Attendees: Terry Smith, Davide Vaghetti, Björn Mattsson, Wolfgang Pempe, Sven Gabriel, Attila Laszlo, Russell Ianniello, Nicole Harris, Marina Adomeit, Casper Dreef, Pål Axelsson, Daniel Kouril, Chris Phillips, Shannon Roddy, Romain Wartel, Daniel Muscat
Co-chairs: Sven Gabriel (representing Security Team) & Shannon Roddy (representing eSG)
Both co-chairs were accepted. The charter was accepted.
The Working Group moved from the planning state to the actual state.
Davide explained that the eduGAIN leadership sent an official letter to SheerID. A list of federated entities has been shared by SheerID and the Security Team.
This list might not be complete and accurate. Non-federated entities are missing.
The Working Group expressed its surprise about the incompleteness and inaccuracy of the list. One of the problems is that entities don't keep logs longer than a certain number of weeks and therefore are not able to check if they were affected.
eduGAIN doesn't have the ability to filter out a single entity. UKfed could be asked to filter SheerID. Terry asked if there is an alternative for eduGAIN, e.g. InAcademia.
Which options are available to filter out entities in case of an emergency? Important to keep 'trust' in mind.
"Why can't I log in" vs "Why must I audit my logs for a compromise after the fact".
At the moment there is one option: completely drop a federation's feed.
Work on a 'measured response' in the policy. Chris pointed out this could be an opportunity for SIRTFI adoption. Romain noticed that by design some main elements are missing in the current policy. Sanctions and emergency measures are different things. Both are missing at the moment.
Policy needs to be revised. A call for a working group will be addressed at the Drop-in Session on 18th May.
Chris proposed the topic of best security practices in eduGAIN. What do recommendations mean in practice?
The group supported the idea.
Davide proposed to identify the missing bits and raise this to the Policy Revision Working Group as well. The Security Team will make its wiki space available for a Best Practice section.