4 Use of Domain Names
In order to provide a basis for technical trust in an entity, the UK federation registrar verifies the registrant’s right to use particular domain names in the following contexts:
- An <EntityDescriptor>’s entityID attribute,
- For identity provider entities, any <shibmd:Scope> elements.
Registrations for which this right to use cannot be established by the registrar SHALL be rejected.
In both contexts, this right to use a domain name MAY be established in one of the following ways:
- A registrant is regarded as owning, and therefore having a right to use, any domain registered by the member. This determination extends to any sub-domain of the registered domain.
- A registrant MAY be granted the right to make use of a specific domain name through a permission letter from the domain’s owner, either:
  - For a specific domain name, for use in a specified entity only. Such permission SHALL NOT be regarded as including permission for the use of sub-domains, or use in other than the specified entity.
  - Exceptionally, for a given domain name and its sub-domains, for use in any entity. Such a generic grant SHALL only be accepted in the case of closely-related legal entities.
- Domain permission grant letters MAY be accepted both from federation members and from non-members. The acceptability of a permission grant is dependent on context, as described in the sections below.
4.1 Domain Names in entityID Attributes
Values of the entityID attribute for entities registered with the UK federation MUST be an absolute URI using either the http, https or urn schemes. https-scheme URIs are RECOMMENDED.
http-scheme and https-scheme URIs used for entityID values MUST contain a host part whose value is a DNS domain. The registrant MUST demonstrate that the domain used is either owned by them, or that specific permission has been given to them to use the domain for the purpose of registering the entity (see above).
The use of urn-scheme URIs for entityID values is NOT RECOMMENDED but MAY be permitted in exceptional circumstances. When permitted, such values MUST be part of a properly delegated registry under the urn:mace namespace, as described in [RFC3613]. The registrant MUST also demonstrate that the urn:mace URI value in question has been issued for their use.
When establishing the right of a registrant to use a domain name in an entityID attribute, the registrar may rely on either:
- A permission letter from an existing UK federation member, or
- A permission grant letter from a non-member after suitable validation of the non-member’s identity.
4.2 Domain Names in <shibmd:Scope> Elements
The UK federation’s convention is that scopes are named by DNS domain names, expressed in lower case. Entity owners registering metadata containing <shibmd:Scope> elements MUST demonstrate that each domain used is either owned by them, or that specific permission has been given to them to use the domain for the purpose of registering the entity.
When establishing the right of a registrant to use a domain name in a <shibmd:Scope> element, the registrar MAY rely on a permission letter from an existing UK federation member. Permission letters from non-members SHALL NOT be accepted for this purpose.
As well as the ownership and permission grant mechanisms described above, two additional mechanisms are available in support of the UK Schools sector.
UK local authorities which are members of the UK federation SHALL be presumed by the registrar to have permission to use any domain under the third-level .sch.uk domain for their area. For example, Aberdeen City Council SHALL be presumed to have permission to use any domain under aberdeen.sch.uk. This presumption SHALL be set aside if challenged by the individual registrant of such a domain.
English local authorities which are members of the UK federation, or any Regional Broadband Consortium which is a member of the UK federation and of which the local authority is part, SHALL be implicitly granted permission by the federation registrar to use a synthetic domain of the following form, along with all corresponding sub-domains:
code.eng.ukfederation.org.uk
In this construction, code shall be the three-digit numeric LA code assigned to the local education authority. For example, Dorset’s code is 835.
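As an added example (not part of this practice statement and not UK federation tooling), the following Python encodes the section 4 right-to-use rules as a registrar-side check covering both the entityID and <shibmd:Scope> contexts. The registrant record layout, the helper names and the sample domains are constructed assumptions; the UK Schools mechanisms are applied to scopes only, as they appear under section 4.2.

```python
from urllib.parse import urlsplit

def within(host, domain):
    """True if host equals domain or is any sub-domain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def right_to_use(host, entity_id, reg, context):
    """Apply the section 4 rules to one domain name; returns (accepted, reason).
    reg (constructed, not a federation data format) may hold:
      owned: member-registered domains; grants: (domain, from_member, for_entity_id, generic);
      la_sch: e.g. 'aberdeen.sch.uk'; la_code: three-digit English LA code.
    """
    for d in reg.get("owned", []):
        if within(host, d):
            return True, "owned: " + d
    for domain, from_member, for_entity, generic in reg.get("grants", []):
        if context == "scope" and not from_member:
            continue                          # 4.2: non-member letters not accepted
        if generic and within(host, domain):
            return True, "generic grant: " + domain
        if not generic and host.lower() == domain.lower() and for_entity == entity_id:
            return True, "specific grant: " + domain  # one entity, no sub-domains
    if context == "scope":                    # UK Schools mechanisms (section 4.2)
        if reg.get("la_sch") and within(host, reg["la_sch"]):
            return True, "presumed LA permission under " + reg["la_sch"]
        if reg.get("la_code") and within(host, reg["la_code"] + ".eng.ukfederation.org.uk"):
            return True, "synthetic LA domain"
    return False, "right to use not established: reject"

def check_entity_id(entity_id, reg):
    """Section 4.1: scheme rules, then the right to use the host part."""
    u = urlsplit(entity_id)
    if u.scheme in ("http", "https"):
        if not u.hostname:
            return False, "http(s) entityID needs a DNS host part"
        return right_to_use(u.hostname, entity_id, reg, "entityID")
    if u.scheme == "urn":                     # NOT RECOMMENDED; exceptional only
        if not entity_id.lower().startswith("urn:mace:"):
            return False, "urn entityID must be under urn:mace [RFC3613]"
        return False, "urn:mace value needs registrar review of its issue"
    return False, "entityID must be an http, https or urn URI"

def check_scope(scope, entity_id, reg):
    """Section 4.2: scopes are lower-case DNS names with a right to use."""
    if scope != scope.lower():
        return False, "scope must be expressed in lower case"
    return right_to_use(scope, entity_id, reg, "scope")
```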