[Tf-aai] Filtering suspicious IdPs in CLARIN SPF

André Moreira andre at clarin.eu
Tue May 2 15:57:39 CEST 2017


Great! If it works for everyone I prefer the Utrecht option, otherwise VC is also good.

Kind regards,
----
André Moreira
CLARIN ERIC
https://www.clarin.eu



> On 2 May 2017, at 11:05, Martin Matthiesen <martin.matthiesen at csc.fi> wrote:
> 
> Dear Taskforce,
> 
> I'd be willing to organise a task force meeting on this issue if there is enough interest. It could be either in Utrecht or as a VC.
> 
> The issue would be: Criteria for filtering out IdPs that allow self-registration.
> 
> Regards,
> Martin
> 
> --
> Martin Matthiesen
> CSC - Tieteen tietotekniikan keskus
> CSC - IT Center for Science
> PL 405, 02101 Espoo, Finland
> +358 9 457 2376, martin.matthiesen at csc.fi
> Public key : https://pgp.mit.edu/pks/lookup?op=get&search=0x74B12876FD890704
> Fingerprint: AA25 6F56 5C9A 8B42 009F  BA70 74B1 2876 FD89 0704
> 
> ----- Original Message -----
>> From: "André Moreira" <andre at clarin.eu>
>> To: "Jozef Mišutka" <misutka at ufal.mff.cuni.cz>
>> Cc: "tf-aai" <tf-aai at lists.clarin.eu>, "spf" <spf at clarin.eu>, "Willem Elbers" <willem at clarin.eu>
>> Sent: Monday, 1 May, 2017 18:20:04
>> Subject: Re: [Tf-aai] Filtering suspicious IdPs in CLARIN SPF
> 
>> Hi Jozef,
>> 
>> My apologies for the late answer.
>> I must admit I am a bit out of context here; is your idea to streamline a
>> workflow for the detection and blacklisting of suspicious IdPs, or just the
>> latter?
>> 
>>>> 2. In 1a) or 1b) someone finds a suspicious IdP and CLARIN SPF should be
>>>> notified about it
>>>>   QUESTION: what is the best/preferred way to notify CLARIN SPF - trac? email?
>> 
>> 
>> My preference is via a trac ticket, so we could have both: an immediate
>> notification sent by email, plus the status and history of the actions taken.
>> Furthermore, I think it is also important to keep an inventory of all the
>> blacklisted IdPs and the respective reasoning for their blacklisting. So I
>> suggest we create a trac page for the 'IdPs blacklist status', but that the
>> initial reports of misbehaving IdPs are done with the creation of trac tickets.
>> Then the operator handling one of these tickets would be responsible for
>> updating the 'IdPs blacklist status' page.
>> 
>> 
>>>> 4. SPF will add this IdP into the filters
>>>>  QUESTION: is filtering (blacklisting) of IdPs in CLARIN SPF happening before
>>>>  they are published to https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml
>>>>  and if so then where?
>>>>  ACTION POINT: make filtered IdPs public (will be decided what is the best way
>>>>  [1])
>> 
>> Yes, filtering happens before publishing. You can see the PyFF code we are using
>> here: https://github.com/clarin-eric/pyFF_config/blob/master/job_c.fd (see
>> 'select' XPath expressions).
>> 
>> 
>> But again, I feel like I am not fully contextualised here, so I might not be
>> giving you the answers you were looking for. In that case, if it suits you, we
>> could schedule a skype call so we can have a more agile discussion?
>> 
>> 
>> Anyhow I hope this helps,
>> Kind regards,
>> ----
>> André Moreira
>> CLARIN ERIC
>> https://www.clarin.eu
>> 
>> 
>> 
>>> On 18 Apr 2017, at 12:29, Jozef Misutka <misutka at ufal.mff.cuni.cz> wrote:
>>> 
>>> Hi Andre,
>>> 
>>> (cc-ing tf-aai@ too for comments)
>>> 
>>> we should have a more formal and public way how to blacklist IdPs from CLARIN
>>> SPF. We have the tools, so we really need only minor changes and better
>>> documentation. In reality, this will be very rare but should be documented
>>> nevertheless.
>>> 
>>> The flow is like this:
>>> 
>>> 1. User authenticates to one of CLARIN SPF SPs
>>>   a) we have information about the IdP in
>>>   https://lindat.mff.cuni.cz/services/aaggreg/ so we can check if it looks
>>>   suspicious or not;
>>>   b) different web applications inform about new users (e.g., clarin-dspace sends
>>>   an email) so we can even check if the attributes seem ok.
>>>   ACTION POINT (optional): email new IdPs from attribute aggregator
>>> 
>>> 2. In 1a) or 1b) someone finds a suspicious IdP and CLARIN SPF should be
>>> notified about it
>>>   QUESTION: what is the best/preferred way to notify CLARIN SPF - trac? email?
>>> 
>>> 3. CLARIN evaluates if that IdP is really problematic or not
>>>   ACTION POINT: define a problematic/non problematic IdP e.g., problematic IdP is
>>>   the one that does not validate its users more than by sending emails
>>>   ACTION POINT: make this definition public (will be decided what is the best way
>>>   [1])
>>> 
>>> 4. SPF will add this IdP into the filters
>>>  QUESTION: is filtering (blacklisting) of IdPs in CLARIN SPF happening before
>>>  they are published to https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml
>>>  and if so then where?
>>>  ACTION POINT: make filtered IdPs public (will be decided what is the best way
>>>  [1])
>>> 
>>> 
>>> To all, please feel free to comment, share practices etc. At LINDAT, we have the
>>> following page
>>> https://lindat.mff.cuni.cz/en/how-do-i-sign-up (see section Supported
>>> Organisations)
>>> 
>>> Best,
>>> Jozef
>>> 
>>> 
>>> [1] In my todo list is still to prepare a short CLARIN AAI requirements document
>>> where we could add it and publish that document.
>> 
>> 
>> 
>> [Plain text file:ATT00001]
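
The filtering step discussed in this thread (dropping blacklisted IdPs from the metadata aggregate before it is published, and keeping a public record of what was filtered and why), as an added example that is not part of the original e-mails and is not the CLARIN pyFF configuration. It uses only the Python standard library; the entityIDs, reasons and ticket references are constructed placeholders, and the aggregate is assumed to have been signature-verified before this step.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY, IDP_ROLE = f"{{{MD}}}EntityDescriptor", f"{{{MD}}}IDPSSODescriptor"
ET.register_namespace("md", MD)

# Constructed sample aggregate; all entityIDs are placeholders.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://idp.university.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://selfreg.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://repo.example/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Hypothetical inventory: entityID -> (reason for blacklisting, ticket reference).
BLACKLIST = {
    "https://selfreg.example/idp": ("users validated only by e-mail", "TICKET-PLACEHOLDER-1"),
    "https://renamed.example/idp": ("self-registration", "TICKET-PLACEHOLDER-2"),
}

def filter_aggregate(xml_text, blacklist):
    """Drop blacklisted IdPs; return (filtered XML, removed IDs, stale IDs)."""
    # Assumption: the aggregate's signature was verified before this step.
    root = ET.fromstring(xml_text)
    removed = []
    for parent in list(root.iter()):          # also covers nested EntitiesDescriptor
        for child in list(parent):
            if (child.tag == ENTITY and child.find(IDP_ROLE) is not None
                    and child.get("entityID") in blacklist):
                parent.remove(child)
                removed.append(child.get("entityID"))
    # Entries that matched nothing: a renamed IdP would pass the filter unnoticed.
    stale = sorted(set(blacklist) - set(removed))
    return ET.tostring(root, encoding="unicode"), removed, stale

def published_entity_ids(xml_text):
    return [e.get("entityID") for e in ET.fromstring(xml_text).iter(ENTITY)]

def blacklist_status(removed, blacklist):  # rows for a public status page
    return [(eid, *blacklist[eid]) for eid in removed]

if __name__ == "__main__":
    xml_out, removed, stale = filter_aggregate(SAMPLE_AGGREGATE, BLACKLIST)
    print(published_entity_ids(xml_out), blacklist_status(removed, BLACKLIST), stale)
```

The stale list is worth reviewing on every run: a blacklist entry that no longer matches any entity means the filter for that IdP has stopped doing anything.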
