Electronic signatures

[Eric Goodman]

>I’m not fully grasping the distinction you draw between signed documents 
>and signed SAML assertions, though.  Is it that the end user signs the document 
>and the IdP signs the assertions?  Intended longevity of artifact?  Something else?

I think you are reading way more into my comments than are there. Arguably I was just being pedantic. When I mentioned "sign the document", I meant just straight up "sign the document" a la PGP. No assertions (HoK or otherwise), no SAML, no MFA. 


I mentioned it because the ForceAuthn use case is really not about "electronic signatures", but "proof of presence" or perhaps "attestation": I initiate some high value transaction, and I am forced by the app (via the IdP) to (re-)authenticate myself to prove that I am present (performing the action) before the transaction is allowed. No actual cryptographic signature is stored in the application associated with the data I submitted; the proof that I "attested" to or was present for the activity is the application's concurrent log entries of me taking the action and of my authentication event. 

Since the title of the post was "electronic signatures", I offered literally signing the data as an alternative to the ForceAuthn approach. You made the leap to HoK, but I wasn't talking about that. It is true personal certs would allow HoK assertions, but that has no real bearing on what I was distinguishing.
 
--- Eric