Review of draft-housley-tls-authz-extns-05

The part about X.509 attribute certificates looks fine, but
at least the SAML part still needs some work:

1) I think the document needs to discuss the security considerations
   of bearer SAML assertions in more detail. While the countermeasures
   described in 3.3.2 may help against passive eavesdroppers, they 
   still allow an active MiTM to "steal" the permission. This is IMHO 
   a significant difference to typical SAML usage with HTTP-over-TLS,
   where the server is authenticated before the bearer assertion is
   sent.

2) Section 3.3.2: "When SAMLAssertion is used, the field contains XML 
   constructs with a nested structure defined in [SAML1.1][SAML2.0]."
   This needs to be much more specific than "some XML from these 
   documents". What element/elements? Is this an XML document
   (with XML declaration etc.), or just a "fragment"? Which encoding? 
   And so on...

3) The document is last called for Proposed Standard, but contains
   a normative reference to an Informational RFC (RFC 2704). I'd
   suggest removing the KeyNote stuff from this document (if someone
   really wants to do KeyNote, it can be a separate document).

Minor editorial comments:

4) Section 2.3: the list type is "AuthorizationDataFormats" but
   the enum is spelled "AuthzDataFormat".

Best regards,
Pasi
