Report from SCG, 30/10/2009
Romain reported on the EGEE plans to integrate the Gilda training resources into the production infrastructure. There have been several e-mail threads on this. The issues were discussed earlier this week at the SA1 operations meeting. Romain reported that many concerns were raised about this and not just security-related ones.
The security concerns include the fact that the Gilda CA does not have robust enough identity vetting procedures to be accredited by IGTF.
Gilda has a separate VO which has been registered with EGEE and one suggested approach has been to leave Sites to decide to support the Gilda VO and to also trust the Gilda CA. The sites would then have to agree to take on any risks.
SCG discussed the security issues at some length and concluded that:
a. The risks are more complex than individual sites agreeing to take on the associated risks. Any risks associated with Gilda work running at EGEE production sites potentially threatens the whole infrastructure.
b. SCG is very concerned that EGEE procedures have allowed the Gilda VO (which violates currently adopted security policies) to be officially registered. SCG recommends that the Gilda VO should not be registered with EGEE. Several NGIs handle training at the national level and already have a local training CA. Perhaps this would be the best model to follow?
c. SCG strongly recommends that Gilda certificates should not be issued online without appropriate identity vetting of the applicant.
d. The Gilda Portal should meet the requirements of the recently adopted VO Portal Policy.
