Subject Re: Scope spoofing - Scoping Policy Framework?
From Peter Schober <peter.schober@xxxxxxxxxxxx>
Date Thu, 12 Nov 2015 21:48:45 +0100

* Sara Hopkins <sara.hopkins@xxxxxxxx> [2015-11-12 21:07]:
> The UK federation considers scopes and entity IDs both to be critical and
> has a requirement that the registrant of an entity owns the domain name in
> the entity ID and/or scope, or if they do not, that the owner of that domain
> name writes a letter to the federation operator granting permission to the
> entity registrant for use of the domain in the entity ID and/or scope.
> We do not have any such requirement regarding the domain name in the
> endpoints.

FWIW, from our :

  The FOP will ensure that any entity registered satisfies the following
  criteria, that

  5.1 values and ownership of any referenced namespaces (DNS names, URIs,
      etc.) are appropriate, e.g. in md:EntityDescriptor/@entityID or
      protocol endpoint URLs,

  5.2 any shibmd:Scope extension elements represent security domains
      of the organization, or authorization from the owner of the
      security domain has been presented (if applicable),

So our 5.2 is currently a bit more explicit. Also 5.1 is reaching
quite far as it is, potentially also including (though not primarily
intended for) e.g. RequestedAttribute names.
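The registration criteria quoted above (scopes must belong to the registrant's security domain, or ownership evidence must be presented) lend themselves to a first automated triage pass. The script below is an added example, not code from Peter's federation or from the UK federation: it parses a constructed piece of SAML metadata and sorts each shibmd:Scope into "within the entityID's domain tree" or "needs manual review". The `min_labels` cut-off is an assumption standing in for a proper public-suffix list, and regexp scopes are always sent to review rather than interpreted.

```python
"""Triage shibmd:Scope values against the domain of the entityID at registration time."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}
OK = "ok: within entityID domain"
REVIEW_DOMAIN = "review: outside entityID domain, ownership evidence required"
REVIEW_REGEXP = "review: regexp scope, verify by hand"

# Constructed sample (not a real federation's metadata): one IdP under example.ac.uk
# asserting two legitimate scopes, one foreign scope and one regexp scope.
SAMPLE_METADATA = r"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.ac.uk/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.ac.uk</shibmd:Scope>
      <shibmd:Scope regexp="false">students.example.ac.uk</shibmd:Scope>
      <shibmd:Scope regexp="false">other-university.edu</shibmd:Scope>
      <shibmd:Scope regexp="true">^.*\.example\.ac\.uk$</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def entity_id_domain(entity_id):
    """Lower-cased host of a URL-form entityID; URN-form entityIDs yield ""."""
    host = urlparse(entity_id).hostname
    return host.lower() if host else ""

def related_domains(host, min_labels):
    """The host plus each ancestor domain that still has at least min_labels labels.
    (Assumed heuristic: a crude substitute for a public-suffix list.)"""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels)) if len(labels) - i >= min_labels]

def scope_covered_by(scope, domain):
    """True if scope equals domain or lies beneath it."""
    scope = scope.lower().rstrip(".")
    return scope == domain or scope.endswith("." + domain)

def check_scopes(metadata_xml, min_labels=3):
    """Return [(scope, status)] for every shibmd:Scope in a single md:EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single md:EntityDescriptor")
    host = entity_id_domain(root.get("entityID", ""))
    anchors = related_domains(host, min_labels) if host else []
    results = []
    for el in root.iterfind(".//shibmd:Scope", NS):
        scope = (el.text or "").strip()
        if el.get("regexp", "false").lower() == "true":
            results.append((scope, REVIEW_REGEXP))
        elif any(scope_covered_by(scope, d) for d in anchors):
            results.append((scope, OK))
        else:
            results.append((scope, REVIEW_DOMAIN))
    return results
```

Anything that lands in a review bucket is exactly the case the quoted 5.2 clause covers: the registrar needs the owner's authorisation before publishing the scope.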