WLCG AuthZ Call

Europe/Zurich
513/R-068 (CERN)

Notes:

Previous Actions:

  • Action: Maarten to tidy up and review open issues and pull requests for the token profile, and then circulate a potential 2.0 draft
  • Action: Maarten to look at reviving the RTE Task Force


Proposed agenda:

  • CHEP 2026 talk?


Zoom meeting:

Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!

Next Meeting: 

  • Nov 13
Zoom Meeting ID: 61554826915
Description: Zoom room for WLCG AuthZ Call
Host: Tom Dack
Alternative hosts: Maarten Litmaath, Hannah Short

Present: Maarten L, Tom D (Notes), David K, Matt Doidge, Federica A, Roberta M, Patrick, John SDSJr, Dave D, Berk B

Apologies: Mischa S, Enrico V

Notes:

Action: Maarten to look at reviving the RTE Task Force

  • Usage of SHA1, which should have been phased out a while ago
  • https://twiki.cern.ch/twiki/bin/view/LCG/EL9vsSHA1CAs
  • SHA1 is not supported on EL10: it cannot simply be enabled on its own, but requires enabling the legacy settings, which bring several other things with them
    • It is to be expected that this would be blocked at the policy level
  • Therefore, we should look to move away from SHA1 wherever possible
  • Maarten & Brian have discussed
    • Most middleware shouldn't worry about SHA1 in root certs, as they exist in the trust store.
    • Currently verifying whether this works, looking at dCache (which would also cover StoRM, as both use CaNL-Java). Brian has also done other checks, so HTCondor has likely also been checked, but XRootD by default will also check the root certificates. Maarten has asked Brian for details about what sites would need to check or configure.
  • Dave K contributes from IGTF (EuGridPMA & TAGPMA)
    • IGTF is sympathetic, but has not set a deadline
    • Pointed out that if the CA root certificate is the only one using SHA1, then it doesn't matter because it's in the store
      • DigiCert to be suspended from TAGPMA due to not engaging
      • Australian Site in Melbourne having issues with their host and user certificates, formerly issued by DigiCert
        • after the meeting, Maarten has updated the relevant GGUS ticket with a pointer to the ASGC catch-all CA for Asia-Pacific
    • No Catch-all CA for US & EU
      • Dave K expresses that EU doesn't need one due to other routes
      • eMudhra CA would also be an option - commercial CA in India
      • Look to work toward no longer depending on our own set of CAs, which these days are still needed because of our user (not host) certificates
    • Need to, as a community, review what is required of CAs to ensure trustworthiness
      • We might need to be concerned about "whims" of the CA/Browser Forum impacting us badly
      • But then again, if those CAs work for the rest of the internet, why should we remain an exception?
    • Google Trust Services CAs are now nearly approved by TAGPMA
    • Let's Encrypt is also expected to get there next year
  • WLCG may need to set deadlines in order to see movement with this
    • Had been suggested already in WLCG Ops
    • End of 2026 has been suggested, which would then need to be announced soon
    • At the very least, the few SHA-1 CRLs should be changed to SHA-2
  • Separate issues around CRLs, which for many CAs are not available via IPv6
    • There is a workaround, with an IPv6 mirror
  • The various "dark clouds" around certificates mean that token work must keep progressing steadily
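Added example, not from the minutes or from any WLCG tool: a stdlib-only Python check that reports which files in a trust-store directory are still SHA-1-signed, so a site can see whether only root CA certificates are affected (which the notes say does not matter, as they sit in the store) or also CRLs (which the notes say should move to SHA-2). The default path and the .pem/.0/.r0 suffixes are assumptions following the usual /etc/grid-security/certificates layout.

```python
import base64
import os
import re

SHA1_OIDS = {"1.2.840.113549.1.1.5",   # sha1WithRSAEncryption
             "1.2.840.10045.4.1"}      # ecdsa-with-SHA1

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Convert OID content octets to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Dotted signatureAlgorithm OID of a DER certificate or CRL; both are
    SEQUENCE { tbs, AlgorithmIdentifier, BIT STRING }, so one walk serves both."""
    _, start, _ = _tlv(der, 0)                  # outer SEQUENCE
    _, _, tbs_end = _tlv(der, start)            # skip tbsCertificate / tbsCertList
    _, alg_start, _ = _tlv(der, tbs_end)        # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    return decode_oid(der[oid_start:oid_end])

def pem_to_der(text):
    """DER bytes of the first PEM block (CERTIFICATE or X509 CRL) in text."""
    m = re.search(r"-----BEGIN [A-Z0-9 ]+-----(.*?)-----END", text, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def scan_trust_store(path="/etc/grid-security/certificates"):
    """Return [(file, oid)] for SHA-1-signed CA certs (.0/.pem) and CRLs (.r0).
    Path and suffixes are assumptions matching the common IGTF layout."""
    hits = []
    for name in sorted(os.listdir(path)):
        if name.endswith((".pem", ".0", ".r0")):
            with open(os.path.join(path, name)) as f:
                oid = signature_oid(pem_to_der(f.read()))
            if oid in SHA1_OIDS:
                hits.append((name, oid))
    return hits
```

Files ending in .r0 that appear in the result are the CRLs the notes single out; .0/.pem hits are root or intermediate CA certificates and need the per-middleware check described above.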


Job Accounting with only Tokens

  • Complete solutions for ARC-CE and for HTCondor CE with HTCondor batch system
    • Not a solution when other batch systems are used instead
    • HTCondor solution is orthogonal to APEL's own solution, but decoupled from APEL code
      • Look to imitate this within the APEL code, to provide a solution.
      • Maarten to look to have a direct meeting with Adrian to make a plan of action
      • Aim for other batch systems, including Slurm, to be covered the same way.


AOB:

  • Closed Token Task Force progressing with WLCG issues, but still needs AuthZ group to do some of the actual work!
    • Also other groups, such as Token Trust & Traceability, DOMA BDT
    • AuthZ WG is mainly concerned with the token profiles and IAM evolution
  • Tentative timeline with some deadlines over the next year
    • Maarten presented on the timeline recently, and notes that further progress following the new profile should be expected over the course of this year.
      • Updated tentative timeline is shown on page 18 of this talk
        • Mind the 2025 typo in the milestones for 2026
  • TTT Group working on a token risk assessment since the middle of summer, and should report on this by the end of the year.
  • Questions around status of no longer storing tokens
    • Noting concerns around the DB handling ever more concurrent tokens (21M for ATLAS, uncharted territory for IAM).
    • Aim is to do this in v1.14 after required DB changes are done in v1.13, so that roll back would be more manageable, if needed
    • Federica to follow up with Francesco & Enrico on the possibility of a v1.14 pre-release to be used for ATLAS.
  • Token issuer public key cache standardization proposal
    • Dave D notes this is waiting on Brian B, and shares that as Brian has a proposal due, this may be delayed.