61st EUGridPMA+ and AARC Policy meeting (in conjunction with IGTF, GN5-1 EnCo)

28 May 2024, 20:00 → 30 May 2024, 17:30 Europe/London

Garden Room (Coseners House)

David Groep (Nikhef)

To connect remotely to the Garden Room: with a web browser and Zoom client, go over to https://eugridpma.org/z/61 or connect via H.323 (e.g. on the Zoom AMS endpoint at 213.19.144.110). The meeting ID is 938 1494 9602. The passcode is known to IGTF members and participants.

Tuesday, 28 May

20:00 → 22:00 Trust building dinner

(no-host)

Wednesday, 29 May

09:30 → 09:45 EUGridPMA+: Welcome, agenda, minutes last meeting, note taker, introductions

And: candidates for the annual chair election are always welcome!

Speakers: David Groep (Nikhef), Dr David Kelsey (UKRI-STFC)

09:45 → 10:05 IGTF fabric updates: status of authorities, fabric news, RHEL9/OSSL issues

Review of IGTF Trust Fabric (PKIX rendering) issues and changes: updates from transitioning CAs, TCS, and continuing challanges explaining the RHEL9/OSSL breakage of self-signed roots.

Speaker: David Groep (Nikhef)

10:05 → 10:20 Self-assessment peer reviews and audits

Speaker: Cosmin Nistor

10:20 → 10:40 CA Update I: (open slot)

10:40 → 11:00 Introduction to T&I in GEANT 5-2

The GEANT Project (5-2) is taking shape now, but of course also GN5-1 is still under way. Maarten and Casper will review the progress in GN5-2, and draft the venn diagram on the EnCo vs AARC TREE main activities

Speakers: Casper Dreef (GÉANT Association), Maarten Kremers (SURF)

11:00 → 11:30 Coffee

11:30 → 12:00 AARC Policy Coordination and AARC-TREE: introduction to AARC TREE

The AARC TREE project provides for enhanced effectiveness of the AARC community, including the Policy Area. We will putthe AARC TREE Policy Activity into the community context, and highlight where the new EC AARC TREE project and "WP2 - Policy and Good Practice" may help us!

Speakers: David Groep (Nikhef), Dr David Kelsey (UKRI-STFC)

12:00 → 12:30 AARC PDK: feedback from adopters

Opportunity for input and feed-back from our Australian colleagues. Do we need to revise and 'template' terminology? What should the new PDK structure look like, and what is the role of the 'top-level' policy document?
And are all things actually policies, where some are more like procedures, and some information guidance or a glossary?

Dave Kelsey et al. will summarize the feedback from the Australian Access Federation as they reviewed adoption of the AARC PDK and the challenges and new ideas they encountered.

Speaker: Dr David Kelsey (UKRI-STFC)

12:30 → 14:00 Lunch

14:00 → 15:30 AARC Community Survey: input for questions and context

The AARC TREE project provides for effort for an in-depth survey of Research Infrastructure requirements (supported by the Use Cases activity WP3: "This work will use as the starting point the FIM4Rv2 paper together with requirements that AARC TREE partners may have collected via other activities. In addition, it will engage with relevant forums and stakeholders (such as FIM4R, AEGIS, EOSC AAI Task Force, National RIs and European initiatives such as the EU dataspaces) to gather the initial set of requirements and use cases. Based on this, an initial set of the requirements and use cases will be captured, to drive further work."
* https://wiki.geant.org/display/AARC/Survey+development+area

Speakers: David Groep (Nikhef), Dr David Kelsey (UKRI-STFC)

15:30 → 16:00 Tea

16:00 → 16:30 FIM4R - collecting communnity and research infrastructure requirements

AARC TREE and others have a dedicated action line to support FIM4R and the requirements collection process. Discuss planning of FIM4R meetings and how to ensure global engagement, specifically also beyond Europe.

Speaker: Dr David Kelsey (UKRI-STFC)

16:30 → 17:00 WISE Information Security for E-infrastructures

Review the relationshiop between AARC (TREE) and WISE, and how we can both leverage and re-invigorate the policy aspects in WISE.

