I've been handed this ticket. The client-side behavior will be handled using GSS_C_DELEG_POLICY_FLAG as specified in http://tools.ietf.org/html/draft-lha-gssapi-delegate-policy-04. Code from Apple has already been committed to handle the flag, and I am working on the cross-realm handling now. I don't yet have specific plans to use the flag in any client program.

That leaves the KDC support. Sam wanted us to use the same user-visible flag name as the Sandia patch, but I honestly think it will be less confusing if we remain consistent with the RFC (ok-as-delegate) than if we use the redundant-seeming "allow-ok-as-delegate" name. What do the people from Sandia think? Will it be particularly traumatic to switch to a different name for setting the flag in kadmin?