Some Comments on “Problem description for non-proliferation issues in Grids”

1. Some Comments on“Problem description for non-proliferation issues in Grids” Joint Security Policy Group7 December 2009 Following from an EGI Council Input Document

2. History • IPM and the CMS collaboration • LCG-CatchAll event • Founding a national CA • IGTF Distribution Release v1.22 • On Those Who Must Not Be Named • Differentiating Authentication & Authorization • ... again (June 2009)

3. Describing the Issue • New document (27 Nov 2009)Problem description for non-proliferation issues in Grids • W. Juling (KIT and DFN), K. Schauerhammer (DFN), M. Spiro (CNRS and IN2P3), K. Ullmann (DFN), D. Vandromme (Renater) • Sent to EGI Council

4. from the document Scenarios considered • Local distribution (i.e. in one legal organisation for example in a university), • National distribution (i.e. in several legal organisations but all these organisations in one national legal area (i.e. country) or • International distribution (same as national but the machines are distributed over several national legal areas (i.e. countries).

5. from the document Problems identified in II and III • What does in legal terms define a VO in scenario II and III? What is the liability of a VO? • What is the minimum necessary for the formulation of a common (to that Grid) legal framework for the contractual relation between a VO and the consortium of resource providers covering UN Security Council resolutions for scenario II (national Grid)? • What is the minimum necessary for the formulation of a common (to that Grid) legal framework for the contractual relation between a VO and the consortium of resource providers covering UN embargo decisions for scenario III (international Grid)? • What is the liability of a “responsible person” as defined in II and III?

6. from the document Possible implementation A possible track for an implementation of these ideas could be the following model: • An individual charter of good conduct1 signed by the user (as a person) and its employer: this would allow the employer to take measures in case of misconduct of the user of the GRID. Often such issues may be covered already in the employment contracts. • A charter of good conduct between a VO and its users • A MoU signed by each VO and the resource providers / resource provider consortium where the VO manager through national VO representatives commits to monitor the use of resources for the application the VO is responsible of, and where the resource providers commit for the site non vulnerability and security. Finally the NGI could monitor the functioning of this machinery in each country.

7. from the document Responsibilities Arising

8. The Good and the Improvable • AuthN and AuthZ got their proper place! • Responsibilities roughly resemble current policy • Good inventory of issues, likely supported by Council • We can’t suppress the issue anymore, it seems • Proposed “MoU” for the VOs • Potential to be extremely heavy and scare user communities away • Do all VOs have ‘national VO representatives’? • Compulsory monitoring by VO managers? • Proposed ‘commitment’ by sites unachievable • NGI gets a role, but can it take this responsibility? • High potential for ‘back-pollution’ NGIs and Sites • Special role for NPT in Statutes is rather ‘weird’

9. What to do? • Anticipate responsibility scheme? • Disseminate JSPG policy set? • Encourage a realistic approach to VO responsibilities? • Introduce ‘home grid’ for VOs to ease VO registration? • Come up with a more generic statement regarding permitted use of EGI • Keeping in mind differences between National Legal Areas • Scoping it to EGI and cross-national VOs • Make the Statutes clause less ‘obviously targeted’ • Continue to be vigilant: is banning ‘dual use codes’ next?