*MACE-WebISO Conference Call*
January 22, 2002

*Participants*

Nathan Dors -- Washington (chair)
Steven Carmody -- Brown
Jeff Eaton -- CMU
Scott Fullerton -- Wisconsin
Bob Morgan -- Washington
Steve Willey -- Washington
Russell Yount -- CMU
Nate Klingenstein -- Internet2 (scribe)

*Discussion*

      Given the amount of time elapsed since the last call, Nathan opened
the call with a thorough review of the action items in the previous
minutes.  A suite of utilities in the Apache and IIS distributions have
been completed which permit further testing of encryption between
Pubcookie and app servers, which has been used to some effect by CMU and
Hawaii.  Action item number two -- to complete effective documentation
on how to implement pubcookie in a basic webpage -- has been
half-completed, with information added to the IIS distribution package,
but too little in the mod_pubcookie module.  Nevertheless, [AI]
improving the Pubcookie manuals has been made a continuing action item.
Bob has made "several odd contacts" with representatives from the
University of British Columbia, with some measure of pinging back and
forth and an offer of joining the group having been made.  It also
appears that they have, at least, "poked at" Pubcookie.
      The Pubcookie anonymous CVS is up and running, and it has been used
to some effect by local departments at Washington.  Nathan believes that
it is in sufficient shape to be of use to departmental sysadmins, and
has received good feedback.  A pubcookie-dev email list has been
created, with the intent to provide a resource for people actively
modifying Pubcookie.  This will foster discussion about code changes,
allow groups to announce intentions to work on certain parts of the
code, to resolve merge conflicts, and similar developmental goals.
While there is a limited current membership, if there is enough demand,
a model will be developed for bringing in additional core team members
to the list.

Top-Down and Bottom-Up

      The group reflected that it had, to date, followed bimodal top-down
and bottom-up approach to managing the group.  Extensive work has been
done on refining the WebISO model, evaluation of scenarios, and coming
up with broader views of the landscape.  Conversely, there has been
explicit work on solving some of the problems posed by Pubcookie,
including development of manuals and bug fixes.  Nathan expressed a hope
of his that the group is nearing a point where there will be no more
need to use call time for things like installation bugs because there
will be more information, tools, and triage material online.  He would
prefer calls would be used primarily in the traditional manners of
review and validation.
      Scott expressed that he thinks it's good that the group is
differentiating the two approaches and is conscious of each.  His
personal preference for future approaches was to work primarily on
top-down later on, with a current focus on bottom-up efforts to make
sure Pubcookie works well and is vetted in a variety of environments as
long as there is an eventual goal to focus on the top-down approach
eventually.  Especially given the rate at which Shibboleth is
proceeding, and its ability to use a WebISO solution, focusing on making
Pubcookie broadly and easily implementable is an important current goal.

The WebISO Model

      [AI] Bob foolishly volunteered to write at least a chunk of the
charter for WebISO that he believes needs to exist.  This would provide
a metric against which to measure the process towards specific goals of
the group.  This would answer such questions as whether feature requests
or patches are part of the scope of the group.
      A companion to this to document in assisting to guide the group
would be development of a basic WebISO model.  Creation of this model
would help to judge and expand the functionality of different WebISO
models and help the group to understand the role and interfacing of a
WebISO system on campus in implementation.
      Definition of a WebISO model is a significant challenge.  There is
a thin line between a level of specificity which would be strict enough
to define out of WebISO-hood several WebISO systems currently in
existance and a level of specificity which is so general it encompasses
all of authentication.  Models such as Pubcookie, Bluestem, and CAS all
have significantly different parameters and manage critical WebISO
functions such as state in very different ways.  Michael Gettes of
Georgetown has tried to convince Bob that WebISO is a subset of
Shibboleth, since Shibboleth is just authentication across domains.  If
there is a good model defined, things like logouts and message formats
in various WebISO systems could be better tailored and standardized to
suit the model itself.  This model would also be helpful for Shibboleth
itself so that when Steven tells pilot sites they need to deploy a
WebISO system for use in Shibboleth, he can have a document to point to
which accurately and thoroughly describes the functionality a WebISO
system needs to have to support Shibboleth.
      Nathan noted that there have been design discussions similar to the
model definition elaborated on earlier which were conducted within the
Pubcookie design team and on the WebISO list.  Capturing these design
discussions in some form would be helpful.

*Action Items*

1.  Improving the Pubcookie manuals has been made a continuing action
item.

2.  Bob foolishly volunteered to write at least a chunk of the charter
for WebISO that he believes needs to exist.