Security|SecurityPriorities
- Webstart status: Added to latest Gateway release candidate, web start jar signed with self-signed certificate.
- Central trust root as single store status: Done.
- Download across multiple gateways status: ?
- Data download across multiple Gateways:
  1. https://vets.development.ucar.edu/jira/browse/SGF-2029
  2. http://esgf.org/bugzilla/show_bug.cgi?id=12
- Plan top 5 priorities for next release, Feb end.
- Central trustroot and whitelisting, documentation and deployment outreach (Item 7)
  1. Automated PKI deployment (Related to above)
- Webstart for MyProxy Logon: availability, certificate correctness and automate parameter presentation (Item 2)
- Whitelisting at authorization services (Item 6)
- Whitelisting at attribute services (Item 5)
- Publisher does not validate server certificate (Item 11)
- SAML Assertion in MyProxy (Item 8)
- DOEGrids CA for Gateway (Item 13)
- Namespace Attributes (Item 4)
- Assertion validity (Item 3)
- BDM Attribute update (Item 10)
This is a list of security issues identified at the security meeting held at Argonne in September.

| Action Item No. | Milestone | Gateway Node | Data Node | Release Target | Status |
|---|---|---|---|---|---|
| 1 | Use of YADIS for attribute information | | | | This can be lower priority since metrics are collected and stored for now, and can be pulled together with attribute discovery later in the process. |
| 1.1 | Change OpenID YADIS service to include additional endpoints | Eric | | 1.2 | Done |
| 1.2 | Attribute service endpoint used by Data Node Manager for notifications | Gavin | | 1.0.3 | |
| 1.3 | MyProxy Webstart webpage displays user's Attribute service endpoint for copying and pasting | Eric | | 1.2 | |
| 1.4 | Investigate configuring webstart applications with dynamic parameters from portal | Neill | | | |
| 1.5 | MyProxy Webstart incorporates the MyProxy endpoint from YADIS document | Eric | | 1.3 | |
| 1.6 | DML Webstart incorporates MyProxy from YADIS document | Alex | | | |
| 1.7 | Incorporate the changes in YADIS document in ICD | Phil/Rachana | | 1.2 | Done |
| 2 | Web start applications | | | | |
| 2.1 | Jars required signed using certificates from PCMDI | | Gavin | 1.0.3 | |
| 2.2 | Links to DML and MyProxy webstart added to Gateway | Eric | | 1.2 | Done |
| 3 | ORP - Authentication assertion translated should be limited to original assertion. X.509 certificate to cookie | | | | |
| 3.1 | Cookie should be session limited | | Luca | | |
| 3.2 | SAML AuthN assertion in cookie should have lifetime of X.509 credentials and if not present 12 hours | | Luca | | |
| 3.3 | TDS (or any other consumer) must check the lifetime of the validity of the SAML assertion | | Luca | | |
| 3.4 | Update ICD with details | Phil/Rachana | | | Done |
| 4 | Namespace Attributes | | | | |
| 4.1 | Document agreed namespace in ICD | Phil/Rachana | | | Done |
| 4.2 | Policy on data set should use the attribute name (with namespace) and value | Eric | | | |
| 4.3 | Attribute service interface should allow configuration of the attribute name (with namespace) | Luca | | | |
| 4.4 | Document disabling of VO attributes with OpenID AX | Phil/Rachana | | | Done |
| 4.5 | Disable VO Attribute exchange with OpenID IdPs | Eric | | 1.3 | |
| 4.6 | Update central repository with policy on Attribute Authority and Attribute Namespace | Neill | | | |
| 4.7 | Attribute consumer that is Authorization services should look at whitelist of allowed Attribute Authority | Eric | | | |
| 4.8 | Attribute consumer that is Authorization services should look at AA to attribute name whitelist | Eric | | 1.3 | |
| 5 | Attribute Query Interface | | | | |
| 5.1 | Support whitelist of clients allowed to query the attribute service | ?? | | | |
| 5.2 | Validation of SAML Attribute assertion | Luca/Phil | | | |
| 6 | Authorization Query Interface | | | | |
| 6.1 | Support whitelist of clients allowed to query the authorization service | ?? | | | |
| 6.2 | Validation of SAML Authorization assertion | Luca/Phil | | | |
| 7 | Central Repository of whitelist | | | | |
| 7.1 | Trusted IdPs, CAs, CRLs, Signing Policy | Neill | | | 1.2 |
| 7.2 | Schema to represent the data | Neill | | | |
| 7.3 | Gateways | Data Nodes | Attribute Services and Authorization Services | Neill | |
| 7.4 | Consumers - Attribute and Authorization service whitelist. Gateway has similar requirements | Luca/Eric | | | |
| 7.5 | Document in ICD agreed locations of these (not an interface as a recommendation only) | Neill | | | |
| 7.6 | Update Gateway installations to pull down central repository | Eric | | 1.2 | |
| 7.7 | Update Data node installations to pull down central repository | | Gavin | 1.0.2 | DONE |
| 8 | SAML Assertions in MyProxy issued credential | | | | Code provided, needs to be added to Gateway |
| 8.1 | Script to generate SAML assertions that can be used with MyProxy server | Neill | | | DONE |
| 8.2 | Update Gateway installation to use the SAML script | Eric | 1.2 | MyProxy module | |
| 9 | Cross publishing use case | | | | |
| 9.1 | Gateway certificate Authorization to use cert openid instead of DN | Eric | | | 1.2 |
| 9.2 | Improved workflow for requesting publishing role | | | | |
| 10 | BDM attribute rework | | | | |
| 10.1 | ICD update to incorporate namespace attribute name | Rachana/Phil | | | Done |
| 10.2 | Update GridFTP security layer to use the new attribute name as policy, and make it configurable | Neill | | | |
| 11 | Publisher does not validate server identity | Update client code to authenticate the server | | Bob | |
| 12 | Bug tracking for data node software, Bug tracking s/w that allows data node s/w level tracking | | Gavin | | DONE |
| 13 | Data node version number and document on compatibility with Gateway | | Gavin | | DONE |
| 14 | DOEGrids CA for sites | | | | |
| 14.1 | Document process | | | | |
| 14.2 | Deploy on gateways | | | | |
| 15 | A standalone Identity Provider | | | | |
| 16 | A standalone Group Management Service | | | | |