On 10 Jul 2018, at 16:32, Niels van Dijk
<niels.vandijk at surfnet.nl> wrote:
Hi,
On 10-07-18 15:56, Heather Flanagan wrote:
1. Satosa Security review
Team in GEANT is offering to do a security review of Satosa and is looking for guidance
on where to start. Ivan’s suggestion: “SATOSA only connects frontends to backend (and vice
versa), with some intermediate logic that defines the internal representation of the
information it has collected, plus the metadata and configuration. The "heavy
lifting" is left to the libraries that actually implement the standards. IMHO, the
tricky bits are there; in the libs. So, my vote would be yes, but let's start with the
shell (SATOSA) and see if we can move towards the core (libs) later.”
Note that SATOSA will evolve over time, so some of what gets reviewed will change. Should
we hold off on doing this until the code settles a bit? It could help prioritize, and the
GN4 project does have extra budget now. Could do a lightweight evaluation now, and more
in-depth next year. Ask Niels if this is a one-off thing; if it can be repeated, then go
ahead and do it now.
The intent is indeed to have multiple iterations. My proposal is in line with what Ivan
suggests: do a lightweight version now to set a baseline, that either GEANT project or
others can then use to work on top of.
I appreciate the software evolves (it should!). We should perhaps make some considerations
on when we feel it is needed to have a security review.
Based on Ivan's comments I could imagine a new full version of SaToSa might be such an
event, but more likely a new version of either the pySAML or the pyOIDC library, I think
(which by itself might be a reason to also bump the version number of SaToSa).
Or if/when we move from pyOIDC to the JWTConnect Python libraries.
— Roland
The higher up you go, the more mistakes you are allowed. Right at the top, if you make
enough of them, it's considered to be your style.
-Fred Astaire, dancer, actor, singer, musician, and choreographer (10 May 1899-1987)