An open discussion list for topics related to the eduGAIN interfederation service.

[Daniel Muscat <daniel.muscat AT um.edu.mt>]

HI all,

  Is there anyone who can give me feedback on Cirrus Bridge?

Regards

Daniel

On Fri, 4 Aug 2023 at 10:29, Daniel Muscat <daniel.muscat AT um.edu.mt> wrote:

Dear all,

   In relation to this thread, Microsoft is now encouraging using Cirrus Bridge ( https://learn.microsoft.com/en-us/azure/active-directory/architecture/multilateral-federation-solution-one ) to integrate Azure Ad with eduGAIN. Does anybody use this product and can give feedback on how worthy it is?

Regards

Daniel

On Wed, 14 Apr 2021 at 13:24, Guy Halse <guy AT tenet.ac.za> wrote:

Hi

On 2021/04/14 12:14, Peter Schober wrote:

Whether the WebPKI's use of domain control validation is a good
example for the kind of trust we're trying to establish within
Identity Federations is questionable.

And WHOIS as a means of proving domain "ownership" for scopes and entitiyIDs is somehow better?

Even pre-GDPR, the information contained in WHOIS is/was largely self-asserted. I am whomever I tell my Registrar that I am, and they don't care provided my credit card works. I have *never* been asked to prove identity by a DNS Registrar for anything other than a moderated domain (such as our .ac.za).

Now what is WHOIS is both self-asserted and largely redacted and inaccessible. Here's what I have to work with when I try to use WHOIS to validate the edugain.org domain:

Domain Name: edugain.org
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: info AT domain-contact.org
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Email: info AT domain-contact.org
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Email: info AT domain-contact.org
Billing Name: REDACTED FOR PRIVACY 
Billing Organization: REDACTED FOR PRIVACY
Billing Email: info AT domain-contact.org

At least with the DCV approach, I know that the person I am talking to has some level of administrative control over the domain; with WHOIS I now have nothing...

Ask yourself this: Is anything able to get any DCV TLS certificate
trustworthy to do business with? Is that enough to know what
real-world entity is behind this certificate?

To be clear, I don't believe that either DCV or WHOIS are sufficient on their own. I'm suggesting that, coupled with other mechanisms we already have, DCV provides analogous levels of trust to WHOIS.

In this regard, I'm with Thijs:

On 2021/04/14 12:35, Thijs Kinkhorst wrote:

In short, yes, I believe our procedures, contracts. technolical measures AND community are individually already provide good guarantees and and that all four combined give me a very high confidence in the process.

I'm talking about DCV performed by an individual who has been formally designated as a contact for the the organisation responsible for the entity. And that organisation being one with whom there is a direct contractual relationship, and whose identity is verifiable (OV in the PKI analogy). And in a lot of cases, certainly for smaller federations, a person with whom there is an established interpersonal relationship (Thijs's "community" point).

And to extend this to the Azure case, I'm talking about finding an equivalent of DCV to verify the tenant ID used in that entityID that can be coupled with the above to provide a fairly high confidence that the Azure entityID belongs to the organisation claiming it.

Thus far the best I've managed there is to have that individual demonstrate operational control of the tenant over Zoom. Not ideal. Doesn't scale. But doable (and funnily enough, akin to how AATL vendors are doing validation for document signing certs).

Kind regards,

- Guy

--

Guy Halse Executive Officer: Trust & Identity Tertiary Education & Research Network of South Africa NPC Fault Reporting: +27(21)763-7147 or support AT tenet.ac.za Office: +27(21)763-7102 http://www.tenet.ac.za/contact https://orcid.org/0000-0002-9388-8592

--

Regards

Daniel

--

Regards

Daniel