Delegation and Moonshot
lukeh at padl.com
Wed Apr 6 18:27:29 EDT 2011
> I will own up to being one of those. I still regard the use of XML instead of ASN.1 as ugly in the context of Kerberos. I would prefer an attribute certificate to a SAML assertion.
Even in the case where the explicit goal was SAML interoperability?
> IIUC Sam's real position was that adding authorization data could create interoperability problems. Hopefully care is/will be taken so the problems are only DOS, and not incorrect authorization.
RFC 4120 18.104.22.168 specifies a way to include non-critical authorisation data.