Electronic signatures
Eric Goodman
Eric.Goodman at ucop.edu
Mon May 23 18:09:48 EDT 2016
>> So in this case I mean literally auditing the IdP’s behavior.
>I can understand the appeal and the value. I don’t think there’s a
>chance in Hades that SPs will get to audit their IdPs.
I only meant this within the context of an organization or a specific bilateral agreement. Referring to my previous comment:
[me speaking]
>I have agitated for auditing the ForceAuthn response behavior of the IdPs
>*in my system* [i.e., "those operated by entities within University of California"]
>as a prelude to leveraging ForceAuthn this way, but I don't see any realistic way
>to support it federation-wide short of something like a trustmark. (And I think the
>development of such a trustmark is not high on anyone's priority list.)
("I have agitated for auditing..." in the above is not implying "I have gotten agreement that we will audit....")
[Nate again]
>It becomes an even more interesting option when combined with holder-of-key SAML
>assertions that can bind the assertion minted by the IdP to the same keypair that can
>be presented to the SP.
>
>http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso.html
FWIW, I didn't mean HoK assertions in SAML. I meant that you could literally digitally sign the information being presented. As in: "I uploaded an Adobe Acrobat document which is signed with my signing key". Not arguing for or against HoK -- either would be feasible (and likely problematic in the short term) -- just clarifying that my previous statement was referring to a SAML-less "signature".
--- Eric