The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "06.11.2013 Editorial Access/Management/Maintenance of the suspension list content."
| Line 7: | Line 7: | ||
= Agenda/Minutes = | = Agenda/Minutes = | ||
The following topics have been discussed: | The following topics have been discussed with regard to the [https://documents.egi.eu/secure/ShowDocument?docid=1018 "EGI CSIRT Operational Procedure for Compromised Certificates and Central Security Emergency suspension] | ||
1. Service Maintenance/Availability: | 1. Service Maintenance/Availability: | ||
=> CERN runs an ARGUS production server used by some EGI grid sites since 3 years | => CERN runs an ARGUS production server used by some EGI grid sites since 3 years | ||
=> CERN provides this Service on best effort basis, support is provided via the CERN-Helpdesk / CERN-Security-Contact / CERN-Security-Experts. Usual reaction time is is less then an hour, though. | => CERN provides this Service on best effort basis, support is provided via the CERN-Helpdesk / CERN-Security-Contact / CERN-Security-Experts. Usual reaction time is is less then an hour, though. | ||
| Line 17: | Line 18: | ||
2. Who uses the Emergency Suspension Framework? | 2. Who uses the Emergency Suspension Framework? | ||
=> The Emergency Suspension Information hosted by a service at CERN will be used by the following infrastructures: | => The Emergency Suspension Information hosted by a service at CERN will be used by the following infrastructures: | ||
* EGI | * EGI | ||
| Line 25: | Line 27: | ||
3. Who has write access to the suspension list? | 3. Who has write access to the suspension list? | ||
=> Write access will be strictly limited to a small number of trusted named individuals from the participating infrastructures. By now these individuals would be: | => Write access will be strictly limited to a small number of trusted named individuals from the participating infrastructures. By now these individuals would be: | ||
*For EGI-CSIRT: Leif Nixon and Sven Gabriel | *For EGI-CSIRT: Leif Nixon and Sven Gabriel | ||
| Line 32: | Line 35: | ||
4. Communication/who gets notified about possible changes of the suspension list content? | 4. Communication/who gets notified about possible changes of the suspension list content? | ||
=> Each participating infrastructure decides how/who to inform their constituency about changes of the content of the emergency suspension list. The guidelines on how the communication is done is subject of the respective Incident-Response-Procedures. | => Each participating infrastructure decides how/who to inform their constituency about changes of the content of the emergency suspension list. The guidelines on how the communication is done is subject of the respective Incident-Response-Procedures. | ||
| Line 37: | Line 41: | ||
5. Content of the emergency suspension list | 5. Content of the emergency suspension list | ||
=> The emergency suspension framework only operates on clients and entities, i.e. user or host/service DNs | => The emergency suspension framework only operates on clients and entities, i.e. user or host/service DNs | ||
Revision as of 13:53, 11 June 2013
Attendees
- Romain Wartel (CERN/WLCG)
- David Kelsey (STFC/EGI-CSIRT)
- Leif Nixon (SNIC/EGI-CSIRT)
- David Groep (FOM/EGI_CSIRT)
- Sven Gabriel (FOM/EGI-CSIRT)
Agenda/Minutes
The following topics have been discussed with regard to the "EGI CSIRT Operational Procedure for Compromised Certificates and Central Security Emergency suspension
1. Service Maintenance/Availability:
=> CERN runs an ARGUS production server used by some EGI grid sites since 3 years => CERN provides this Service on best effort basis, support is provided via the CERN-Helpdesk / CERN-Security-Contact / CERN-Security-Experts. Usual reaction time is is less then an hour, though.
2. Who uses the Emergency Suspension Framework?
=> The Emergency Suspension Information hosted by a service at CERN will be used by the following infrastructures:
- EGI
- WLCG
- OSG
3. Who has write access to the suspension list?
=> Write access will be strictly limited to a small number of trusted named individuals from the participating infrastructures. By now these individuals would be:
- For EGI-CSIRT: Leif Nixon and Sven Gabriel
- For WLCG: Romain Wartel
4. Communication/who gets notified about possible changes of the suspension list content?
=> Each participating infrastructure decides how/who to inform their constituency about changes of the content of the emergency suspension list. The guidelines on how the communication is done is subject of the respective Incident-Response-Procedures.
5. Content of the emergency suspension list
=> The emergency suspension framework only operates on clients and entities, i.e. user or host/service DNs
6. GOC-DBs role in that framework => Services should be registered in GOC that will be allowed to contact the central suspension service for downloading the suspension information. Based on this GOC-DB information ACLs on central instance could be configured. Here a similar mechanism as for the access to APEL should be possible.
7. Next steps/open issues => The following technical issues will be discussed via the Emergency suspension mail list: central-suspension-mp@mailman.egi.eu
- Format of the suspension list
- Interface the clients connect to, to pull the suspension list
- Development of a recommended Argus server deployment scenario in the NGIs, RCs