32:14 I mean, you have the model where the AA actually is the controller and just provides the service to others, being both data controller and processor.
[Christos Kanellopoulos] 15:32:24 Here we have seen also the case where the AA is a processor, and the communities that are coming and say "I want to use your AA" are the data controllers of the data, which is different. [IT 513/1-024] 15:32:34 Okay. [Christos Kanellopoulos] 15:32:37 This is the RAM model, the data, in the Netherlands. [Christos Kanellopoulos] 15:32:43 So this is a bit of an important thing to clarify, and I think that at this point perhaps AAS [Christos Kanellopoulos] 15:32:54 2 should be somehow reworded, because it all depends [Christos Kanellopoulos] 15:32:58 who is the data controller. This is the one who defines the data protection requirements. [IT 513/1-024] 15:33:04 Yeah. Very good point, Christos. So 43, the customer, most of the communities, many of them, are not legal entities, so it ends up. [Ian Collier - STFC UKRI] 15:33:07 so [IT 513/1-024] 15:33:13 It has to be Ukraine. Ian, sorry. [Ian Collier - STFC UKRI] 15:33:16 Yeah, so I was gonna say that it's sort of a, you know, we met. [Ian Collier - STFC UKRI] 15:33:22 We mentioned the SLCs, where in practice we're probably gonna run a separate instance for them. [Ian Collier - STFC UKRI] 15:33:30 But clearly there we're going to be a processor, presumably for us. [Ian Collier - STFC UKRI] 15:33:37 Tio, or somebody, will somehow. [IT 513/1-024] 15:33:38 So [IT 513/1-024] 15:33:41 So they would be the legal entity being the controller. [Ian Collier - STFC UKRI] 15:33:46 So then it may be that there has to be, even for the IRIS. [Ian Collier - STFC UKRI] 15:33:52 There has to be a dual approach to this. [IT 513/1-024] 15:33:56 Okay. [Ian Collier - STFC UKRI] 15:33:58 Because IRIS will, you know, provide services to broadly anybody. [Ian Collier - STFC UKRI] 15:34:10 The STFC, any science the STFC supports, to first order, and lots of that.
[Ian Collier - STFC UKRI] 15:34:18 These communities that don't have legal entities, but some of it is communities that do have legal entities. [Ian Collier - STFC UKRI] 15:34:24 So we kind of have to be able to do both. But a starting point is that, you know, we have our own data protection policies for IRIS, and perhaps it's then incumbent upon communities to understand what relation, you know, to assert if they had [Ian Collier - STFC UKRI] 15:34:48 requirements that are different from the ones that are [Ian Collier - STFC UKRI] 15:34:52 You can't get away with not having our own policies, but we may also have to [IT 513/1-024] 15:34:57 So are you saying, then, controller, what is it, or [Ian Collier - STFC UKRI] 15:35:02 Well, we're, cool. The default position is that we're a controller. [Ian Collier - STFC UKRI] 15:35:10 But then maybe community [IT 513/1-024] 15:35:11 Really, it goes back to the previous documentation about, you know, documenting the semantics and life cycle and all that. [Ian Collier - STFC UKRI] 15:35:20 Well, hmm, yeah. [IT 513/1-024] 15:35:20 So that all the data protection winding, who is the controller, who is the processor, all the various roles. And if you have a separate controller and a processor, then you need a contract or agreement between them. I was gonna ask Christos: in the case where the community [IT 513/1-024] 15:35:37 is the controller, do you have a model controller-processor agreement [Christos Kanellopoulos] 15:35:42 Yes, yes, I mean, so I can say what we do with editing. [IT 513/1-024] 15:35:43 that would be applicable? [Christos Kanellopoulos] 15:35:49 The most common scenario is that we are processors. But look, this is interesting here, because we have separate deployments. [IT 513/1-024] 15:35:51 Yeah. [Christos Kanellopoulos] 15:35:56 Right? So it is a completely separate instance for comfort
Panel, for example, or for life sciences or for whatever other community. It's a separate instance where we run it on behalf of them. [Christos Kanellopoulos] 15:36:09 They have contracted us. We have a DPA, where we are [Christos Kanellopoulos] 15:36:12 the processor, and things are very clear. Where things can become very messy is if you say we have one service, [Christos Kanellopoulos] 15:36:22 the UK IRIS service, and the service at the same time [Christos Kanellopoulos] 15:36:27 is part controller for some communities and a processor for others. [Christos Kanellopoulos] 15:36:32 There you will have problems. If this is what you want to do, you have problems with how to separate the data. [Christos Kanellopoulos] 15:36:42 Who has this? This becomes very complex. So that's why we have done this separation on the instance level. [Ian Collier - STFC UKRI] 15:36:44 I [Ian Collier - STFC UKRI] 15:36:44 I [Christos Kanellopoulos] 15:36:47 So there is no one [Ian Collier - STFC UKRI] 15:36:54 So we already run more than one instance, and actually this is useful, because this gives us a guide. [Ian Collier - STFC UKRI] 15:37:04 You know, this perhaps gives us a good rule of thumb for one of the situations where we choose to establish a separate instance. [Christos Kanellopoulos] 15:37:14 Yes; but in that case, what is it that we are going over right now? Is it [Christos Kanellopoulos] 15:37:22 one instance serving specific user communities, or all the possible instances? [Ian Collier - STFC UKRI] 15:37:25 I [Christos Kanellopoulos] 15:37:28 Get that you will. But I'm not sure what in the future. [Ian Collier - STFC UKRI] 15:37:33 For the moment we're talking about the one instance. I'm not aware of any of the communities at the moment. [Ian Collier - STFC UKRI] 15:37:42 I don't know.
Actually, tell me, might have to think about this. [IT 513/1-024] 15:37:46 But I think what Christos says: within one instance we are either a processor or a controller. [Christos Kanellopoulos] 15:37:46 So [IT 513/1-024] 15:37:52 Not both in the same instance. So we have to think it through. [Ian Collier - STFC UKRI] 15:37:52 Yeah. [IT 513/1-024] 15:37:58 And if it's a different data protection agreement, then we need a separate instance of the services. [Christos Kanellopoulos] 15:38:03 You need to think how you can have this separation also technically, because that has to be mapped onto the technical infrastructure, and if you have one, this in any case, these days you were separate, and what I would expect to happen is to go through the accreditation, well, edit [IT 513/1-024] 15:38:10 That's how you do it, then, your teams, right? [IT 513/1-024] 15:38:13 You have separate instances where it's [Christos Kanellopoulos] 15:38:22 teams of partners of life sciences, or whatever, is separate, and even though it is the same operator, we do it in different contexts, and we do not have the same [Christos Kanellopoulos] 15:38:36 configuration. We have the same policies, so I consider them completely different instances even if we are the same operator, what [Ian Collier - STFC UKRI] 15:38:42 Yeah. [IT 513/1-024] 15:38:50 Sounds sensible. [IT 513/1-024] 15:39:04 Yes. [IT 513/1-024] 15:39:10 2, [IT 513/1-024] 15:39:16 Okay, contract. Thanks. Shall we try to do the rest of AAS before [IT 513/1-024] 15:39:26 tea? At some point, probably, I think it's probably already outside. [IT 513/1-024] 15:39:34 We could get one to come back.
Let's try to finish at least AAS. When it, okay: it's recommended that the AAs require client authentication in addition to encryption of messages and the communication channel. [IT 513/1-024] 15:39:49 Does this mean no public clients? So it's essentially client, I would see client or deployment secret, because this is problem. [Thomas Dack - STFC UKRI] 15:39:51 This is clarity, yeah. [Thomas Dack - STFC UKRI] 15:39:57 Yeah, folks. OIDC, it's saying, or at least it's saying it's recommended that you encourage registered clients. [IT 513/1-024] 15:39:59 Okay. [Thomas Dack - STFC UKRI] 15:40:07 Avoid public clients, although, yeah, that would then [Thomas Dack - STFC UKRI] 15:40:16 I mean, at service level that's fine. But restricting public clients completely could be problematic. [IT 513/1-024] 15:40:26 Yeah, do public clients have compensatory controls somewhere, like this usual interaction or so? [IT 513/1-024] 15:40:36 Normally you can set up a public client, and you can have specific redirect URIs that are allowed. [IT 513/1-024] 15:40:42 It's always possible to just mock up the calls, and then nothing is checked anyway. [IT 513/1-024] 15:40:49 So you've got to, hey? If you have a client ID, you can get everything you want out of, yeah, without anyone ever knowing. [IT 513/1-024] 15:41:01 But we absolutely need to have a way for public clients to exist, because otherwise a lot of things work, by the way; there would be no authentication for single-page applications. [IT 513/1-024] 15:41:13 If it cannot store a client secret, we have to say we can't have any client-side website that is going to be protected by IAM, which is a really big constraint for the community, but those also have a part of user release [Thomas Dack - STFC UKRI] 15:41:24 Hmm. [IT 513/1-024] 15:41:34 page.
