Accept mil.no domain as a scope despite failing the public suffix heuristic #15
Comments
|
I've created the branch described above ( As to procedure, if we're going to ship this as a single point fix, what I'd suggest is that I open a new feature branch for a 10.1 release, then open a pull request from @nroy Sound good? |
|
@iay yes that sounds good, thank you. |
|
I have created a branch |
|
The new plan is to implement this as part of the v11 milestone. I will remove the |
|
Completed as commit 2ab829d. |
The FEIDE IdP, imported from eduGAIN, claims the
mil.noscope on behalf of the Norwegian military. Our current configuration rejects this because it is a public suffix. We'd like to accept it nevertheless.Background: we reject scopes (plain non-regex scopes and the "literal tail" of regex scopes) which are present in the Public Suffix List, on the reasoning that we should only accept scopes that are capable of being owned and that membership of the PSL is an excellent heuristic for domains which can not be registered. This has always been a heuristic, of course, and as long as we are convinced that a domain is indeed being legitimately used as the name of a security domain then accepting it nevertheless is reasonable. It's a testament to the reasonableness of the heuristic that this is the first time this has come up.
If we want to make an exception for the specific use case (
mil.noas a single, non-regex scope) then it's easy to add an "immediately accept this" validator rule in front of the rules that check for PSL membership.I think making a more general exception would be a mistake: we don't want to accept most -- almost all -- public suffixes (
co.uk, etc.) as scopes.We put a change for this into the UK federation tooling yesterday. I will make a topic branch which (a) cherry-picks that change from upstream for clarity and (b) also makes the same change to the InCommon eduGAIN policy, then hand that over for review.
CC: @nroy @jlasker
The text was updated successfully, but these errors were encountered: