Subject Re: Scope spoofing - Scoping Policy Framework?
From Sara Hopkins <sara.hopkins@xxxxxxxx>
Date Thu, 12 Nov 2015 20:07:19 +0000

On 12/11/2015 13:36, Kristof Bajnok wrote:

> Actually I don't see how domain information in endpoints could be
> misused during registration. Its failure only affects the entity itself.
>
> entityIDs are a bit more special than scopes. I would be a little
> suspicious if some unknown entities started to get entityIDs with a
> domain '', but it is an ID, thus as long as they do not clash
> with mine, it is fine. EntityID clashing, on the other hand, can also be
> used as an attack. However, I think there are more possibilities for an
> aggregate operator to detect and mitigate, that's why I suggest this to
> be a topic of another thread.

The UK federation considers scopes and entity IDs both to be critical and has a requirement that the registrant of an entity owns the domain name in the entity ID and/or scope, or if they do not, that the owner of that domain name writes a letter to the federation operator granting permission to the entity registrant for use of the domain in the entity ID and/or scope.

We do not have any such requirement regarding the domain name in the endpoints.

Sara Hopkins
Support Team
UK Access Management Federation for Education and Research

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
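An added illustration of the registration check Sara describes, written for this page and not code from the UK federation, the list, or any of the posters: it parses a small constructed piece of SAML metadata, pulls the domain out of the entityID and every shibmd:Scope value, and reports anything not covered by the registrant's owned domains or by a domain for which a permission letter has been recorded. Endpoint Location URLs are deliberately not checked, matching the policy stated above. The metadata, the domain names (example.ac.uk, victim.ac.uk, hosted.cloudvendor.example) and the function names are all made up for the example; the handling of regexp="true" scopes and non-URL entityIDs (flagged for manual review) is an assumption about what an operator would want, not a statement of federation policy.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Standard SAML metadata and Shibboleth scope namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed metadata: the IdP lives on example.ac.uk but also claims the
# scope victim.ac.uk, and its endpoint is hosted on an unrelated domain.
METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.ac.uk</shibmd:Scope>
        <shibmd:Scope regexp="false">victim.ac.uk</shibmd:Scope>
      </md:Extensions>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://hosted.cloudvendor.example/sso/redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def domain_of_entity_id(entity_id):
    """Hostname of an http(s) entityID, or None for URN-style identifiers."""
    parsed = urlparse(entity_id)
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def covered(domain, owned):
    """True if domain equals, or is a subdomain of, a domain in owned."""
    d = domain.lower().rstrip(".")
    return any(d == o or d.endswith("." + o) for o in owned)


def check_registration(metadata_xml, owned_domains, delegated_domains=()):
    """Return a list of (kind, value, reason) findings for a registration.

    owned_domains: domains the registrant demonstrably owns.
    delegated_domains: domains for which the owner's permission letter is on file.
    Endpoint Location URLs are intentionally not examined.
    """
    allowed = {d.lower() for d in owned_domains} | {d.lower() for d in delegated_domains}
    root = ET.fromstring(metadata_xml)
    findings = []
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        entity_id = ed.get("entityID", "")
        host = domain_of_entity_id(entity_id)
        if host is None:
            # Assumption: URN entityIDs carry no domain, so a human has to look.
            findings.append(("entityID", entity_id, "non-URL entityID: manual review"))
        elif not covered(host, allowed):
            findings.append(("entityID", entity_id, "domain %s not owned or delegated" % host))
        for scope in ed.iter("{%s}Scope" % NS["shibmd"]):
            value = (scope.text or "").strip()
            if scope.get("regexp", "false").lower() == "true":
                # Assumption: a regular-expression scope cannot be matched to one
                # owned domain mechanically, so it is flagged rather than accepted.
                findings.append(("scope", value, "regexp scope: manual review"))
            elif not covered(value, allowed):
                findings.append(("scope", value, "scope domain not owned or delegated"))
    return findings


def run_example(delegated=()):
    """Check the constructed metadata for a registrant that owns example.ac.uk."""
    return check_registration(METADATA, ["example.ac.uk"], delegated)


if __name__ == "__main__":
    for kind, value, reason in run_example():
        print("%s %s: %s" % (kind, value, reason))
```

Run as-is the only finding is the victim.ac.uk scope; the entityID host idp.example.ac.uk is accepted as a subdomain of the owned domain and the cloud-hosted endpoint is ignored. Passing victim.ac.uk as a delegated domain, the equivalent of a permission letter from its owner being on file, clears the finding.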