Delegation and Moonshot

Luke Howard lukeh at
Wed Apr 6 18:27:29 EDT 2011

> I will own up to being one of those.  I still regard the use of XML instead of ASN.1 as ugly in the context of Kerberos.  I would prefer an attribute certificate to a SAML assertion.

Even in the case where the explicit goal was SAML interoperability?

> IIUC Sam's real position was that adding authorization data could create interoperability problems.  Hopefully care is/will be taken so the problems are only DOS, and not incorrect authorization.

RFC 4120 specifies a way to to include non-critical authorisation data.

-- Luke

More information about the krbdev mailing list