Subject: Re: Scope spoofing - Scoping Policy Framework?
From: Kristof Bajnok <bajnokk@xxxxxxx>
Date: Thu, 12 Nov 2015 14:36:18 +0100

Hi Tom,

On 2015-11-12 01:17, Tom Scavo wrote:
> On Wed, Nov 11, 2015 at 8:29 AM, Kristof Bajnok <bajnokk@xxxxxxx> wrote:
>> As far as I know there are no policy requirements in eduGAIN for
>> registering scopes for IdP and AA entities. IMHO there should be
>> something. 
> FWIW, I don't think this is an eduGAIN issue. As I see it, eduGAIN is
> service, not a policy making body.

I think eduGAIN provides a trust framework, too. And because forging
scopes might lead to identity spoofing, I'd like to have this issue
addressed in its policy as well.

>> But which document should deal with this issue?
> Well, I'm not sure it's the right problem to solve. There are three
> important uses of domains in IdP metadata: entityID, scope, and
> endpoints. All three are important, I think.

Actually I don't see how domain information in endpoints could be
misused during registration. Its failure only affects the entity itself.

entityIDs are a bit more special than scopes. I would be a little
suspicious if some unknown entities started to get entityIDs with a
domain '', but it is an ID, thus as long as they do not clash
with mine, it is fine. EntityID clashing, on the other hand, can also be
used as an attack. However, I think there are more possibilities for an
aggregate operator to detect and mitigate, that's why I suggest this be
a topic for another thread.

>> One possible countermeasure is to run periodic checks on the metadata
>> aggregate. Its main advantage is that it can be implemented as part of
>> the eduGAIN operations effort.
> I don't think the eduGAIN operators are in a position to claim much
> about a scope in metadata. I don't see how anyone but the metadata
> registrar can make such claims.

My proposal about SPF tries to put it on the organization operating the
domain's DNS.

> Yes, that's true. When a registrar publishes an IdP entity descriptor,
> the registrar is implicitly making a claim about the domains in that
> metadata. If we standardize anything, it should be the essence of that
> claim.
>> First, it limits the scope to be a real domain name.
> That horse has already left the barn, I'm afraid. In the case of
> eduPersonUniqueId, the scope actually is a DNS domain.

talks about 'administrative domain'. Is it semantically equivalent to a
registered domain name?

>> Second, it has problems with delegation and proxying.
> Yes, it is well known that scoped attributes do not traverse a gateway
> or proxy very well. That is "by design," I think.

Yeah, but H&S federations and also SP proxies use them commonly. Of
course, in this case only the proxy is able to verify the scope.

>> Is this something that needs some more effort to work out
>> and/or standardise?
> Yes, I think so. Have you thought about committing your thoughts to
> the REFEDS 2016 Work Plan Preparation [1] document in the wiki?

Thanks for pointing this out. TODO.
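As an added illustration (not from this thread, eduGAIN or REFEDS), the following Python script sketches the two ideas discussed above: a periodic check over a metadata aggregate that lists every shibmd:Scope per IdP, and an SPF-style lookup that asks the domain's own DNS whether it authorises that entityID. The aggregate and the DNS answers are constructed inline; the `_saml-scope.<domain>` TXT name and the `v=scope1 entity=...` record format are hypothetical assumptions made for the example, not any published specification.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed sample aggregate: one legitimate IdP, one IdP claiming a
# scope it does not own, one with a regexp and a malformed scope, and one
# whose domain publishes no authorisation record at all.
SAMPLE_AGGREGATE = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example-university.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">example-university.org</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.rogue.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">example-university.org</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.other.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="true">^.*\\.other\\.example$</shibmd:Scope>
        <shibmd:Scope regexp="false">not_a_domain!</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.unregistered.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope>unregistered.example</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Constructed stand-in for DNS: TXT records at a hypothetical
# _saml-scope.<domain> name. A real checker would query DNS here.
CONSTRUCTED_TXT = {
    "_saml-scope.example-university.org": [
        "v=scope1 entity=https://idp.example-university.org/idp",
    ],
}


def constructed_txt_lookup(name):
    """Return the TXT strings for `name`, or [] when nothing exists."""
    return CONSTRUCTED_TXT.get(name.lower(), [])


# Plain DNS hostname syntax: 1-63 char labels, no leading/trailing hyphen,
# at least two labels, 253 chars overall. Case-insensitive.
_DNS_NAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def is_dns_name(scope):
    return bool(_DNS_NAME.match(scope.lower()))


def extract_scopes(xml_text):
    """Yield (entityID, scope, is_regexp) for every IdP scope in the aggregate."""
    root = ET.fromstring(xml_text)
    for ent in root.iter("{%s}EntityDescriptor" % NS["md"]):
        entity_id = ent.get("entityID")
        for idp in ent.findall("md:IDPSSODescriptor", NS):
            for sc in idp.findall(".//shibmd:Scope", NS):
                is_regexp = (sc.get("regexp", "false").lower() == "true")
                yield entity_id, (sc.text or "").strip(), is_regexp


def authorised_entities(txt_strings):
    """Parse the hypothetical v=scope1 record into the set of entityIDs it lists."""
    allowed = set()
    for rec in txt_strings:
        tokens = rec.split()
        if not tokens or tokens[0] != "v=scope1":
            continue
        allowed.update(t[len("entity="):] for t in tokens[1:] if t.startswith("entity="))
    return allowed


def check_aggregate(xml_text, txt_lookup=constructed_txt_lookup):
    """Map (entityID, scope) -> status for an operator to review."""
    results = {}
    for entity_id, scope, is_regexp in extract_scopes(xml_text):
        if is_regexp:
            status = "regexp-scope"            # cannot be tied to one DNS domain
        elif not is_dns_name(scope):
            status = "invalid-domain"          # scope is not a registrable name
        else:
            allowed = authorised_entities(txt_lookup("_saml-scope." + scope))
            if not allowed:
                status = "no-authorization-record"
            elif entity_id in allowed:
                status = "ok"
            else:
                status = "entity-not-authorized"  # another IdP claims this domain
        results[(entity_id, scope)] = status
    return results


if __name__ == "__main__":
    for (eid, scope), status in sorted(check_aggregate(SAMPLE_AGGREGATE).items()):
        print("%-24s %-45s %s" % (status, eid, scope))
```

Everything except "ok" is a finding for a human, not an automatic rejection: a regexp scope or a missing record may be perfectly legitimate under a federation's registration practice, which is exactly the policy question the thread is about. Swapping `constructed_txt_lookup` for a real resolver call is the only change needed to run it against a live aggregate.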