Threat/Trust Model

[von]

• In CACR’s court to start and then loop in SOIC
• Omkar & Steve have started on this. Understanding WMS and modeling system as it currently works, what trust boundaries are, what are identities.

Notes from AHM:

• What do we trust entities in the WMS to do
  -- DECISION: The Pegasus user and Submit Node are assumed not to be malicious.
  -- System behavior with malicious user or submit node is undefined.
  -- I.e. we do not defend against a user lying about what workflows they ran or when they ran them.
  -- I.e. we do not defend against a compromised SN changing the user’s intention.
• Initial adversaries:
  -- Application-level data errors due to network, storage (bitrot) errors
  --- E.g. Globus, XSEDE, UChicago use cases. CERN storage paper.
  -- Explicitly not in computation, besides detecting lack of reproducibility.
• Other potential adversaries:
  -- Active network attacker
  -- Active storage/data-at-rest attacker

[von]

Steve: How to get signed provenance information from entities? What does it mean for, e.g. Big Red, to sign something? Is there something useful we can do?