Subject Re: Scope spoofing - Scoping Policy Framework?
From Tom Scavo <trscavo@xxxxxxxxxxxxx>
Date Thu, 12 Nov 2015 18:02:13 -0500

On Thu, Nov 12, 2015 at 5:09 AM, Nicole Harris <nicole.harris@xxxxxxxxx> wrote:
> This is just about documenting what DOES exist and not about dictating
> what should be done so if people have examples of how they currently craft
> scopes or could point me to existing documents that would be grand.

InCommon's scope policy is effectively documented here:

At the end of the day, InCommon is very strict about scopes in
metadata (which is also true of entityIDs and endpoint locations in
metadata, at least IdP metadata). The IdP must "own" the domain in
question. Usually ownership relies on the whois database. That is less
than ideal but I don't know of a better way. That's why I'm interested
in this issue that Kristof has raised.