David GroepNikhefAmsterdamPDP & Grid

Some Comments on“Problem description for non-proliferation issues in Grids”

Joint Security Policy Group7 December 2009

Following from an EGI Council Input Document

David GroepNikhefAmsterdamPDP & Grid

IPM and the CMS collaborationLCG-CatchAll eventFounding a national CAIGTF Distribution Release v1.22On Those Who Must Not Be NamedDifferentiating Authentication &

Authorization ◦ ... again (June 2009)

History

David GroepNikhefAmsterdamPDP & Grid

New document (27 Nov 2009)Problem description for non-proliferation issues in Grids

W. Juling (KIT and DFN), K. Schauerhammer (DFN), M. Spiro (CNRS and IN2P3), K. Ullmann (DFN), D. Vandromme (Renater)

Sent to EGI Council

Describing the Issue

David GroepNikhefAmsterdamPDP & Grid

I. Local distribution (i.e. in one legal organisation for example in a university),

II. National distribution (i.e. in several legal organisations but all these organisations in one national legal area (i.e. country) or

III. International distribution (same as national but the machines are distributed over several national legal areas (i.e. countries).

Scenarios consideredfrom the document

David GroepNikhefAmsterdamPDP & Grid

1. What does in legal terms define a VO in scenario II and III? What is the liability of a VO?

2. What is the minimum necessary for the formulation of a common (to that Grid) legal framework for the contractual relation between a VO and the consortium of resource providers covering UN Security Council resolutions for scenario II (national Grid)?

3. What is the minimum necessary for the formulation of a common (to that Grid) legal framework for the contractual relation between a VO and the consortium of resource providers covering UN embargo decisions for scenario III (international Grid)?

4. What is the liability of a “responsible person” as defined in II and III?

Problems identified in II and III

from the document

David GroepNikhefAmsterdamPDP & Grid

A possible track for an implementation of these ideas could be the following model:

a) An individual charter of good conduct1 signed by the user (as a person) and its employer: this would allow the employer to take measures in case of misconduct of the user of the GRID. Often such issues may be covered already in the employment contracts.

b) A charter of good conduct between a VO and its users

c) A MoU signed by each VO and the resource providers / resource provider consortium where the VO manager through national VO representatives commits to monitor the use of resources for the application the VO is responsible of, and where the resource providers commit for the site non vulnerability and security.

Finally the NGI could monitor the functioning of this machinery in each country.

Possible implementationfrom the document

David GroepNikhefAmsterdamPDP & Grid

Responsibilities Arisingfrom the document

David GroepNikhefAmsterdamPDP & Grid

AuthN and AuthZ got their proper place!Responsibilities roughly resemble current

policyGood inventory of issues, likely supported by

CouncilWe can’t suppress the issue anymore, it

seemsProposed “MoU” for the VOs

◦ Potential to be extremely heavy and scare user communities away

◦ Do all VOs have ‘national VO representatives’?◦ Compulsory monitoring by VO managers?◦ Proposed ‘commitment’ by sites unachievable◦ NGI gets a role, but can it take this responsibility?

High potential for ‘back-pollution’ NGIs and Sites

Special role for NPT in Statutes is rather ‘weird’

The Good and the Improvable

David GroepNikhefAmsterdamPDP & Grid

Anticipate responsibility scheme?Disseminate JSPG policy set?Encourage a realistic approach to VO

responsibilities? Introduce ‘home grid’ for VOs to ease VO

registration?

Come up with a more generic statement regarding permitted use of EGI ◦ Keeping in mind differences between National Legal

Areas◦ Scoping it to EGI and cross-national VOs◦ Make the Statutes clause less ‘obviously targeted’

Continue to be vigilant: is banning ‘dual use codes’ next?

What to do?