[IT 513/1-024] 15:41:35 If you do that with, say, Google, which does public clients, if you go there with public clients, Google will show you a screen where you log in and it asks you, "this is going to be released to this public client on your behalf", and then if you give consent, you will get a cookie, and [IT 513/1-024] 15:42:00 next time you'll just do it. I'm not sure that has anything to do with public versus non-public. I mean, that's what the district Texas in the, yeah, as in the public plan to media, so [Thomas Dack - STFC UKRI] 15:42:06 I didn't think that's [Thomas Dack - STFC UKRI] 15:42:16 You also get that page on private clients the first time you visit them as well. [IT 513/1-024] 15:42:21 That was just for the data. Ready? Oh. [Thomas Dack - STFC UKRI] 15:42:22 Yeah, that's what I thought as well. [Christos Kanellopoulos] 15:42:27 So folks, I put in the chat a link to a page that we created because we are dealing with this craziness [Christos Kanellopoulos] 15:42:35 also, to sell us with the requirements for PKCE. [Christos Kanellopoulos] 15:42:39 How do we authorize incentive users? And after going through all the various RFCs, basically we came up with the table that you see here, and effectively this tells you that, for example, if it is a public client and the client needs to be able to do, for example, through the zoom code and the first token in the [Christos Kanellopoulos] 15:42:59 token, then it needs to use also PKCE, for example, and it comes from the axis. [Christos Kanellopoulos] 15:43:08 So it is not directly announced that they discuss.
[Christos Kanellopoulos] 15:43:12 We have right now, but it tries to source basically what they put, the possible configurations, and how we can use the public client, in which cases, in which case you cannot, in which case you need a client secret. [Christos Kanellopoulos] 15:43:36 But also, let me say that public clients are also registered, right, and can I make a more general comment regarding the point of encryption of messages? [IT 513/1-024] 15:43:53 Yeah. [IT 513/1-024] 15:43:53 Yeah. [Christos Kanellopoulos] 15:43:56 Are we talking about encryption at the transport level or at the message level? [Christos Kanellopoulos] 15:44:00 Probably the message level, right? [IT 513/1-024] 15:44:02 Yeah. [Christos Kanellopoulos] 15:44:04 So here we have a problem, because basically this would not allow the most [Christos Kanellopoulos] 15:44:12 basic OAuth flow, which is the authorization code flow, [Christos Kanellopoulos] 15:44:14 where you get the data of the user from the userinfo endpoint, and there the data is not encrypted. [Christos Kanellopoulos] 15:44:22 So the encryption of the messages makes sense in JWT tokens, which is usually what you get from the token endpoint. [Christos Kanellopoulos] 15:44:30 And this is the ID token and the access token. But in many cases these tokens do not have actual data in them, so they use userinfo, though there is no specification that says. But it's not. [Christos Kanellopoulos] 15:44:43 It's not. It's just this simulation. [Christos Kanellopoulos] 15:44:46 So that could not work, then, if encryption is required. [IT 513/1-024] 15:44:53 I recommend that, so [Christos Kanellopoulos] 15:44:54 Yeah. [Christos Kanellopoulos] 15:44:59 Or if it is a recommendation, then I think this is fine. [IT 513/1-024] 15:45:02 Yeah. And this is actually also true for IAM, cool. [Thomas Dack - STFC UKRI] 15:45:12 I think so.
[Christos Kanellopoulos] 15:45:13 What I said is true for everyone. This is by the, from the protocol. [Thomas Dack - STFC UKRI] 15:45:15 It should be, yeah, yeah, yeah. [IT 513/1-024] 15:45:17 Got it. [Christos Kanellopoulos] 15:45:18 But I think IAM by default doesn't, also. [Christos Kanellopoulos] 15:45:26 So to be on something: I have not seen any AA use encrypted JWT tokens. [Christos Kanellopoulos] 15:45:35 It might be that UK IRIS already does this, but I haven't seen anything doing encryption on top of the signing. [Thomas Dack - STFC UKRI] 15:45:40 Hmm, me too, check. I need to check. I think we just sign ours. [Christos Kanellopoulos] 15:45:46 Yeah, yeah, I think, sorry. [IT 513/1-024] 15:45:48 So what do you think, Christos? What is it encrypted with? [IT 513/1-024] 15:45:53 The client has to provide some certificate that's used for the encryption, or [Christos Kanellopoulos] 15:45:58 Exactly, this is the challenge. In order to encrypt it, you have to have a pre-agreed mechanism with the client, and there are various options. [IT 513/1-024] 15:46:04 So, that's [Christos Kanellopoulos] 15:46:06 You can have a shared secret, but it requires client configuration. [Christos Kanellopoulos] 15:46:11 So I'm not aware of anyone doing that here. [IT 513/1-024] 15:46:12 Yeah, good. IAM taffy. Yeah. [IT 513/1-024] 15:46:36 Okay, yeah. AA should not send more data than required by the relying party. [IT 513/1-024] 15:46:44 Does IAM send some gratuitous output? [Thomas Dack - STFC UKRI] 15:46:48 Yeah. It sends the scopes that have been requested. [IT 513/1-024] 15:46:53 Yes. [IT 513/1-024] 15:47:03 Michael: Okay. [IT 513/1-024] 15:47:12 Okay. [IT 513/1-024] 15:47:16 Validity periods: the AA operator issues assertions containing a lifetime; this may be combined with community policies, as short as reasonably possible.
[IT 513/1-024] 15:47:28 And the assertion must not be valid beyond the validity period of the attributes. [IT 513/1-024] 15:47:31 Thanks. [IT 513/1-024] 15:47:35 Community management is responsible for the content of the users during its entire lifetime. [Thomas Dack - STFC UKRI] 15:47:42 That's just token lifetimes, right? In which case, yeah, I think we have a half-hour token [Thomas Dack - STFC UKRI] 15:47:42 that's just [Thomas Dack - STFC UKRI] 15:47:47 so in IRIS at the moment. [Christos Kanellopoulos] 15:47:56 But do you support refresh tokens? [Thomas Dack - STFC UKRI] 15:48:01 We can. We haven't implemented them, anyway. [Thomas Dack - STFC UKRI] 15:48:05 Yeah, they are, refresh tokens. But then, yeah, I mean, there's a lot of conversations I know within the scope of WLCG [Christos Kanellopoulos] 15:48:06 Oh, okay, because this is [Thomas Dack - STFC UKRI] 15:48:14 around refresh tokens as well. INDIGO IAM supports them. [Thomas Dack - STFC UKRI] 15:48:18 We haven't [Thomas Dack - STFC UKRI] 15:48:21 enabled them anywhere yet. [IT 513/1-024] 15:48:36 And then re-issuance must be based on the information held in the AA at the time of re-issuance. [IT 513/1-024] 15:48:43 That is, essentially, if you have a refresh token, it should probably check whether it's still okay. [Thomas Dack - STFC UKRI] 15:48:49 Yeah, I mean that's sensible, although, as above, we aren't issuing them at the moment. [IT 513/1-024] 15:48:50 But I'm not a Yoshire [Thomas Dack - STFC UKRI] 15:48:59 So [Christos Kanellopoulos] 15:49:05 There is one very interesting discussion we have been having in AARC, but we didn't conclude, regarding this point. [Christos Kanellopoulos] 15:49:12 Yeah, exactly. So let's say that you have got an access token, [Christos Kanellopoulos] 15:49:21 and that token, for that stuff you have requested to get the profile information. [Christos Kanellopoulos] 15:49:26 So using that token,
you can go to the userinfo endpoint and get the user information about the user. [Christos Kanellopoulos] 15:49:33 So the question was: if that user information changes on the AA side, should the access token release the different information? When you call the userinfo endpoint the next time, should you get the first input or not? And this might sound easy to answer, but actually it's very complex. [IT 513/1-024] 15:49:54 Hmm. [IT 513/1-024] 15:49:59 Hmm, yeah. [Christos Kanellopoulos] 15:50:00 Because the user has agreed to provide access to a specific type of data and the values. [Christos Kanellopoulos] 15:50:10 And they have the same thing. Then perhaps its value might change to something that is more sensitive. [Christos Kanellopoulos] 15:50:15 So it's not an easy answer, but we have touched this in [Thomas Dack - STFC UKRI] 15:50:23 hmm. [IT 513/1-024] 15:50:43 It's an interesting one. Probably we want to go back to the user at that point and [Christos Kanellopoulos] 15:50:49 Exactly, yes, so [IT 513/1-024] 15:50:51 Yeah, thank you. Giving the old information, that's certainly wrong. [IT 513/1-024] 15:50:57 If you give the new information, you may have the data [IT 513/1-024] 15:51:04 You should probably just not answer at all. [Thomas Dack - STFC UKRI] 15:51:07 hmm. [IT 513/1-024] 15:51:11 There's no right answer to this. But for the moment it's not used [IT 513/1-024] 15:51:17 here. But when that discussion completes, it's worth a specific guideline. [Christos Kanellopoulos] 15:51:23 Absolutely, yes. [IT 513/1-024] 15:51:38 Okay. [IT 513/1-024] 15:51:41 We are at the end of the AAS section; the next is operational environment. [IT 513/1-024] 15:51:50 It's now close to 4, we should certainly have a break, otherwise [IT 513/1-024] 15:51:59 people are going to die somewhere.
