Virtual Organisation Registration Security Policy
Draft policy document - ready for approval and adoption.
This is version 2.6 of this policy document, dated 29 June 2009, as finalised at the 26 June 09 JSPG meeting. This addresses all comments received during the "final call" and is now ready for approval and adoption.
The currently approved and adopted policy document is called "LCG/EGEE Virtual Organisation Security Policy" (version 1.7, dated 31 October 2005) and may be found at https://edms.cern.ch/document/573348/6
This policy defines a set of security-related responsibilities placed on the Grid implementing a procedure to register a VO with the Grid, and on the VO and its managers. All terms are defined in the Glossary (https://edms.cern.ch/document/573613).
VO Registration Requirements
To satisfy Grid security requirements a VO registration procedure must capture and maintain at least the following information:
- VO name. For new VOs this name must conform to the standard described in Appendix A. Existing VOs are not required to change their registered VO name.
- VO Acceptable Use Policy (see example provided in Appendix B).
- A signed copy of the VO Operations Policy (https://edms.cern.ch/document/853968/) document.
- Contact details and certificates for the VO Manager and at least one Alternate:
  - Employing Institute
  - VO Role (Manager or Alternate)
  - Email address
  - Telephone number
  - X.509 certificate issued by a Certification Authority approved for use on the Grid
- A single email address of the security contact point to be used for reports of suspected identity compromises, misuse of resources or other security events related to the VO. Messages to this address should be handled confidentially and promptly.
- The name of the Site, Infrastructure or other body responsible for running the VO Membership service, together with the URL of one or more VO Membership Servers.
If a VO wishes to leave the Grid or the Grid decides to remove the VO, the registration information must be kept by the Grid for a minimum period consistent with the Traceability and Logging Policy (https://edms.cern.ch/document/428037/). Personal registration information must not be retained for longer than one year.
Additional operational requirements may be documented in the Grid-specific document describing the implementation of the VO Registration Procedure.
VO Acceptable Use Policy
The VO Acceptable Use Policy (AUP) is a statement which, by clearly describing the goals of the VO, defines the expected and acceptable usage of the Grid by the members of the VO. By requiring that all members of the VO who participate in the Grid agree to act within the constraints of the VO AUP the VO Manager defines a community of responsible users with a common goal. This definition enables Site Managers to decide whether to allow VO members to use their resources.
The VO AUP must:
- bind VO members to abide by the Grid Acceptable Use Policy (https://edms.cern.ch/document/428036).
- state who gives authority to the Policy.
Appendix A VO Naming
The VO name is a string, used to represent the VO in all interactions with grid software, such as in expressions of policy and access rights.
The VO name must be formatted as a subdomain name as specified in IETF RFC1034 (http://www.ietf.org/rfc/rfc1034.txt) section 3.5. The VO Manager of a VO using a name formatted in this way must be entitled to the use of this name, when interpreted as a name in the Internet Domain Name System.
This entitlement must stem either from a direct delegation of the corresponding name in the Domain Name System by an accredited registrar for the next-higher level subdomain, or from a direct delegation of the equivalent name in the Domain Name System by ICANN, or from the consent of the administrative or operational contact of the next-higher equivalent subdomain name for that VO name that itself is registered with such an accredited registrar.
RFC1034 section 3.5 states that both upper case and lower case letters are allowed, but that no significance is to be attached to the case. Since the software handling VO names today may still be case sensitive, all VO names must be entirely in lower case.
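The following checker, added here as an illustration and not part of the policy text, applies the Appendix A rules to a proposed VO name: the RFC1034 section 3.5 label syntax (a letter, then letters, digits or hyphens, ending in a letter or digit), the RFC1034 limits of 63 characters per label and 255 per name, and the policy's lower-case requirement. The sample names are constructed.

```python
import re

# RFC 1034 section 3.5 <label>: a letter, then optionally letters, digits or
# hyphens, ending in a letter or digit. The pattern is applied to the
# lower-cased label, so the case requirement is reported separately below.
_LABEL_RE = re.compile(r"^[a-z](?:[a-z0-9-]*[a-z0-9])?$")

MAX_LABEL_LEN = 63   # RFC 1034 section 3.5
MAX_NAME_LEN = 255   # RFC 1034 section 3.1


def check_vo_name(name: str) -> list:
    """Return the list of Appendix A violations for a proposed VO name.

    An empty list means the name is acceptable for registration.
    """
    problems = []
    if not name:
        return ["name is empty"]
    if len(name) > MAX_NAME_LEN:
        problems.append(f"name longer than {MAX_NAME_LEN} characters")
    if name != name.lower():
        problems.append("name contains upper case characters (Appendix A requires lower case)")
    for label in name.split("."):
        if not label:
            problems.append("empty label (leading, trailing or doubled '.')")
            continue
        if len(label) > MAX_LABEL_LEN:
            problems.append(f"label '{label}' longer than {MAX_LABEL_LEN} characters")
        if not _LABEL_RE.match(label.lower()):
            problems.append(f"label '{label}' does not match the RFC 1034 <label> syntax")
    return problems


def is_valid_vo_name(name: str) -> bool:
    """True when the name satisfies every Appendix A rule."""
    return not check_vo_name(name)


if __name__ == "__main__":
    # Constructed sample names: one acceptable, the rest each break one rule.
    for candidate in ["vo.example.org", "VO.example.org", "-vo.example.org",
                      "vo..example.org", "1vo.example.org", "a" * 64 + ".example.org"]:
        verdict = check_vo_name(candidate)
        print(f"{candidate[:40]:<40} {'OK' if not verdict else '; '.join(verdict)}")
```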
Appendix B Sample VO Acceptable Use Policy
The following text is presented as an example of a minimal VO Acceptable Use Policy.
“This Acceptable Use Policy applies to all members of [VO Name] Virtual Organisation, hereafter referred to as the VO, with reference to use of the Grid. The [owner body] owns and gives authority to this policy. The goal of the VO is to [describe here the objectives of the VO]. Members and Managers of the VO agree to be bound by the Grid Acceptable Use Policy, the various security policies and other relevant Grid policies, and to use the Grid only in the furtherance of the stated goal of the VO.”