08/03/2007 OSG Security Meeting Minutes
1) Security control 2.3.1.3 was discussed. We interviewed the Operations Coordinator and
discussed the results.
-- We decided that OSG must have a clear barring policy. The policy must state how the barring
process is initiated, executed and audited, and it must also cover the escalation process. We will look
into existing policies from the EGEE project.
-- We will communicate the above document to the OSG Executive Team.
-- We will develop awareness materials for Sites, VOs and users to communicate their accountability
and responsibilities towards OSG.
-- Should a barred user's certificate be revoked? The VO membership must clearly be revoked, as the user
violates the AUP. The DOE certificate may not be specific to OSG, and a violation of OSG policies does
not automatically equate to a violation of DOE policies. Open question: are we in agreement on this?
2) We discussed the JSPG Approval of Certificate Authorities Policy. We have no objection to the policy, although
we proposed minor changes to the document.
-- Who in OSG is responsible for announcing a new installation?
VDT currently has RPMs and a client-side script that can automatically download the CA package. The script
checks for new CA packages every hour and updates the site. The GOC also sends email to the Sites to announce
changes in the CA package.
-- Do sites *have* to install the packages?
This must be discussed in the Site operational policies. Sites must install updates to the existing CAs
(such as CRLs) immediately; not doing so endangers the site and leaves grid users of the
site vulnerable to attacks. However, punitive measures for a non-compliant site are yet to be determined.
-- When a site removes a trusted CA from the CA package
This is a rare case, but JSPG requires the Site to inform operations centers in such cases. We decided that in OSG
the GOC would be informed. This situation would cause end users with valid credentials
to be denied access to some site resources. Since sites have the final decision over access by grid users,
this is not against OSG Policies. Open question: should OSG collect this information?
-- CAs temporarily approved by an appropriate grid management body
In OSG, the appropriate grid body is the Executive Team (Ruth, Miron, who else?).
Temporary CAs are reviewed annually. There is no specific deadline, but the expectation is that the CAs eventually
become IGTF approved. This can be added as a Security control.
3) Site Operations Policy: to be considered by the OSG EB on Aug 10. It refers
to specific OSG practices; these OSG practices need to be defined or
identified.
4) Converging the IGTF repository with VDT: open question.