After that we can either continue with this one, or have a discussion on the format in which we want to release, if we still have to, or we can just try to continue, say, until 4:30 or so with just the review for IRIS, or do you want to contrast this [IT 513/1-024] 15:52:25 one with the [IT 513/1-024] 15:52:29 Review, too many choices. I don't think I'm Ltd. [IT 513/1-024] 15:52:34 would be that different? Maybe some of the policy stuff is a bit clearer because we have the WLCG [IT 513/1-024] 15:52:39 JWT profile, but pretty much starting from this is relevant. [IT 513/1-024] 15:52:47 Going by and answering all the same questions. Yeah, we'll see if we can highlight any issues here. [IT 513/1-024] 15:52:56 Okay, because I think that has been, is what we have. That's a lot. [Christos Kanellopoulos] 15:52:58 the [Christos Kanellopoulos] 15:53:02 Oh, David, can I have something just before we break? There was this slot. [Christos Kanellopoulos] 15:53:10 This happened, discussing the list for OpenID Connect providers, and I don't know what the discussion is happening, because this is very interesting, and this is under that we are also moving forward in use Ki, and I would really like to be part of the discussion. [IT 513/1-024] 15:53:23 Yeah. [Christos Kanellopoulos] 15:53:28 So, do you know [IT 513/1-024] 15:53:30 Yeah, we could do that immediately after the discussion we had. We touched briefly on it this morning, and then we have, trying to find back the notes. [IT 513/1-024] 15:53:45 The idea was to have a list of trusted token issuers, given the fact that OIDC Federation isn't maturing quickly enough, and people are now manually collecting issuer lists. [Christos Kanellopoulos] 15:54:02 Okay, let's [IT 513/1-024] 15:54:03 Maybe we should have, yeah. [Christos Kanellopoulos] 15:54:06 Let's discuss this after. I don't want to keep you.
[Christos Kanellopoulos] 15:54:13 If this is exactly what we would be doing in Uski also, to see how we can not replicate efforts. [IT 513/1-024] 15:54:18 Yeah. So shall we have a 10 min tea break? Can you slip? [Christos Kanellopoulos] 15:54:18 See? Okay, thank you. [IT 513/1-024] 15:54:23 Stay on for [Thomas Dack - STFC UKRI] 15:54:25 yeah. [Christos Kanellopoulos] 15:54:26 I can't. I would help you with it, but [Thomas Dack - STFC UKRI] 15:54:30 Yep, no problem. [Licia Florio] 15:54:30 Me too. Well, we don't have the nice stuff, probably, to it, Chris. [IT 513/1-024] 15:54:33 Okay. [David Crooks - STFC UKRI] 15:54:36 you said [Thomas Dack - STFC UKRI] 15:54:37 Thanks, cool. [IT 513/1-024] 15:54:38 for 10 min. [IT 513/1-024] 15:54:48 Oh! [IT 513/1-024] 15:54:56 this morning [IT 513/1-024] 15:55:15 key, right. [IT 513/1-024] 15:55:21 That's how we now have the "review sheep" sheet also. I'm not a sheep; I made a typo in the beginning. [IT 513/1-024] 15:55:34 Now we have a review sheet, you see. [IT 513/1-024] 15:56:03 Discuss this with you. With what happened, you know, this arms on the chest? [IT 513/1-024] 15:56:10 Yeah, maybe because I was, I'm sure. [IT 513/1-024] 15:56:22 dumb, deliberately, because [IT 513/1-024] 15:56:30 Yeah. So for sure you can, just, which you could all change. I remember seeing this 3 years ago before the print. [IT 513/1-024] 15:56:43 These are [IT 513/1-024] 15:57:05 that's okay. Maybe. When do you know? And so, and we've been through a large, okay? [IT 513/1-024] 15:57:17 Yeah, well, so. Fingers, when is your flight? When is your flight, when am I flying back? [IT 513/1-024] 15:57:24 Yes, yeah, when, in auto. Friday? Yeah, well, for sure. [IT 513/1-024] 15:59:15 Okay. [IT 513/1-024] 16:12:54 Oh, that's nice! [IT 513/1-024] 16:13:02 Oh, that was actually 20 min. [IT 513/1-024] 16:13:26 Okay. [IT 513/1-024] 16:13:55 Okay. [IT 513/1-024] 16:14:15 Google kindly reminded me that the last edit was 21 min ago. So we had a 21 min
tea. [IT 513/1-024] 16:14:22 Bright. [IT 513/1-024] 16:14:30 And the transcription is interesting. We have a 21 min "tea dog", bright. [IT 513/1-024] 16:14:40 Now it says we have a teaspoon tea, talk, tea, dog, or tea. [IT 513/1-024] 16:14:44 Oh, God! [IT 513/1-024] 16:15:13 Okay, are we up for a last push for [IT 513/1-024] 16:15:20 at most 45 min? [IT 513/1-024] 16:15:27 Then we close, go and feed. So which are you doing, things you want to do? [IT 513/1-024] 16:15:32 The format thing? Yeah, I think we should do the formatting of the list, [IT 513/1-024] 16:15:37 also because now Christos is online, you can see it. [IT 513/1-024] 16:15:43 Lots of nice jay-on backgrounds. We have had several discussions yesterday, and 2 weeks ago at a token workshop and hackathon at niche with Anna, who was there, and several others. [IT 513/1-024] 16:16:01 What actually transpired: we currently manually configure many of the trusted token issuers in a list, and then unroll them either in the config file for HTCondor, [IT 513/1-024] 16:16:15 or put them in a list of trusted issuers, or put them somewhere else, and that's all done manually for now. [IT 513/1-024] 16:16:22 Oh, good! That we are going through the G071 review, one of the nice outputs would be, for those token issuers, and that's good, authorities that make it through a review which would be extremely lightweight, there is a good reason [IT 513/1-024] 16:16:41 to actually get them kind of a bonus in trust status. [IT 513/1-024] 16:16:45 One of the others was that on the IGTF website, like we currently produce a distribution of trust, we also have a distribution of trusted token issuers that meet or exceed the appropriate confidence. [IT 513/1-024] 16:17:04 So there are several questions that pop to mind. [IT 513/1-024] 16:17:07 First of all, is this useful? Secondly, if we do it, should it be a single list, or multiple lists, maybe taking into account assurance information or target audiences?
