edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
List archive
- From: Peter Schober <peter.schober AT univie.ac.at>
- To: edugain-discuss AT lists.geant.org
- Subject: Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain
- Date: Wed, 14 Apr 2021 13:08:56 +0200
- Organization: ACOnet
* Thijs Kinkhorst <thijs.kinkhorst AT surf.nl> [2021-04-14 12:40]:
> Even if you think that impersonation is an actual and acute risk in
> eduGAIN (I'm not sure it is), I'm skeptical that DNS would be a
> better defense against it.
You mean WHOIS, not so much DNS, I suppose?
Indeed we use all registeres and databases available to us in order to
establish someone's right to use of a "name" (usually in the form of a
domain, e.g. as part of an entityID or scope value), see our very
short https://eduid.at/policy/mdrps/ esp. items 5.1. to 5.3.
> Speaking for ourselves, we not re-check the DNS of entityIDs
> registered by other federations (also not sure how we would be able
> to do so for all entities)
Sure, that's a weakness of eduGAIN -- joining does not
establish/mandate certain registration rules/processes for all
participating federations.
As it is we only ask for federations to document their practices but
more often that documentation only gives a very rough outline of these
processes at best (our own not excluded here).
Of course noone is going to read 70+ federations' practice statements
before inter-federating with them (i.e., accepting metadata from these
registrars), but it's still useful to be able to do that if/when the
need occurs.
> so even using DNS as a measure to test entityIDs against, does not
> for us protect against a scenario where eduID.at would roguely
> register an IdP giving out uva.nl credentials.
Well, if there was a gobal directory providing ownership information
over domains and federations had shared rules that required them to
consult these sources before registering namespaces (and follow simple
rules such as our own 5.1 to 5.3), then that would well protect us
all[1], no?
The issue is that "privacy protection" has rendered WHOIS unusable in
many cases and other sources are of varying quality and availability
(business registers, etc.) as most of us know from the pain of dealing
with WebPKI X.509 Certificate Authorities and their data sources.
I'm not convinved that simply giving up on such checks (and relying on
self-asserted statements by entity registrants) is the best we can do
here.
-peter
[1] Of course nothing can protect against rogue registars, we can only
try to detect that after the fact and then establish corrective
measures that may also help prevent that from happening again in the
future, possibly including terminating a given registrar's eduGAIN
participation in severe cases.
- [eduGAIN-discuss] Use of Azure Active Directory in eduGain, Daniel Muscat, 06-Apr-2021
- RE: [eduGAIN-discuss] Use of Azure Active Directory in eduGain, Aristos Anastasiou, 06-Apr-2021
- Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain, Thijs Kinkhorst, 06-Apr-2021
- Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain, Peter Schober, 06-Apr-2021
- Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain, Thijs Kinkhorst, 06-Apr-2021
- Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain, Guy Halse, 07-Apr-2021
- Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain, Peter Schober, 14-Apr-2021
- Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain, Thijs Kinkhorst, 14-Apr-2021
- Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain, Thijs Kinkhorst, 14-Apr-2021
- Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain, Peter Schober, 04/14/2021
- Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain, Guy Halse, 14-Apr-2021
- Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain, Peter Schober, 14-Apr-2021
- Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain, Chris Phillips, 06-Apr-2021
- <Possible follow-up(s)>
- Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain, Chan, Toby [ITS], 07-Apr-2021
- Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain, Terry Smith, 07-Apr-2021
Archive powered by MHonArc 2.6.19.