Many thanks to Mingchao for providing the link to the operational notice. This is an old EGEE OSCT notice. Has EGI CSIRT also adopted this?
In answer to some of Stephen's other statements...
> However the general trend of security policy revisions seems to be to make them more vague, so maybe there is no definite statement any more.
It is true that we try to make security policy documents more general (vague if you like!) in the sense that specific operational time limits are indeed operational issues and as such should be procedures rather than policy and therefore are easier to change.
> If credentials with long lifetimes are forbidden by policy at the
> resources or a grid level then this should be defined and enforced at
> the resource(s)'s gateways not at the Attribute Authority.
The statement right at the end of the operational notice (taken from the minutes of a JSPG meeting) "JSPG agrees that sites SHOULD enforce these policy upper limits. Grid middleware MUST provide the ability to do this." is addressing exactly the comment above from Stephen.
Dave
------------------------------------------------
Dr David Kelsey
Particle Physics Department
Rutherford Appleton Laboratory
Chilton, DIDCOT, OX11 0QX, UK
e-mail: [log in to unmask]
Tel: [+44](0)1235 445746 (direct)
Fax: [+44](0)1235 446733
------------------------------------------------
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of Mingchao Ma
> Sent: 10 August 2011 17:45
> To: [log in to unmask]
> Subject: Re: myproxy/VOMS and FTS
>
> > > I cannot find any suggestion that a VOMS credential should or must
> > > be a maximum of 24 hours long.
> >
> > One for Dave or Mingchao ... it certainly used to be the case that
> the
> > limit was 24 hours and a VO had to ask for a specific exception and
> > justify it. However the general trend of security policy revisions
> > seems
>
> http://osct.web.cern.ch/osct/op-notices/proxy-lifetime-02-11-2007.txt
>
> And I would like to collect information on VOs' current practice: the
> maximum length of the VOMS credential.
>
> Please email me the following information off the list:
>
> The name of the VO you test and the length of VOMS credential, if
> possible the output of voms-proxy-info -all
>
> Thanks,
>
> Mingchao