The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations @ egi.eu.

06.11.2013 Editorial Access/Management/Maintenance of the suspension list content.


Attendees

  • Romain Wartel (CERN/WLCG)
  • David Kelsey (STFC/EGI-CSIRT)
  • Leif Nixon (SNIC/EGI-CSIRT)
  • David Groep (FOM/EGI-CSIRT)
  • Sven Gabriel (FOM/EGI-CSIRT)

Agenda/Minutes

The following topics were discussed, taking into account the EGI CSIRT Operational Procedure for Compromised Certificates and Central Security Emergency Suspension.


1. Service Maintenance/Availability:

=> CERN has been running an ARGUS production server, used by some EGI grid sites, for 3 years.

=> CERN provides this service on a best-effort basis; support is provided via the CERN-Helpdesk / CERN-Security-Contact / CERN-Security-Experts. The usual reaction time is less than an hour, though.


2. Who uses the Emergency Suspension Framework?

=> The Emergency Suspension Information hosted by a service at CERN will be used by the following infrastructures:

  • EGI
  • WLCG
  • OSG

3. Who has write access to the suspension list?

=> Write access will be strictly limited to a small number of trusted, named individuals from the participating infrastructures. Currently these individuals are:

  • For EGI-CSIRT: Leif Nixon and Sven Gabriel
  • For WLCG: Romain Wartel

4. Communication/who gets notified about possible changes of the suspension list content?

=> Each participating infrastructure decides how, and by whom, its constituency is informed about changes to the content of the emergency suspension list. How this communication is carried out is defined in the respective incident response procedures.


5. Content of the emergency suspension list

=> The emergency suspension framework only operates on clients and entities, i.e. user or host/service DNs.


6. GOC-DB's role in that framework

=> Services that will be allowed to contact the central suspension service to download the suspension information should be registered in GOC-DB. Based on this GOC-DB information, ACLs on the central instance could be configured. A mechanism similar to the one used for access to APEL should be possible here.


7. Next steps/open issues

=> The following technical issues will be discussed via the emergency suspension mailing list: central-suspension-mp@mailman.egi.eu

  • Format of the suspension list
  • The interface clients connect to in order to pull the suspension list
  • Development of a recommended Argus server deployment scenario in the NGIs and RCs