Threat/Trust Model

[von]

• In CACR’s court to start and then loop in SOIC
• Omkar & Steve have started on this. Understanding WMS and modeling system as it currently works, what trust boundaries are, what are identities.

Notes from AHM:

• What do we trust entities in the WMS to do -- DECISION: The Pegasus user and Submit Node are assumed not to be malicious. -- System behavior with malicious user or submit node is undefined. -- I.e. we do not defend against a user lying about what workflows they ran or when they ran them. -- I.e. we do not defend against a compromised SN changing the user’s intention.
• Initial adversaries: -- Application-level data errors due to network, storage (bitrot) errors --- E.g. Globus, XSEDE, UChicago use cases. CERN storage paper. -- Explicitly not in computation, besides detecting lack of reproducibility.
• Other potential adversaries: -- Active network attacker -- Active storage/data-at-rest attacker

[von]

Steve: How to get signed provenance information from entities? What does it mean for, e.g. Big Red, to sign something? Is there something useful we can do?