
Security|TaskMatrix

Matthew Harris edited this page Oct 9, 2013 · 6 revisions

Security Task Matrix

Authentication

Gateway

| Type | Requirement | Status | Notes |
|------|-------------|--------|-------|
| Implementation | OpenID whitelisting at Gateways | ? | To restrict valid OpenIDs to those trusted within the federation, either the OpenID URL or the IdP's SSL certificate distinguished name should be pattern matched against a whitelist. Whitelisting should occur on all security services, including the Attribute Service and Authorisation Service. |
| Implementation | Gateway produces wget scripts that send SSL client credentials | ? | |
| Deployment | Consistent CA trust roots across the federation | The principle of successfully updating trust roots is established. The procedure is not automated or documented. | We need an automated way of distributing a consistent set of trust roots across the federation, and this should be updated regularly. MyProxy can apparently do this (MyProxy provisioning). Although in a Gateway section, this also needs to work on nodes. |
| Deployment | MyProxy Java WebStart application linked from Gateways | ? | |
| Milestone | Functioning cross-federation OpenID authentication at Gateways | Some recent bug fixes to the Gateway code have yet to propagate to PCMDI. | |
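The whitelisting requirement above, as an added example that is not code from this wiki or from the federation software: an OpenID identifier is accepted only if its URL, or the presenting IdP's certificate DN, fully matches one of the federation's patterns. The hostnames, DN components and whitelist entries are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed whitelist (hypothetical values): full-match regexes for trusted
# OpenID URLs and for the distinguished names of trusted IdP SSL certificates.
OPENID_URL_PATTERNS = [
    r"https://(?:[a-z0-9-]+\.)?badc\.nerc\.ac\.uk/openid/[^/]+",
    r"https://pcmdi\.example\.org/esgf-idp/openid/[^/]+",
]
IDP_CERT_DN_PATTERNS = [
    r"/O=ESG/OU=BADC/CN=[a-z0-9.-]+",
]


def is_trusted_openid(openid_url, idp_cert_dn=None):
    """Return True if the OpenID URL or the IdP certificate DN is whitelisted.

    Patterns are anchored with fullmatch so a trusted hostname embedded in a
    lookalike URL (e.g. as a path component or as a prefix of a longer host)
    does not pass.
    """
    parsed = urlparse(openid_url)
    # Only https identifiers are considered; anything else fails closed.
    if parsed.scheme != "https" or not parsed.netloc:
        return False
    if any(re.fullmatch(p, openid_url, re.IGNORECASE) for p in OPENID_URL_PATTERNS):
        return True
    if idp_cert_dn and any(re.fullmatch(p, idp_cert_dn) for p in IDP_CERT_DN_PATTERNS):
        return True
    return False


if __name__ == "__main__":
    for url in ("https://ceda.badc.nerc.ac.uk/openid/jbloggs",
                "https://badc.nerc.ac.uk.evil.example.com/openid/jbloggs",
                "http://badc.nerc.ac.uk/openid/jbloggs"):
        print(url, "->", is_trusted_openid(url))
```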

Node

| Type | Requirement | Status | Notes |
|------|-------------|--------|-------|
| Implementation | OpenID whitelisting implemented in OpenidRelyingParty .war | Not implemented? | |
| Implementation | OpenID Attribute Exchange working in ORP.war to allow Node Manager to associate downloads with email addresses | ? | |
| Deployment | OpenidRelyingParty .war deployed on all nodes | Successfully deployed on a test server at BADC and demonstrated OpenID and SSL client authenticated TDS requests. | |
| Deployment | MyProxy servers deployed at all IdPs listening on port 7512 | PCMDI MyProxy still listening on non-standard port. NCAR MyProxy status unknown. BADC MyProxy listening on standard port. | PCMDI's MyProxy server is still listening on 2119. esg.prototype.ucar.edu doesn't appear to be running. If users will have to open up their firewalls to a certain port, it should be the standard one. |
| Milestone | Functioning OpenID authentication at deployed nodes | NO | |
| Milestone | Functioning SSL client authentication at deployed nodes | NO | |

Authorization

Gateway

| Type | Requirement | Status | Notes |
|------|-------------|--------|-------|
| Implementation | Gateway Attribute Service implemented | ? | |
| Implementation | Gateway Authorisation Service implemented | ? | |
| Implementation | Gateway Authorisation Services can pull attributes from an external Attribute Service | ? | |
| Deployment | Attribute Service deployed at PCMDI | ? | At least one Attribute Service is required to serve CMIP5 access roles. This will be at PCMDI. |
| Deployment | Authorisation Service deployed at all Gateways | NO | |
| Milestone | Functioning cross-federation authorisation at Gateways | NO | |

Node

| Type | Requirement | Status | Notes |
|------|-------------|--------|-------|
| Implementation | Node can delegate authorisation decisions to an external Authorisation Service | ? | All nodes will need to delegate either to the publishing Gateway's Authorisation Service or to an independent Authorisation Service. |
| Deployment | Authorisation filter deployed at all nodes | NO | |
| Milestone | Functioning cross-federation authorisation at nodes | NO | |