[IT 513/1-024] 16:17:18 And if you have multiple lists, should the list be just a plain-text file of URLs, or should it be more inspired by OIDC Federation, the JSON file, where you have both the endpoint and also some associated metadata, like a policy or a contact or a security, [IT 513/1-024] 16:17:40 operational security contact, etc.? So that was the question that was discussed yesterday, [IT 513/1-024] 16:17:51 this morning as well, with, it's no longer online, [IT 513/1-024] 16:17:56 Matlab, and for a moment I think we got positive feedback. [IT 513/1-024] 16:18:05 Not yes, a list would be useful. The other input we got for now is good for that. [IT 513/1-024] 16:18:11 One token issuer can issue assertions at multiple assurance levels. [IT 513/1-024] 16:18:17 It doesn't make sense to separate it by assurance level. [IT 513/1-024] 16:18:21 So, because one token issuer can do Cappuccino and Espresso, and Brockwood. [IT 513/1-024] 16:18:28 So just having different values with a different AMR or ACR, you should have a single list, and it's probably worthwhile using a [IT 513/1-024] 16:18:42 JSON format for that, inspired by OIDC fed. [IT 513/1-024] 16:18:49 But there's a new community on one. So what is your immediate reaction? [IT 513/1-024] 16:18:54 Traditional. [Christos Kanellopoulos] 16:18:55 So actually, this is very, I think I would be very positive, because it is very much in line with what we do right now. [Christos Kanellopoulos] 16:19:04 We have identified exactly the same need for a list of trusted issuers, and effectively, [Christos Kanellopoulos] 16:19:14 I don't know how many of you are aware of the Usk Life Federation. [Christos Kanellopoulos] 16:19:18 I guess most of you. But not only so. So. [Christos Kanellopoulos] 16:19:23 Probably I will not spend time to explain what it is, because you can go and ask David what it is. But if you're going to need to save you guys, now let me know.
[Christos Kanellopoulos] 16:19:32 But they're basically. And then what you say is, you have fully embraced the the arc There are blueprint and their guidelines.
[Christos Kanellopoulos] 16:19:42 This is the base of the use case, Federation, and the initial implementation is based on Samuel, of course, because this is this is what everybody's supports. At least, how we do for The residual day But There was this need for for open LED connected for open LED connect provider
[Christos Kanellopoulos] 16:19:58 trust, because right now we are working on the use case of cross infrastructure, access and in particular, how to be able to have workloads running across different infrastructures, and for that we have right Now, we're developing a new archive document which is almost finalized, actually which is
[Christos Kanellopoulos] 16:20:23 the remote talking inspection where effectively, one open at the client and the looking rooted for auction.
[Christos Kanellopoulos] 16:20:40 And if that does not, has not issued this token, then it can go and verify the token to the actual issue of of course, there's a number of prerequisites for this to happen tokers have to be total Spargo these are described.
[Christos Kanellopoulos] 16:20:53 In the document. So what we have done we are doing inaccurate now.
[Christos Kanellopoulos] 16:20:56 We are finalizing specification for the mechanism, The technical mechanism of how this can work and there's going to be a separate document that is going to describe the trust aspects so oh, the first one we'll just describe with the how how the flow will work with tokens and the second, one we
[Christos Kanellopoulos] 16:21:16 say, okay, how does Roxy A. Knows that it is trusting proxy?
[Christos Kanellopoulos] 16:21:21 B. To verify your talking, or how can proxy automatically register itself to procure B as A client and be identified as a as a a trust identity?
[Christos Kanellopoulos] 16:21:34 So this is why we came up with the same requirement, basically that that we need in addition to the sample federation to the sample metadata of the Federation.
[Christos Kanellopoulos] 16:21:45 We need One day cafe duration, also to publish the lead of the open LED connect providers that are members of the Federation, and this you will include only the proxies, not the clients And we have basically we're working towards direction, of of implementing addition schema that will
[Christos Kanellopoulos] 16:22:04 basically at the beginning would be very simple, and in the future we can decide how this will evolve.
[Christos Kanellopoulos] 16:22:11 Possibly we will drop it at some point in the future, because open at the Confederation will provide all of this needs for us.
[Christos Kanellopoulos] 16:22:17 But for the time being, we just need this, this, this simple, mechanism to basically boot software cost.
[Christos Kanellopoulos] 16:22:27 So the idea there is at the very beginning to have only a dation issues, and perhaps also Jason Webkins.
[Christos Kanellopoulos] 16:22:35 But this is under discussion right now and and effectively. It's proxy.
[Christos Kanellopoulos] 16:22:42 It's a compliant proxy. We have to be able to fetch this list both, and to be able to configure itself so that it can do things that are actually not inspection and at the same time it's a it's prox should be able to receive the same
[Christos Kanellopoulos] 16:22:57 list and to be able to allow connections from from from from these issues as clients.
[Christos Kanellopoulos] 16:23:03 In this case to be able to get the information about users.
[Christos Kanellopoulos] 16:23:07 So this is the need that they, the the needle cup right now, and that should be very pressing because we've got a lot of use cases about this, and the idea is that the Federation is the natural place for these 2 to lead there this is the main concept I mean The federation that already.
[Christos Kanellopoulos] 16:23:22 Registered the various entities within the Federation.
[Christos Kanellopoulos] 16:23:27 It will provide this list. Now, what do you discuss here, David? For me?
[Christos Kanellopoulos] 16:23:33 It comes talk to this, to to the discussion. I've been having several years now regarding trust marks, and and and I think this relates very much, very nicely with with another very recent development in art which will be presented in legis for formal approval, but I think on Monday and this is the work that we do
[Christos Kanellopoulos] 16:23:54 with the arc energy categories. So for various reasons, I don't want to go to bother you here week with all the details, but you can read about it if you want.
[Christos Kanellopoulos] 16:24:04 We have defined some AR identity categories that basically say this entity is is an art proxy, acting as a service.
[Christos Kanellopoulos] 16:24:12 It is an art proxy, acting as an event provided; but we could have also into the category, saying that this meets this is a thought that just came to me.
[Christos Kanellopoulos] 16:24:25 Anyway, these are things that that we should be discussing, and but it helps.
[Christos Kanellopoulos] 16:24:30 I was thinking that idf could be the place to aggregate all these lists.
[IT 513/1-024] 16:24:32 One
[IT 513/1-024] 16:24:32 one
[Christos Kanellopoulos] 16:24:37 I think global level, because within Eos, we have discussing about the European open sense cloud. Right?
[Christos Kanellopoulos] 16:24:43 It has a A, context. It is it is Europe. But I if it's global and and I think perhaps he is.
[Christos Kanellopoulos] 16:24:51 He's one of the right places to to gather this list and distribute it, of course, in the future, and if open at economic federation, because our successfully add gain fully supports, open id connect and things will change again, But I think in the meantime, I think this some scenery, like this would make
[Christos Kanellopoulos] 16:25:06 sense.
[IT 513/1-024] 16:25:12 So crystals that took to be clear, so that would be aggregating the list from Ios without further filtering or filtering, on say, G o 71 compatibility
[Christos Kanellopoulos] 16:25:29 The I. This is this is basically we need to discuss this.
[Christos Kanellopoulos] 16:25:33 Yeah, I think this depends on what are the needs of the of the Commune of the users.
[Christos Kanellopoulos] 16:25:37 Right. So I imagine that now that we are in transition phase, not all.
[Christos Kanellopoulos] 16:25:48 AI will be accredited. It will take some time until everybody gets accredited, and also I would like to discuss.
[Christos Kanellopoulos] 16:25:54 I mean, there's another point in just my Uk.
[Christos Kanellopoulos] 16:25:57 I had on. Now how can we work together on this?
[Christos Kanellopoulos] 16:26:02 I mean, we igf be the body for all the communication
[Christos Kanellopoulos] 16:26:10 Will do. We have to do some of the accreditations within the context of fields, and there is a trust somehow between us. And I'm not sure how this will work.
[Christos Kanellopoulos] 16:26:18 So we need. We need to to see how can operationalize this.
[Christos Kanellopoulos] 16:26:23 And of course try to avoid as much as possible duplicate work.
