Refeds


Subject RE: Scope spoofing - Scoping Policy Framework?
From Mikael Linden <mikael.linden@xxxxxx>
Date Thu, 12 Nov 2015 12:05:59 +0200 (EET)

Hi Kristof,

> my theorem in brief: scopes play a key role in federated access control 
> therefore steps should be taken in order to prevent scope spoofing in 
> interfederation context.

I completely agree!

> As far as I know there are no policy requirements in eduGAIN for 
> registering scopes for IdP and AA entities. IMHO there should be 
> something.

Just to provide some background information on why scopes are not part of 
the eduGAIN SAML2 metadata profile. In January 2013 we discussed in the eduGAIN 
policy team if scopes should be part of the IdPs' mandatory metadata 
elements. It was decided not to include a mandatory <shibmd:Scope> element in 
an IdP's eduGAIN metadata because the reliability of that information would 
be closely related to their Home federation's registration practices and the 
metadata profile didn't want to regulate those.

Instead, the scope thing was placed in the eduGAIN attribute profile because 
scopes are an attribute thing:
"1.4. Scoped Attributes
If a Service Provider makes use of a scoped attribute (such as 
eduPersonScopedAffiliation or eduPersonPrincipalName), it is encouraged to 
use available mechanisms to ensure the "scope" value of the attribute 
matches one permitted to the Identity Provider asserting the value."

Cheers,
mikael (former eduGAIN policy subtask chair)


-----Original Message-----
From: Kristof Bajnok [mailto:bajnokk@xxxxxxx]
Sent: 11 November 2015 13:29
To: REFeds <refeds@xxxxxxxxxx>
Subject: [refeds] Scope spoofing - Scoping Policy Framework?

Hi all,

my theorem in brief: scopes play a key role in federated access control 
therefore steps should be taken in order to prevent scope spoofing in 
interfederation context.

By scopes I mean the use of the proprietary shibmd:Scope metadata extension, 
because both Shibboleth and SimpleSAMLphp SPs are able to verify scoped 
attribute values with metadata. I think the use of scopes is quite common in 
federations.


As far as I know there are no policy requirements in eduGAIN for registering 
scopes for IdP and AA entities. IMHO there should be something. Currently we 
have this text in eduID.hu:
"All scopes used by the Identity Provider MUST be under a DNS domain which 
is possessed by the operating organisation." I know it is not generic 
enough, so a better statement should be composed for eduGAIN.
But which document should deal with this issue?

However, I think scope spoofing is a more threatening attack vector than 
simply relying on policy to prevent it from happening.

One possible countermeasure is to run periodic checks on the metadata 
aggregate. Its main advantage is that it can be implemented as part of the 
eduGAIN operations effort. However, there is no authoritative source that 
could determine whether one entity is entitled to claim the use of a scope 
or not. Some fuzzy guess could be made, but that guess can be either a false 
positive or a false negative. There might be an eduGAIN scope registry database 
instead, but that would be an administration nightmare, I'm afraid.

Or, on the other hand, SP software could implement something like Sender 
Policy Framework (SPF) does for mail. That would mean that domain owners 
could register RR records to their DNS containing the entityIDs that are 
entitled to use the domain name as a scope. Although I think it would be a 
more or less secure and maintainable solution, there are a couple of 
disadvantages with this, even beyond the trivial one (lack of 
implementation, slow acceptance). First, it limits the scope to be a real 
domain name. Second, it has problems with delegation and proxying.

I'm finishing here because I haven't been thinking too much about this.
I just wanted to draw your attention to this topic and I'm interested in your 
thoughts. Is this something that needs some more effort to work out and/or 
standardise?

Best regards,
Kristof
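The SP-side check both messages refer to (an SP verifying scoped attribute values against the shibmd:Scope elements registered for the asserting IdP, as the eduGAIN attribute profile section 1.4 encourages), written out as an added example that is not code from either poster, from Shibboleth or from SimpleSAMLphp. It assumes a constructed metadata aggregate with two fictional IdPs and only looks at Scope elements under IDPSSODescriptor/Extensions; a value whose scope the issuer has not registered is dropped rather than trusted.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "shibmd": "urn:mace:shibboleth:metadata:1.0"}

# Constructed aggregate (not real eduGAIN data): two IdPs with registered scopes.
AGGREGATE = r"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor><md:Extensions>
      <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
      <shibmd:Scope regexp="true">^[a-z0-9-]+\.example\.edu$</shibmd:Scope>
    </md:Extensions></md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.other.example/idp">
    <md:IDPSSODescriptor><md:Extensions>
      <shibmd:Scope regexp="false">other.example</shibmd:Scope>
    </md:Extensions></md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def load_scopes(metadata_xml):
    """Map each IdP entityID to its registered (scope, is_regexp) pairs."""
    scopes = {}
    root = ET.fromstring(metadata_xml)
    for ent in root.iter("{%s}EntityDescriptor" % NS["md"]):
        eid = ent.get("entityID")
        scopes[eid] = [(s.text.strip(), s.get("regexp", "false") == "true")
                       for s in ent.findall("md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS)]
    return scopes

def scope_permitted(scopes, issuer, scope):
    """True only if the asserting IdP registered this scope (case-insensitive match)."""
    for value, is_regexp in scopes.get(issuer, []):
        if is_regexp:
            if re.fullmatch(value, scope, re.IGNORECASE):
                return True
        elif value.lower() == scope.lower():
            return True
    return False  # unknown issuer or unregistered scope: reject

def filter_scoped_values(scopes, issuer, values):
    """Keep only values of the form user@scope whose scope the issuer may assert."""
    kept = []
    for v in values:
        _user, _, scope = v.partition("@")
        if scope and "@" not in scope and scope_permitted(scopes, issuer, scope):
            kept.append(v)
    return kept
```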