Token Trust & Traceability WG
Meeting fortnightly during the risk assessment season.
https://codimd.web.cern.ch/yL7uzX6VTSm5f7h2CpAO9w
# TTT 28th November 2025
Attending: Matt, Marcus, DaveK, Anders, Donald, Luna, Jens.
Apologies:
## Misc. items
* CHEP - Tom D kindly offered to present any TTT CHEP submission, so we will work on that offline. Matt will start an Overleaf document (using our previous submission as a template) and share the link. Deadline is the 19th of December (3 weeks from today): https://indico.cern.ch/event/1471803/page/39488-key-dates
* In feedback after presenting this risk assessment work to the EGI CSIRT it was suggested we try to align with an existing R/A framework. Matt will look over Christmas at whether this could be "back-ported" to our processes.
## Last meeting
Tackled TR-5 (Misuse of resources from a single identity with no revocation channel) for the first 3 workflows. Hopefully we will finish it today.
Alignment with an existing standard would be left until "version 1.1" next year, so as not to delay the first release of the work.
## This meeting
Recap for Anders, Marcus, Jens.
Some discussion of the CHEP paper and how much of this work we want to put in public reports.
Noted that we need to revisit 4e and 4f.
Will likely need to subdivide these lines between general users and power users.
Marcus notes that TR-4 and TR-5 are similar. Luna is in agreement; how are misuse of resources and stolen tokens similar?
The asset is the difference between the two (Digital Identities vs. Resources).
TR-4 is token theft, TR-5 is misuse of resources.
The mitigation strategies differ.
Luna - Could be a case that these are the same and we merge them.
Likelihood will be greater.
Some discussion of the differences between 4 and 5: 4 involves theft or similar, 5 is someone who has a "foot in the door".
Marcus - okay to keep them separate if the mitigations and assets are different.
ML - we need to check that copy-pasting hasn't inserted statements that don't make sense.
Goal is prevention of abuse of resources.
In favour of looking from perspective of high level assets.
Reminder that we don't typically consider the nation-state level attacker.
Discussion of Likelihood, and that it should mean the likelihood of the threat occurring at a level of significance. Note that likelihood levels 3 and 4 are a bit too ambiguous.
ML - we will want to look at this from the resource misuse perspective.
DC notes user onboarding is robust, so that should help reduce the chances. Noted that we haven't included training or on-boarding as a mitigation in many cases.
DC notes that people can be creative when breaking a system.
DK starts some discussion about non-round figures and our method of vote-discuss-decide.
Advice: high-impact threats should always be mitigated.
Discussion of whether 5c and 5d are the same in terms of Likelihood and Impact. Token length doesn't matter if the user is "legitimate".
Discussion of the use case. Tokens with storage.modify scope are a factor; we may need to separate out whether we assess with or without mitigations. But note that users are confined.
A production manager could do a lot more damage, but is subject to greater controls(?)
Some more discussion of the CMS case, Matt is soothed by the fact that the storage.modify scope is tightly controlled.
Reminder that we will be "observing" token usage to prevent slippage of standards.
## AOB, Next Meeting
Next (and last of 2025) meeting is Wednesday 17th of December at 13.00 CET.
Luna notes that this meeting is quite late, but it should be okay.
Discussion of comparing this work to the Token TF work.
Next time: look at 5e, 5f, and power users vs. ordinary users (circling back to look again at threats 4e and 4f).