Comment: minor formatting

...

4. Back to the mandate and scope. Additional topics (slide 6).
We agree to create a child page on the wiki where issues of what is in and out of scope can be discussed/developed.
AlfM: I would like to compare the SCIV1 framework with one we have in the Netherlands. And what is the overlap with ISO27000?
DaveK: reminds people that we already have one successful development from the SCIV1 document, namely the work on Sirtfi being done by REFEDS and AARC.
https://refeds.org/sirtfi
https://wiki.refeds.org/display/GROUPS/SIRTFI
The Sirtfi version 1 document was developed from SCI V1 using the Creative Commons copyright.
DaveK: EU H2020 AARC NA3 is also now working on another development from SCIV1 to prepare a policy/trust framework for IdP/SP proxy/gateways bridging research
communities to the identity federations.
This was discussed and agreed that it would be very good to avoid all the branching of the SCI document if at all possible.
Can we at some point merge back in with Sirtfi? And the IdP/SP proxy framework?
It may not be possible but we should at least consider that possibility and at the very least make sure we keep in touch
with other activities.

Moving on - RomainW: we need to be aware of what is already going on in (and between) the various operational security groups and trust groups.
And encourage appropriate membership of the WG.

...

We then moved to a somewhat lengthy discussion about the desirability of including in the scope of the working group information exchange about the
handling of software vulnerabilities between various infrastructures (a discussion that had previously started between EGI and CTSC). There are lots of
different possibilities: sharing the work on assessing and handling a new vulnerability when notified (i.e. in producing an advisory), sharing advisories
after they have been produced, or even sharing intelligence about an upcoming vulnerability before announcement. Lots of interesting discussion involving how to
share information and what to share, e.g. MischaS: EGI is dependent on Globus software and it would be useful to receive advance notice and details of
any new vulnerability.

In the end RomainW convinced us all that this should be OUT of scope of our working group. It is an operational issue that can be best handled by
bi-lateral discussions between infrastructures.


4. Timelines (slide 7)
We need to work towards a firm plan for SCIV2 to be presented at the TNC BoF session (mid June) and later at the WISE meeting with XSEDE in July.
Then we should aim for an SCI document version 2 by the end of 2016.
For the next meeting (13th May) we agree to read and study SCI version 1 and have initial ideas as to what needs to be removed, what needs to be
added, what needs to be expanded, what conflicts there are for some stakeholders.


5. Next meeting.
Friday 13th May 2016. One hour video conference starting at 13:00 UTC.
Agreed that this "afternoon in Europe" timeslot works well, allowing for both participation from the USA (although West coast is a challenge!)
and Asia (where it is getting late in the evening). It was noted that both Wednesdays and Fridays cause problems for some people. Will need to doodle for the
next meeting after 13th May.
People were happy to continue using the Vidyo conferencing system.

...