NVO prototype operates a "weak" CA - only valid e-mail required to register.
Strong validation of registrations is being investigated. This may add extra elements to the SSO profile.
The pubcookie system is used to maintain SSO between web portals. This mechanism may become part of the SSO profile.
The UAS/community log-in process uses MyProxy and doesn't specifically need a web-browser. Use of MyProxy (as opposed to WS-Trust) was reaffirmed for the v1.0 standard.
AstroGrid's prototype was demonstrated: community login + digital-signature of request to a service.
There is an open issue of what names for users are presented to services. Currently only X.500 from certificates. Is this enough? Do we need to correlate different X.500 DNs for the same scientist?
Authenticate-methods spec. got four clarifictions and can now go to v1.0WD immediately.
Decision: services using TLS are expected to support RFC3820 proxy-certificates. This may rule out regular TLS implemenations.
Decision: no IETF extensions to TLS (other than RFC3820) need be supported.
Decision: doesn't matter which version of WS-Security is used, support them both (later resarch showed that it the wire protocol is the same for both versions if only digital signature is used).
Decision: certificate-chain checking must respect limits on chain length stated inside certificates.