Raw notes from meeting
Negotiate security layer... similar encryption to SSL.
Can SASL negotiate to use TLS for encryption?
There's an open source SASL C library -- Cyrus SASL?
Stateless HTTP vs. connection oriented
Mozilla has GSSAPI support for some things -- at least for IMAP and LDAP.
How do universities perceive their problem as different from large enterprises?
- large enterprises have the ability to do more lock-down
- large enterprises can pay big $$ for proprietary single-sign-on solutions
Universities are using their buying power to leverage commercial software providers into doing Shibboleth
Mozilla isn't interested in adding Shibboleth support to HTTP per se, although they may be more interested in having HTTP work with SASL for other reasons.
What is the network architecture of Shibboleth? How does the authentication work?
Could we get somebody from CSG to teach us about Shibboleth at some point?
Currently Shibboleth works by redirecting the user to a log-in form on some other server, then back to the content server. Central Authentication System (CAS) works somewhat the same way.
OpenID no longer does redirects to the authentication server. Instead the content server gives the client some JavaScript to tell it to go to its authentication server and
What if the HTTP server had a 3rd authentication scheme which was "external"? It would challenge the user to go to an external server -- this would work with things like OpenID, LID, maybe InfoCard. The client then goes to their identification authority server and obtains a token which it sends to the authority server -- maybe using WS-Federation?
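The redirect-based flow above (content server sends the user off to a separate login server, which hands back a token the content server must check) as an added, simplified illustration. This is not Shibboleth, CAS or OpenID code and not from the meeting: it assumes an HMAC shared key instead of real SAML/XML signatures, and the hostnames, class names and the "nonce" / "aud" / "exp" claim names are all constructed for the example. The point it shows is the set of checks the content server needs before trusting a token that arrived via the browser: signature, intended audience, expiry, and a single-use nonce so a captured token cannot be replayed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret. A real IdP signs with a private key and the content
# server holds only the public key; HMAC keeps this illustration short.
SHARED_KEY = b"constructed-demo-key-not-for-production"
CONTENT_SERVER = "https://content.example"   # hypothetical content server (SP)
IDP_SERVER = "https://idp.example/login"     # hypothetical login server (IdP)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Hypothetical login server: checks the password, returns a signed assertion."""

    def __init__(self, key: bytes, users: dict):
        self.key = key
        self.users = users  # constructed username -> password table

    def login(self, username, password, audience, nonce, ttl=300):
        if self.users.get(username) != password:
            return None
        claims = {"sub": username, "aud": audience, "nonce": nonce,
                  "exp": int(time.time()) + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return body + "." + sig


class ContentServer:
    """Hypothetical content server that defers authentication to the IdP."""

    def __init__(self, key: bytes, origin: str, idp_url: str):
        self.key = key
        self.origin = origin
        self.idp_url = idp_url
        self.pending = {}   # nonce -> requested path, issued but not yet redeemed
        self.sessions = {}  # session id -> username

    def request(self, path, session=None):
        """Serve the page if a session exists, otherwise redirect to the IdP."""
        if session in self.sessions:
            return 200, f"hello {self.sessions[session]}, here is {path}"
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = path
        return 302, f"{self.idp_url}?return={self.origin}{path}&nonce={nonce}"

    def callback(self, token, now=None):
        """Validate the token the browser brought back from the IdP."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
        except ValueError:
            return 400, "malformed token"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return 401, "bad signature"
        claims = json.loads(_unb64(body))
        if claims.get("aud") != self.origin:
            return 401, "token issued for another audience"
        if claims.get("exp", 0) < now:
            return 401, "token expired"
        # pop() makes each nonce single-use, so a captured token cannot be replayed
        path = self.pending.pop(claims.get("nonce"), None)
        if path is None:
            return 401, "unknown or already-used nonce"
        session = secrets.token_urlsafe(16)
        self.sessions[session] = claims["sub"]
        return 200, session


def run_flow():
    """One successful login, then a replay and a tampered token being refused."""
    idp = IdentityProvider(SHARED_KEY, {"alice": "correct horse"})
    sp = ContentServer(SHARED_KEY, CONTENT_SERVER, IDP_SERVER)

    status, location = sp.request("/protected")          # 302 to the IdP
    nonce = location.rsplit("nonce=", 1)[1]
    token = idp.login("alice", "correct horse", CONTENT_SERVER, nonce)
    ok_status, session = sp.callback(token)              # 200, session issued
    page_status, _ = sp.request("/protected", session)   # 200, content served

    replay_status, _ = sp.callback(token)                # nonce already consumed
    _, sig = token.split(".")
    forged = _b64(json.dumps({"sub": "admin"}).encode()) + "." + sig
    forged_status, _ = sp.callback(forged)               # signature no longer matches
    return status, ok_status, page_status, replay_status, forged_status


if __name__ == "__main__":
    print(run_flow())
```

Run it directly and it prints `(302, 200, 200, 401, 401)`: the redirect, the accepted token, the served page, then the refused replay and the refused forgery. The audience check is what stops a token minted for one content server from being presented to another, which is the failure mode to watch for once many servers share one login server.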
Twisted might already have SASL and Kerberos 4 with its POP3 client...