Introduction

As in the last few years, the eduGAIN CSIRT (formerly eduGAIN Security Team) ran a challenge to assess a critical part of the eduGAIN communication infrastructure: the security contacts of the eduGAIN Participants, where available. The security contact email addresses were retrieved from the eduGAIN Database using the APIs published on the technical site. The procedure used to collect the email addresses is available on the GEANT GitLab:

https://gitlab.geant.org/edugain/edugain-contacts/-/blob/master/identity_federations_security_contacts.py

The security contacts are stored in the eduGAIN Database and can be browsed on the Member Federations page:

https://technical.edugain.org/status

Participants

In the eduGAIN Communication Challenge 2023-12, 48 eduGAIN Participants were challenged:

AAF
AAI-EDUHR
ACONET
AZSCINET
BELNET
BIF
CAF
CAFE
CARSI
CYNET-IF
DFN-AAI
EDUID-AFRICA
EDUID-CZ
EDUID-HU
EDUID-NG
FENIX
FER
GAKUNIN
GRNET
HAKA
IDEM
INCOMMON
IRFED
LAIFE
LEAF
LITNET-FEDI
LK-LIAF
OMREN
PIONIER-ID
RAFIKI
RCTSAAI
RIF
ROEDUNETID
SA-MIF
SAFEID
SAFIRE
SIF
SIFULAN
SIR
SURFCONEXT
SWAMID
SWITCHAAI
TAAT
THAILDF
TIGERFED
TUAKIRI
UK-FEDERATION
WAYF

eduGAIN participants that didn't communicate their security contacts were excluded from the challenge.

Challenge timeline

  • 2023-12-13T11:12:00Z+00:00 - Start of the challenge.
  • 2023-12-18T11:00:00Z+00:00 - End of the challenge.
  • 2023-12-20 - Public report available (this wiki page).

What was assessed

  • That the provided security contact is a well-formed email address.
  • That the provided email address is not bouncing.
  • That the recipients of the security contact read the mailbox and follow the link provided, confirming that the email address is still valid for the purpose.

The reaction time, meaning the time elapsed between the sending of the challenge and the click on the link provided, is measured as well to assess the responsiveness of the security contacts.
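The three checks and the reaction-time measurement listed above can be tallied as in the following added example, which is not eduGAIN CSIRT's tooling and not code from this page. The record fields, the caller-supplied bounce flag, the "mailto:" handling and the sample federations are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Challenge window from the timeline on this page; buckets from the reaction-time table.
START = datetime(2023, 12, 13, 11, 12, tzinfo=timezone.utc)
END = datetime(2023, 12, 18, 11, 0, tzinfo=timezone.utc)
BUCKETS_H = (4, 10, 24)

# Conservative syntax check (single "@", dotted domain, no whitespace); not full RFC 5322.
ADDR_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def well_formed(contact):
    # Assumption: a contact may carry a "mailto:" prefix, as in SAML metadata.
    addr = re.sub(r"(?i)^mailto:", "", contact.strip())
    return bool(ADDR_RE.match(addr))

def assess(records):
    """Classify each record and tally reactions; clicked_at is a UTC datetime or None."""
    report = {"challenged": len(records), "malformed": [], "bounced": [],
              "no_reaction": [], "reacted": 0, "within": {h: 0 for h in BUCKETS_H}}
    for r in records:
        clicked = r["clicked_at"]
        if not well_formed(r["contact"]):
            report["malformed"].append(r["federation"])
        elif r["bounced"]:
            report["bounced"].append(r["federation"])
        elif clicked is None or not (START <= clicked <= END):
            report["no_reaction"].append(r["federation"])  # late clicks do not count
        else:
            report["reacted"] += 1
            for h in BUCKETS_H:  # cumulative: a 1.5 h reaction counts in all three
                report["within"][h] += (clicked - START) < timedelta(hours=h)
    report["success_rate"] = round(100 * report["reacted"] / max(len(records), 1))
    return report

# Constructed sample records (hypothetical federations; last column is hours after START).
SAMPLE = [dict(federation=f, contact=c, bounced=b,
               clicked_at=None if h is None else START + timedelta(hours=h))
          for f, c, b, h in [
    ("FED-A", "mailto:security@fed-a.example", False, 1.5),
    ("FED-B", "csirt@fed-b.example", False, 7),
    ("FED-C", "abuse@fed-c.example", False, 50),       # reacted, but after 24 h
    ("FED-D", "security at fed-d.example", False, 2),  # malformed address
    ("FED-E", "security@fed-e.example", True, None),   # bounced
    ("FED-F", "security@fed-f.example", False, None),  # never clicked
    ("FED-G", "security@fed-g.example", False, 150),   # clicked after END
]]

if __name__ == "__main__":
    print(assess(SAMPLE))
```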

Results

Responses

Assuming that all contacted participants received the challenge e-mail and understood what action was expected from them, we had the following results: 75% success rate, in absolute numbers 36 participants out of 48 reacted within the challenge time frame (5 days). These results are in line with the eduGAIN CommsChallenge2022-12 Results, though slightly worse.


36 participants (75 %) have reacted

48 participants have been challenged

34 participants (71 %) have reacted within 24 h

Reaction times

The graph above shows that all reactions were recorded within 96 hours, with the vast majority within 24 hours. Given that almost all time zones were covered in this global exercise, the reaction times are very good and indicate that the security contact addresses of the participants are also monitored during out-of-office hours.

Time      Respondents
< 4h      30
< 10h     32
< 24h     34

Follow Up

The participants that have not reacted to the challenge were contacted by eduGAIN CSIRT on 31-01-2024:

Federation      Additional response/clarification
CAFE
CARSI
FENIX
GAKUNIN         OK
HAKA            OK
IRFED
LAIFE
OMREN           OK
ROEDUNETID      OK
TIGERFED
WAYF            OK