Subject Re: Scope spoofing - Scoping Policy Framework?
From Tom Scavo <trscavo@xxxxxxxxxxxxx>
Date Thu, 12 Nov 2015 17:55:36 -0500

On Thu, Nov 12, 2015 at 8:36 AM, Kristof Bajnok <bajnokk@xxxxxxx> wrote:
> On 2015-11-12 01:17, Tom Scavo wrote:
>> There are three
>> important uses of domains in IdP metadata: entityID, scope, and
>> endpoints. All three are important, I think.
> Actually I don't see how domain information in endpoints could be
> misused during registration. Its failure only affects the entity itself.

Protocol endpoints at the IdP are phishing opportunities for the Bad Guy.

> entityIDs are a bit more special than scopes. I would be a little
> suspicious if some unknown entities started to get entityIDs with a
> domain '', but it is an ID, thus as long as they do not clash
> with mine, it is fine. EntityID clashing, on the other hand, can also be
> used as an attack.

Well, I didn't mean to equate entityIDs with scopes with endpoints. My
point was that all three are based on domains, and moreover, they are
often a single domain (at least in InCommon) so if we create a
standard for one, we effectively create a standard for all.
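As an added illustration of the point above (this is not code from the thread, nor any federation registry's actual vetting tool), the following script checks the three domain-bearing parts of an IdP's metadata, the entityID, the shibmd:Scope values and the protocol endpoint Locations, against a single registered domain, which is the check a registrar would run at registration time if one standard were applied to all three. The two metadata documents and all hostnames in them are constructed for the example.

```python
"""Check that entityID, scopes and endpoints of an IdP all sit under one domain.

Added example, not code from the mailing-list thread or any federation's
registry. The metadata documents below are constructed; the hostnames
(example.edu, example.net, victim.org) are made up for the illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}


def in_domain(host, domain):
    """True if host equals domain or is a subdomain of it (case-insensitive)."""
    host = (host or "").lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_idp(xml_text, registered_domain):
    """Return a list of findings; an empty list means all three uses agree."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. entityID: usually an https URL; a non-URL entityID has no hostname
    #    and is flagged so a human looks at it.
    entity_id = root.get("entityID", "")
    if not in_domain(urlparse(entity_id).hostname, registered_domain):
        findings.append(f"entityID {entity_id!r} is not under {registered_domain}")

    # 2. shibmd:Scope: literal scopes must be the domain or a subdomain;
    #    regexp scopes cannot be checked mechanically, so they are flagged.
    for scope in root.findall(".//shibmd:Scope", NS):
        value = (scope.text or "").strip()
        if scope.get("regexp", "false").lower() == "true":
            findings.append(f"regexp scope {value!r} needs manual review")
        elif not in_domain(value, registered_domain):
            findings.append(f"scope {value!r} is not under {registered_domain}")

    # 3. Endpoints: every Location/ResponseLocation (SSO, SLO, artifact
    #    resolution, ...) must be hosted under the registered domain.
    for el in root.iter():
        for attr in ("Location", "ResponseLocation"):
            loc = el.get(attr)
            if loc and not in_domain(urlparse(loc).hostname, registered_domain):
                findings.append(f"{attr} {loc!r} is not under {registered_domain}")
    return findings


# Constructed: a consistent IdP registered for example.edu.
GOOD_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope></md:Extensions>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: entityID looks fine, but the scope claims someone else's
# domain and the SSO endpoint points at a host outside the registration.
BAD_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><shibmd:Scope regexp="false">victim.org</shibmd:Scope></md:Extensions>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.example.net/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for name, doc in (("good", GOOD_IDP), ("bad", BAD_IDP)):
        print(name, check_idp(doc, "example.edu") or "consistent")
```

A registrar applying this check would reject BAD_IDP on two counts (foreign scope, foreign endpoint) even though its entityID is under the registered domain, which is the "standard for one is a standard for all" effect described above; regexp scopes and non-URL entityIDs are deliberately routed to manual review rather than silently accepted.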