edugain-discuss AT lists.geant.org
- From: Daniel Muscat <daniel.muscat AT um.edu.mt>
- To: edugain-discuss AT lists.geant.org
- Subject: Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain
- Date: Fri, 29 Sep 2023 20:34:43 +0200
HI all,
Is there anyone who can give me feedback on Cirrus Bridge?
Regards
Daniel
On Fri, 4 Aug 2023 at 10:29, Daniel Muscat <daniel.muscat AT um.edu.mt> wrote:
Dear all,

In relation to this thread, Microsoft is now encouraging using Cirrus Bridge ( https://learn.microsoft.com/en-us/azure/active-directory/architecture/multilateral-federation-solution-one ) to integrate Azure AD with eduGAIN. Does anybody use this product and can give feedback on how worthy it is?

Regards
Daniel

On Wed, 14 Apr 2021 at 13:24, Guy Halse <guy AT tenet.ac.za> wrote:

Hi

On 2021/04/14 12:14, Peter Schober wrote:
> And WHOIS as a means of proving domain "ownership" for scopes and entityIDs is somehow better?
> Whether the WebPKI's use of domain control validation is a good example for the kind of trust we're trying to establish within Identity Federations is questionable.
Even pre-GDPR, the information contained in WHOIS is/was largely self-asserted. I am whomever I tell my Registrar that I am, and they don't care provided my credit card works. I have *never* been asked to prove identity by a DNS Registrar for anything other than a moderated domain (such as our .ac.za).
Now that WHOIS is both self-asserted and largely redacted and inaccessible, here's what I have to work with when I try to use WHOIS to validate the edugain.org domain:

Domain Name: edugain.org
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: info AT domain-contact.org
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Email: info AT domain-contact.org
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Email: info AT domain-contact.org
Billing Name: REDACTED FOR PRIVACY
Billing Organization: REDACTED FOR PRIVACY
Billing Email: info AT domain-contact.org

At least with the DCV approach, I know that the person I am talking to has some level of administrative control over the domain; with WHOIS I now have nothing...

To be clear, I don't believe that either DCV or WHOIS are sufficient on their own. I'm suggesting that, coupled with other mechanisms we already have, DCV provides analogous levels of trust to WHOIS.

> Ask yourself this: Is anything able to get any DCV TLS certificate trustworthy to do business with? Is that enough to know what real-world entity is behind this certificate?
In this regard, I'm with Thijs:
On 2021/04/14 12:35, Thijs Kinkhorst wrote:
> In short, yes, I believe our procedures, contracts, technological measures AND community individually already provide good guarantees and that all four combined give me a very high confidence in the process.

I'm talking about DCV performed by an individual who has been formally designated as a contact for the organisation responsible for the entity. And that organisation being one with whom there is a direct contractual relationship, and whose identity is verifiable (OV in the PKI analogy). And in a lot of cases, certainly for smaller federations, a person with whom there is an established interpersonal relationship (Thijs's "community" point).
And to extend this to the Azure case, I'm talking about finding an equivalent of DCV to verify the tenant ID used in that entityID that can be coupled with the above to provide a fairly high confidence that the Azure entityID belongs to the organisation claiming it.
Thus far the best I've managed there is to have that individual demonstrate operational control of the tenant over Zoom. Not ideal. Doesn't scale. But doable (and funnily enough, akin to how AATL vendors are doing validation for document signing certs).
Kind regards,
- Guy
--
Guy Halse
Executive Officer: Trust & Identity
Tertiary Education & Research Network of South Africa NPC
Fault Reporting: +27(21)763-7147 or support AT tenet.ac.za
Office: +27(21)763-7102
http://www.tenet.ac.za/contact
https://orcid.org/0000-0002-9388-8592