Refeds


Subject Re: Scope spoofing - Scoping Policy Framework?
From Kristof Bajnok <bajnokk@xxxxxxx>
Date Thu, 12 Nov 2015 14:48:19 +0100

Hi Niels,

On 2015-11-12 10:28, Niels van Dijk wrote:
> In theory I agree with your write-up, however in practice there
> are several issues.
> 
> One scenario we should include is where a proxy could be
> delivering many scopes on behalf of IdPs behind the proxy. This is
> common for Hub-n-Spoke federations, but also exists in e.g. UK
> Access federation where some proxies like eduServe exist. Also IdP
> as a Service scenarios could be serving multiple scopes.
> 
> Another scenario is where institutions could have multiple 'brands'
> attached which are served from the same IdP.
> 
> I am not saying the scenarios above are conflicting with your
> description, it's just that whatever we come up with should also fit
> these.

IMHO a DNS-based SPF-like scope protection could be made to work with
proxies, if these proxies are *known to be proxies* by the relying
party. I mean that
* an institution can claim that a H&S federation proxy is entitled to
use its domain name as a scope
* an SP behind an SP proxy should disable scope validation (as it does
now, if I'm correct)

On the other hand, I realize it's no fun asking thousands of members
to perform a simple DNS modification, even if it's for protecting
their identities.

> By the way, if we are discussing scope, we should probably also
> add SchacHomeOrganisation into the discussion. We are for example 
> expecting the scope to match the SHO.

Yes by any chance.

> Please also find some comments and questions (to you and Tom)
> inline

Huh, I've just realized that I repeated most of your arguments... :)

Kristof
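The DNS-based, SPF-like scope check sketched in this message, written out as an added example that is not from the thread, from REFEDS or from any federation software. Everything below is an assumption made for illustration: the TXT record syntax (`v=scope1 idp=<entityID> ...`), the in-memory table standing in for DNS, the entityIDs and scopes, and the "neutral" verdict for a domain that publishes no policy (the relying party would then fall back to its existing metadata scope check). It covers the three cases raised above: a Hub-and-Spoke proxy explicitly entitled by the institution, a second brand served by the same IdP, an SP behind an SP proxy that skips the check, plus Niels' expectation that the scope matches schacHomeOrganization.

```python
"""Toy relying-party check of a DNS-published 'which IdPs may assert this
scope' policy. Added example for the thread; the record format is invented."""
from typing import Callable, Iterable, Optional, Set, Tuple

# Constructed stand-in for DNS: scope domain -> TXT records at some agreed
# label. Real code would resolve e.g. _scope.<domain> with a DNS resolver.
CONSTRUCTED_DNS = {
    "university.example": [
        # The institution names its own IdP and the H&S federation proxy
        # as entitled to assert its domain as a scope.
        "v=scope1 idp=https://idp.university.example/idp/shibboleth "
        "idp=https://hub.federation.example/proxy",
    ],
    "brand.university.example": [
        # A second 'brand' served by the same institutional IdP only.
        "v=scope1 idp=https://idp.university.example/idp/shibboleth",
    ],
    # "university.invalid" publishes nothing: no policy -> neutral.
}


def lookup_txt(scope: str) -> Iterable[str]:
    """Constructed resolver: return the TXT records for a scope domain."""
    return CONSTRUCTED_DNS.get(scope.lower(), [])


def parse_scope_policy(records: Iterable[str]) -> Optional[Set[str]]:
    """Return the set of entitled entityIDs from the first v=scope1 record,
    or None when no valid policy record exists."""
    for rec in records:
        tokens = rec.split()
        if not tokens or tokens[0] != "v=scope1":
            continue
        return {t[len("idp="):] for t in tokens[1:] if t.startswith("idp=")}
    return None


def validate_scoped_value(
    value: str,
    asserting_idp: str,
    lookup: Callable[[str], Iterable[str]] = lookup_txt,
    schac_home_org: Optional[str] = None,
    behind_sp_proxy: bool = False,
) -> Tuple[str, str]:
    """Check a scoped attribute value (e.g. eduPersonPrincipalName).

    Returns (verdict, reason) with verdict in {"pass", "fail", "neutral"}.
    "neutral" means the scope owner publishes no policy, so the RP should
    fall back to its usual metadata-based scope check.
    """
    # As noted in the thread, an SP behind an SP proxy sees the proxy as the
    # asserting party, so it cannot validate scopes itself.
    if behind_sp_proxy:
        return "pass", "scope validation disabled: SP sits behind an SP proxy"

    local, sep, scope = value.rpartition("@")
    if not sep or not local or not scope:
        return "fail", "malformed scoped value"
    scope = scope.lower()

    # Expect the scope to match schacHomeOrganization when it is released.
    if schac_home_org is not None and schac_home_org.lower() != scope:
        return "fail", f"scope {scope} does not match schacHomeOrganization {schac_home_org}"

    allowed = parse_scope_policy(lookup(scope))
    if allowed is None:
        return "neutral", f"no scope policy published for {scope}"
    if asserting_idp not in allowed:
        return "fail", f"{asserting_idp} is not entitled to assert scope {scope}"
    return "pass", "asserting IdP is entitled to this scope"


if __name__ == "__main__":
    for eppn, idp in [
        ("alice@university.example", "https://hub.federation.example/proxy"),
        ("alice@university.example", "https://idp.other.example/idp"),
        ("bob@brand.university.example", "https://hub.federation.example/proxy"),
        ("carol@university.invalid", "https://idp.other.example/idp"),
    ]:
        print(eppn, idp, *validate_scoped_value(eppn, idp))
```

The lookup function is injected so the same logic runs against a real resolver later; the SPF-like "neutral" result keeps the check deployable while most institutions have not yet published a record, which is the adoption concern the message raises.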