Electronic signatures

Nate Klingenstein ndk at sudonym.me
Mon May 23 14:24:03 EDT 2016


> With InCommon now offering personal signing certificates

Sorry, I neglected to reply to this part.  It’s a great observation.

Everyone thinks of two-factor authentication being performed and enforced by the IdP, but you allude to the SP being able to do it.  I’ve seen it used sparingly in production, but if the SP is in a position where it can or needs to credential users, it’s an option.

It becomes an even more interesting option when combined with holder-of-key SAML assertions that can bind the assertion minted by the IdP to the same keypair that can be presented to the SP.

http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso.html

This is a potential deployment trend for higher-risk implementations that I’ve followed closely, but I’ve seen limited traction.
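The two ideas in the message above, the SP credentialing the user with a client certificate and a holder-of-key assertion binding the IdP's assertion to that same key, come together in one SP-side check: after the SP verifies the assertion's signature, it compares the certificate in the holder-of-key SubjectConfirmation against the certificate the browser presented over TLS. The following is an added example, not code from the original post or from Shibboleth; the assertion skeleton, certificate bytes, function names and recipient URL are all constructed for illustration, and the example assumes XML signature validation has already happened elsewhere.

```python
"""SP-side holder-of-key confirmation for a SAML 2.0 assertion (added example).

Assumption: the assertion's XML signature has already been verified by the
SP's SAML stack. This code only answers "does the TLS client certificate the
browser just presented match the key the IdP bound into the assertion?"
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
RECIPIENT = "https://sp.example.edu/Shibboleth.sso/SAML2/POST"  # hypothetical SP endpoint

# Constructed stand-ins for the DER bytes of two client certificates. They are
# not real X.509 certificates; the check below only compares fingerprints.
USER_CERT_DER = b"constructed-der-bytes-for-alice-client-cert-0001"
OTHER_CERT_DER = b"constructed-der-bytes-for-mallory-client-cert-0002"


def build_assertion(cert_der, method=HOK_METHOD,
                    not_on_or_after="2016-05-23T19:00:00Z", recipient=RECIPIENT):
    """Constructed, unsigned assertion with one SubjectConfirmation (test fixture)."""
    cert_b64 = base64.b64encode(cert_der).decode()
    key_info = ""
    if method == HOK_METHOD:
        # Holder-of-key profile: SubjectConfirmationData carries a ds:KeyInfo
        # naming the key/certificate the subject must prove possession of.
        key_info = (f'<ds:KeyInfo xmlns:ds="{NS["ds"]}"><ds:X509Data>'
                    f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
                    f'</ds:X509Data></ds:KeyInfo>')
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0"
    IssueInstant="2016-05-23T18:24:03Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.edu</saml:NameID>
    <saml:SubjectConfirmation Method="{method}">
      <saml:SubjectConfirmationData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="saml:KeyInfoConfirmationDataType"
          NotOnOrAfter="{not_on_or_after}" Recipient="{recipient}">{key_info}</saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes; compare fingerprints rather than raw blobs."""
    return hashlib.sha256(der).hexdigest()


def confirm_holder_of_key(assertion_xml, presented_cert_der, now, expected_recipient):
    """Return (ok, reason) for the TLS client cert the browser presented to the SP."""
    root = ET.fromstring(assertion_xml)
    presented_fp = fingerprint(presented_cert_der)
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue  # a bearer confirmation proves nothing about the TLS client
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            continue
        exp = data.get("NotOnOrAfter")
        if exp:
            deadline = datetime.strptime(exp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if now >= deadline:
                return False, "holder-of-key confirmation expired"
        recipient = data.get("Recipient")
        if recipient is not None and recipient != expected_recipient:
            return False, "recipient mismatch"
        for cert_el in data.findall(".//ds:X509Certificate", NS):
            asserted_der = base64.b64decode(cert_el.text.strip())
            if fingerprint(asserted_der) == presented_fp:
                return True, "TLS client certificate matches asserted key"
        return False, "TLS client certificate does not match asserted key"
    return False, "no holder-of-key SubjectConfirmation present"


if __name__ == "__main__":
    now = datetime(2016, 5, 23, 18, 30, tzinfo=timezone.utc)
    assertion = build_assertion(USER_CERT_DER)
    print(confirm_holder_of_key(assertion, USER_CERT_DER, now, RECIPIENT))
    # A stolen or replayed assertion is useless without the matching private key:
    print(confirm_holder_of_key(assertion, OTHER_CERT_DER, now, RECIPIENT))
    print(confirm_holder_of_key(build_assertion(USER_CERT_DER, method=BEARER_METHOD),
                                USER_CERT_DER, now, RECIPIENT))
```

The practical consequence is the one the message hints at: with a bearer assertion, whoever holds the assertion is the user, so a stolen assertion is enough; with holder-of-key, the SP additionally requires the TLS client certificate named in the assertion, so the browser must hold the private key the IdP observed. A real deployment would feed `presented_cert_der` from the TLS layer's client certificate and would also check the usual conditions (Audience, InResponseTo, signature), which this example leaves to the SAML stack.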