edugain-discuss AT lists.geant.org
An open discussion list for topics related to the eduGAIN interfederation service.
List archive
- From: Guy Halse <guy AT tenet.ac.za>
- To: <edugain-discuss AT lists.geant.org>, <edugain-sg AT lists.geant.org>
- Subject: Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain
- Date: Wed, 14 Apr 2021 13:23:46 +0200
- Organization: Tertiary Education & Research Network of South Africa NPC
Hi
On 2021/04/14 12:14, Peter Schober wrote:
> Whether the WebPKI's use of domain control validation is a good example for the kind of trust we're trying to establish within Identity Federations is questionable.

And WHOIS as a means of proving domain "ownership" for scopes and entityIDs is somehow better?
Even pre-GDPR, the information contained in WHOIS is/was largely self-asserted. I am whoever I tell my Registrar that I am, and they don't care provided my credit card works. I have *never* been asked to prove identity by a DNS Registrar for anything other than a moderated domain (such as our .ac.za).
Now WHOIS is both self-asserted and largely redacted and inaccessible. Here's what I have to work with when I try to use WHOIS to validate the edugain.org domain:
Domain Name: edugain.org
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: info AT domain-contact.org
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Email: info AT domain-contact.org
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Email: info AT domain-contact.org
Billing Name: REDACTED FOR PRIVACY
Billing Organization: REDACTED FOR PRIVACY
Billing Email: info AT domain-contact.org

At least with the DCV approach, I know that the person I am talking to has some level of administrative control over the domain; with WHOIS I now have nothing...
> Ask yourself this: Is anything able to get any DCV TLS certificate trustworthy to do business with? Is that enough to know what real-world entity is behind this certificate?

To be clear, I don't believe that either DCV or WHOIS are sufficient on their own. I'm suggesting that, coupled with other mechanisms we already have, DCV provides analogous levels of trust to WHOIS.
In this regard, I'm with Thijs:

On 2021/04/14 12:35, Thijs Kinkhorst wrote:
> In short, yes, I believe our procedures, contracts, technological measures AND community individually already provide good guarantees and that all four combined give me a very high confidence in the process.

I'm talking about DCV performed by an individual who has been formally designated as a contact for the organisation responsible for the entity. And that organisation being one with whom there is a direct contractual relationship, and whose identity is verifiable (OV in the PKI analogy). And in a lot of cases, certainly for smaller federations, a person with whom there is an established interpersonal relationship (Thijs's "community" point).
And to extend this to the Azure case, I'm talking about finding an equivalent of DCV to verify the tenant ID used in that entityID that can be coupled with the above to provide a fairly high confidence that the Azure entityID belongs to the organisation claiming it.
Thus far the best I've managed there is to have that individual demonstrate operational control of the tenant over Zoom. Not ideal. Doesn't scale. But doable (and funnily enough, akin to how AATL vendors are doing validation for document signing certs).
Kind regards,
- Guy
--
Guy Halse
Executive Officer: Trust & Identity
Tertiary Education & Research Network of South Africa NPC
Fault Reporting: +27(21)763-7147 or support AT tenet.ac.za
Office: +27(21)763-7102
http://www.tenet.ac.za/contact
https://orcid.org/0000-0002-9388-8592
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
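Added example (not part of the message above, nor anything eduGAIN or TENET publishes): one way to get a "DCV-equivalent" binding between an Azure AD entityID and a DNS domain whose control the registrant has already demonstrated. It assumes two things about Microsoft's public behaviour that the thread does not state: that Azure AD serves an OpenID Connect discovery document at https://login.microsoftonline.com/<domain>/v2.0/.well-known/openid-configuration for any domain verified in a tenant (and an error document otherwise), with the tenant GUID in its "issuer"; and that the tenant's SAML entityID has the form https://sts.windows.net/<tenant-guid>/. The sample documents and GUIDs are constructed so the check runs offline. Note what this does and does not prove: a match shows the domain is verified in that tenant; it says nothing about whether the person you are talking to controls the tenant, which is why it only makes sense coupled with DCV of the domain and the contractual/community checks discussed above.

```python
"""Bind an Azure AD SAML entityID to a DNS domain via OIDC discovery (added example)."""
import json
import re
import urllib.error
import urllib.request

# Assumed public endpoint: Azure AD OIDC discovery, addressable by a domain verified in a tenant.
DISCOVERY_URL = ("https://login.microsoftonline.com/{domain}"
                 "/v2.0/.well-known/openid-configuration")

GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
# Issuer forms assumed for the v2.0 and v1 endpoints respectively.
ISSUER_RE = re.compile(
    rf"^https://(?:login\.microsoftonline\.com/({GUID})/v2\.0|sts\.windows\.net/({GUID})/)$")
# Assumed Azure AD SAML entityID form.
ENTITY_ID_RE = re.compile(rf"^https://sts\.windows\.net/({GUID})/$")


def tenant_id_from_discovery(doc):
    """Return the lower-cased tenant GUID named in a discovery document's issuer.

    Raises ValueError for an error document (domain verified in no tenant) or an
    issuer that is not of an expected Azure AD form.
    """
    if "error" in doc:
        raise ValueError(f"discovery failed: {doc.get('error_description') or doc['error']}")
    m = ISSUER_RE.match(doc.get("issuer", ""))
    if not m:
        raise ValueError(f"unexpected issuer: {doc.get('issuer')!r}")
    return (m.group(1) or m.group(2)).lower()


def tenant_id_from_entity_id(entity_id):
    """Return the lower-cased tenant GUID embedded in an Azure AD entityID."""
    m = ENTITY_ID_RE.match(entity_id)
    if not m:
        raise ValueError(f"not an Azure AD entityID: {entity_id!r}")
    return m.group(1).lower()


def entity_id_bound_to_domain(entity_id, discovery_doc):
    """True iff the entityID's tenant is the tenant that has the domain verified."""
    return tenant_id_from_entity_id(entity_id) == tenant_id_from_discovery(discovery_doc)


def fetch_discovery(domain):
    """Live lookup (network). Azure AD answers an unknown domain with HTTP 400 and an
    error JSON body; that body is returned so the caller sees the same shape either way."""
    try:
        with urllib.request.urlopen(DISCOVERY_URL.format(domain=domain), timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        return json.load(e)


# Constructed sample documents (made-up tenant GUID) so the check runs offline.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/token",
}
SAMPLE_ERROR = {
    "error": "invalid_tenant",
    "error_description": "Tenant 'example.invalid' not found. (constructed sample)",
}

if __name__ == "__main__":
    claimed = f"https://sts.windows.net/{SAMPLE_TENANT}/"
    print(entity_id_bound_to_domain(claimed, SAMPLE_DISCOVERY))  # True
    # For a real registration: fetch_discovery("example.ac.za") in place of SAMPLE_DISCOVERY.
```

In a registration workflow the domain passed to fetch_discovery would be the one the contact has just proven control of (the same domain used for the scope), so a True result ties scope, DNS control and tenant GUID together in one step rather than relying on the registrant's word for the GUID.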