> ... Interesting. I wasn't aware of those minutes; but then, they were
> before I was in EGEE.
>
> I had thought it was intended for EGI to rubber stamp all the various EGEE
> policies as a grandfathering mechanism - to ensure that there was a clear
> statement on all such policies. In particular, there's no longer an
> Operational Security Coordination Team, and such details were planned to
> be clarified (e.g. to whom should a VO send notice as per that notice?).
> Is there a reason that this operational policy wasn't included?
You are right about the grandfathering; this includes all the policies,
procedures etc.
> I note that I can't get to that page starting from:
> https://wiki.egi.eu/wiki/EGI_CSIRT:Policies [0] or
> https://wiki.egi.eu/wiki/SPG
> which makes it rather difficult to expect people to be aware of and follow
> a 'policy' that's not kept with the other policies.
>
> [0] (Ok: you _can_: go to the 'EGI-CSIRT wiki', then click on 'Training
> and Dissemination Group', then just below the title bar is a link to
> 'operational notices'. But I submit that is outside the normal way one
> looks for policy information).
>
> > The voms server is right to enforce it. A proxy certificate is
> > **designed** to be short-lived and one cannot revoke a proxy certificate.
> > The way to stop a compromised proxy certificate is either ban the DN
> > across the Grid for the lifetime of the proxy or to revoke the associated
> > classical EE certificate, or do both. Neither is cheap in terms of
> > operation.
>
> Out of curiosity, how many times has there been a proxy compromised, when
> the user certificate hasn't been?
>
> (Rather: where are such statistics held?)
In the past we had a security incident where a host was rooted, therefore all
credentials on the host, including passwords, ssh keys, proxy certificates and
end user certificates, were considered to be exposed. In this case, we
normally informed the CA to revoke the certificates, and sometimes also asked
sites to ban the DNs. It (asking sites to ban the DN) does not happen very
often, but it did happen quite a few times.
You probably still remember that a few weeks ago we informed sites to ban
a DN as the user sent his ops voms proxy certificate (and private key) to the
lcg-rollout mailing list.
Cheers,
Mingchao
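The control discussed in the quoted paragraph above (a proxy certificate cannot be revoked, so the fallback is to ban the end-entity DN across sites for the lifetime of the proxy) as an added example in Go. This is not code from the thread, from EGEE or from EGI; it uses only the Go standard library. It constructs a self-signed end-entity certificate for a fictitious user and an RFC 3820 style proxy signed by it, renders DNs in the /C=../O=../CN=.. form that grid ban lists use, and shows the site-side check: refuse the proxy once its own NotAfter has passed, and refuse it while the DN behind it is on the ban list. The user name, organisation, proxy serial and ban list are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var oidCN = asn1.ObjectIdentifier{2, 5, 4, 3}

// OpenSSL one-line labels for the attribute types usually seen in grid DNs.
var shortNames = map[string]string{"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU",
	"2.5.4.3": "CN", "2.5.4.7": "L", "2.5.4.8": "ST", "0.9.2342.19200300.100.1.25": "DC"}

// gridDN renders a parsed DN as /C=../O=../CN=.., the form grid ban lists use.
func gridDN(names []pkix.AttributeTypeAndValue) string {
	var b strings.Builder
	for _, atv := range names {
		label := atv.Type.String()
		if s, ok := shortNames[label]; ok {
			label = s
		}
		fmt.Fprintf(&b, "/%s=%v", label, atv.Value)
	}
	return b.String()
}

// isProxy: RFC 3820 proxy subject == issuer DN plus exactly one extra CN.
func isProxy(c *x509.Certificate) bool {
	sub, iss := c.Subject.Names, c.Issuer.Names
	return len(sub) == len(iss)+1 && sub[len(iss)].Type.Equal(oidCN) &&
		gridDN(sub[:len(iss)]) == gridDN(iss)
}

// Verdict is a site's decision on one presented proxy chain.
type Verdict struct {
	EndEntityDN               string
	Expired, Banned, Accepted bool
}

// CheckProxy applies the two controls from the thread: a proxy cannot be revoked,
// so refuse it once any proxy in the chain is past its own NotAfter, and refuse it
// while the end-entity DN behind it is banned. chain is ordered leaf first.
func CheckProxy(chain []*x509.Certificate, banned map[string]bool, now time.Time) Verdict {
	v := Verdict{EndEntityDN: gridDN(chain[len(chain)-1].Subject.Names)}
	for _, c := range chain {
		if !isProxy(c) { // first non-proxy is the end-entity certificate
			v.EndEntityDN = gridDN(c.Subject.Names)
			break
		}
		v.Expired = v.Expired || now.After(c.NotAfter)
	}
	v.Banned = banned[v.EndEntityDN]
	v.Accepted = !v.Expired && !v.Banned
	return v
}

// issue signs a certificate for subject with parentKey (self-signed when parent is
// nil). It only builds constructed example data, so it panics on failure.
func issue(subject pkix.Name, ttl time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was produced just above
	return cert, key
}

// DemoChain: constructed self-signed EE cert for a fictitious user plus a 12 hour proxy.
func DemoChain() []*x509.Certificate {
	user := pkix.Name{Country: []string{"XX"}, Organization: []string{"Example Grid"}, CommonName: "Alice Example"}
	ee, eeKey := issue(user, 365*24*time.Hour, nil, nil)
	// RFC 3820: proxy subject = issuer's subject plus one CN with a unique value; both
	// CNs go through ExtraNames so pkix emits them in this order.
	proxySubject := pkix.Name{Country: user.Country, Organization: user.Organization, ExtraNames: []pkix.AttributeTypeAndValue{
		{Type: oidCN, Value: user.CommonName}, {Type: oidCN, Value: "1234567"}}}
	proxy, _ := issue(proxySubject, 12*time.Hour, ee, eeKey)
	return []*x509.Certificate{proxy, ee}
}

func main() {
	chain := DemoChain()
	fmt.Printf("%+v\n", CheckProxy(chain, nil, time.Now()))
	fmt.Printf("%+v\n", CheckProxy(chain, map[string]bool{"/C=XX/O=Example Grid/CN=Alice Example": true}, time.Now()))
}
```

The proxy is recognised structurally (subject equals issuer DN plus one CN), so the walk reaches the banned end-entity DN even when the proxy has been delegated several levels deep; validating the chain up to the CA is assumed to have happened already in the normal GSI/TLS handshake.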