*MACE-WebISO Conference Call*
January 21, 2003

*Participants*
Nathan Dors -- Washington (chair)
Steven Carmody -- Brown
Scott Fullerton -- Wisconsin
Larry Greenfield -- CMU
Karsten Huneycutt -- Duke
Bob Morgan -- Washington
Steve Willey -- Washington
Nate Klingenstein -- Internet2 (scribe)

*Discussion*
The call was originally intended as a discussion with OKI, but in the absence of a refined WebISO proposal that discussion was postponed until a later date (February 18th if sufficient progress is made in the interim). This call was used instead to discuss an initial paper on a WebISO API developed by Larry.

Taxonomy & APIs
Larry acknowledged that the huge variety in WebISO systems noted in the survey is a significant challenge to writing a common API for vendor applications to plug into. Many of these different functionalities would require different behavior and capabilities from the client servers and client webapps, so any specification eventually agreed upon probably could not encompass every WebISO design in production today. Some of the distinctions between systems are significant enough to make development of a common Apache module even less feasible.

Session Management
Significant discussion ensued regarding how much control applications can be entrusted with and how much they may sometimes want. Karsten maintained that applications can generally be entrusted with management of their own sessions, although the rest of the group suggested that session management may still be a useful function to provide for applications that do not want to maintain their own. The least common denominator for communication between applications and WebISO systems is a simple and quick transfer of the user ID, so some systems may not expect to maintain sessions at all. Logout remains one of the most difficult capabilities to provide. Drawing a distinction between the authentication session and the application session is an important step.
Bob suggested that a reasonable and consistent approach would be to provide support for logout of the authentication session and allow applications to handle their own sessions. In his words: "While we can argue that mass-logout is a flawed concept that should be fought vigorously, people want it anyway, and want it out of a system."
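To make the authentication-session/application-session distinction concrete, the following is an added toy model written for these minutes, not code from the call or from any WebISO implementation; the class and method names (WebISOServer, WebApp, issue_ticket, redeem_ticket) are hypothetical. The WebISO server owns only the authentication session and hands each application a one-shot user ID; logging out of the authentication session stops new sign-ons but leaves the application's own session alive, which is why the two must be handled separately.

```python
import secrets

class WebISOServer:
    # Owns only the authentication session; hands applications a one-shot user ID
    def __init__(self):
        self.auth_sessions = {}   # sso_cookie -> user_id
        self.tickets = {}         # one-time ticket -> user_id
    def login(self, user_id):
        cookie = secrets.token_hex(16)
        self.auth_sessions[cookie] = user_id
        return cookie
    def issue_ticket(self, sso_cookie):
        # Called when an application redirects the browser to the WebISO server
        user = self.auth_sessions.get(sso_cookie)
        if user is None:
            return None               # no authentication session: user must log in
        ticket = secrets.token_hex(16)
        self.tickets[ticket] = user
        return ticket
    def redeem_ticket(self, ticket):
        # Least common denominator: quick transfer of the user ID, usable once
        return self.tickets.pop(ticket, None)
    def logout(self, sso_cookie):
        # Logout of the authentication session only; applications are not told
        self.auth_sessions.pop(sso_cookie, None)

class WebApp:
    # Keeps its own application session after redeeming a ticket
    def __init__(self, webiso):
        self.webiso = webiso
        self.sessions = {}        # app_cookie -> user_id
    def begin(self, ticket):
        user = self.webiso.redeem_ticket(ticket)
        if user is None:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie
    def current_user(self, app_cookie):
        return self.sessions.get(app_cookie)

def scenario():
    # Returns (user the app still sees after SSO logout, whether a new SSO sign-on works)
    sso = WebISOServer()
    app = WebApp(sso)
    sso_cookie = sso.login("alice")   # constructed sample user
    app_cookie = app.begin(sso.issue_ticket(sso_cookie))
    sso.logout(sso_cookie)
    return app.current_user(app_cookie), sso.issue_ticket(sso_cookie) is not None
```

After the SSO logout the application still reports "alice" until it ends its own session, so a logout button that only hits the WebISO server leaves the application session live.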