Token Trust & Traceability WG
Fortnightly for the risk assessment season.
https://codimd.web.cern.ch/uujoR_iRRMmAQ50pG5Kg9w#
# TTT 10th March 2026
Attending: Matt, Maarten, DaveK, Mischa, Linda, Luna, TomD
Apologies:
## Actions, Previous Meeting
* Maarten has worked on the document.
* CHEP submission accepted as a talk
## Document
ML transcribed much of the spreadsheet into the document.
We probably don't need to justify all our scores.
One point is to just use the "meta-table", with added examples.
Note removal of reputation row.
Move executive summary closer to the start.
The main areas of concern haven't really changed.
MD - will need to add scoring to the executive summary.
ML - should look at high impact cases even if low likelihood, to match previous risk assessments.
Should we also cover the high likelihood cases? Will likely keep security people busy sorting this out.
Luna suggests https://indico.cern.ch/event/394780/contributions/1832624/attachments/1239210/1821442/WLCG_Risk_Assessment.pdf for inspiration.
DK - No impact/likelihood 1s or 5s; are there really no impact 5s?
ML - more about "typical impact". Not the wild west, we do have controls.
DK - ended medium, high or low.
TD - is this partly due to poker voting averaging things out?
Luna agrees that it is strange, do we need to change the values for the levels?
DK - maybe removing the point values muddied the waters.
Luna - are these unused numbers useful?
ML - conclusion for next version of the assessment.
ML - also notes we aimed high on split votes.
Linda - agrees, need to record this
MS - 5s don't happen with token jobs, sites will ban users.
Low impact is more or less out of scope. Parallel with SVG.
Zero-day exploit scenario tempered by low likelihood.
No hard numbers on these.
Agreed to go for the meta-table, with a bit more narrative.
TomB - flesh out, mention 1s and 5s raised and averaged out - "Methodology" section.
MS - Also looked at typical scenarios, averaging out further
ML - propose document published by WG on zenodo.
TD notes possible issues with CHEP paper
ML - not an issue with zenodo (not peer reviewed)
TD suggests focussing chep paper on process
All agree.
Story to tell of why no 1s and 5s.
Matt has a goal for ~1.1 that we can get the process down to 1 sitting.
ML - 1.1 might be warranted by new information, like mitigation options or things in production.
Notes so far
- meta table becomes table
- move executive summary up, give scoring information to it
- add in a "Methodology" section
- dump template page
ML:
- add in conclusions
- flesh out threats
Should not aim for page breaks, just edit for aesthetics to remove "ugly" breaks.
Discussion of DDOS in impact table? Others or similar?
Luna suggests it's the other party's risk.
Keep rows as is, but note effects on third parties in the table narrative.
Luna notes shouldn't overly focus on DDOS
## Other News?
Not checked as out of time.
## Actions
Add to document, email group if making any significant changes.
TomD will make a start on the CHEP talk, now we have a refreshed focus for it.
## AOB, next meeting
This time on the 31st? Seems to work.