[Christos Kanellopoulos] 16:26:26 So so I wouldn't like to have Do you care to do work?
[Christos Kanellopoulos] 16:26:30 That perhaps it does also, but also vice versa. So this is this is 1 point that we need to think about, and and and actually just 1 one last thing with David, the idea of the draft match of the entity.
[Christos Kanellopoulos] 16:26:45 Categories. You can simulate this. It's a very nice way of allowing.
[Christos Kanellopoulos] 16:26:49 Actually they they users. They've got to stress in this this list to be able to get what they need right and and and pick the the stuff that they actually won't need and require for their security requirements of the infrastructure
[IT 513/1-024] 16:27:18 option set on.
Now, thinking about this, If you have a Json format to distribute the list also already see fed included kind of policy oil, House as part of the metadata, and these entity categories or labels or even geo compliance could be policy urls in that
[IT 513/1-024] 16:27:40 list so you could filter based on Eos. And C.
[IT 513/1-024] 16:27:46 OS have to be one of trust Ios, or only Australians, or based on those honesty urls
[Christos Kanellopoulos] 16:27:54 The what is an idea, I guess could make sense up to now.
[Christos Kanellopoulos] 16:28:01 We discussed at all about adding policy urls in that file, because it was main driven by the technical requirements.
[Christos Kanellopoulos] 16:28:06 But I think we see this is a nice addition, and of course it would be nice to come to you to to come to a format together.
[Christos Kanellopoulos] 16:28:13 That makes sense for all right. This in for months
[IT 513/1-024] 16:28:16 No, yeah, actually the Oh I see. Fat working group spent a long time on defining metadata, for oh, I do see endpoints And the idea was to reuse as much of that work.
[IT 513/1-024] 16:28:16 no.
[IT 513/1-024] 16:28:31 As possible. So if there's a similar semantics needed, we would pick the same tag.
[IT 513/1-024] 16:28:39 That's also our DC. Fat users
[Christos Kanellopoulos] 16:28:40 I fully agree with this, but but all for the same time, I think we should use a subset
[IT 513/1-024] 16:28:46 Oh, yeah, but that and allows you to do things like security contacts.
[Christos Kanellopoulos] 16:28:51 Yeah.
[IT 513/1-024] 16:28:52 And hello, cause I could see That's a nice attraction to have for security contact recorded in the metadata for the distribution.
[IT 513/1-024] 16:29:05 But actually I have a Crystal's idea of saying that you don't demand Geo.
[IT 513/1-024] 16:29:10 compliance to get into the list. It's just a trust marker of the something that says it's 709 parties to decide.
[IT 513/1-024] 16:29:18 Do they want to. So.
But you're having a list of known done entities.
[IT 513/1-024] 16:29:25 The trusted in some way. I don't know exactly what it.
[IT 513/1-024] 16:29:28 What does it mean to be some policy requirement to get into this district But that's something we can define as kind of a governance of the list.
[IT 513/1-024] 16:29:38 Is it is almost smells like a the Github Repo where people can put in all requests to have their endpoint, added Hi!
[IT 513/1-024] 16:29:48 You define a review process on the pull requests to get it into the masterless
[IT 513/1-024] 16:29:55 Yeah, it also makes it a completely open and transparent process.
[Christos Kanellopoulos] 16:30:03 Yes, it it It would be like that, I think. I think
[IT 513/1-024] 16:30:04 And that's where you download the phone download it from the guitar
[Christos Kanellopoulos] 16:30:22 One of the problems that that will have to also understand is that we shouldn't make this very complex for the for the various researchive production communities.
[IT 513/1-024] 16:30:36 What.
[Christos Kanellopoulos] 16:30:36 Why I'm seeing this. This will make sense to talking about kinetic connect.
[Christos Kanellopoulos] 16:30:42 But really, this is just one of the technical sites.
[Christos Kanellopoulos] 16:30:45 Right We think the use case Federation. We try to be as agnostic as possible on the protocol, and then come and talk about the actual specifics the kind of specifics when it is really required so the idea there is that the recipe for taxes are will be connecting
[Christos Kanellopoulos] 16:31:04 with the the ais. If you have to follow a number of requirements, including to be on a social G 0 71 as a requirement.
[Christos Kanellopoulos] 16:31:15 But they will have to connect there, and the you have to provide some interfaces open at different interfaces.
[Christos Kanellopoulos] 16:31:24 So it. It does not make sense up to go and say, You know what you have to go and add your They some metadata specific to Pennsylvania.
Connect there.
[Christos Kanellopoulos] 16:31:34 So the nose, the idea, at least, that that that we have right now is that they applicant, provides all the information about the AI, including Samuel End, points open the connecting points.
[Christos Kanellopoulos] 16:31:48 The policy requirements. And then the salmon metadata feeds open Edcon.
[Christos Kanellopoulos] 16:31:54 They they open up the connectization function. Whatever we decide are generated out of that That doesn't make sense.
[Christos Kanellopoulos] 16:32:03 But I'm saying so. So I'm trying to to to take
[IT 513/1-024] 16:32:04 No.
[Christos Kanellopoulos] 16:32:10 Because okay, yeah, because I can very well see the same thing applying also for some Olympics right? Even though I know that it is not cool anymore.
[Christos Kanellopoulos] 16:32:19 Talk about summing, but it is there, and we have to accept it, and that is being used.
[IT 513/1-024] 16:32:21 Oh!
[Christos Kanellopoulos] 16:32:24 So I I I I would really like to see this being uploading also to all the AI's, regardless of what technology or which technologies they're using
[IT 513/1-024] 16:32:35 Yeah, Is there A And there were several systems that allowed metadata to be generated in the performance of thinking of, or peer or bill.
[IT 513/1-024] 16:32:49 Reap the finger, light bills, so you you enter it into a website and it generates a sample metadata.
[Christos Kanellopoulos] 16:32:50 Please.
[IT 513/1-024] 16:32:54 Is that something you're thinking about or
[Christos Kanellopoulos] 16:32:59 To be honest, and have started working on this right right now.
[Christos Kanellopoulos] 16:33:03 So it is not 100% Clear how how we are going through to do this, And if it's one way of doing this, I mean, we we are already right now, aggregating all the summer Metadata, And we are enriching it through peace.
[Christos Kanellopoulos] 16:33:15 And what we have. We want to do right now to see can generate those Json outputs.
I know that you can do it in peace, but we need to see how we can actually do it.
[Christos Kanellopoulos] 16:33:23 In generalization find that we want to generate. So this is a little bit a bit bit trickier, but it it.
[Christos Kanellopoulos] 16:33:33 It is kind of the under development right now. Of course, we should not be as soon as topic for us to define the addition format we need, and everything But what I would say is that that registration aspect and and this trust marks should should be at the entity level.
[IT 513/1-024] 16:33:46 And
[Christos Kanellopoulos] 16:33:47 Not at the technology level
[IT 513/1-024] 16:33:49 Yeah.
[IT 513/1-024] 16:33:58 We've got
[IT 513/1-024] 16:34:15 Okay. But that's but that that requires bit of challenging technology to get people who fill in something and then generate everything else.
[IT 513/1-024] 16:34:23 Okay.
[Christos Kanellopoulos] 16:34:24 Yes, yes.
[IT 513/1-024] 16:34:27 Just to make sure that it also works. Okay.
[IT 513/1-024] 16:34:33 Alright, wow!
[Christos Kanellopoulos] 16:34:36 Absolutely. But look initially, This This could be done you know, mechanical Turk man where basically you can't craft the the, the, the.
[Christos Kanellopoulos] 16:34:46 But but at least the incidentally point for the for the recent infrastructures, I think, should be generic.
[Christos Kanellopoulos] 16:34:52 One. And then how we generate these lists. It's another story that we have to figure out how to optimize that
[IT 513/1-024] 16:35:07 I'm hoping I a separate endpoint for the Eoski Federation that we can down consume at a global level
[Christos Kanellopoulos] 16:35:17 Yeah, you see, this is what we were thinking. Basically, we have an endpoint to the Federation level has that basically speeds outization file with all the we thought, they trusted issues open at the collective
[IT 513/1-024] 16:35:44 be nicely scalable model. So if you have, say access, exceed, or come in, or whatever eat or or generate similar files.
