edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
List archive
- From: Thijs Kinkhorst <thijs.kinkhorst AT surf.nl>
- To: edugain-discuss AT lists.geant.org
- Subject: Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain
- Date: Wed, 14 Apr 2021 12:39:41 +0200
- Organization: SURF
[something went wrong when editing this message, resending in readable form]
On 14-04-2021 at 12:14, Peter Schober wrote:
> * Guy Halse <guy AT tenet.ac.za> [2021-04-07 09:44]:
>> What I don't have yet is a good model for demonstrating operational
>> control of an AzureAD entityID. However, like Thijs, I'm not
>> actually convinced it is completely necessary if our mechanisms for
>> validating organisational contacts are robust enough.
>
> So some registered contact person simply saying that this is "their"
> domain (for use in scopes, attribute values, entityIDs, etc.) is
> sufficient for you?
>
> I guess you may trust your own community with such claims (and might
> have easy legal recourse with local entities) but is that good enough
> for a global trust fabric, allowing for anyone to claim anyone else's
> "tenant" simply by saying so?
In short, yes, I believe our procedures, contracts, technological measures AND community individually already provide good guarantees, and that all four combined give me a very high confidence in the process.

Even if you think that impersonation is an actual and acute risk in eduGAIN (I'm not sure it is), I'm skeptical that DNS would be a better defense against it. Speaking for ourselves, we do not re-check the DNS of entityIDs registered by other federations (also not sure how we would be able to do so for all entities), so even using DNS as a measure to test entityIDs against does not, for us, protect against a scenario where eduID.at would roguely register an IdP giving out uva.nl credentials.
Kind regards,
Thijs