Speaker: Dr David Kelsey (UKRI-STFC)

17:00 → 17:20 Planning for policy outreach

Discuss plans for
* TNC24 and the AARC Policy talk
* TechEx24 workshops (there is already a submission for a Sirtfi/federation TTX workshop)

Speaker: David Groep (Nikhef)

17:20 → 17:30 Planning next EUGridPMA+ meeting (September/October 2024)

Speaker: David Groep (Nikhef)

18:30 → 21:30 Dinner

Location to be confirmed

Thursday, 30 May

09:00 → 10:00 Policy frameworks for PII 'as a result of Infrastructure use'

The EGI policy on data protection (for personal data collected as a result of users operatin gin the infrastructure, rather than personal information contained in research data) is rather antiquited and needs an update. While we recognise that a 'fully legally robust' option is not feasible, how can be update the model of 'pretty binding not-quite-corporate rules' and get that in a new (EGI) policy document?

This work stalled in the WISE SCI-WG because of formal compliance reasons, but the Infrastructures need it anyway.

Speaker: Dr David Kelsey (UKRI-STFC)

10:00 → 10:30 Recap and evolution of "G040" AUP and Privacy Notice model

AARC-G040 "preliminary recommendations for the LS AAI" presented initial ideas on how to show terms-and-conditions and privacy notices for dynamic proxies. What does the current proxy landscape look like, and what are the current practices, e.g. in SURF SRAM on triggering notice presentation?
What should we keep, and what should we question in G040? Whom to ask for requirements, and how?

This is to be a working session with updates to the (presentation of) the Common AUP and Privacy notices

Speaker: David Groep (Nikhef)

10:30 → 11:00 Coffee

11:00 → 11:30 AAOPS Guidelines

Review of G071 and how to kick-start the peer review and learning process

Speakers: David Groep (Nikhef), Dr David Kelsey (UKRI-STFC)

11:30 → 12:30 Operational trust and Baseline

Does G071 give us enough info to trace users through the mesh of proxies, where you have multiple proxies in the mix, and you might need to trust all the proxies that are somehow connected. You will need to know who issues the statement, but also that it was not altered somewhere inbetween.
You usually follow upstream, but does that work operationally?
* do we need exercises/ Sirtfiv1 exercise showed some may be accidentally left out, like SURF then
* in a perfect world, all data is available and people react fast, but do they?

This was also discussed in the architecture meeting… but there is also good practice?
If you want any entity in the chain downstream to use these, the traceability to a community is lost?
If all entities in the chair record correctly (and share), the communication will work in case of an incident, but does that work?
* c.f. work in tracability of 3820 that Akos Frohner did
* RFC 6962 CT logging of these translations in an (external) registry. Would proxies want to do that? Encrypted?

And we need to run some ‘fake’ exercises to check if any proposed policy is possible. This does not need a real proxy or software, just a TTX with a few people thinking they are a proxy … inspired by the eduGAIN TTX from March '24.
This also implicitly validates (or not) elements of G071 …

Speakers: David Groep (Nikhef), Dr David Kelsey (UKRI-STFC), Maarten Kremers (SURF)

12:30 → 14:00 Lunch

14:00 → 14:30 Authorization and Tokens: updates from the GUT and the WLCG TTT

The Unified Token Profile and the WLCG Tansition To Tokens (TTT) working group are progressing. Matt Doige gives updates on https://twiki.cern.ch/twiki/bin/view/LCG/WLCGTokensGlobusWG and (potentially) Mischa Salle on the Grand Unified Token profile.

Speaker: Matt Doidge (Lancaster University)

14:30 → 15:30 AARC Policy: token life time and revocation guidance

What do we need as input from the communities (via the questionnaire or otherwise) in order to provide token lifetime guidance? This should likely be based on a risk assessment, but there are several use cases, both set by the CIA classification of the data (services) involved, but also on the interaction model and the presence of mitigating controls (like revocation, or relying-party suspension lists, or ...)

Follow-up from the AARC Policy Call "initiate trust and tracability working parties (CT-like append-only logging by proxies: Jens; TTX exercise models: DavidG & Maarten)"

15:30 → 16:00 Tea

16:00 → 16:25 Draft guidelines editing

• Trust Baseline and traceability (G071++)
• Privacy Policy update
• G040 revision
• ...

16:25 → 16:35 Closure