[Tf-aai] Filtering suspicious IdPs in CLARIN SPF

Martin Matthiesen martin.matthiesen at csc.fi
Tue May 2 11:05:28 CEST 2017


Dear Taskforce,

I'd be willing to organise a task force meeting on this issue if there is enough interest. It could be either in Utrecht or as a VC.

The issue would be: Criteria for filtering out IdPs that allow self-registration.

Regards,
Martin

-- 
Martin Matthiesen
CSC - Tieteen tietotekniikan keskus
CSC - IT Center for Science
PL 405, 02101 Espoo, Finland
+358 9 457 2376, martin.matthiesen at csc.fi
Public key : https://pgp.mit.edu/pks/lookup?op=get&search=0x74B12876FD890704
Fingerprint: AA25 6F56 5C9A 8B42 009F  BA70 74B1 2876 FD89 0704

----- Original Message -----
> From: "André Moreira" <andre at clarin.eu>
> To: "Jozef Mišutka" <misutka at ufal.mff.cuni.cz>
> Cc: "tf-aai" <tf-aai at lists.clarin.eu>, "spf" <spf at clarin.eu>, "Willem Elbers" <willem at clarin.eu>
> Sent: Monday, 1 May, 2017 18:20:04
> Subject: Re: [Tf-aai] Filtering suspicious IdPs in CLARIN SPF

> Hi Jozef,
> 
> My apologies for the late answer.
> I must admit I am a bit out of context here; is your idea to streamline a
> workflow for the detection and blacklisting of suspicious IdPs, or just the
> latter?
> 
>>> 2. In 1a) or 1b) someone finds a suspicious IdP and CLARIN SPF should be
>>> notified about it
>>>    QUESTION: what is the best/preferred way to notify CLARIN SPF - trac? email?
> 
> 
> My preference is via a trac ticket, so we could have both: an immediate
> notification sent by email, plus the status and history of the actions taken.
> Furthermore, I think it is also important to keep an inventory of all the
> blacklisted IdPs and the respective reasoning for their blacklisting. So I
> suggest we create a trac page for the 'IdPs blacklist status', but that the
> initial reports of misbehaving IdPs are done with the creation of trac tickets.
> Then the operator handling one of these tickets would be responsible for
> updating the 'IdPs blacklist status' page.
> 
> 
>>> 4. SPF will add this IdP into the filters
>>>   QUESTION: is filtering (blacklisting) of IdPs in CLARIN SPF happening before
>>>   they are published to https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml
>>>   and if so then where?
>>>   ACTION POINT: make filtered IdPs public (will be decided what is the best way
>>>   [1])
> 
> Yes, filtering happens before publishing. You can see the PyFF code we are using
> here: https://github.com/clarin-eric/pyFF_config/blob/master/job_c.fd (see
> 'select' XPath expressions).
> 
> 
> But again, I feel like I am not fully contextualised here, so I might not be
> giving you the answers you were looking for. In that case, if it suits you, we
> could schedule a Skype call so we can have a more agile discussion?
> 
> 
> Anyhow I hope this helps,
> Kind regards,
> ----
> André Moreira
> CLARIN ERIC
> https://www.clarin.eu
> 
> 
> 
>> On 18 Apr 2017, at 12:29, Jozef Misutka <misutka at ufal.mff.cuni.cz> wrote:
>> 
>> Hi Andre,
>> 
>> (cc-ing tf-aai@ too for comments)
>> 
>> we should have a more formal and public way how to blacklist IdPs from CLARIN
>> SPF. We have the tools, so we really need only minor changes and better
>> documentation. In reality, this will be very rare but should be documented
>> nevertheless.
>> 
>> The flow is like this:
>> 
>> 1. User authenticates to one of CLARIN SPF SPs
>>    a) we have information about the IdP in
>>    https://lindat.mff.cuni.cz/services/aaggreg/ so we can check if it looks
>>    suspicious or not;
>>    b) different web applications inform about new users (e.g., clarin-dspace sends
>>    an email) so we can even check if the attributes seem ok.
>>    ACTION POINT (optional): email new IdPs from attribute aggregator
>> 
>> 2. In 1a) or 1b) someone finds a suspicious IdP and CLARIN SPF should be
>> notified about it
>>    QUESTION: what is the best/preferred way to notify CLARIN SPF - trac? email?
>> 
>> 3. CLARIN evaluates if that IdP is really problematic or not
>>    ACTION POINT: define a problematic/non problematic IdP e.g., problematic IdP is
>>    the one that does not validate its users more than by sending emails
>>    ACTION POINT: make this definition public (will be decided what is the best way
>>    [1])
>> 
>> 4. SPF will add this IdP into the filters
>>   QUESTION: is filtering (blacklisting) of IdPs in CLARIN SPF happening before
>>   they are published to https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml
>>   and if so then where?
>>   ACTION POINT: make filtered IdPs public (will be decided what is the best way
>>   [1])
>> 
>> 
>> To all, please feel free to comment, share practices etc. At LINDAT, we have the
>> following page
>> https://lindat.mff.cuni.cz/en/how-do-i-sign-up (see section Supported
>> Organisations)
>> 
>> Best,
>> Jozef
>> 
>> 
>> [1] In my todo list is still to prepare a short CLARIN AAI requirements document
>> where we could add it and publish that document.
> 
> 
> 
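The pre-publication filtering and the blacklist inventory discussed in this thread, sketched as an added example that is not part of the original messages and is not CLARIN's pyFF configuration. The entityIDs, ticket references and the `filter_idps` name are constructed placeholders; the function drops blacklisted IdPs from a SAML metadata aggregate and also reports blacklist entries that matched nothing, since a mistyped entityID would otherwise fail silently.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("md", MD)

# Constructed sample aggregate; all entityIDs are placeholders.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://idp.university.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://selfreg.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.repository.example/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Hypothetical inventory: entityID -> (reason, ticket reference).
BLACKLIST = {
    "https://selfreg.example/idp": ("self-registration, e-mail check only", "TICKET-1"),
    "https://gone.example/idp": ("self-registration", "TICKET-2"),
}

def filter_idps(aggregate_xml, blacklist):
    """Return (filtered_xml, removed, stale).

    removed: (entityID, reason, ticket) for every IdP dropped from the aggregate.
    stale:   blacklist entityIDs that matched no entity in the aggregate.
    Removing entities invalidates any XML signature on the aggregate, so the
    result has to be signed again before it is published.
    """
    root = ET.fromstring(aggregate_xml)
    removed, seen = [], set()
    # Snapshot the groups first so removal does not disturb the iteration.
    for group in list(root.iter(f"{{{MD}}}EntitiesDescriptor")):
        for entity in list(group.findall(f"{{{MD}}}EntityDescriptor")):
            entity_id = entity.get("entityID")
            seen.add(entity_id)
            is_idp = entity.find(f"{{{MD}}}IDPSSODescriptor") is not None
            if is_idp and entity_id in blacklist:
                group.remove(entity)
                removed.append((entity_id, *blacklist[entity_id]))
    stale = sorted(set(blacklist) - seen)
    return ET.tostring(root, encoding="unicode"), removed, stale
```

The `removed` list is what would feed a public blacklist status page; the `stale` list is worth reviewing whenever the inventory is updated.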


