Discussions on CRL update, robustness and coherency issues. Especially in the light of the "denial of service" on the ESNET CA due to CRLs installed on all worker nodesof a cluster.

Action Items:

• Immediate: Update CE install documentation - FKW to contact RobQ?/Alain provisioning chairs.
• Immediate: Package CRL checker into VDT with associated documentation. RobQ?
• Medium: Ensure that sites are running with CRLs - GridScan? - RobQ?
• Medium: Consider pushing logging information to syslog as a principle.
• Medium: Next Blueprint meeting to be with Fermilab/FermiGrid security folk to go through logs and support for audits that exist, are needed etc.

Exposed Principles of Security opperation:
No excuse for not operating it at the highest levels of diligence.
Unhappy about cleaning out CRL files to maintain service.
Audit Requirements;
Avoid exhaustion of repeated data requests to sites when there is an incident.

Time Frames Qualitatively: *Speed of thinking: 20 mins or an hour

• If implementing Active Protections 1 minute.

Information for Auditing:

• Any augthz transaction wants to get a copy of the DN. Gram; find out what GLobus actually does do.
• IP address of everyone who has attempted and the attempt has failed on any service including GUMS with a protocol of the proper form. At Fermilab is done at the firewall/border router of the site.
• Information to allow joins of the information and queries.
• Move the information into syslog.
• Sit down with the logs and the layers of the software for FermiGrid? including glexec at the WN.
• See how something has spread on a grid incident.

Thinking:

a) Document what to do with CRL updates for sites without a shared file system ? short term. Plus alert.

b) tool for CRL management: Management of the fetching of the CRLs in a flexible way to address expiration times Auditing Capabilitiy on the health and status of the CRLs on the site. Existing tools to do this.

b) rcync tool for use on the sites.

c) Under what circumstances does one need CRLs installed.

d) what about fixing the insecurity when there are no CRLs installed.

e) management and diagnostic information for CRL expiry.

f) Sites are responsible for Security. Can we convince the sites that GUMS is sufficient and require that they install it?

g) Is OSG say they have an infrastructure for managing and monitoring CRLs.

h) We have a script for monitoring this from Doug.

i) deploy a system of cron jobs with a scheduler and manager to look after it.

j) Include running of the operations by a trigger.

k) Assess the configurations. Have a framework where this can be done?

-- RuthPordes - 05 Feb 2007

• Logging Information on a Site: