Now we are ready for true support for forwarding credentials.

The credentials should be associated with the SecurityIdentity itself. A permission check is required to acquire them (maybe even both a code permission check and a user authorization check).

We could support holding one credential per type+algorithm combination, or simply a list of credentials which can be queried.

Authentication client API should be enhanced to search a security domain's current identity for a forwarding credential to use.