An open discussion list for topics related to the eduGAIN interfederation service.

[Thijs Kinkhorst <thijs.kinkhorst AT surf.nl>]

Op 14-04-2021 om 12:14 schreef Peter Schober:
> * Guy Halse<guy AT tenet.ac.za>  [2021-04-07 09:44]:
> > What I don't have yet is a good model for demonstrating operational
> > control of an AzureAD entityID. However, like Thijs, I'm not
> > actually convinced it is completely necessary if our mechanisms for
> > validating organisational contacts are robust enough.
> So some registered contact person simply saying that this is "their"
> domain (for use in scopes, attribute values, entityIDs, etc.) is
> sufficient for you?
> I guess you may trust your own community with such claims (and might
> have easy legal recourse with local entities) but is that good enough
> for a global trust fabric, allowing for anyone to claim anyone else's
> "tenant" simply by saying so?

In short, yes, I believe our procedures, contracts. technolical measures 
AND community are individually already provide good guarantees and and 
that all four combined give me a very high confidence in the process.

Even if you think that impersonation is an actual and acute risk in 
eduGAIN (I'm not sure it is), I'm skeptical that DNS would be a better 
defense against it. Speaking for our selves, not re-check the DNS of 
entityIDs registered by other federations (also not sure how we would be 
able to do so for all entities), so even using DNS as a measure does not 
protect against a scenario where eduID.at would roguely register an IdP 
giving out uva.nl credentials.


Kind regards,
Thijs