Refeds


Subject Re: Scope spoofing - Scoping Policy Framework?
From Tom Scavo <trscavo@xxxxxxxxxxxxx>
Date Wed, 11 Nov 2015 19:17:44 -0500

Hi Kristof,

On Wed, Nov 11, 2015 at 8:29 AM, Kristof Bajnok <bajnokk@xxxxxxx> wrote:
>
> As far as I know there are no policy requirements in eduGAIN for
> registering scopes for IdP and AA entities. IMHO there should be
> something. Currently we have this text in eduID.hu:
> `All scopes used by the Identity Provider MUST be under a DNS domain
> which is possessed by the operating organisation.' I know it is not
> generic enough, so a better statement should be composed for eduGAIN.

FWIW, I don't think this is an eduGAIN issue. As I see it, eduGAIN is a
service, not a policy-making body.

> But which document should deal with this issue?

Well, I'm not sure it's the right problem to solve. There are three
important uses of domains in IdP metadata: entityID, scope, and
endpoints. All three are important, I think.

> One possible countermeasure is to run periodic checks on the metadata
> aggregate. Its main advantage is that it can be implemented as part of
> the eduGAIN operations effort.

I don't think the eduGAIN operators are in a position to claim much
about a scope in metadata. I don't see how anyone but the metadata
registrar can make such claims.

> However, there is no authoritative source
> that could determine whether one entity is entitled to claim the use of
> a scope or not. Some fuzzy guess could be made but that guess can be
> both false positive or negative.

Yes, that's true. When a registrar publishes an IdP entity descriptor,
the registrar is implicitly making a claim about the domains in that
metadata. If we standardize anything, it should be the essence of that
claim.

> First, it limits the scope to be a real domain name.

That horse has already left the barn, I'm afraid. In the case of
eduPersonUniqueId, the scope actually is a DNS domain.

> Second, it has problems with delegation and proxying.

Yes, it is well known that scoped attributes do not traverse a gateway
or proxy very well. That is "by design," I think.

> Is this something that needs some more effort to work out
> and/or standardise?

Yes, I think so. Have you thought about committing your thoughts to
the REFEDS 2016 Work Plan Preparation [1] document in the wiki?

Tom

[1] https://wiki.refeds.org/x/nwBl
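An added example, not code from this thread or from any federation's tooling: a small Python check of the sort Kristof proposes to run periodically over the aggregate. It follows Tom's observation that entityID, scopes and endpoint locations all carry domains and flags, per IdP/AA entity, scopes that are not DNS names, regexp scopes, scopes whose registrable domain matches neither the entityID host nor any endpoint host, and scopes claimed by more than one entity. It cannot establish who owns a domain, so every hit is a review item for the registrar rather than a verdict, which is exactly the false-positive/false-negative caveat raised above. The metadata aggregate, entityIDs, hostnames and scopes are constructed for this example, and the two-label approximation of a registrable domain (no public-suffix list) is an assumption of the example.

```python
"""Heuristic scope-vs-domain check over a SAML metadata aggregate (added example).

It cannot prove domain ownership; each finding is a hint for the registrar.
The aggregate, hostnames and scopes below are constructed for this example.
"""
import re
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Lowercase RFC 1123 hostname with at least two labels.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

REASON_REGEXP = "regexp scope: cannot be checked against a domain, review by hand"
REASON_NOT_DNS = "scope is not a DNS domain name"
REASON_UNRELATED = "scope not under any entityID/endpoint domain of this entity"
REASON_DUPLICATE = "scope also claimed by another entity in the aggregate"

# Constructed sample: one well-behaved IdP and one that also claims the first
# IdP's scope, a regexp scope and a value that is not a DNS name at all.
SAMPLE_AGGREGATE = r"""<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example-uni.hu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example-uni.hu</shibmd:Scope>
        <shibmd:Scope regexp="false">students.example-uni.hu</shibmd:Scope>
      </md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example-uni.hu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sso.other.example/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">other.example</shibmd:Scope>
        <shibmd:Scope regexp="false">example-uni.hu</shibmd:Scope>
        <shibmd:Scope regexp="true">^.*\.example-uni\.hu$</shibmd:Scope>
        <shibmd:Scope regexp="false">not a domain</shibmd:Scope>
      </md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://login.other.example/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    Assumption of this example: no public-suffix list, so under ac.uk-style
    second-level domains everything collapses and the check gets too permissive."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def asserted_hosts(entity):
    """Hosts the entity asserts about itself: the entityID host when the entityID
    is a URL (URN entityIDs contribute nothing) plus every endpoint Location host."""
    hosts = set()
    urls = [entity.get("entityID", "")]
    urls += [el.get("Location") for el in entity.iter() if el.get("Location")]
    for url in urls:
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def check_aggregate(xml_text):
    """Return (entityID, scope, reason) findings for every IdP/AA in the aggregate."""
    root = ET.fromstring(xml_text)
    findings = []
    claims = {}  # plain scope -> set of entityIDs claiming it
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        eid = entity.get("entityID", "")
        roles = (entity.findall("md:IDPSSODescriptor", NS)
                 + entity.findall("md:AttributeAuthorityDescriptor", NS))
        if not roles:
            continue  # SPs carry no scopes
        own = {registrable(h) for h in asserted_hosts(entity)}
        for role in roles:
            for sc in role.findall("md:Extensions/shibmd:Scope", NS):
                value = (sc.text or "").strip()
                if sc.get("regexp", "false").lower() == "true":
                    # A regexp can match anything; nobody can say which domains it "owns".
                    findings.append((eid, value, REASON_REGEXP))
                    continue
                value = value.lower()
                claims.setdefault(value, set()).add(eid)
                if not HOSTNAME_RE.match(value):
                    findings.append((eid, value, REASON_NOT_DNS))
                elif registrable(value) not in own:
                    findings.append((eid, value, REASON_UNRELATED))
    # Two entities asserting the same scope is the textbook spoofing pattern;
    # which one is legitimate only the registrar can say.
    for scope, eids in claims.items():
        if len(eids) > 1:
            findings.extend((eid, scope, REASON_DUPLICATE) for eid in sorted(eids))
    return findings


if __name__ == "__main__":
    for eid, scope, reason in check_aggregate(SAMPLE_AGGREGATE):
        print("%-45s %-28s %s" % (eid, scope, reason))
```

Run against the sample, the first IdP produces no per-scope findings, the second is flagged for the borrowed example-uni.hu scope, the regexp scope and the non-DNS value, and both entities are listed for the shared scope. Which of the two may legitimately use example-uni.hu is precisely what the metadata alone cannot tell you.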