edugain-discuss - Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain


  • From: Peter Schober <peter.schober AT univie.ac.at>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain
  • Date: Wed, 14 Apr 2021 13:08:56 +0200
  • Organization: ACOnet

* Thijs Kinkhorst <thijs.kinkhorst AT surf.nl> [2021-04-14 12:40]:
> Even if you think that impersonation is an actual and acute risk in
> eduGAIN (I'm not sure it is), I'm skeptical that DNS would be a
> better defense against it.

You mean WHOIS, not so much DNS, I suppose?

Indeed we use all registers and databases available to us in order to
establish someone's right to use a "name" (usually in the form of a
domain, e.g. as part of an entityID or scope value), see our very
short https://eduid.at/policy/mdrps/ esp. items 5.1. to 5.3.

> Speaking for ourselves, we do not re-check the DNS of entityIDs
> registered by other federations (also not sure how we would be able
> to do so for all entities)

Sure, that's a weakness of eduGAIN -- joining does not
establish/mandate certain registration rules/processes for all
participating federations.
As it is, we only ask federations to document their practices, but
more often than not that documentation only gives a very rough outline
of these processes at best (our own not excluded here).
Of course no one is going to read 70+ federations' practice statements
before inter-federating with them (i.e., accepting metadata from these
registrars), but it's still useful to be able to do that if/when the
need occurs.

> so even using DNS as a measure to test entityIDs against does not,
> for us, protect against a scenario where eduID.at would roguely
> register an IdP giving out uva.nl credentials.

Well, if there was a global directory providing ownership information
over domains and federations had shared rules that required them to
consult these sources before registering namespaces (and follow simple
rules such as our own 5.1 to 5.3), then that would protect us all
well[1], no?
The issue is that "privacy protection" has rendered WHOIS unusable in
many cases and other sources are of varying quality and availability
(business registers, etc.) as most of us know from the pain of dealing
with WebPKI X.509 Certificate Authorities and their data sources.

I'm not convinced that simply giving up on such checks (and relying on
self-asserted statements by entity registrants) is the best we can do
here.

-peter

[1] Of course nothing can protect against rogue registrars; we can only
try to detect that after the fact and then establish corrective
measures that may also help prevent that from happening again in the
future, possibly including terminating a given registrar's eduGAIN
participation in severe cases.
