Unless I'm missing something, this spec misses the important use case where a holder-of-key SAML token is carried in a proxy certificate (completely analogous to the typical VOMS AC case).

SAML tokens embedded within proxy certificates isn't one of the "common denominators" identified by the pgi-wg as an "authz plumbing" (to borrow Morris' phrasing). And if the point of the PGI-WG is to move forward in a unified direction with SAML instead of documenting the mish-mash myriad of ways for expressing the same thing that exist now, then 2.0 would be the place to hang your hat. -Duane