Security Meeting (Weekly)

US/Central
Description
OSG Security Team meets each Friday
Meeting Minutes 08/10/2007

1) Items left from last week
--The reverse barring policy: discussing how sites can terminate their agreement with OSG.
--We all agree that it is up to the Sites to terminate their provision at will.
--Sites can temporarily withdraw.
--Possible places to state this: OSG Service Agreement, ..?
--JSPG approval of CA
--included MICS
--we go by the profile
--we reserve the right to exclude any IGTF profile
--we can follow up on the MICS profile next week.
--Question on barring a user: what if the user has multiple certificates? A violation can be traced back to a specific certificate. Let's assume the certificate has VOMS attributes (assume the VO issued the group and role names into the cert); OSG can ask that specific VO to revoke the membership. If the user has a different certificate, the question becomes whether the second certificate has VOMS attributes, i.e. whether the user has two different VO memberships. If it does not (assume all Sites expect VOMS roles), then there is no problem, because it won't get access to any Sites. Let's say the second cert has VOMS attributes. When the user is barred from OSG, this is a problem, because OSG is not aware of the second cert and cannot ask the second VO to revoke membership. Even when we ask each and every VO in OSG to check for the user, OSG will send the identity info generated from the first cert. Unless the second VO can see a relation between one of their members, registered with the second cert, and the barred user, the barred user will keep his membership in the second VO and continue to be a member of OSG. Let's assume that the Sites do not use VOMS and only use grid-mapfiles. We have a similar problem: the sites can remove the mapping for the detected DN of the user (from the first cert). If the user has another mapping via his second DN, then that Site is very likely not to remove this mapping, because the Site is not aware of any problems related to the second DN.
If the Site is smart enough to know that the second cert belongs to the same barred user as the first cert, of course it would work. The solution that I can see right now is that OSG has a package of CAs that Sites and services trust. We can submit the violating cert to each CA and ask them whether they issued another cert to the entity who owns the violating cert. If the answer comes back positive, we can distribute to VOs all other certificates issued to the barred user so that they can revoke the membership issued to the second certificate (or distribute DNs to the Sites so they can remove them from grid-mapfiles). I am aware that there are a lot of privacy issues tangled here, asking CAs about the other certs issued to the violating member and so on. I think this is a good scenario and we should re-visit this, especially when we are working on the VO membership and registration policies. Right now OSG recognizes a few CAs and it is very possible a user has multiple certs from each.

2) 2.3.3 Trust relationships
--define "trust" (I will include this in the current write-up)
--Rob is going to provide the Excel sheet for VO and Resource contacts
--we have only two documents to build trust: the OSG AUP and the Service Agreement
--we have no written agreements for Support Centers
--are the current AUP and Service Agreement sufficient?
--continue next week.
--intellectual property rights: should they be in the Service Agreement? Possible disputes between VO and sites regarding data. We agree OSG must leave it to the agreement between the site and VO; we can state this in the Service Agreement up front.
--trust relationship with CAs.
--agreed it needs to be defined
--can work on this more: OSG membership and registration issues.
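The grid-mapfile half of the barring discussion above can be shown concretely. The following is an added example written for these minutes; it is not OSG code and not a tool the meeting refers to. It parses the standard grid-mapfile line format (a quoted DN followed by one or more comma-separated local accounts), shows that removing only the reported DN leaves a second certificate of the same person mapped, and then shows two ways a site can do better with information it already holds: removing every DN it maps to the same local account (the site's own record that the certificates belong to one person), and a CN-matching heuristic that only produces candidates for a human to review. The sample grid-mapfile, the DNs, the CA namespaces and the account names are all constructed for the example; the CN-stripping rule is an assumption about how some CAs append a serial number to the CN, not a standard.

```python
"""Barring a user, not just a certificate, in a grid-mapfile.

Added example for the OSG security meeting minutes; not OSG code.
All sample data below is constructed.
"""
import re
from typing import Dict, List, Tuple

# grid-mapfile line: "<quoted DN>" <account>[,<account>...]; '#' starts a comment.
# Assumption: the unquoted-DN form and Globus mapping extensions are not handled here.
_LINE_RE = re.compile(r'^\s*"(?P<dn>[^"]+)"\s+(?P<accounts>[^\s#]+)\s*(#.*)?$')

# Constructed sample: Jane Roe holds certificates from two different CAs, both mapped
# to the same local account. DNs, CA namespaces and account names are hypothetical.
SAMPLE_GRIDMAP = """\
# constructed sample grid-mapfile
"/DC=org/DC=doegrids/OU=People/CN=Jane Roe 123456" janeroe
"/C=US/O=ExampleCA/OU=People/CN=Jane Roe" janeroe
"/DC=org/DC=doegrids/OU=People/CN=John Doe 654321" johndoe
"""


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Return {DN: [local accounts]}; a malformed line is an error, not a silent drop."""
    mapping: Dict[str, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"grid-mapfile line {lineno} is malformed: {line!r}")
        mapping[m.group("dn")] = m.group("accounts").split(",")
    return mapping


def bar_dn(mapping: Dict[str, List[str]], barred_dn: str) -> Tuple[Dict[str, List[str]], bool]:
    """The naive response to a barring notice: drop exactly the reported DN."""
    remaining = dict(mapping)
    return remaining, remaining.pop(barred_dn, None) is not None


def dns_sharing_accounts(mapping: Dict[str, List[str]], accounts: List[str]) -> List[str]:
    """DNs the site itself maps onto any of the given local accounts, i.e. the site's own
    record that several certificates belong to one person."""
    wanted = set(accounts)
    return [dn for dn, accts in mapping.items() if wanted.intersection(accts)]


def bar_user(mapping: Dict[str, List[str]], barred_dn: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Bar the person: remove the reported DN and every other DN the site maps to the
    same local account(s). Returns (remaining mapping, removed DNs)."""
    if barred_dn not in mapping:
        return dict(mapping), []
    removed = dns_sharing_accounts(mapping, mapping[barred_dn])
    remaining = {dn: accts for dn, accts in mapping.items() if dn not in removed}
    return remaining, removed


def _normalized_cn(dn: str) -> str:
    """CN value, lower-cased, with trailing digits stripped (assumption: some CAs append a
    serial number to the CN, so 'Jane Roe 123456' and 'Jane Roe' should compare equal)."""
    for rdn in dn.split("/"):
        if rdn.startswith("CN="):
            return re.sub(r"\s+\d+$", "", rdn[3:]).strip().lower()
    return ""


def similar_cn_dns(mapping: Dict[str, List[str]], barred_dn: str) -> List[str]:
    """Heuristic only: other DNs whose CN matches the barred DN's CN. CNs are not unique
    across CAs, so these are candidates for a human to check, never automatic removals."""
    target = _normalized_cn(barred_dn)
    return [dn for dn in mapping if dn != barred_dn and target and _normalized_cn(dn) == target]


if __name__ == "__main__":
    gridmap = parse_gridmap(SAMPLE_GRIDMAP)
    barred = "/DC=org/DC=doegrids/OU=People/CN=Jane Roe 123456"
    after_naive, _ = bar_dn(gridmap, barred)
    print("still mapped after barring one DN:", sorted(after_naive))
    after_user, removed = bar_user(gridmap, barred)
    print("removed as the same person:", removed)
    print("candidates by CN for manual review:", similar_cn_dns(gridmap, barred))
```

Running it shows the gap the minutes describe: after `bar_dn` the ExampleCA certificate is still mapped to `janeroe`, so the barred person keeps access. `bar_user` closes that gap only where the site already mapped both certificates to the same account; where it did not, the CN match gives a review list, and the cross-CA question remains the one the minutes leave open.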