*MACE-WebISO Conference Call*

April 2, 2002

*Participants*

Nathan Dors -- Washington (chair)
Tom Dopirak -- CMU
Jeff Eaton -- CMU
Scott Fullerton -- Wisconsin
Todd Piket -- MTU
Steve Willey -- Washington
Russell Yount -- CMU
Nate Klingenstein -- Internet2 (scribe)

*Discussion*

Next Process Steps

Nathan wanted to work with the group to define a vision of how the next few weeks will proceed with the MACE-WebISO group in conjunction with the Pubcookie development team. Todd initially offered his assistance in setting up an autoconf; however, significant code unification remains to be done before the code base is in a state that is ready for autoconfing. The group initiated discussion about what work needed to be done, how to parcel out this work, and which deliverables are relatively imminent.

The requirements discussions need to be revived, as well. Having these requirements in hand and well-understood will be useful going into the face-to-face and for discussion of future Pubcookie design.

Nathan read through Virginia Tech's discussion of their authPortal WebISO system. He was particularly impressed by their description of the WebISO model, and a subsequent analysis of how the Virginia Tech model maps onto the basic requirements for a WebISO system. This points to the usefulness and need for the WebISO group to work on a similar model itself.

[AI] Nathan will do what he can to push on Bob to release a draft paper on the WebISO model.

Next Implementational Steps

There are a handful of things that Nathan expressed the desire to implement in Pubcookie over the coming months. The first would be development of the ability to destroy cookies in client browsers to begin supporting some of the application domain, multi-level login and logout scenarios that the group has developed. The mechanics of doing so are currently in discussion.

The second idea would serve to allow for different authentication domains covered by the same WebISO system. By packaging an authentication domain with the userID in the traditional user@realm format, an intelligent Pubcookie client webserver would be able to identify the domain under which the user had been authenticated. Using the user@realm format provides one way to maintain backwards compatibility, as older or simpler versions of Pubcookie can just treat the entire string as the user identifier. Another approach may simply add a configuration option to application and login servers to strip or include the @realm part of the attribute, as well. This capability is extended further by the ability to have Pubcookie access multiple backend authentication systems using a simple plug-in model.

The CMU contingent suggested creation of a more extensible framework to build the trust model between servers. Adding this framework could serve to limit the pain of changing server keys if the necessity arose, or switching to a new authentication model on campus. Providing the encryption services based around this sort of framework could be challenging, however. A further extension would be to add plugins for Pubcookie clients; creation of an XML wrapping for browser cookies or using some similar standard would allow sites to define their own methods for client authentication.

[AI] Larry and Russell offered to formalize their thoughts about these modifications and send the results to the list.

*Action Items*

1. Nathan will do what he can to push on Bob to release a draft paper on the WebISO model.
2. Larry and Russell offered to formalize their thoughts about these modifications and send the results to the list.