Hannes wrote:
> Melinda wrote:
> >
> > and that there are
> > some non-trivial advantages to carrying authorizations in-band.
> Namely...

I don't wish to speak for Melinda, but this is a view shared by many within my own community. I have a long list of applications, collected from within this community, with which they would like to use SAML-based authorisation; and it seems to me that the ability for application protocols to share a common mechanism for expressing authorisation would mitigate or perhaps even avoid the need to make application-specific authorisation extensions.

(The fact that SAML-based Web SSO uses SAML that is bound to the application-layer is, I believe, only an artifact of a requirement to avoid modifying contemporary Web browsers and I don't think it is an approach that would necessarily be desirable for the general case.)

Binding authorisation to TLS, as suggested by this document, is one approach that would satisfy the 'common mechanism' requirement indicated previously.

josh.

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf