https://codimd.web.cern.ch/s/r9XGDDUot#
# TTT February 2025
Attending: Matt, DaveK, Marcus, Linda, Mischa, TomD
Apologies: DavidC, Maarten
### CHEP Paper
Some progress made, foundations are down. Thanks to DavidC for taking a pass at it.
todo:
* references
* cleaner axes diagram
* better define a conclusion
* worry about being too WLCGy. Explicit statement to that effect? Change first sentence (turn it round). And beginning of chapter 2.
https://www.iana.org/assignments/jwt/jwt.xml
Target Thursday lunchtime for a final draft.
### General Discussion
Outcomes/Actions from EUGridPMA/OTF?
EUGridPMA was a good meeting, Petr was there. Good discussion about models. The "why" of decisions.
DaveK was scared. Not convinced that the trust is there yet.
Token Lifetime discussion progress.
DaveK - Desire for a formal security assessment.
MD - DavidC volunteered to lead some risk assessment work.
VOMS had a formal code review.
What would we formally code review?
Supposed to use
MS - architecture review rather than a code review?
DK - sounds like a good start, then a code review
MS - Apptainer had a code review in the US, but that was expensive.
Indigo IAM could do with a review, but moving target at the moment.
No funding for this sort of work these days?
VOMS was small compared to Indigo IAM/Keycloak.
Agreed that architecture review/documentation is a good start.
Notes the FTS model.
(unintentional) DOS on IAM is a risk. Particularly with a single, central issuer.
A malicious user could do the same.
Good to find this sooner rather than later.
(discussion that the optimal time to do the risk assessment was over 3 years ago...)
Note the WLCG Token Technical Group (not sure of official name, or if has one).
Traceability?
Depends on the endpoint middleware?
Trusted Issuer list.
* provided by VOs, but can they then be trusted?
Need to define criteria for what makes an Issuer trustworthy.
Guidelines for them.
* good thing to discuss next meeting
* ARC AAOps doc is a good place to start
* Jens is a good person to ask; online CA guidelines could definitely apply to Issuers.
MS - being discussed in security groups
Also Token Banning mechanisms. In scope for Traceability. But scale brings issues.
Another reason why flooding with tokens is a risk, makes traceability harder.
MS - Reconsider architecture hints. Who to poke and ask for this.
MD - could approach an architecture and ask if they can describe
DK - could assess each other
MS - AAOps filled in for indigo IAM by Hannah and Tom.
Could ask to describe using a framework.
DK - but a moving target at the moment.
Could look at framework -
MS - AARC document on token flows was a good review.
Work we could do as a group: looking at token movement, and auth at each step.
Readvertise offline discussion: https://github.com/TTT-WG/TTT-WG/issues
### AOB
Next meeting in the cycle would be the 25th of March