# Security Takeaways from Fermilab
###### D. Crooks, D. Kelsey, H. Short
---
# Recap
* Week of 9th of September spent at Fermilab
* 10th September, Pre-GDB
* WLCG AuthZ WG F-2-F
* AAI exercises with Fermilab and DUNE
* 12th September, mini-FIM4R
* Fermilab, Argonne, Brookhaven, DUNE, WLCG, IRIS + CiLogon, Indigo IAM, Internet2
---
# Key Outcomes
* WLCG Token Schema v1.0 published
* Progress made on several challenges at Fermilab/DUNE
* Information sharing between physics experiments/labs
---
# Topics for Continuation
* Combined assurance
* Trust fabric of OIDC/OAuth
* Guidance on Token Flows
* OAuth Challenges
* Additional attribute collection
---
# Combined Assurance
* Although combining low-assurance certificates with high-assurance VOs works technically, the policy level is more complicated
* Assessment of identity proofing being addressed by **IGTF** and **JSPG**
* Aim to keep VO effort to a minimum
---
# Trust Fabric of OIDC/OAuth
* Now possible to separate transport/encryption from token signing
* What level of assurance required for each component?
* How to distribute trust anchors?
* Discussed in **EUGridPMA**
* Call planned in **WLCG AuthZ WG**
---
# Guidance on Token Flows
* DOMA WG will continue to run tests and prototypes in conjunction with the AuthZ WG
* **WLCG AuthZ WG** to produce guidelines based on workable models
---
# OAuth Challenges
Challenges proposed by Brian Bockelman
![](https://codimd.web.cern.ch/uploads/upload_d07bb01985256baae095ebbf2d0537d4.png)
Plus...
* Traceability challenge
* Multi-tenancy token issuer model
---
# Additional Attribute Collection
* Implementing federated identity means separating Authentication from Authorisation
* Care must be taken on which attributes are collected and shared
* VOs may have to play a larger role in collection of Authorisation data
---
# Next Steps
* Discussions to continue in IGTF, EUGridPMA, WLCG AuthZ WG, JSPG
![](https://codimd.web.cern.ch/uploads/upload_c904d48489c5b332aa6ae62006161b57.jpeg =400x300)
{"title":"Security takeaways from Fermilab","type":"slide","slideOptions":{"theme":"white","transition":"slide"}}