Introduction
As happened in the last few years, the eduGAIN CSIRT (formerly eduGAIN Security Team) run a challenge to assess a critical part of the eduGAIN communication infrastructure: the security contacts of the eduGAIN Participants, where available. The security contacts email addresses has been retrieved from the eduGAIN Database using the APIs published on the technical site. The procedure used to collect the email addresses is available on the GEANT gitlab:
The security contacts are stored in the eduGAIN Database and can be browsed on the Member Federations page:
https://technical.edugain.org/status
Participants
In the eduGAIN Communication Challenge 2023-12, 48 eduGAIN Participants have been challenged:
| AAF |
| AAI-EDUHR |
| ACONET |
| AZSCINET |
| BELNET |
| BIF |
| CAF |
| CAFE |
| CARSI |
| CYNET-IF |
| DFN-AAI |
| EDUID-AFRICA |
| EDUID-CZ |
| EDUID-HU |
| EDUID-NG |
| FENIX |
| FER |
| GAKUNIN |
| GRNET |
| HAKA |
| IDEM |
| INCOMMON |
| IRFED |
| LAIFE |
| LEAF |
| LITNET-FEDI |
| LK-LIAF |
| OMREN |
| PIONIER-ID |
| RAFIKI |
| RCTSAAI |
| RIF |
| ROEDUNETID |
| SA-MIF |
| SAFEID |
| SAFIRE |
| SIF |
| SIFULAN |
| SIR |
| SURFCONEXT |
| SWAMID |
| SWITCHAAI |
| TAAT |
| THAILDF |
| TIGERFED |
| TUAKIRI |
| UK-FEDERATION |
| WAYF |
eduGAIN participants that didn't communicate their security contacts were excluded from the challenge.
Challenge timeline
- 2023-12-13T11:12:00Z+00:00 - Start of the challenge.
- 2023-12-18T11:00:00Z+00:00 - End of the challenge.
- 2023-12-20 - Public report available (this wiki page).
What was assessed
- That the provided security contact is a well formed email address.
- That the provided email address is not bouncing.
- That the recipients of the security contact are reading the mailbox and follow the link provided to confirm that the email address is still valid for the purpose.
Reaction times, meaning the time elapsed between the sending of the challenge and the click on the link provided, is measured as well to assess the responsiveness of the security contacts.
Results
Responses
Assuming that all contacted participants received the challenge e-mail and understood what action was expected from them, we had the following results: 75% success rate, in absolute numbers 36 participants out of 48 have reacted within the challenge time frame (5 days). This results are in line with the eduGAIN CommsChallenge2022-12 Results, though slightly worse.
36 participants (75 %) have reacted
48 participants have been challenged
34 participants (71 %) have reacted within 24 h
Reaction times
The graph above shows that the all reactions were recorded within 96 hours, with the vast majority within 24 hours. Given that almost all time zones were covered in this global exercise the reaction times are very good and indicate that the security contact addresses of the participants are also monitored during out-of-office hours.
| Time | Respondants |
|---|---|
| < 4h | 30 |
| < 10h | 32 |
| < 24h | 34 |
Follow Up
The participants that have not reacted to the challenge were contacted by eduGAIN CSIRT on 31-01-2024: