Skip to Content.
Sympa Menu

metadata-support - Re: [Metadata-Support] Metadata checks

Subject: InCommon metadata support

List archive

Re: [Metadata-Support] Metadata checks

Chronological Thread 
  • From: Nick Roy <>
  • To: "" <>
  • Subject: Re: [Metadata-Support] Metadata checks
  • Date: Wed, 17 Jan 2018 22:22:20 +0000
  • Accept-language: en-US
  • Authentication-results: spf=none (sender IP is ) ;
  • Ironport-phdr: 9a23:vrodhB3/clTLAGY+smDT+DRfVm0co7zxezQtwd8ZseIfK/ad9pjvdHbS+e9qxAeQG9mDsrQc06L/iOPJYSQ4+5GPsXQPItRndiQuroEopTEmG9OPEkbhLfTnPGQQFcVGU0J5rTngaRAGUMnxaEfPrXKs8DUcBgvwNRZvJuTyB4Xek9m72/q99pHPfglEniaxba9vJxiqsAvdsdUbj5F/Iagr0BvJpXVIe+VSxWx2IF+Yggjx6MSt8pN96ipco/0u+dJOXqX8ZKQ4UKdXDC86PGAv5c3krgfMQA2S7XYBSGoWkx5IAw/Y7BHmW5r6ryX3uvZh1CScIMb7S60/Vza/4KdxUBLmiDkJOSMl8G/ZicJwgqNbrw6uqRNw2IPUfJiVOOZicq/BYd8WW2xMVdtRWSxbBYO8apMCAfIAPelErIn2ukcArRy+BAKxA+7vzCVIhnj23KAh0uQhFx3G0xI6H9IIrnvUsMv5OL0MXu+o0anF1DPOZO5Y1zf67YjHaBEhofeUULJxd8rR1VcgFxnDjlqOtYzpISmZ2foQvGiG6edrSOGhi3Y/pg1svjSiyd0gh4bLi44PxF3J9z91zJs7KNGmUEJ2Y9CpHIFNuyyVLYd6X94uTmFytConyLAKpJi2dzUQxps93R7QcfmHfpCI4h39UOaRJi91imp5dby4mxq+71Gsx/P+WcWpyVpKqTFKncfWunAKyhzT9tOISvxg/kenxDmDzRjT6vtDIUAoi6XUN4Ihwr83lpoVq0jDGTL2mFnyjK+RcUUk+fKk5PjgYrXjvpOcNol0hR/iMqk2h8CzHes1PhIBUmWZ4+ix2r/u8VfkTLhEkPE6iqzZv4rbJcQfqK65GQhV0oM75ha5FTem19QZkGIGLFJDZBKIkZLpO1fQL/DkE/uzmUqjnyp2x/zeJL3uHo3NLmTfkLfmZbt96khcxxY0zdBa4pJUDbcBLOj0Wk/ru9zUFxo5PBKow+n9FdpyzJ8eVniWDq+CLaPSqUeI5uU1I+mQf4IVvDf9K+M55/71k3M1g14dfa+13ZQJcnC4GOppI1mHbXb2nNgODHoK7UICS7mgjVCeWDJae3/3RL8k/jYhFKqnC4zEQ4WqhvqGxijxVslTa3xPBlmQGDLzap2cXO0QQCOUKchklzsCE7+7RNly+wupsVrcyrFkZtDT62VMs4jkxfB04fHejxc/6WYyAsiAhTLeB1pol38FEmdllJt0plZwnw+O
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

On 1/10/18 5:00 PM, Cantor, Scott wrote:
> On 1/10/18, 6:50 PM,
> "
> on behalf of Tom Poage"
> <
> on behalf of
> >
> wrote:
>> Probably an off case, but a vendor registered a new instance of their
>> application for us into InCommon and
>> inadvertently used another school's ACS URL. Given (what I think are) the
>> several cases where SP ACS URLs span several
>> domains, I imagine a consistency/sanity check on ACS URLs is nigh on
>> impossible.
> There used to be a DNS-based approval step for cross-registering endpoints,
> but as I understand it from a recent case, that's no longer done. They vet
> the entityID, but the URLs are at the discretion of the registrant. If you
> think about it, you have to approve somebody registering a host in your DNS
> anyway, so them asking again is kind of superfluous.

That's right, for all these reasons (and more), we no longer inspect the
domains in endpoints at all. Customers asked us for more flexibility to
allow them or their vendors to publish metadata for each other, and this
is one of the results of that request. Two further results of that
request are that we now only do DCV-type checking (proof of control) on
domains in scopes and entityIDs. If you as an InCommon Site
Administrator can convince a DNS registrant to set a DNS record with a
nonce that the InCommon RA gives you, you can assert that domain as the
basis for a scope and/or an entityID. This is because people want to do
things like use outsourced / "cloud" IdPs. So - we relaxed our
controls. The community consultation on the scopes/entityIDs and proof
of control took place last year, and is at:

The change regarding endpoint locations was made in consultation with
the InCommon TAC's operations advisory group and went info effect in April.



> -- Scott

Archive powered by MHonArc 2.6.19.

Top of Page