[Tf-aai] Filtering suspicious IdPs in CLARIN SPF
Martin Matthiesen
martin.matthiesen at csc.fi
Tue May 2 11:05:28 CEST 2017
Dear Taskforce,
I'd be willing to organise a task force meeting on this issue if there is enough interest. It could be either in Utrecht or as a VC.
The issue would be: Criteria for filtering out IdPs that allow self-registration.
Regards,
Martin
--
Martin Matthiesen
CSC - Tieteen tietotekniikan keskus
CSC - IT Center for Science
PL 405, 02101 Espoo, Finland
+358 9 457 2376, martin.matthiesen at csc.fi
Public key : https://pgp.mit.edu/pks/lookup?op=get&search=0x74B12876FD890704
Fingerprint: AA25 6F56 5C9A 8B42 009F BA70 74B1 2876 FD89 0704
----- Original Message -----
> From: "André Moreira" <andre at clarin.eu>
> To: "Jozef Mišutka" <misutka at ufal.mff.cuni.cz>
> Cc: "tf-aai" <tf-aai at lists.clarin.eu>, "spf" <spf at clarin.eu>, "Willem Elbers" <willem at clarin.eu>
> Sent: Monday, 1 May, 2017 18:20:04
> Subject: Re: [Tf-aai] Filtering suspicious IdPs in CLARIN SPF
> Hi Jozef,
>
> My apologies for the late answer.
> I must admit I am a bit out of context here; is your idea to streamline a
> workflow for the detection and blacklisting of suspicious IdPs, or just the
> latter?
>
>>> 2. In 1a) or 1b) someone finds a suspicious IdP and CLARIN SPF should be
>>> notified about it
>>> QUESTION: what is the best/preferred way to notify CLARIN SPF - trac? email?
>
>
> My preference is via a trac ticket, so we could have both: an immediate
> notification sent by email, plus the status and history of the actions taken.
> Furthermore, I think it is also important to keep an inventory of all the
> blacklisted IdPs and the respective reasoning for their blacklisting. So I
> suggest we create a trac page for the 'IdPs blacklist status', but that the
> initial reports of misbehaving IdPs are done with the creation of trac tickets.
> Then the operator handling one of these tickets would be responsible for
> updating the 'IdPs blacklist status' page.
>
>
>>> 4. SPF will add this IdP into the filters
>>> QUESTION: is filtering (blacklisting) of IdPs in CLARIN SPF happening before
>>> they are published to https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml
>>> and if so then where?
>>> ACTION POINT: make filtered IdPs public (will be decided what is the best way
>>> [1])
>
> Yes, filtering happens before publishing. You can see the PyFF code we are using
> here: https://github.com/clarin-eric/pyFF_config/blob/master/job_c.fd (see
> 'select' XPath expressions).
>
>
> But again, I feel like I am not fully contextualised here, so I might not be
> giving you the answers you were looking for. In that case, if it suits you, we
> could schedule a skype call so we can have a more agile discussion?
>
>
> Anyhow I hope this helps,
> Kind regards,
> ----
> André Moreira
> CLARIN ERIC
> https://www.clarin.eu
>
>
>
>> On 18 Apr 2017, at 12:29, Jozef Misutka <misutka at ufal.mff.cuni.cz> wrote:
>>
>> Hi Andre,
>>
>> (cc-ing tf-aai@ too for comments)
>>
>> we should have a more formal and public way how to blacklist IdPs from CLARIN
>> SPF. We have the tools, so we really need only minor changes and better
>> documentation. In reality, this will be very rare but should be documented
>> nevertheless.
>>
>> The flow is like this:
>>
>> 1. User authenticates to one of CLARIN SPF SPs
>> a) we have information about the IdP in
>> https://lindat.mff.cuni.cz/services/aaggreg/ so we can check if it looks
>> suspicious or not;
>> b) different web applications inform about new users (e.g., clarin-dspace sends
>> an email) so we can even check if the attributes seem ok.
>> ACTION POINT (optional): email new IdPs from attribute aggregator
>>
>> 2. In 1a) or 1b) someone finds a suspicious IdP and CLARIN SPF should be
>> notified about it
>> QUESTION: what is the best/preferred way to notify CLARIN SPF - trac? email?
>>
>> 3. CLARIN evaluates if that IdP is really problematic or not
>> ACTION POINT: define a problematic/non problematic IdP e.g., problematic IdP is
>> the one that does not validate its users more than by sending emails
>> ACTION POINT: make this definition public (will be decided what is the best way
>> [1])
>>
>> 4. SPF will add this IdP into the filters
>> QUESTION: is filtering (blacklisting) of IdPs in CLARIN SPF happening before
>> they are published to https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml
>> and if so then where?
>> ACTION POINT: make filtered IdPs public (will be decided what is the best way
>> [1])
>>
>>
>> To all, please feel free to comment, share practices etc. At LINDAT, we have the
>> following page
>> https://lindat.mff.cuni.cz/en/how-do-i-sign-up (see section Supported
>> Organisations)
>>
>> Best,
>> Jozef
>>
>>
>> [1] In my todo list is still to prepare a short CLARIN AAI requirements document
>> where we could add it and publish that document.
>
>
>
> [Plain text file:ATT00001]
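Added example (not part of the thread and not the CLARIN pyFF configuration): a standard-library Python sketch of the "filter before publishing" step together with the reasoned inventory discussed above. The entityIDs, the BLACKLIST contents and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample aggregate with placeholder entityIDs (not real SPF metadata).
SAMPLE_AGGREGATE = f"""\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.university.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
  <md:EntitiesDescriptor Name="nested-federation">
    <md:EntityDescriptor entityID="https://selfreg-idp.example/saml">
      <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
    </md:EntityDescriptor>
  </md:EntitiesDescriptor>
  <md:EntityDescriptor entityID="https://sp.repository.example/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Hypothetical inventory: entityID -> documented reason for blacklisting.
BLACKLIST = {
    "https://selfreg-idp.example/saml": "self-registration, e-mail check only",
    "https://gone-idp.example/saml": "entry for an IdP no longer in the feed",
}

def filter_idps(aggregate_xml, blacklist):
    """Drop blacklisted IdPs; return (filtered_xml, removed, unmatched)."""
    root = ET.fromstring(aggregate_xml)
    removed = []
    # Snapshot every element so nested EntitiesDescriptor groups are covered.
    for parent in list(root.iter()):
        for entity in parent.findall(MD + "EntityDescriptor"):
            entity_id = entity.get("entityID")
            is_idp = entity.find(MD + "IDPSSODescriptor") is not None
            if is_idp and entity_id in blacklist:
                parent.remove(entity)
                removed.append((entity_id, blacklist[entity_id]))
    # Entries that matched nothing point to a typo or a stale inventory row.
    unmatched = sorted(set(blacklist) - {eid for eid, _ in removed})
    # Removing entities invalidates any XML signature: re-sign before publishing.
    return ET.tostring(root, encoding="unicode"), removed, unmatched

def entity_ids(aggregate_xml):
    """List entityIDs still present, in document order."""
    found = ET.fromstring(aggregate_xml).iter(MD + "EntityDescriptor")
    return [e.get("entityID") for e in found]
```

The `removed` list pairs each filtered IdP with its recorded reason, which is the data a public status page would show; `unmatched` flags inventory rows that no longer correspond to anything in the feed.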