Thank you for this nice session... very didactic...
WS-Trust is indeed interesting as a building block... but people using it must know that their work is not finished at the security level; the multiparty protocol must still be carefully designed...
Examples of things I would think about:
1. In your example regarding the age, how does the "wine seller" know that "22" is really the age of the person submitting the SAML token to him, and that the token was not stolen and just sent to him?
Shouldn't there be a signdrivingdeptprivkey(certificate user, age corresponding to the certificate user presented when the user requested the assertion from the "drive dept")?
2. I suppose also that there is a need to have all parties (wine reseller, user, Drive dept) securely synchronized with the same time server (in some kind of secure way?) in order to make sure that the signed assertions are all still "fresh", and to avoid making the relying party accept old assertions that could have become obsolete?
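The two concerns raised above (a stolen token replayed by someone other than its subject, and stale assertions accepted because of clock drift) map onto checks a relying party such as the "wine seller" can perform on a SAML 2.0 assertion. The following is an added example, not code from the session or the commenter; the assertion, the key name "CERTFP-USER-1" and the 5-minute skew window are constructed assumptions, and XML signature verification is assumed to have been done beforehand.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
MAX_SKEW = timedelta(minutes=5)  # assumed tolerated clock drift between the parties

# Constructed sample assertion issued by the "drive dept" (signature element omitted;
# signature checking is assumed done). The presenter must prove possession of the
# key named in SubjectConfirmationData, otherwise the token is usable by a thief.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0" ID="_example">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:10:00Z"/>
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData><ds:KeyInfo><ds:KeyName>CERTFP-USER-1</ds:KeyName></ds:KeyInfo></saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="age"><saml:AttributeValue>22</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_utc(s):
    """Parse a SAML UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, presenter_key_name, now):
    """Return (accepted, reason). presenter_key_name is the key the sender proved
    possession of on the transport (e.g. its TLS client certificate); now is the
    relying party's clock as an aware UTC datetime."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions"
    # Freshness: reject outside [NotBefore, NotOnOrAfter), allowing MAX_SKEW of drift
    if now + MAX_SKEW < parse_utc(cond.get("NotBefore")):
        return False, "not yet valid"
    if now - MAX_SKEW >= parse_utc(cond.get("NotOnOrAfter")):
        return False, "expired"
    # Binding: only accept holder-of-key confirmation, and only from the confirmed key
    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != HOLDER_OF_KEY:
        return False, "not holder-of-key"
    kn = sc.find("saml:SubjectConfirmationData/ds:KeyInfo/ds:KeyName", NS)
    if kn is None or kn.text != presenter_key_name:
        return False, "presenter key does not match confirmed key"
    return True, "ok"
```

A bearer-style token (no holder-of-key binding) is rejected outright here, which is the stricter choice the first point argues for; the skew window is what keeps the second point from turning into a hard dependency on perfectly synchronized clocks.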