Joint Security Policy Group meeting (14 and 15 May 2009)

Europe/Zurich
600-R001 (CERN)

Description
Meeting of the Joint (EGEE & WLCG) Security Policy Group. Phone conference details - please call +41227676000 and enter code 0176608 Please let Dave Kelsey know if you intend to join by phone. All timings are approximate.
JSPG meeting (http://indico.cern.ch/conferenceDisplay.py?confId=56981), May 14-15 2009

Attending: Dave Kelsey, Denise Heagerty, David Myers, Steven Newhouse, Jim Basney, David Groep, Reimer Karlsen-Masur, Eric Yen, Oxana Smirnova, Romain Wartel, Frederic Schaer (by phone), Jinny Chien (by phone), Ruediger Berlich (by phone)

Executive Summary:
* Virtual Organization Registration Security Policy goes to last call.
* Virtual Organization Membership Management Policy goes to last call.
* Security Incident Response Policy is ready for wider consultation.
* Grid Policy on the Handling of User-Level Job Accounting Data is ready for wider consultation.
* VO Portal Policy is ready for wider consultation.

Minutes:

Welcome by Dave. May 1 begins the final year of EGEE-III. Looking forward to EGI. Plan: review policies, simplify, apply to NGIs. Reimer joins us representing German grid activities. We also look for collaboration outside Europe. Jim Basney joins us from OSG (USA). Eric Yen joins us from Taiwan. Also Jinny. Mingchao was unable to attend (representing UK NGS) for personal reasons. Frederic joins us from France. David Groep joins us from Dutch Grid. Oxana Smirnova joins us from Nordic grid activities. Today we discuss pending policies. Tomorrow we look to future policy plans. Denise can't join us tomorrow. Ruediger joins us from Karlsruhe.

Dave led a discussion of news and introductions of and for newcomers.

Review of <https://edms.cern.ch/document/931980/3>: This document was input to the Infrastructure Policy Group. Sec 2.2 lays out the relation to local security policies: "JSPG policy augments local policies by setting out additional Grid-specific requirements." Aim to set policies that can apply universally. Avoid the requirement for every user to register at every site. Even every VO can't register at every site. User accepts the AUP when registering with a VO. VO accepts policies when registering with a grid.

Frederic: The policies are difficult to find.

JSPG policies are on the JSPG web sites. Grid policies are on each grid's web sites. Each grid adopts the JSPG policies by modifying the document or creating a cover page. Use a Creative Commons license on policies? Want policies to be widely used but also acknowledged, with changes fed back in.
EGEE Security Policies: http://osct.web.cern.ch/osct/policies.html
OSG Security Policies: https://twiki.grid.iu.edu/bin/view/Security/PoliciesProcedures

Proposed goal for next year:
* Single JSPG web site with policies clearly laid out using a Creative Commons license.

EGI Design Study has created a list of security contacts for NGIs. Good to involve them in discussions going forward. EGEE ROCs need to coordinate with NGI security contacts. Should JSPG have a representative from both the current TeraGrid and the follow-on TeraGrid (two competing proposals)? Would it be possible to get letters of intent from participants? Each grid decides its own policies and relationships with users, VOs, and sites. Does the EGI MOU include adoption of common policies? Does JSPG have metrics on policy adoption? JSPG is only advisory. We don't formally represent projects. Participation in JSPG doesn't imply adoption of JSPG policies by participating grids. JSPG is a "working group" for producing policies to address concerns of stakeholders. VOMS Admin still does not have the capability to require users to accept the Grid AUP. JSPG doesn't impose anything on anybody.

Dave led a discussion of the VO policies:
https://www.jspg.org/wiki/Virtual_Organisation_Membership_Management_Policy
https://www.jspg.org/wiki/Virtual_Organisation_Registration_Security_Policy
See the wiki discussion page for notes. These policies are near complete. Next step is to deliver them to the EGEE/LCG MBs. Future discussion: Does a VO register with each grid?

Romain led a discussion of a new Grid Incident Response Policy: https://www.jspg.org/wiki/Grid_Incident_Response_Policy
EGEE OSCT has a new incident response procedure. Romain pointed the group to <http://cern.ch/grid-sec>, which is a new group for coordinating response to cross-grid security incidents.