[IT 513/1-024] 16:35:57 You can easily aggregate and redistribute one of them manual version of Oh, I do see fat
[Christos Kanellopoulos] 16:35:59 Exactly. Exactly. Yes.
[Christos Kanellopoulos] 16:36:04 Yeah, I'll tell you. We'll have all all this
[IT 513/1-024] 16:36:11 Bye.
[Christos Kanellopoulos] 16:36:19 Well, I
[IT 513/1-024] 16:36:24 No, no! I was just saying sorry for not being here for the past half
[IT 513/1-024] 16:36:31 But, as you always see Hannah on the other side are John Martin, Ian and Buler and Dave would play for now.
[IT 513/1-024] 16:36:38 Go, but I can't throw the camera, I'm say
[IT 513/1-024] 16:36:46 We are here
[IT 513/1-024] 16:36:53 So
[IT 513/1-024] 16:36:57 Hmm.
[IT 513/1-024] 16:37:01 If you're coming through, define the Jason profile.
[IT 513/1-024] 16:37:06 Is that something you could include the Rtf general list in the discussion? It would be nice to have a
[Christos Kanellopoulos] 16:37:11 I I I think we should do it. We should do it together.
[Christos Kanellopoulos] 16:37:16 First of all this discussion we have been in the in the Architecture working group, so can I would be open, and you cannot also. Other people.
[Christos Kanellopoulos] 16:37:25 There, of course, and include the Eddie. If I think we need to include the Ids list also, because I mean, this is not something that should be done only in the context of of of a close group and Yeah, I think this makes sense, so we are going to start this work in
[Christos Kanellopoulos] 16:37:43 the arc context. I believe. Now in October, because we are finalizing the mechanism document, and we know we need to go to the trust movement where this is going to be basically defined.
[Christos Kanellopoulos] 16:37:54 So this could be open for for all of you to to contribute, and and all together we can come up with something that makes sense for all of us.
[Christos Kanellopoulos] 16:38:04 So so I'm saying it will not be in me or specific development.
[IT 513/1-024] 16:38:04 Right.
[Christos Kanellopoulos] 16:38:09 Us has already, outsource used to work as a program
[IT 513/1-024] 16:38:15 Yeah, and everyone who is not on apple should subscribe to Abbott.
[IT 513/1-024] 16:38:21 Now
[IT 513/1-024] 16:38:24 I see.
[IT 513/1-024] 16:38:30 Maybe I'll just subscribe to our general.
[IT 513/1-024] 16:38:33 Let's do. App
[IT 513/1-024] 16:38:37 We are about up to 20 messages a day at once.
[IT 513/1-024] 16:38:46 So are there any more comments on this one? I think we got a plan forward, so there will be a list. List.
[IT 513/1-024] 16:38:56 Will be fat. Why different? Constituent infrastructure?
[IT 513/1-024] 16:39:00 So Ios and others, it will be Jason. It will have a subset of the Oh, I DC.
[IT 513/1-024] 16:39:08 Felt as attributes, and it will have all 3 urls in it, one of which can be gio compliance, and we should be fine.
[IT 513/1-024] 16:39:22 A I filter true actually check that at the Rttf level, the asserted trust marks make sense
[IT 513/1-024] 16:39:38 Is there a similar filter mechanism for seeing for the Elsa AI Federation?
[Christos Kanellopoulos] 16:39:41 Yes, yes, yes, so so So I think we I mean, we need to make it is available for for the viruses, for not to be able to last.
[IT 513/1-024] 16:39:42 Look, you are going to curate the list
[Christos Kanellopoulos] 16:39:54 And it is not that they need to trust but this again.
[Christos Kanellopoulos] 16:39:56 This required discussion with the community, with the users at which can unlock the level which makes sense right now.
[Christos Kanellopoulos] 16:40:02 One we have in place is we are putting place, and we have people put in place, is really this empty categories that will distinguish and our community proxies from arc infrastructure proxies.
[Christos Kanellopoulos] 16:40:17 From general species and general edps, and this is because the use case Federation will do it again, and we will have somehow to be able to distinguish if it uses coming from home Idp or from from, an arc community proxy or if they see this is an end.
[Christos Kanellopoulos] 16:40:32 Service or this is an arc infrastructure proxy.
[Christos Kanellopoulos] 16:40:36 That isn't that CPU, the on top of other services
[IT 513/1-024] 16:40:42 But there's no curation process defined yet
[Christos Kanellopoulos] 16:40:46 At the Restoration process. Different? No, no, no! And actually this mechanism, this this and the categories will be used mainly by the proxies themselves, to be able to initiate different flows, but regarding the actual curation of the list there is curation I mean on the
[Christos Kanellopoulos] 16:41:06 federation. Side. We're already creating multiple feeds based on the on this categories.
[Christos Kanellopoulos] 16:41:10 Also. So we're doing some automatic curation the categories.
[Christos Kanellopoulos] 16:41:16 But this for the summer. Right? I can imagine that we could do the same also, for for the adjacent list of open at the connect providers.
[Christos Kanellopoulos] 16:41:26 But then, again, I think one important point is to agree what is what makes sense and what doesn't right, because if we end up with 1,000 different lists and permutations I think it would be not be useful
[IT 513/1-024] 16:41:40 Oh, this morning, at the curation of the entity category.
[IT 513/1-024] 16:41:45 So probably in technical contents, context, it doesn't make sense to or falsely find a.
[IT 513/1-024] 16:41:50 They have a community proxy wants to be seen as proxy, not an idp
[Christos Kanellopoulos] 16:41:55 You humiliate you mean in the sense that basically have a process where somebody approves of this.
[Christos Kanellopoulos] 16:42:03 This Mtp. Idea and category got to be assigned to this.
[Christos Kanellopoulos] 16:42:07 To this.
[IT 513/1-024] 16:42:08 The whole assigned them extra entity categories, even if the proxy itself doesn't declare it
[Christos Kanellopoulos] 16:42:13 Yes, so so this is something that for soon we need to to have support for on the Usc Federation.
[Christos Kanellopoulos] 16:42:21 But we have not done any work on that yet. But clearly.
[Christos Kanellopoulos] 16:42:24 All these discussion about trustworks immediately says that we need to be able to curate to, to enrich the the the metadata.
[Christos Kanellopoulos] 16:42:33 Right now we do this enrichment automatically. Bower by by peace with with automatic workflows.
[Christos Kanellopoulos] 16:42:38 But this is. There is no process of a decision making right.
[Christos Kanellopoulos] 16:42:43 While what you describe, I think Morris points towards to have a body accrediting something in then only then to be able to say, Okay, you can be assigned this trust.
[Christos Kanellopoulos] 16:42:51 Not go. What David
[IT 513/1-024] 16:42:53 No, or actually the rehearsal like you, You can.
[IT 513/1-024] 16:42:56 Self-assert it. But if you're known to break it, it can be taken away from you.
[Christos Kanellopoulos] 16:43:02 That part I mean. But we don't have the governance.
[Christos Kanellopoulos] 16:43:08 All this can work, how how this will work, or who could be operationalized
[Christos Kanellopoulos] 16:43:19 But I think in the context of use the nowadays is the discussion we need to be covering between security and and AI. To see how these things can be will be enabled
[IT 513/1-024] 16:43:25 Oh!
[IT 513/1-024] 16:43:34 Something to be sad. For having self assertions like certify was also a success, because it was self-asserted to some point
[IT 513/1-024] 16:43:43 And everything that has to be manually added usually doesn't get added at all.
[Christos Kanellopoulos] 16:43:55 So okay, 1, 1, one.
Interesting point is that we would like to get involved to involve what sort of a durations in this work a bit more.
[Christos Kanellopoulos] 16:44:05 But this is mostly for end services, I'm talking again.
[Christos Kanellopoulos] 16:44:08 The connections. Fiosk: so W. Somebody would like to see happening.
[Christos Kanellopoulos] 16:44:13 Is is really having also the local national level A lot of this curation happening, and not that they use, level because this kind of scale.
[Christos Kanellopoulos] 16:44:25 So these are the things that we are investigating now.
