[Tf-aai] Blacklisting IdPs: A proposal
Jozef Misutka
misutka at ufal.mff.cuni.cz
Fri Nov 22 09:09:30 CET 2019
On Tue, 19 Nov 2019 at 17:11, Martin Matthiesen <martin.matthiesen at csc.fi>
wrote:
> Dear Taskforce,
>
> I'd like some feedback on the proposal, also positive comments are
> appreciated. This issue will be discussed on the next SCCTC VC 11.12.
>
> Regards,
> Martin
>
> --
> Martin Matthiesen
> CSC - Tieteen tietotekniikan keskus
> CSC - IT Center for Science
> PL 405, 02101 Espoo, Finland
> +358 9 457 2376, martin.matthiesen at csc.fi
> Public key :
> https://pgp.mit.edu/pks/lookup?op=get&search=0x74B12876FD890704
> Fingerprint: AA25 6F56 5C9A 8B42 009F BA70 74B1 2876 FD89 0704
>
> ----- Original Message -----
> > From: "Martin Matthiesen" <martin.matthiesen at csc.fi>
> > To: "tf-aai" <tf-aai at lists.clarin.eu>
> > Sent: Tuesday, 5 November, 2019 19:36:19
> > Subject: [Tf-aai] Blacklisting IdPs: A proposal
>
> > Hi,
> >
> > Here's my suggestion for blacklisting IdPs. Some details need to be
> discussed,
> > for example what happens if an IdP provides eppn to SPs, but not mail and
> > another SP needs mail and the IdP does not react? Should that be a
> reason for
> > blacklisting?
>
>
> > I wonder whether we should mark IdPs as "blacklisted" in the Discovery
> Service,
> > but still make login via them possible for those SPs that work with the
> > Attribute Set provided.
> >
> > Concretely, the blacklisting should be accessible from:
> >
> > https://discovery.clarin.eu
> >
> > Change the "If you cannot find..." text as follows:
> >
> > "If you cannot find your organisation in the list below, this maybe for
> two
> > reasons: Your home organisation does not provide a login option or we
> have
> > blacklisted your home organisation, because your home organisation does
> not
> > provide CLARIN member services with sufficient information about users
> that try
> > to log in, for example the user's email adress. Please check our list of
> > blacklisted IdPs for more information about the blacklisting process.
> >
> > If you cannot login for reasons stated above, please select the
> clarin.eu
> > website account and use your CLARIN website credentials. If you don't
> have such
> > credentials you can register an account here."
> >
> >
> > The "list of blacklisted IdPs"
> >
> > ---+ IdPs currently blacklisted by CLARIN
> >
> > * IdP One
> > * IdP Two
> >
> > (maybe searchable)
> >
> > ---+ CLARIN's blacklisting process
> >
> > The CLARIN Service Provider Federation was created to ensure
> cross-border login
> > to CLARIN services. If an IdP after repeated requests refuses the
> release of
> > attributes to CLARIN services this IdP is blacklisted, since it is
> effectively
> > not usable with CLARIN services. CLARIN also considers considerable
> > administrative hurdles, like filling out complex paperwork which is not
> in
> > English as a reason to blacklist and IdP.
> >
> > ---++ The process in detail
> >
> > 1. An SP operator requests Attribute Release from an IdP on behalf of
> CLARIN and
> > states CLARIN's support for the Data Protection Code of Conduct as well
> as
> > Research and Scholarship and cc's spf at clarin.eu.
> > 2. The IdP either
> > 2.1. does not react or
> > 2.2. demands a complex application procedure to allow Attribute Release
> > 3. The SP operator waits a week and
> > 2.1. sends a reminder or
> > 2.2. requests a simpler application procedure.
> > 4. The SP operator requests that clarin.eu contacts the IdP directly
> and informs
> > about a possible blacklisting if the issue is not resolved within 2
> weeks.
> > 5. If no resolution is found after 2 weeks the IdP is blacklisted.
> >
> > Comments?
>
Firstly, thank you for the proposal Martin.
We should distinguish 2 cases in blacklisting. Firstly, those that are a
security risk (e.g., those that allow for unverified users) and those that
do have issues with attribute release.
Security villains:
- do not include in the feed
- hence, not included in discovery
- marginal priority: mention it somewhere
Attribute release villains:
- include in the feed
- include in discovery with red flag/background/logo of a villain with a
warning that using it might result in failed login (not because of our
problem) and a link pointing to (see below)
- medium priority: mention it somewhere
Nobody will read long text on https://discovery.clarin.eu/, I would put
there a big button - [I cannot login] that will go to a new page describing
the issues.
I would put your text there, the list of villains but rephrase it with the
following notes:
- I suppose most users will go for low hanging fruit = CLARIN IdP rather
than bother with the University so that should be the first option (we are
here primarily for the users and not to fight AAI battles)
- not in SPF is not equally bad as attribute release and moreover, the user
can do more (theoretically) with attribute release
I suggest to create a google doc that can be commented with the above text.
Best,
Jozef
> >
> > Martin
> >
> > --
> > Martin Matthiesen
> > CSC - Tieteen tietotekniikan keskus
> > CSC - IT Center for Science
> > PL 405, 02101 Espoo, Finland
> > +358 9 457 2376, martin.matthiesen at csc.fi
> > Public key :
> https://pgp.mit.edu/pks/lookup?op=get&search=0x74B12876FD890704
> > Fingerprint: AA25 6F56 5C9A 8B42 009F BA70 74B1 2876 FD89 0704
> > _______________________________________________
> > Tf-aai mailing list
> > Tf-aai at lists.clarin.eu
> > https://lists.clarin.eu/cgi-bin/mailman/listinfo/tf-aai
> _______________________________________________
> Tf-aai mailing list
> Tf-aai at lists.clarin.eu
> https://lists.clarin.eu/cgi-bin/mailman/listinfo/tf-aai
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clarin.eu/cgi-bin/mailman/private/tf-aai/attachments/20191122/be5c3bf6/attachment.htm>
More information about the Tf-aai
mailing list