Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain


Chronological Thread 
  • From: Peter Schober <peter.schober AT univie.ac.at>
  • To: edugain-discuss AT lists.geant.org, edugain-sg AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain
  • Date: Wed, 14 Apr 2021 12:14:18 +0200
  • Organization: ACOnet

(Found this sitting around in my drafts folder, so I'll just post it
now as is...)

* Guy Halse <guy AT tenet.ac.za> [2021-04-07 09:44]:
> Thus I think the concept of proving "ownership" or even "right to
> use" is dated. It is also one that other bodies, such as the CA/B
> Forum, have moved away from. What matters more these days is
> demonstrating operational control.

Whether the WebPKI's use of domain control validation is a good
example for the kind of trust we're trying to establish within
Identity Federations is questionable.
(If that were sufficient we could be blindly trusting whatever
unsigned metadata an entity posted at it's own entityID value in case
that's a URL. Oh wait, that's actually OIDC's "trust" model! ;))

Ask yourself this: Is anything able to get any DCV TLS certificate
trustworthy to do business with? Is that enough to know what
real-world entity is behind this certificate?

Even Thijs speaks out against DCV for trust etablishment:

* Thijs Kinkhorst <thijs.kinkhorst AT surf.nl> [2021-04-06 20:29]:
> In fact, I will argue that the approach of just looking at the DNS
> domain name is far from satisfactory for me. It would mean that the
> only power you need is to be able to create a DNS entry somewhere
> under the institution's domain.

I'm just not sure what the both of you are intending to replacing it with:

* Guy Halse <guy AT tenet.ac.za> [2021-04-07 09:44]:
> What I don't have yet is a good model for demonstrating operational
> control of an AzureAD entityID. However, like Thijs, I'm not
> actually convinced it is completely necessary if our mechanisms for
> validating organisational contacts are robust enough.

So some registered contact person simply saying that this is "their"
domain (for use in scopes, attribute values, entityIDs, etc.) is
sufficient for you?
I guess you may trust your own community with such claims (and might
have easy legal recourse with local entities) but is that good enough
for a global trust fabric, allowing for anyone to claim anyone else's
"tenant" simply by saying so?

-peter



Archive powered by MHonArc 2.6.19.

Top of Page