Attending: Jens (chair+mins), Steve, David, JohnH, Dan, Sam, RobC, Winnie, Teng, Matt, Govind

Apols: Brian (on leave)


0. Operational blog posts

   No operational issues.

   In the past quarter, we only had two blog posts which is not enough.

1. GDBs: https://indico.cern.ch/category/6890/

   David and Sam gave a summary of yesterweek's GDB.

   - The "SciToken" is a JWT-based token embedded in an OAuth2 flow (cf. RFC6749, 6750).
     The difference from Macaroons (see chat) should be that the latter are symmetric key based, whereas the former are based
     on asymmetric keys (certificates?)  The basic idea is to limit what users can do with the token (a la Macaroons and Tickets,
     see chat), but people object that they don't necessarily know what they want to do beforehand.  Sam argues that they should know;
     even for jobs that bind late, they can still pull the token in with the workload.  (There is an analogy with EUDAT where the federated
     login essentially has a "login" which generates a christmas tree token because EUDAT doesn't know what the user will do after they log
     in except for directing them back to a particular service - however, this sort of illustrates the point, as the EUDAT token is a login
     token rather than supporting a specific action.)

   - There is an update from the storage accounting team.
     https://twiki.cern.ch/twiki/bin/view/LCG/AccountingTaskForce#Description_of_the_storage_topol

     Comments (from the experiments) were invited for this document,
     https://docs.google.com/document/d/1yzCvKpxsbcQC5K9MyvXc-vBF1HGPBk4vhjw3MEXoXf8/edit
     but has now closed; between now and December, storage developers will be asked whether this is feasible or, if not, why not;
     the reporting will be given at the December GDB.  (December is also a good time for RAL to work on its reporting as we don't have
     time any other time of the year...)

     UK representation on the task force consists of John Gordon and Adrian Coveney from STFC (APEL), and Andrew McNab representing
     LHCb.

   - There were no other storage related highlights.  The system/costing work does not focus on storage; for those interested in
     storage/cost models, they should look up the Terena storage task force work from some years ago (see GridPP notes from 20140219)

2. Any more loose ends we didn't cover yesterweek (like docs?)

   - Our key docs are now much greener!  Thanks to all who have greened their key docs.  Mr Davies is on leave but we should hear about
     his dCache work at some point.

3. AOB

   NOB


David Crooks: (18/10/2017 10:03:00)
https://indico.cern.ch/event/578991/contributions/2746656/attachments/1538987/2412485/SciTokens-GDB-Oct-2017.pdf
jens: (10:04 AM)
https://research.google.com/pubs/pub41892.html
Samuel Cadellin Skipsey: (10:06 AM)
https://scitokens.org/technical_docs/Verification
David Crooks: (10:07 AM)
Also the OSG AuthZ perspective talk: https://indico.cern.ch/event/670330/contributions/2741948/attachments/1533250/2400753/OSG-AAI-WG.pdf
jens: (10:07 AM)
https://docs.irods.org/4.1.3/icommands/tickets/
Samuel Cadellin Skipsey: (10:19 AM)
https://github.com/scitokens for those interested in the dev work
(there's currently xrootd and cvmfs scitokens stuff for integration)
David Crooks: (10:20 AM)
https://indico.cern.ch/event/670330/contributions/2741949/attachments/1539165/2412853/INDIGO-AAI-October-2017.pdf
https://indico.cern.ch/event/578991/contributions/2738742/attachments/1538745/2412004/ResRep.pdf