As in the last few years, the eduGAIN Security Team ran a challenge to assess a critical part of the eduGAIN communication infrastructure: the security contacts of the eduGAIN Participants (where available). The security contacts' email addresses were retrieved from the eduGAIN Database using the APIs published on the technical site. The procedure used to collect the email addresses is available on the GEANT GitLab:
The security contacts stored in the eduGAIN Database can also be browsed on the Member Federations page:
https://technical.edugain.org/status
In the eduGAIN Communication Challenge 2022-12, 47 eduGAIN Participants were challenged:
AAF
AAI-EDUHR
ACONET
AZSCINET
BELNET
BIF
CAF
CAFE
CARSI
CYNET-IF
DFN-AAI
EDUID-AFRICA
EDUID-CZ
EDUID-HU
EDUID-NG
FENIX
FER
GAKUNIN
GRNET
HAKA
IDEM
INCOMMON
IRFED
LEAF
LITNET-FEDI
LK-LIAF
OMREN
PIONIER-ID
RAFIKI
RCTSAAI
RIF
ROEDUNETID
SA-MIF
SAFEID
SAFIRE
SIF
SIFULAN
SIR
SURFCONEXT
SWAMID
SWITCHAAI
TAAT
THAILDF
TIGERFED
TUAKIRI
UK-FEDERATION
WAYF
eduGAIN participants that didn't communicate their security contacts were excluded from the challenge.
Besides the validity of the available contact addresses, the reaction time was also measured. This information was collected as input for a later discussion on response times. The community would need to define target reaction times that are regarded as useful in security incident coordination situations.
Assuming that all contacted participants received the challenge e-mail and understood what action was expected from them, we have an 81% success rate. In absolute numbers, 38 participants out of 47 reacted within the challenge time frame (5 days). These results are in line with the 2021 Communication Challenge.
The graph above shows that all reactions were recorded within 120 hours, with the majority within approximately 15 hours. Given that almost all time zones were covered in this global exercise, the reaction times are very good and indicate that the security contact addresses of the participants are also monitored during out-of-office hours.
The participants that have not reacted to the challenge will be contacted by eduGAIN support via alternative channels, and a solution for the communication issues will be implemented and tested.