WLCG AuthZ Call

Europe/Zurich
513/R-068 (CERN)
Description

Notes:

Previous Actions:

  • Action: Maarten to look at reviving the RTE Task Force


Proposed agenda:

  • TBC - in email

 

Zoom meeting:

Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!

Next Meeting: 

  • Nov 27
Zoom Meeting ID: 61554826915
Description: Zoom room for WLCG AuthZ Call
Host: Tom Dack
Alternative hosts: Hannah Short, Maarten Litmaath

Present: Adrian (APEL), Anders, Dave D, Donald, Enrico, John, Maarten (notes), Patrick, Roberta, Stephan

Apologies: Tom, Linda, others at the EGI CSIRT F2F meeting

Notes:

Maarten describes how he thinks APEL can be fixed for jobs that come only with tokens, no VOMS proxies to determine the VO etc. Petr Vokac implemented a solution in the package that is distributed by HTCondor as part of externally contributed add-ons, which only works if not only the CE, but also the batch system is HTCondor. Given that we expect the APEL client to be replaced more and more by the AUDITOR client, already in production at several sites and being tested by a few others, we should not invest too much effort in improving the APEL parsers. The idea is to imitate what Petr implemented, as it does not look to be a major undertaking, but Maarten will need some quiet time to be able to focus just on that. He will follow up directly with Adrian.

Next, new arrival Anders introduces himself: he has just started working in the CERN IAM Team and is preparing to take over the management of the IAM services, with Berk still remaining available to advise and help out when needed. Welcome to Anders!

Maarten then describes how we have various WGs and TFs dealing with different aspects of the token ecosystem and that these days the AuthZ WG is concentrating on the evolution of the IAM services and of the WLCG token profiles. Regarding the latter, while v1.1 was published very recently, on Sep 23, we already foresee v1.2 being published before the end of this year: it is needed to adjust a few things related to tape operations, as proposed in the recent XRootD-FTS workshop, to be discussed and agreed in the next DOMA BDT meeting, expected to take place on Nov 19 and to appear in its dedicated Indico category. As none of that is in production today, we can stay within the v1 series for those changes.

Next, Maarten describes how the RTE (Resource Trust Evolution) TF mentioned on the agenda may need to be revived one day, while in the meantime, related matters are dealt with ad-hoc. For example, the DigiCert CAs will need to be removed from the IGTF distribution in the near future because DigiCert no longer wants to provide an IGTF-compliant service. As this poses problems for Belle II users in Australia and hopefully just one grid site in that country, various parties are looking into ways to mitigate matters sufficiently. In a few years, when users no longer need certificates because tokens also work for them, we foresee that host certificates can be obtained from industry-standard CAs instead.

Finally, another matter related to CAs was presented and discussed in the Ops Coordination meeting on Nov 6: concerns about the continued use of SHA-1 in some CA root certificates and/or CRLs, given that SHA-1 signatures are disabled by default as of EL9.

Stephan reports that, to his knowledge, the IHEP CA in China plans to start the phase-out of its SHA-1 usage by the end of this year and suggests that the other concerned CAs should be asked about their schedules, if any. Maarten agrees and notes he will first present the state of affairs and the proposed deadline for the end of SHA-1 support in WLCG (end of 2026) in the Management Board on Nov 18, to be able to refer to the decision(s) taken there.
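As an added illustration of the check a site would run for the SHA-1 concern above (example code written here, not part of the minutes and not a WLCG, IGTF or EL9 tool), the script below reads the outer signatureAlgorithm of DER-encoded X.509 certificates and CRLs and flags the SHA-1 variants. Only the outer ASN.1 layer is parsed with the standard library; the OID table and the sample objects are constructed inline, and the directory and file-name conventions mentioned in the usage note are assumptions about a typical IGTF installation.

```python
# Added example (not from the meeting minutes or any WLCG/IGTF tool):
# report the signature algorithm of DER-encoded X.509 certificates and
# CRLs so that SHA-1-signed CA roots or CRLs can be found before an EL9
# host rejects them. The OID table and the sample objects are constructed
# here, not taken from a real CA.
import base64
import re

# Signature-algorithm OIDs that use SHA-1 (RFC 3279 and the OIW arc).
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.3.14.3.2.29": "sha1WithRSAEncryption (OIW)",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
KNOWN_OIDS = {
    **SHA1_SIG_OIDS,
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                 # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm. A Certificate and a
    CertificateList (CRL) share the shape SEQUENCE { tbs, AlgId, BIT STRING },
    so the same walk serves both: skip the TBS part, read the AlgId's OID."""
    tag, outer, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(outer, 0)      # skip tbsCertificate / tbsCertList
    tag, alg, _ = _read_tlv(outer, pos)  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def pem_to_der(pem):
    """Base64-decode the first PEM body (CERTIFICATE or X509 CRL)."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()))

def check(der):
    """Classify one DER object as (oid, algorithm name, uses_sha1)."""
    oid = signature_algorithm(der)
    return oid, KNOWN_OIDS.get(oid, "unknown"), oid in SHA1_SIG_OIDS

# --- constructed sample data: minimal DER skeletons, not real CA artefacts ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out

def make_sample(sig_oid):
    """SEQUENCE { SEQUENCE{}, AlgorithmIdentifier{oid, NULL}, BIT STRING }."""
    tbs = _tlv(0x30, b"")                            # empty stand-in for the TBS part
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 201)                  # long enough to force long-form lengths
    return _tlv(0x30, tbs + alg + sig)

def make_pem_sample(sig_oid, label="CERTIFICATE"):
    body = base64.b64encode(make_sample(sig_oid)).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```

On a site host the same check would be applied to every PEM file in the trust-anchor directory, assumed here to be /etc/grid-security/certificates with the CA certificates as *.pem and the CRLs fetched by fetch-crl as *.r0: `check(pem_to_der(open(path).read()))` for each file, reporting those where the third element is True. The script only classifies the signature algorithm; whether a given artefact is actually rejected on EL9 depends on which signature the verifier checks (a CRL signature is always verified, while a trust anchor's self-signature is not verified by OpenSSL unless X509_V_FLAG_CHECK_SS_SIGNATURE is set), so a SHA-1 CRL is the case that breaks first.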

The next meeting is planned for Nov 27, by which time we may have a good idea about v1.2 of our token profiles.
