> I would prefer if channel bindings are done in a GS2 compatible way, to
> allow a SAML SASL mechanism to be usable as a GSS-API mechanism as well.
> By using the GS2 prefix, you also get support for authorization
> identities.
>
> If authors are interested here, I could help with the GS2 prefix part so
> that it causes minimal confusion for non-GSS-API people and still allows
> that variant. I made this suggestion for the OpenID SASL mechanism as
> well.

I'm completely open to any and all SASL/GSS-related suggestions and improvements. This is sort of a 5-year-old work item for me that dates back to SAML 2's initial design work, which I intended to demonstrate as a fit for SASL and never got the time or the perceived interest to get done.

I just want to get a proposal out that "fits" my original intention for how this would look, and then let the experts on the non-SAML parts whack it into shape once there's an understanding of the compatibility trade-offs.

-- Scott