Dave led a discussion of: https://www.jspg.org/wiki/Grid_Policy_on_the_Handling_of_User-Level_Job_Accounting_Data
See the wiki discussion page for notes. Reviewed feedback received.

Steven discussed the EGI security coordination architecture. Large number of groups. Unclear relationships. Steven proposed an arrangement of a Software Security Group, a Software Vulnerability Group, and an Operational Security Coordination Team in EGI. There will be different middleware contributors to EGI. Each contributor should take care of its own security. The current MWSG is a forum, not an operational group. Where does IPG fit?

David Groep led a discussion of: http://www.jspg.org/wiki/VO_Portal_Policy
See the wiki discussion page for notes.

Dave presented the Policy for Global Banning. OSCT has commented on it. Christoph has requested review/approval by JSPG. New wiki page created at: http://www.jspg.org/wiki/Statement_on_Global_Banning_of_Users
Notes are on the wiki discussion tab.

Dave led a discussion of CA Policies. WLCG requirements on IGTF: see slides 19-21 of Kelsey8apr09.ppt attached to the agenda. How to get input from VOs?
* EGEE VO managers' group
* OSG VO Forum
The JSPG Policy doesn't say anything about Root CAs. Currently IGTF lists them as accredited Classic CAs. When IGTF adds a new profile for Root CAs, the JSPG policy should be updated.

Dave led a discussion on JSPG future plans. Review the top-level Security Policy? Look at what we've got and how it should change? There is an EGEE-III deliverable to review all policies. We're aware that the top-level security policy has overlaps and inconsistencies. We've recently created new policies on stakeholder demand. Do we need a roadmap? Should we spend the rest of the year updating existing policies?

Jim: We need a clean break. Not another round of updates.

Will EGI carry on in the same vein as EGEE-III? We want to make things simple and common to hand over to EGI. It's still difficult to predict what EGI will do at this point. We should work on a better policy structure. Simplify. How much of the policies have been implemented? What are our success metrics? Very little experience policing or sanctioning based on policies. Policies put pressure on people to do the right thing. A large number of infrastructure grids have adopted JSPG policies. The Grid AUP is widely adopted. What other policies are widely adopted? VOMS Admin still doesn't have the functionality to meet the VO Registration Policy. Question of how we publish the policies and get feedback. It's difficult to disseminate the policies. Should JSPG continue serving both cross-grid policies and EGEE/EGI policies? What are we trying to achieve? Security policies are a risk management control. This is a trust-building exercise for cross-grid interoperability. Need to include context (footnotes) about why the policy says what it says. Should we write a whitepaper about our experience? Is registration a first-class policy issue? Do we have a document that sets out what the problem is? We need to define our policy framework.

What are the generic / essential policy elements?
* AUP
* Site Security Policy
* VO Security Policy
* Grid Security Policy
* Service Provider Security Policy (replaces Site Security Policy?)

Proposal is to write a document that gives an overview of where we are and how we should proceed in the future. Describe the trust models and the policy framework.

Plans for the next meeting. Co-locate with the next EUGridPMA meeting (Sep 14-16 in Berlin)? Co-locate with EGEE'09 (Sep 21-25 in Barcelona)? Is September too full? Last week of August?

Decided (tentatively):
* Small team to meet at the end of August.
* Meet Sep 16-17 in Berlin.
    • 09:30 - 12:30
      Session 1
    • 14:00 - 18:00
      Session 2
      • 14:00
        Security Incident Response Policy (1h 30m)
        Speaker: Mr Romain Wartel (CERN)
      • 16:00
        VO Portal Policy (1h 30m)
        Speaker: David Groep (Nikhef)
    • 09:30 - 12:30
      Session 3
      • 09:30
        Review of agenda (15m)
      • 09:45
        Security Policy beyond EGEE-III (30m)
      • 10:15
        Overall Policy Framework (30m)
        Framework for the policy being revised for handover to EGI
      • 11:00
        Revision of Grid AUP (1h)
    • 14:00 - 16:00
      Session 4
      • 14:00
        Review of top-level Security Policy (1h)
      • 15:00
        Future plans and dates of next meetings (30m)
      • 15:30
        AOB (30m)