ndk at sudonym.me
Mon May 23 18:23:09 EDT 2016
> ("I have agitated for auditing..." in the above is not implying "I have gotten agreement that we will audit....")
Fair enough, and whether Hades or trustmarks, I think that we’re in general violent agreement on this point, with perhaps a feather of optimism in your cap.
> just clarifying that my previous statement was referring to a SAML-less "signature".
Understood. Even with this in place, I think there’s a lot of value in keeping the real-time fresh attribute release that SAML provides. Placing anything remotely mutable in a long-lived token possessed by the user leaves a lot to be desired.
I’m not fully grasping the distinction you draw between signed documents and signed SAML assertions, though. Is it that the end user signs the document and the IdP signs the assertions? Intended longevity of artifact? Something else?