https://codimd.web.cern.ch/s/r9XGDDUot#

# TTT February 2025

Attending: Matt, DaveK, Marcus, Linda, Mischa, TomD

Apologies: DavidC, Maarten

### CHEP Paper
Some progress made, foundations are down. Thanks to DavidC for taking a pass at it.  

todo:  
* references
* cleaner axes diagram
* better define a conclusion
* worry about being too WLCGy. Explicit statement to that effect? Change first sentence (turn it round). And beginning of chapter 2.

https://www.iana.org/assignments/jwt/jwt.xml

Target Thursday lunchtime for a final draft.  

### General Discussion

Outcomes/Actions from EUGridPMA/OTF?  

EUGridPMA was a good meeting, Petr was there. Good discussion about models. The "why" of decisions.
DaveK was scared. Not convinced that the trust is there yet.
Token Lifetime discussion progress.

DaveK - Desire for Formal security assessment, 
MD- DavidC volunteer to lead some risk assessment work.
Voms had a formal Code review.
What would we formally code review?
Supposed to use 
MS - archetrcture review rather then a code review?
DK - sounds like a good start, then a code review
MS - apptainer had a code review in the US, but that was expensive.
Indigo IAM could do with a review, but moving target at the moment.

No funding for this sort of work these days?
voms was small compared to indigo iam/keycloak.

Agreed that archetecture review/documentation is a good start.
Notes the FTS model.

(unintentional) DOS on IAM is a risk. Particularly with a single, central issuer. 
A malicious user could do the same.

Good to find this sooner rather then later.

(discussion that the optimal time to do the risk assessment was over 3 years ago...)

Note the WLCG Token Technical Group (not sure of official name, or if has one).

Traceability? 
Depends on the endpoint middleware?

Trusted Issuer list.
-provided by VOs, but can they then be trusted?

Need to define criteria for what makes a Issuer trustworthy.
Guidelines for them.

* good thing to discuss next meeting
* ARC AAops doc good place to start
* jens good person to ask, online CA guidelines could definitely apply to Issuer.
MS - being discussed in security groups

Also Token Banning mechanisms. In scope for Traceability. But scale brings issues.
Another reason why flooding with tokens is a risk, makes traceability harder.

MS- Reconsider archetecture hints. Who to poke and ask for this.

MD - could approach an archetecutre and ask if they can describe
DK - could assess each other

MS - AAOps filled in for indigo IAM by Hannah and Tom.

Could ask to describe using a framework.
DK - but a moving target at the moment.

Could look at framework - 
MS - AARC document on token flows was a good review.
Work we could do as a group. looking at token movement, and auth at each step.

Readvertise offline discussion: https://github.com/TTT-WG/TTT-WG/issues

### AOB

Next meeting in the cycle would be the 25th of March