=========================================================================
#opendaylight-meeting: OpenDaylight Security Analysis Team, second meeting
=========================================================================

Meeting started by icbts at 15:32:10 UTC. The full logs are available at
http://meetings.opendaylight.org/opendaylight-meeting/2014/opendaylight_security_alaysis_team__second_meeting/opendaylight-meeting-opendaylight_security_alaysis_team__second_meeting.2014-05-09-15.32.log.html .

Meeting summary
---------------
* LINK: https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis (icbts, 15:32:58)
* Original document and discussion from first meeting consolidated into team wiki page (icbts, 15:34:37)
* ACTION: build upon Bundle/Application Security section - research bundle authorization in OSGi (icbts, 15:38:45)
* RBAC for lifecycle operations vs perms for bundle wiring (icbts, 15:39:32)
* bundle signatures? (icbts, 15:40:25)
* At load time bundle signature verification (icbts, 15:40:52)
* At runtime authorization to bundles (icbts, 15:41:04)
* Certificate to run bundles — ?? (icbts, 15:41:22)
* gpg signatures for bundles (icbts, 15:43:21)
* We need to refine GPG signature vs certificates (icbts, 15:43:43)
* example: Apache uses GPG signatures to validate that bundles are from the community (icbts, 15:44:27)
* KEYS file contains public keys for users to validate that bundles come from the community (icbts, 15:44:53)
* Would a certificate be a viable mechanism? (icbts, 15:45:30)
* how to ensure that third parties can make valid certs/signatures? (icbts, 15:46:01)
* Who signs OpenDaylight releases? (icbts, 15:46:36)
* Current status - nothing is being signed (icbts, 15:46:49)
* ACTION: outline some usage parameters for signing releases (icbts, 15:47:10)
* foundation has cert? developers? Who holds the keys? (icbts, 15:48:34)
* TSC / Committers / Release Manager? (icbts, 15:48:47)
* new topic: Export restrictions?? (icbts, 15:49:31)
* OpenDaylight Controller Plugin Security (icbts, 15:51:29)
* General recommendation for the plugins is as follows 1:: DDoS attack protection on plugin exposed ports 2:: Utilize a common crypto key storage 3:: Support a pluggable or built-in certificate authority (icbts, 15:51:55)
* are there more recommendations? (icbts, 15:52:05)
* ACTION: add recommendations to plugin section (icbts, 15:53:15)
* How do we interact with other projects to communicate recommendations? (icbts, 15:53:36)
* TSC discussion for how recommendations are to be shared (icbts, 15:53:56)
* LINK: https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Authorization_of_External_Users (icbts, 15:55:00)
* RBAC for external users? (icbts, 15:55:27)
* recommendations for external users 1:: Access protocol authorization: e.g. a user can only access via HTTPS 2:: Resource Authorization: e.g. what data in the URI tree can the user config/view 3:: Logging access/authorization: useful for incident response analysis. (icbts, 15:56:02)
* Discussion on #2 (icbts, 15:57:07)
* Root Admin, admins of certain parts of controller (icbts, 15:57:36)
* Full vs partial access (icbts, 15:57:45)
* Role Based Access Control (icbts, 15:57:56)
* do all users have access to certain functions? (icbts, 15:58:36)
* Resources vs Services? (icbts, 15:58:49)
* can you make configurations? Which devices? (icbts, 15:59:14)
* Resources/Services authorization (icbts, 15:59:40)
* LINK: https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Device.2FForwarding_Elements_BootStrap.2C_Authentication_and_Authorization (icbts, 16:00:08)
* Discovery of ODL controller and devices (icbts, 16:00:23)
* Backtracking …. Susanta: tenant isolation in Controller? (icbts, 16:00:55)
* Any tenant level roles? (icbts, 16:01:06)
* Super User for ACME? (icbts, 16:01:30)
* Returning to Bootstrap topic (icbts, 16:04:16)
* controller vs device (icbts, 16:08:32)
* LINK: https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Controller_Availability.2FClustering_and_Security (icbts, 16:09:15)
* no updates (icbts, 16:09:19)
* Discussion of infinispan (icbts, 16:09:57)
* Susanta leading discussion of current ODL controller clustering (icbts, 16:10:36)
* people do unexpected things … more research required (icbts, 16:17:11)
* LINK: https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Overall_Recommendations (icbts, 16:17:39)
* ACTION: ongoing discussion of security (icbts, 16:18:08)
* review of high-level recommendations (icbts, 16:18:51)
* phone bridge issues encountered :S (icbts, 16:23:50)
* application isolation (icbts, 16:28:15)
* sandboxing (icbts, 16:28:40)
* see https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Bundle.2FApplication_Security (icbts, 16:28:59)
* for more on sandboxing issues (icbts, 16:29:07)
* should we capture everyone's ID who is working on Security? (icbts, 16:31:21)
* LINK: https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#References (icbts, 16:32:28)
* looking for link to article (icbts, 16:32:36)
* Comments?? (icbts, 16:33:19)
* role based actor? (icbts, 16:40:25)
* attributes vs user (icbts, 16:40:42)
* plan for a week to research then present to TSC (icbts, 16:41:41)

Meeting ended at 16:42:03 UTC.

People present (lines said)
---------------------------
* icbts (69)
* odl_meetbot (5)
* Madhu (2)
* Meenakshi_ (0)

Generated by `MeetBot`_ 0.1.4