Rhys,

1.  Terminology - Bullet #1 - s/which they have an organization/which they
have an association/

2. Terminology -  Move NAI before Identity to deal with problem of expand on
first use.

3.  Terminology - Bullet #2 - Massage the sentence with the "and".  I mis-read
it the first time as the GSS-API would do the mapping rather than the
identity selector.

4.   Section 4- Context - s/user to user/user to use/

5. Section 4 - Context - In the first bullet - I think you want to say that
this is a GSS-API implementation specific file and not an application
specific file.  The term application is overloaded with the application that
the user is using to talk to the service.

6.  Section 6.1 - Is the issuing organization always going to be derivable
from the NAI of the user?  Under what circumstances would this not be the
case?

7.  Section 6.2.2. - Implies either a lot of different ways or some standard
way being created to do this.  This needs to be made clearer that there is
going to be an association between the implementation of ABFAB, the UI and
the IDP service.

8.  Section 6.4  - bullet #2 - s/the identity provisioned/the identity
automatically provisioned/

9.  Section 7 - add new section - Server identification.  There are a number
of different ways that services can be identified.  The name of the service,
the name of the server, parameters that are included in the service (for
example the account that I am going to use to send mail), or some
combination of the above.

10.  Section 7 - Identity selection by calling application rather than GSS-API.

11.  Section 7 - last paragraph - last sentence - should this be an
"automatic" option on some types of authentication failures?

12.  Section 7.3 - why should the association only be doable after
authentication?  Esp. for manual authentications.

13.  Section 7.3.1 - It would be beneficial to list the types of things that
are selections.  I don't know that it is necessary to know the realm in all
cases.

14.  Section 7.3.1 - User-driven - on demand associations - Pop up a
selection dialog box when you are trying to get to a service you have never
seen before.

15.  Section 8 - should applications attempt to use multiple names if there
are multiple names associated with the service?  Need to discuss possible
privacy implications of this approach in terms of association of multiple
names together.


Import/Export of credentials
Password protect the store - not the same as the password used for the IDP
Credentials that are "pluggable" - that may or may not be present on the
machine
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab