Electronic signatures

Eric Goodman Eric.Goodman at ucop.edu
Mon May 23 14:00:03 EDT 2016


In this case, I disagree.

You can require signed requests to try to ensure that the ForceAuthn is received at the IdP (although Scott tells me there may be ways that is still insufficient, given that Shib SP doesn’t map requests to responses), but even with that done, for IdPs that support SPNEGO, Kerberos and possibly X.509 authentication, or even “PPT delegated to (external) CAS servers”, there’s no guarantee that the authentication instant asserted by the IdP means what you think it means (e.g., it could mean, “yes, the user’s Kerb ticket is still valid”).

So in this case I mean literally auditing the IdP’s behavior.

All that said, the use case under discussion here is actually “(re-)authenticating the user when information is submitted”. With InCommon now offering personal signing certificates, another approach would be to literally put an electronic signature on the information in question, taking SAML out of the equation altogether. I don’t know if that makes the problem any easier (“How was the signing key unlocked before the signature was created?”), but it does take SAML and Shib out of the equation…

--- Eric

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Nate Klingenstein
Sent: Monday, May 23, 2016 10:50 AM
To: Shib Users
Subject: Re: Electronic signatures

The one option that people haven’t mentioned is signing authentication requests.  I don’t know whether that’s an option in your environment, but it’s the alternative.

On May 23, 2016, at 11:47, Eric Goodman <Eric.Goodman at ucop.edu> wrote:

My (additional) assumption has always been that if you want to use ForceAuthn in this way that you need to audit the IdPs to ensure this behavior, or at least document it clearly to the IdP leveraging your service, since it's so common for IdPs to be out of compliance or to be in compliance in meaningless ways (e.g., kerb/IWA).
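
An added example, not part of the thread and not Shibboleth code: an application-side check of the AuthnStatement returned after a ForceAuthn request, flagging a stale AuthnInstant and the Kerberos/X.509-style context classes mentioned above. The function names, the five-minute window, the `NON_INTERACTIVE` policy set and the assumption that the application records when it sent the request are all illustrative.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# Classes where a fresh AuthnInstant need not involve the user (ticket or
# certificate reuse). Treating these as suspect is a local policy assumption.
NON_INTERACTIVE = {AC + "Kerberos", AC + "X509", AC + "TLSClient", AC + "PreviousSession"}

def parse_instant(value):
    # SAML uses UTC xs:dateTime, e.g. 2016-05-23T18:00:03Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def reauth_findings(assertion_xml, request_sent_at, now,
                    max_age=timedelta(minutes=5), skew=timedelta(seconds=60)):
    """Return reasons not to treat this assertion as a fresh user re-authentication.
    Assumes the SP software has already verified signature, audience and validity."""
    stmt = ET.fromstring(assertion_xml).find(".//saml:AuthnStatement", NS)
    if stmt is None or stmt.get("AuthnInstant") is None:
        return ["no AuthnStatement/AuthnInstant"]
    findings = []
    instant = parse_instant(stmt.get("AuthnInstant"))
    if instant < request_sent_at - skew:
        findings.append("AuthnInstant predates the ForceAuthn request")
    if now - instant > max_age:
        findings.append("AuthnInstant older than max_age")
    ref = stmt.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if ref is None:
        findings.append("no AuthnContextClassRef")
    elif ref.strip() in NON_INTERACTIVE:
        findings.append("non-interactive method: " + ref.strip().rsplit(":", 1)[-1])
    return findings

def sample_assertion(instant, class_ref):
    # Constructed, unsigned sample; real assertions carry far more.
    return ('<saml:Assertion xmlns:saml="%s"><saml:AuthnStatement AuthnInstant="%s">'
            '<saml:AuthnContext><saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>'
            '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>'
            % (NS["saml"], instant, class_ref))

SENT = datetime(2016, 5, 23, 18, 0, 0, tzinfo=timezone.utc)   # constructed times
NOW = SENT + timedelta(seconds=30)

if __name__ == "__main__":
    for instant, ref in [("2016-05-23T18:00:10Z", AC + "PasswordProtectedTransport"),
                         ("2016-05-23T18:00:10Z", AC + "Kerberos"),
                         ("2016-05-23T09:12:00Z", AC + "PasswordProtectedTransport")]:
        print(ref.rsplit(":", 1)[-1], reauth_findings(sample_assertion(instant, ref), SENT, NOW))
```

An empty result shows only that the IdP's claim is consistent with a re-authentication; whether the IdP actually prompted the user is the auditing question raised in the message.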
