Token Trust & Traceability WG February 2025 Call
CHEP Paper - Matt shared overleaf link to list.
https://codimd.web.cern.ch/s/r9XGDDUot#
# TTT February 2025
Attending: Matt, DaveK, Marcus, Linda, Mischa, TomD
Apologies: DavidC, Maarten
### CHEP Paper
Some progress made, foundations are down. Thanks to DavidC for taking a pass at it.
todo:
* references
* cleaner axes diagram
* better define a conclusion
* worry about being too WLCGy. Explicit statement to that effect? Change first sentence (turn it round). And beginning of chapter 2.
https://www.iana.org/assignments/jwt/jwt.xml
Target Thursday lunchtime for a final draft.
### General Discussion
Outcomes/Actions from EUGridPMA/OTF?
EUGridPMA was a good meeting, Petr was there. Good discussion about models. The "why" of decisions.
DaveK was scared. Not convinced that the trust is there yet.
Token Lifetime discussion progress.
DaveK - Desire for a formal security assessment.
MD - DavidC volunteered to lead some risk assessment work.
VOMS had a formal code review.
What would we formally code review?
Supposed to use
MS - architecture review rather than a code review?
DK - sounds like a good start, then a code review.
MS - Apptainer had a code review in the US, but that was expensive.
Indigo IAM could do with a review, but moving target at the moment.
No funding for this sort of work these days?
VOMS was small compared to INDIGO IAM/Keycloak.
Agreed that an architecture review/documentation is a good start.
Notes the FTS model.
(unintentional) DOS on IAM is a risk. Particularly with a single, central issuer.
A malicious user could do the same.
Good to find this sooner rather than later.
(discussion that the optimal time to do the risk assessment was over 3 years ago...)
Note the WLCG Token Technical Group (not sure of official name, or if has one).
Traceability?
Depends on the endpoint middleware?
Trusted Issuer list.
- provided by VOs, but can they then be trusted?
Need to define criteria for what makes an Issuer trustworthy.
Guidelines for them.
* good thing to discuss next meeting
* ARC AAops doc good place to start
* Jens is a good person to ask; online CA guidelines could definitely apply to Issuers.
MS - being discussed in security groups
Also Token Banning mechanisms. In scope for Traceability. But scale brings issues.
Another reason why flooding with tokens is a risk, makes traceability harder.
MS - Reconsider architecture hints. Who to poke and ask for this.
MD - could approach an architect and ask if they can describe
DK - could assess each other
MS - AAOps filled in for INDIGO IAM by Hannah and Tom.
Could ask to describe using a framework.
DK - but a moving target at the moment.
Could look at framework -
MS - AARC document on token flows was a good review.
Work we could do as a group: looking at token movement, and auth at each step.
Re-advertise offline discussion: https://github.com/TTT-WG/TTT-WG/issues
### AOB
Next meeting in the cycle would be the 25th of March
Next scheduled meeting is the 18th of March, however Matt is unavailable.
The next meeting is the 25th of March.