Eric.Goodman at ucop.edu
Tue May 24 13:24:36 EDT 2016
>I’m not fully grasping the distinction you draw between signed documents
>and signed SAML assertions, though. Is it that the end user signs the document
>and the IdP signs the assertions? Intended longevity of artifact? Something else?
I think you are reading way more into my comments than are there. Arguably I was just being pedantic. When I mentioned "sign the document", I meant just straight up "sign the document" a la PGP. No assertions (HoK or otherwise), no SAML, no MFA.
I mentioned it because the ForceAuthn use case is really not about "electronic signatures", but "proof of presence" or perhaps "attestation": I initiate some high value transaction, and I am forced by the app (via the IdP) to (re-)authenticate myself to prove that I am present (performing the action) before the transaction is allowed. No actual cryptographic signature is stored in the application associated with the data I submitted; the proof that I "attested" to or was present for the activity is the application's concurrent log entries of me taking the action and of my authentication event.
Since the title of the post was "electronic signatures", I offered literally signing the data as an alternative to the ForceAuthn approach. You made the leap to HoK, but I wasn't talking about that. It is true personal certs would allow HoK assertions, but that has no real bearing on what I was distinguishing.
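The ForceAuthn side of the distinction drawn in this message, as an added example that is not part of the original thread or of any Shibboleth code: the SP sends an AuthnRequest with ForceAuthn="true", then, instead of storing a signature over the submitted data, ties the transaction to the AuthnInstant the IdP asserts and writes the two correlated log entries. The entity IDs, URLs, timestamps, the constructed SAML snippets and the five-minute freshness window are all assumptions; it uses only the Python standard library and assumes the SAML stack has already validated the response signature.

```python
"""
Added example (not code from the mailing-list message): proof-of-presence via
ForceAuthn. The SP requests a fresh authentication, then checks the asserted
AuthnInstant and records it next to the transaction. All identifiers, URLs,
timestamps and the freshness window are assumptions.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ISO = "%Y-%m-%dT%H:%M:%SZ"
FRESHNESS = timedelta(minutes=5)  # assumed SP policy: how recent the re-auth must be

# Constructed timestamps for the walkthrough (not from a real exchange).
REQUEST_SENT_AT = datetime(2016, 5, 24, 17, 20, 0, tzinfo=timezone.utc)
NOW = REQUEST_SENT_AT + timedelta(seconds=45)

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_force_authn_request(sp_entity_id, acs_url, issue_instant):
    """Minimal AuthnRequest with ForceAuthn="true" (unsigned; a real SP signs it)."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant.strftime(ISO),
        "AssertionConsumerServiceURL": acs_url,
        "ForceAuthn": "true",  # IdP must authenticate again, not reuse its SSO session
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


def sample_response(authn_instant):
    """Constructed Response carrying only what this check reads (no signature,
    Conditions or SubjectConfirmation; a real one has all of those)."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" Version="2.0">
  <saml:Assertion Version="2.0">
    <saml:Subject><saml:NameID>alice@example.edu</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="{authn_instant.strftime(ISO)}" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(response_xml):
    """Return (NameID, AuthnInstant) from the first assertion. Assumes the
    response signature was already validated by the SAML stack."""
    root = ET.fromstring(response_xml)
    name_id = root.find(f".//{{{SAML}}}NameID")
    stmt = root.find(f".//{{{SAML}}}AuthnStatement")
    if name_id is None or stmt is None:
        raise ValueError("assertion lacks NameID or AuthnStatement")
    instant = datetime.strptime(stmt.get("AuthnInstant"), ISO).replace(tzinfo=timezone.utc)
    return name_id.text, instant


def authentication_is_fresh(request_sent_at, authn_instant, now):
    """ForceAuthn only proves presence if the IdP actually re-authenticated:
    AuthnInstant must fall after our request and within FRESHNESS of now.
    An AuthnInstant before the request means an older session was reused."""
    return request_sent_at <= authn_instant <= now and (now - authn_instant) <= FRESHNESS


def attestation_record(txn_id, action, request_sent_at, response_xml, now):
    """The 'concurrent log entries' idea: one record linking the transaction
    to the authentication event that gated it (no signature over the data)."""
    user, authn_instant = parse_assertion(response_xml)
    return {
        "txn_id": txn_id,
        "action": action,
        "user": user,
        "force_authn_requested_at": request_sent_at.strftime(ISO),
        "authn_instant": authn_instant.strftime(ISO),
        "present": authentication_is_fresh(request_sent_at, authn_instant, now),
    }


def run_scenarios():
    """Three constructed IdP responses to the same ForceAuthn request."""
    cases = {
        "fresh": REQUEST_SENT_AT + timedelta(seconds=30),  # user really re-authenticated
        "stale": REQUEST_SENT_AT - timedelta(hours=2),     # ForceAuthn ignored, SSO session reused
        "future": NOW + timedelta(minutes=1),              # clock skew or forged timestamp
    }
    return {
        name: attestation_record("txn-0001", "approve-wire-transfer", REQUEST_SENT_AT,
                                 sample_response(when), NOW)["present"]
        for name, when in cases.items()
    }


if __name__ == "__main__":
    print(build_force_authn_request("https://sp.example.edu/shibboleth",
                                    "https://sp.example.edu/Shibboleth.sso/SAML2/POST",
                                    REQUEST_SENT_AT))
    for name, ok in run_scenarios().items():
        print(f"{name}: present={ok}")
```

The check in authentication_is_fresh is the part practitioners most often leave out: ForceAuthn is an instruction to the IdP, so the SP has to confirm from AuthnInstant that a fresh authentication actually happened (the "stale" case is an IdP that reused its SSO session). Note that nothing here binds the submitted data cryptographically; that is exactly the difference from signing the document that the message is drawing.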