[Christos Kanellopoulos] 16:44:29 With with some Federation. We're discussing this, but also with with some of the national infrastructure, like, for example, with up again I will say, in the Netherlands how Strand, can become the local hub for for that services So that this whole, thing can be distributed
[Christos Kanellopoulos] 16:45:02 but at the moment all these are just initial ideas. Right?
[Christos Kanellopoulos] 16:45:05 I mean, we have not the next one
[IT 513/1-024] 16:45:10 Okay.
[IT 513/1-024] 16:45:17 I'm trying to write down some notes. So that's the That's why I'm writing all the time.
[IT 513/1-024] 16:45:22 Good. Transcript is kind of interesting.
[IT 513/1-024] 16:45:29 Okay, adding more comments on this one. I think we have a good path forward
[IT 513/1-024] 16:45:36 Let me
[IT 513/1-024] 16:45:43 Okay.
[IT 513/1-024] 16:45:50 Then shall we have a brief look at the Geos. 71 for Wscg.
[IT 513/1-024] 16:45:57 I have to leave in 15 min, so we we have 50 min
[IT 513/1-024] 16:46:04 Some definition.
[IT 513/1-024] 16:46:10 We continue where we work. Now look at the operational environment privilege personnel over contactual measures.
[IT 513/1-024] 16:46:19 Da operators should ensure.
Appropriate controls are in place over wrote to context security, content
[IT 513/1-024] 16:46:28 And the actual document has so physical controls, virtual separation of sensitive incentive services containers, the risk of cross, cross, compromise, risk assessment, certify sei in line with what the community needs I think that's probably fine
[IT 513/1-024] 16:46:54 I mean there's always a risk good somebody untrained about to get a contract here, and does something ridiculous.
[IT 513/1-024] 16:47:03 But I think that's
[IT 513/1-024] 16:47:07 Yeah, it. It shouldn't really happen. Just run in the same way that everything else has said.
[IT 513/1-024] 16:47:13 His room.
[IT 513/1-024] 16:47:21 Unless I'm talking. But
[IT 513/1-024] 16:47:33 And let's shout with all my other son. Security related. So.
[Ian Collier - STFC UKRI] 16:47:36 I
[IT 513/1-024] 16:47:38 But yeah, yeah.
[Ian Collier - STFC UKRI] 16:47:44 The I mean on untrained persons, the risk of untrained personnel is one thing, but I I mean I read this to be a bit more about the secure configuration you know appropriate configuration.
[IT 513/1-024] 16:47:45 Bye.
[Ian Collier - STFC UKRI] 16:48:03 controls the
[IT 513/1-024] 16:48:09 I read it the other way around. That's interesting. No, I mean
[Ian Collier - STFC UKRI] 16:48:10 I mean, oh, okay, oh, you you you could, you could you could.
[Ian Collier - STFC UKRI] 16:48:17 You can have the best train personnel you'd like. But if you don't apply any controls, it doesn't make it. A You know it doesn't become appropriate, because the stuff for trained it becomes appropriate because appropriate controls are in place does that make sense.
[IT 513/1-024] 16:48:36 Yeah.
[Ian Collier - STFC UKRI] 16:48:37 You know So so it's you know. It's not just a lash.
[Christos Kanellopoulos] 16:48:37 Okay.
[Ian Collier - STFC UKRI] 16:48:41 Stop machine on, you know, on openstack. It's you know.
[Ian Collier - STFC UKRI] 16:48:44 It's configuration.
That it's you know, controls on.
[Christos Kanellopoulos] 16:48:51 So. W. What I feel a bit confusing is is all we ask up to now for security controls are basically in O, E, 2 and O 3.
[Christos Kanellopoulos] 16:49:01 So I I This first requirement somehow feels to me very vague and and open India.
[Christos Kanellopoulos] 16:49:08 I mean. I cannot understand what to answer, while the next 2 requirements.
[David Crooks - STFC UKRI] 16:49:12 But it, but I think I think I but I think and so I think one thing is so I guess, in all you want.
[Christos Kanellopoulos] 16:49:12 It is very clear
[Ian Collier - STFC UKRI] 16:49:13 Access, and so on.
[Ian Collier - STFC UKRI] 16:49:14 Yeah.
[David Crooks - STFC UKRI] 16:49:21 I was kind of misled, because contractual measures means using contractors.
[David Crooks - STFC UKRI] 16:49:26 Rather than by having something in people's contracts. Maybe that I just misread that
[IT 513/1-024] 16:49:33 That's the mistake high made. So I take it back in
[David Crooks - STFC UKRI] 16:49:38 I I think, because I think it's I think it's interesting.
[David Crooks - STFC UKRI] 16:49:42 The only 2, then, has a very clear statement about physical security.
[David Crooks - STFC UKRI] 16:49:47 But then only 3. Doesn't talk about security controls at all.
[David Crooks - STFC UKRI] 16:49:55 It talks about meeting or exceeding the requirements of the communities, and that, doesn't you know it doesn't specify what or what type, of requirement. It's meaning gear
[David Crooks - STFC UKRI] 16:50:10 So I think I think only 3 is not quite as clear
[IT 513/1-024] 16:50:19 A generic statement between all of these 3 items was the one that's going to be in italics.
[IT 513/1-024] 16:50:24 So considering placement, policies, fiscal virtual separation of containers of sensitive, remote, sensitive services and protections, etc.
[Ian Collier - STFC UKRI] 16:50:24 Yeah.
[Ian Collier - STFC UKRI] 16:50:36 Yeah.
[IT 513/1-024] 16:50:42 But I think I'm sure there's no separation of containers. No, it's running up the general open shift infrastructure, no specific actually for critical things.
[IT 513/1-024] 16:51:03 So in case of container or vm vulnerabilities.
[IT 513/1-024] 16:51:07 Yeah.
[IT 513/1-024] 16:51:27 Another concern I have is how the secrets are managed the way it was set up for Richard.
[IT 513/1-024] 16:51:32 We after this. Thank you. Very uncomfortable.
[IT 513/1-024] 16:51:42 But I don't think we have many better options was set up.
[IT 513/1-024] 16:51:48 As for me as a lab or so, it's deployed using customized the kubernetes, which means that everything is in a normal file or in a text file, that would be uploaded into open shift to be a secret or conflict map and all of these files are
[IT 513/1-024] 16:52:05 in. I get that project to anybody who has access to get that database.
[IT 513/1-024] 16:52:13 Has access to those secrets which is only people working here who are authorized to do that, and have been in there not necessarily in their contracts, but at least in there
[IT 513/1-024] 16:52:26 My performance apprentices that they have access to sensitive data, And you should treat it with, Okay, but it's not false as it typically unable, or or should have concept of falls but they are encrypted Yeah.
[Christos Kanellopoulos] 16:52:32 Oh!
[IT 513/1-024] 16:52:45 Nope.
[Christos Kanellopoulos] 16:52:45 So I think I think we have 2 aspects of this is where you can keep the secrets in your configuration system, and how you protect your secrets on The running system in both of these are are equally important
[IT 513/1-024] 16:53:12 Yeah, I would be less worried about the secrets being in the operational.
[IT 513/1-024] 16:53:19 Okay, yeah, but I would be worried about good love. Instance.
[IT 513/1-024] 16:53:33 The container will go away at some point. What is somebody?
[IT 513/1-024] 16:53:38 Thanks, coffee of to get labs database actually done sinks it back to a laptop, and then the laptop is taken away.
[IT 513/1-024] 16:53:47 Yeah.
[IT 513/1-024] 16:53:58 Well, I'll take it away and have a discussion with.
[IT 513/1-024] 16:54:00 There is some kind of yeah, but I think they also struggling for good solutions.
[IT 513/1-024] 16:54:08 Yeah, typical solution, a faulted one.
[IT 513/1-024] 16:54:16 And you have to secret for the fault only activated when you do an actual deploy.
[IT 513/1-024] 16:54:20 Okay, symmetrically encrypted at rest.
[Christos Kanellopoulos] 16:54:27 So the this is exactly what well, what we do.
[Christos Kanellopoulos] 16:54:35 But there is another issue with that right? Because when you have people in your team working with the with repositories at some point, they have, they have to have the secrets for These voted fights So what do we ask that we're discussing right.
