Open Issues with central banning:
(input from Nikhef)

- Is there a policy that says that all software providers must implement an
  access control mechanism which could be used by the "central banning
  framework"

- Do all currently deployed services support a "central banning framework"?
  (DPM for example). Note that the exact mechanism need not be fixed, but
  tooling around a (local) banning solution that can retrieve relevant data
  from a central ban service can be sufficient.

  It is important that comprehensive banning is done, even if it then is
  not completely automatic (yet), and tooling/scripting available for RCs.

- On the policy:
  "9.      You should implement the access limitations and banning lists
  defined centrally by Security Operations and should give them priority over
  local policies. The site implementation of the  central banning service
  should be configured such that any ban or restore action made by Security
  Operations is effective within the specified time period"

Here we have "should" and we can't probably ask for a "must" :) But we perhaps
have to expand a bit more on:
- the content of the ban list has to be endorsed by EGI-CSIRT. Endorsement
   is based on a risk analysis taking into account only security incident
   considerations by EGI-CSIRT.
- the process by which bans get added and removed by EGI CSIRT must be
   transparent
- ban list must only operate on individuals (Certificate DNs), not on VOs
   or other entities in the system (also in order to remain transparent and
   implementable in all systems)
- ban lists work as additional banning service, local policy has to be
   acknowledged.

- Technical "implementation":
Do not solely require Argus, but allow any alternative mechanism that
satisfies the policy -- this way the probability of the policy being
accepted and implemented will increase. EGI-CSIRT could e.g. also distribute
flat lists of subjects (signed and distributed to known authenticated
clients) that sites can process.

- Deployment of the framework:
NGIs should ensure that all sites in their constituency have access to an
effective banning service, either deployed at the NGI level, or - if the
resource centres in the NGI are able - in a distributed or RC-based
setup. For scalability reasons, the EGI-CSIRT central ban service should NOT
be the ban service used by individual services inside RCs.

- Ban list deployment:
How the policy is implemented at a particular RC or NGI may vary based on
the size and incident management response times at the RC. Unless adequate
local resources at the RC are available for assessing the central ban
list, fully automatic deployment should be preferred.
At RCs with sufficient CSIRT capability to react within the proposed four
working hours, the deployment could also be based on manually-assisted
banning.
The EGI-CSIRT central ban information should be available in ways that
support both mechanisms (i.e. also as a plain just of subjects).

So automatic deployment (implement as default) might be implemented by
"smaller" sites, bigger sites might want to manage the access control to
their resources autonomously/manually (implementation as an option).