Delegation and Moonshot

Luke Howard lukeh at padl.com
Wed Apr 6 18:27:29 EDT 2011


> I will own up to being one of those.  I still regard the use of XML instead of ASN.1 as ugly in the context of Kerberos.  I would prefer an attribute certificate to a SAML assertion.

Even in the case where the explicit goal was SAML interoperability?

> IIUC Sam's real position was that adding authorization data could create interoperability problems.  Hopefully care is/will be taken so the problems are only DOS, and not incorrect authorization.

RFC 4120 5.2.6.1 specifies a way to include non-critical authorisation data.

-- Luke
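
The criticality rule referred to above, as an added example that is not part of the original post or of any Kerberos implementation: RFC 4120 5.2.6 makes an unknown authorization data element in a ticket or authenticator fatal, while elements wrapped in AD-IF-RELEVANT (ad-type 1, AuthorizationData being a SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }) may be ignored by servers that do not understand them. The function names, the minimal DER reader and ad-type 9999 are assumptions made for illustration.

```python
AD_IF_RELEVANT = 1  # RFC 4120 section 5.2.6.1

def tlv(tag, body):
    assert len(body) < 0x80  # short-form lengths are enough for the constructed samples
    return bytes([tag, len(body)]) + body

def encode_authdata(elements):  # hypothetical helper; non-negative ad-types only
    out = b""
    for ad_type, ad_data in elements:
        t = ad_type.to_bytes(ad_type.bit_length() // 8 + 1, "big")
        out += tlv(0x30, tlv(0xA0, tlv(0x02, t)) + tlv(0xA1, tlv(0x04, ad_data)))
    return tlv(0x30, out)

def read_tlv(buf, off, want):  # returns (value, next_offset); the tag must equal want
    if off + 2 > len(buf) or buf[off] != want or buf[off + 1] == 0x80:
        raise ValueError("bad tag or length")
    n, off = buf[off + 1], off + 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        k, off = n & 0x7F, off + (n & 0x7F)
        n = int.from_bytes(buf[off - k:off], "big")
    if off + n > len(buf):
        raise ValueError("truncated value")
    return buf[off:off + n], off + n

def parse_authdata(buf):
    seq, end = read_tlv(buf, 0, 0x30)
    if end != len(buf):
        raise ValueError("trailing bytes")
    elems, off = [], 0
    while off < len(seq):
        item, off = read_tlv(seq, off, 0x30)
        t, p = read_tlv(item, 0, 0xA0)  # ad-type [0]
        d, _ = read_tlv(item, p, 0xA1)  # ad-data [1]
        elems.append((int.from_bytes(read_tlv(t, 0, 0x02)[0], "big", signed=True), read_tlv(d, 0, 0x04)[0]))
    return elems

def check_authdata(buf, understood, critical=True):
    """Return the unknown ad-types that were ignored; fail closed on an unknown critical one."""
    ignored = []
    for ad_type, ad_data in parse_authdata(buf):
        if ad_type == AD_IF_RELEVANT:  # everything nested inside becomes non-critical
            ignored += check_authdata(ad_data, understood, critical=False)
        elif ad_type not in understood:
            if critical:
                raise PermissionError(f"unknown critical ad-type {ad_type}")
            ignored.append(ad_type)
    return ignored

SAMPLE = encode_authdata([(AD_IF_RELEVANT, encode_authdata([(9999, b"<a/>")]))])  # constructed; 9999 is made up
```

A server that understands nothing accepts SAMPLE and reports 9999 as ignored; the same element sent outside the AD-IF-RELEVANT wrapper is rejected, which is the denial-of-service rather than incorrect-authorization outcome.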


