An open discussion list for topics related to the eduGAIN interfederation service.

[Thijs Kinkhorst <thijs.kinkhorst AT surf.nl>]

[something went wrong when editing this message, resending in readable form]

Op 14-04-2021 om 12:14 schreef Peter Schober:
> * Guy Halse<guy AT tenet.ac.za>  [2021-04-07 09:44]:
> > What I don't have yet is a good model for demonstrating operational
> > control of an AzureAD entityID. However, like Thijs, I'm not
> > actually convinced it is completely necessary if our mechanisms for
> > validating organisational contacts are robust enough.
> So some registered contact person simply saying that this is "their"
> domain (for use in scopes, attribute values, entityIDs, etc.) is
> sufficient for you?
> I guess you may trust your own community with such claims (and might
> have easy legal recourse with local entities) but is that good enough
> for a global trust fabric, allowing for anyone to claim anyone else's
> "tenant" simply by saying so?

In short, yes, I believe our procedures, contracts, technological 
measures AND community individually already provide good guarantees and 
and that all four combined give me a very high confidence in the process.

Even if you think that impersonation is an actual and acute risk in 
eduGAIN (I'm not sure it is), I'm skeptical that DNS would be a better 
defense against it. Speaking for ourselves, we not re-check the DNS of 
entityIDs registered by other federations (also not sure how we would be 
able to do so for all entities), so even using DNS as a measure to test 
entityIDs against, does not for us protect against a scenario where 
eduID.at would roguely register an IdP giving out uva.nl credentials.


Kind regards,
Thijs