Focus on:  Hide Contributions
Login

Token Trust & Traceability WG March 2025 Call

Europe/Zurich
Token Tracebility and Traceability WG
Zoom Meeting ID
64974356171
Host
Matthew Steven Doidge
Useful links
Join via phone
Zoom URL
Hide

https://codimd.web.cern.ch/OWqHHjWtRVW5zvaNQrevqQ

 

TTT March 2025
===
Attending: Matt, Maarten, DaveD, Dimitrios, DaveK, Marcus, Linda
Apologies:


## Actions, since last meeting
* Feedback from the CHEP reviewer, all minor changes, quoting the feedback: 
-- Remove period from title.
-- The abstract should probably be one paragraph instead of two.
-- Acronyms that may be unfamiliar to the reader should be defined. For example SKA and NFDI, perhaps AAI.
-- The example template document includes only the email address of the corresponding offer, not of everyone as is the case in this paper.
-- References need to be renumbered to be in the order they appear in the paper.
-- In section 2.1, the first sentence of the third paragraph is run-on. Suggest putting a period after "profile" instead of comma.
-- In the last sentence of the same paragraph replace "OAuth2 bearer tokens" with "an Oauth2 bearer token".
-- In section 3.2, second paragraph, the "Although" at the beginning of the last sentence is not proper usage. Suggest dropping it and using perhaps "However" either there or after the comma.
* I will make these corrections this week and resubmit, if the biggest job being renumbering the references I think we can call it a job well done.


## Discussion Points
Conversation seeds, in no particular order.

* "Trustworthy" Issuers
    * Some discussion last time, originating from DUNE tokens and the Amazon issued certificate of CILogon.
    * What makes an Issuer Trusted?
        * Expectations on the SLA level
        * Simple things like Host certificate expectations - Google certs aligning with IGTF should make things either
    * Registration/Advertisement of Approved Issuers.
        * GOCDB/Operations Portal/BDII... 
    * AARC AA Ops guide was mentioned, Matt still to get round to reading it: https://aarc-community.org/guidelines/aarc-g048/

* For information Mischa shared with the list: **OWASP ASVS 5.0 (Application Security Verification Standard)** 
-- https://github.com/OWASP/ASVS/blob/master/5.0/en/0x51-V51-OAuth2.md

* recent developments
-- DUNE tokens and xrootd "base_path"
-- other issues

* ML reminded the risk analysis revamp, this was done for WLCG last year. Task considered done, but end result not seen.
    * Probably don't want to publicise the risk analysis, but should be available internally.
    * Do our part listing token risks.
    * Token leaking etc...
    * Write this up, and decide what of it can be public (maybe 2 versions)
* Discussion of recent WLCG risk assessment.
    * Not widely seen (maybe a CERN internal thing)
    -- DK notes that GridPP re-assess every year.
    -- Good practice
    -- Last security risk assessment was a long time ago.
    ML - categorisation from last assessment reusable.
    
Work through github issues too https://github.com/TTT-WG/TTT-WG/issues 

DK - notes FIM4R at TIIME next week, where risk assessment needs will be discussed.
Making concious decision if we decide to accept any risks.
ML - in recent analysis there's a theme of some risks we have to sign off on.

ML will check about this risk assessment.
But will need to do something WLCG wide.
DK - and this should be at least exposed to the MB.

Linda's report: https://edms.cern.ch/ui/file/1039446/1/EGEE-III-SCG-TEC-1039446-SecurityRisk-v0_9.pdf
But ML notes this is a summary for a giant spreadsheet, we need that original (found in document folder)
Will look for the WLCG equivalent that Romain created.
DK dug out the report: http://cern.ch/rwartel/security_teg/WLCG%20Risk%20Assessment.pdf


DK - finding risks is easier than doing anything about them.

Risk assessment of IAM software was mentioned in a recent meeting. Could split this into levels. Worth asking Barton Miller about this.
Could split "costs" with other user groups.

ML notes being able to look more at this from mid-May onwards (post-WLCG workshop).
version 2.0 of the profile is coming this year.

## Turning discussion points into "products"
* We have very good, lively and interesting conversations, how to start converting these to advice, documentation... ?
--best practices, policy, inputs. But moving target/chicken and egg situation. Still finding our way.

--set of documents
"output doc" 1


* Try and get a wider audience.
    * invite Jens to a future meeting.
* With the evolution/maturing of the WLCG AuthZ group, do we have new bases to cover?

 

## AOB, Next Meeting

-- Next regular slot would be Tuesday 22nd April, but this is right after the Easter weekend. Would the 29th be a better alternative?

Decided on next meeting on the 29th.

There are minutes attached to this event. Show them.
    • 15:00 15:05
      Actions, Since Last Meeting 5m

      Resuming usual program.

    • 15:05 15:30
      Discussion 25m
      • "Trustworthy" Issuers

      • OWASP ASVS 5.0 (Application Security Verification Standard)
        -- https://github.com/OWASP/ASVS/blob/master/5.0/en/0x51-V51-OAuth2.md

      • Recent developments with xrootd token support requests and base_path

    • 15:30 15:55
      Discussion 25m
      • Planning the focus of the next few months
    • 15:55 16:00
      AOB, next meeting 5m

      Next scheduled meeting is the 22d of April, but this is right after Easter. Tuesday 29th is available as an alternative.

Powered by Indico v3.3.7-pre