[Christos Kanellopoulos] 16:54:50 Now is, is what do we do when somebody leaves the team?
[Christos Kanellopoulos] 16:54:55 Because they potentially can still have access to secrets, even if they have left.
[Christos Kanellopoulos] 16:55:03 So, although, of course, contractually, they they have to delete everything.
[Christos Kanellopoulos] 16:55:06 So what we do right now, for example, is you have an automated process that whenever somebody leaves the team we regenerate, or secrets and reencrypt them with new keys and red deploy them, which is very powerful so and we are looking at a better, solution because this is also not
[IT 513/1-024] 16:55:22 Yeah.
[Christos Kanellopoulos] 16:55:25 very.
[IT 513/1-024] 16:55:26 No. Now you you probably hit that boast of staff leaves in a Yeah, Yeah.
[IT 513/1-024] 16:55:37 Hmm. And you probably want a solution which is friendly to smart, and it Hmm!
[IT 513/1-024] 16:55:47 Especially in places where people could just be using their own laptop to work, be taken away from.
[IT 513/1-024] 16:55:53 It's done or where you're not sure that laptop century equipment got stolen. [IT 513/1-024] 16:56:00 I do have a that That's the risk of a kid. [IT 513/1-024] 16:56:02 That sounds good, cool. You have everything [IT 513/1-024] 16:56:15 So does suggestion to look at faulting. Yeah, I what did I don't want to do anything. [IT 513/1-024] 16:56:29 The introduces another service. Basically, I would really love to be able to depend on the other. [IT 513/1-024] 16:56:35 It services. And let me, because I think, adding more to it, and a team that's already running with very few people cool would introduce more risks [Ian Collier - STFC UKRI] 16:56:46 but is this something that you can raise as a you know, as something that's kind of needed [IT 513/1-024] 16:56:57 Yeah, yeah, I'm sure with the company. Anyone [Ian Collier - STFC UKRI] 16:57:00 No, yeah, we did. I did imagine there's quite lots of things running. [Ian Collier - STFC UKRI] 16:57:05 It's that could do with good solutions in this area. [IT 513/1-024] 16:57:09 No, yeah. [Ian Collier - STFC UKRI] 16:57:10 Also be many, many many things. [IT 513/1-024] 16:57:15 that's probably all the services that have some kind of secrets, database passwords or certificates, or secrets to Talk to the Sierra. [Ian Collier - STFC UKRI] 16:57:21 Hmm. [IT 513/1-024] 16:57:28 They all have the same problem. There is probably a solution for sort of stuff out of that potentially. And if not, all the services are yeah. [David Crooks - STFC UKRI] 16:57:35 so I know that there was so sorry I I I know that there was a So. [David Crooks - STFC UKRI] 16:57:42 There was a presentation at about work in. [David Crooks - STFC UKRI] 16:57:48 Well, eg. I call egos cool, which was a distributed, distributed. [David Crooks - STFC UKRI] 16:57:56 How she got volt, basically that they were, that they were They had deployed for Fair cloud. [IT 513/1-024] 16:57:59 Bye. 
[David Crooks - STFC UKRI] 16:58:05 So, if not using that, then that's that's some work. [David Crooks - STFC UKRI] 16:58:10 That is being done, but we should also colonize, because that's something that we're looking at for the that the tier one and scientific computing services as Well, so there's for sure shared thanks there [IT 513/1-024] 16:58:34 It's just very useful discussion to so. But this is a very generic problem. [IT 513/1-024] 16:58:42 We've visited also once at Nikkarfield. [IT 513/1-024] 16:58:45 centrally sold, not a system. And okay, where are the secrets Owner All in plain textbook? [IT 513/1-024] 16:58:52 No, please don't. I think oe 2 we just verified in person. [IT 513/1-024] 16:59:01 Yeah. [IT 513/1-024] 16:59:13 trying to open the door with Mikeie I think I was only actually enabled to access for a couple of hours, for today as well. [IT 513/1-024] 16:59:20 So it's pretty [IT 513/1-024] 16:59:29 Are we trained personnel? Yeah. [IT 513/1-024] 16:59:40 Oh, this is the the the last one, The protection on the Aa in the operational environment, including the credential of the ada administrators and operators should meet or exceed the requirements of all of the communities hosted in the aa, does make sense, But [Ian Collier - STFC UKRI] 16:59:56 good. [IT 513/1-024] 17:00:04 It's fine. [IT 513/1-024] 17:00:10 You'll probably all have the same. Yeah, it's at least using it password. [Christos Kanellopoulos] 17:00:10 okay. [Christos Kanellopoulos] 17:00:13 But that [Ian Collier - STFC UKRI] 17:00:13 I [IT 513/1-024] 17:00:15 But some people also have 2 things. We could [Ian Collier - STFC UKRI] 17:00:17 Yeah, I was just gonna say that that So yeah, go on. [Ian Collier - STFC UKRI] 17:00:21 Sorry. [Christos Kanellopoulos] 17:00:22 Oh, what is it? 6 [IT 513/1-024] 17:00:22 We can require 2 essay, I suppose. 
[Christos Kanellopoulos] 17:00:29 I I I find these these requirements a little bit strange, because actually, if if if they, if it did not meet requirements, they will not be using this service. [IT 513/1-024] 17:00:39 Yeah. [Christos Kanellopoulos] 17:00:39 So. I mean I I I know that the caps in Wc. [Christos Kanellopoulos] 17:00:44 Things might be different, but when when we, as unprov service to give it just for statue, and we have the suppliers, we have to commit to the No, we don't. [Christos Kanellopoulos] 17:00:57 Do this so [IT 513/1-024] 17:00:58 Yeah, but maybe they never know like if you, if you have a community which insists on Mfa. [IT 513/1-024] 17:01:06 Everywhere and in-person fading, etc., and then you have a session who come from home, you, Stella, to get in, Bill. [IT 513/1-024] 17:01:13 Nothing. About Okay. [Ian Collier - STFC UKRI] 17:01:16 Well, they make point that one day [IT 513/1-024] 17:01:19 Yeah. But then it's too late. [IT 513/1-024] 17:01:28 But I think that's that's what oe free is trying to protect the gap. [IT 513/1-024] 17:01:32 Okay, having admins with a more trivial access method than any of the members. [IT 513/1-024] 17:01:37 Yeah, yeah. [Ian Collier - STFC UKRI] 17:01:49 And that kind of thing is honestly not as uncommon as we might wish it were [IT 513/1-024] 17:02:17 Okay, that's the under Oe free. So that's the operational environment. [IT 513/1-024] 17:02:24 I think it's 5 block, so we reconcile tomorrow. [IT 513/1-024] 17:02:32 I think we did a wonderful job. Today We find several errors in Geo. [IT 513/1-024] 17:02:36 71. We did half of Ukraine, and we got a rough consensus on the list. [IT 513/1-024] 17:02:50 The trust list of Factor Amphitheater learned a lot about Hbc. [IT 513/1-024] 17:02:57 On in in the morning with I forget you are already formed about the the fact that we have a perfect Arc Bpa. [IT 513/1-024] 17:03:07 Proxy lined up for Agus. Yes. [IT 513/1-024] 17:03:13 So that's good. 
Here we will reconcile tomorrow morning again at 9, 30. [IT 513/1-024] 17:03:25 then talking, about enabling communities. And you'll have a mattered show for most of the morning. [IT 513/1-024] 17:03:39 relying on. I'm I'm very heavily relying on you, for sure you can do assurance And, Dave, you want to say a few words about, and then if 2 will have John oh, yeah, so boxing on behalf of the ends so let's [IT 513/1-024] 17:03:57 see. [IT 513/1-024] 17:04:03 I won't join. But there's a table booked at at 7. [IT 513/1-024] 17:04:09 Oh, yeah, under my name, and to get there you just catch the tram 18 down to 6, which is half an hour or less from see? [IT 513/1-024] 17:04:19 It. I should be right there, I know I know it's, and it's I'll join if I can, by things to do. [IT 513/1-024] 17:04:37 Okay, alright, Well, yes, guys. [Ian Collier - STFC UKRI] 17:04:38 hey! By all. [Thomas Dack - STFC UKRI] 17:04:42 Hi! Everyone.