
shibboleth-dev - RE: OS X info, webDAV use case

Subject: Shibboleth Developers

  • From: Scott Cantor <>
  • To: "'David L. Wasley'" <>,
  • Subject: RE: OS X info, webDAV use case
  • Date: Thu, 25 Sep 2003 09:09:11 -0400
  • Importance: Normal
  • Organization: The Ohio State University

> I've been thinking about a "service" that would verify that the Human
> Being (user) knows a shared secret at any point in time, on demand.
> A relying party could invoke the "SSS" to verify "presence", for
> example, at the time a transaction is being finalized, etc. The SSS
> would reply "yes" or "no".

Isn't that an authentication service?

> If a SSS makes sense, could that concept be integrated into a
> Shib environment?

Well, you've got a handful of things that address presence in Liberty:

Proof by an SP that the user signed on to the site at such and such a time.

The ability to force reauthentication from the SP (which of course can't
ensure actual user interaction given things like password caching).

An actual "interaction" service designed to support users stepping into a
transaction at a site to provide consent. This is conceptually similar to
what Shib envisioned for real time attribute release.

None of that except maybe the latter is technically strong, but all of it is
probably sufficient for the real world in most cases.

-- Scott
