06.11.2013 Editorial Access/Management/Maintenance of the suspension list content.
Revision as of 13:54, 11 June 2013
Attendees
- Romain Wartel (CERN/WLCG)
- David Kelsey (STFC/EGI-CSIRT)
- Leif Nixon (SNIC/EGI-CSIRT)
- David Groep (FOM/EGI-CSIRT)
- Sven Gabriel (FOM/EGI-CSIRT)
Agenda/Minutes
The following topics have been discussed taking into account the EGI CSIRT Operational Procedure for Compromised Certificates and Central Security Emergency suspension (https://documents.egi.eu/secure/ShowDocument?docid=1018).
1. Service Maintenance/Availability:
=> CERN has run an ARGUS production server, used by some EGI grid sites, for 3 years. CERN provides this service on a best-effort basis; support is provided via the CERN-Helpdesk / CERN-Security-Contact / CERN-Security-Experts. The usual reaction time is nevertheless less than an hour.
2. Who uses the Emergency Suspension Framework?
=> The Emergency Suspension Information hosted by a service at CERN will be used by the following infrastructures:
- EGI
- WLCG
- OSG
3. Who has write access to the suspension list?
=> Write access will be strictly limited to a small number of trusted named individuals from the participating infrastructures. At present these individuals are:
- For EGI-CSIRT: Leif Nixon and Sven Gabriel
- For WLCG: Romain Wartel
4. Communication/who gets notified about possible changes of the suspension list content?
=> Each participating infrastructure decides how, and by whom, its constituency is informed about changes to the content of the emergency suspension list. The guidelines for this communication are the subject of the respective Incident Response Procedures.
5. Content of the emergency suspension list
=> The emergency suspension framework only operates on individual entities, i.e. user or host/service DNs.
6. GOC-DB's role in the framework
=> Services that are allowed to contact the central suspension service to download the suspension information should be registered in GOC-DB. Based on this GOC-DB information, ACLs on the central instance can be configured. A mechanism similar to the one used for access to APEL should be possible here.
7. Next steps/open issues
=> The following technical issues will be discussed via the Emergency suspension mailing list: central-suspension-mp@mailman.egi.eu
- Format of the suspension list
- Interface the clients connect to, to pull the suspension list
- Development of a recommended Argus server deployment scenario in the NGIs and RCs
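To make items 5 and 6 concrete, the following is an added example (not code from the minutes, from EGI or from the Argus project) that models the two checks described there: an ACL on the central instance derived from a GOC-DB-style registry of services allowed to pull the list, and a lookup of user or host/service DNs against the list itself. The registry entries, the DNs and the list content are all constructed for the example, and the list format (one DN per line, `#` comments) is an assumption, since item 7 leaves the real format as an open issue.

```python
"""Toy model of the central emergency-suspension service (added example).

- build_acl / may_download: item 6, only services registered in GOC-DB
  may download the suspension information.
- parse_suspension_list / is_suspended: item 5, the list holds user and
  host/service DNs only, so a lookup is a DN membership test.
All data here is constructed; the line-based list format is assumed.
"""

from typing import Dict, Iterable, Set

# Constructed stand-in for GOC-DB service entries (hypothetical values).
GOCDB_REGISTRY = [
    {"site": "EXAMPLE-SITE-A", "service_type": "emi.ARGUS",
     "host_dn": "/DC=org/DC=example/OU=hosts/CN=argus.site-a.example.org"},
    {"site": "EXAMPLE-SITE-B", "service_type": "emi.ARGUS",
     "host_dn": "/DC=org/DC=example/OU=hosts/CN=argus.site-b.example.org"},
    {"site": "EXAMPLE-SITE-B", "service_type": "CE",
     "host_dn": "/DC=org/DC=example/OU=hosts/CN=ce.site-b.example.org"},
]

# Constructed suspension list in the assumed one-DN-per-line format.
SUSPENSION_LIST = """\
# emergency suspension list (constructed example)
/DC=org/DC=example/OU=users/CN=Compromised User 1234
/DC=org/DC=example/OU=hosts/CN=wn042.site-c.example.org
"""


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN so that whitespace and attribute-type case do not
    defeat a match. Assumes OpenSSL-style '/'-separated DNs whose values
    contain no '/' characters (sufficient for this example)."""
    parts = [p.strip() for p in dn.strip().split("/") if p.strip()]
    normalized = []
    for part in parts:
        attr, _, value = part.partition("=")
        normalized.append(f"{attr.strip().upper()}={value.strip()}")
    return "/" + "/".join(normalized)


def build_acl(registry: Iterable[Dict[str, str]],
              service_type: str = "emi.ARGUS") -> Set[str]:
    """Item 6: the set of host DNs allowed to pull the list is derived from
    the registered services of the given type, nothing else."""
    return {normalize_dn(entry["host_dn"])
            for entry in registry if entry["service_type"] == service_type}


def may_download(client_dn: str, acl: Set[str]) -> bool:
    """ACL decision for a client presenting the given host DN."""
    return normalize_dn(client_dn) in acl


def parse_suspension_list(text: str) -> Set[str]:
    """Parse the assumed line-based format, ignoring blanks and comments."""
    entries: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.add(normalize_dn(line))
    return entries


def is_suspended(dn: str, suspended: Set[str]) -> bool:
    """Item 5: a user or host/service DN is suspended iff it is on the list."""
    return normalize_dn(dn) in suspended


def handle_download(client_dn: str, registry=GOCDB_REGISTRY,
                    list_text: str = SUSPENSION_LIST) -> Set[str]:
    """Central-instance behaviour: enforce the GOC-DB-derived ACL before
    handing out the parsed list; unregistered clients get nothing."""
    if not may_download(client_dn, build_acl(registry)):
        raise PermissionError(f"service not registered in GOC-DB: {client_dn}")
    return parse_suspension_list(list_text)


if __name__ == "__main__":
    entries = handle_download(GOCDB_REGISTRY[0]["host_dn"])
    for dn in sorted(entries):
        print("suspended:", dn)
```

Keeping the ACL as a pure function of the registry means that adding or removing a site's Argus instance in GOC-DB is the only way to change who may pull the list, which is the property item 6 asks for.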