                            WebAuth To-Do List

 *) Currently, there is no good logout strategy other than closing the
    browser, since the user remains logged in to each web site they've
    visited even if they go to the logout page on the weblogin server and
    destroy their global credentials.  The best solution to this proposed
    so far is to maintain global state on the WebKDC servers (shared
    between them somehow) and to have the WebAuth servers query the WebKDC
    to see whether the credentials are still valid.  This is a lot of work
    and raises some basic questions (such as whether HTTPS is too slow for
    that query from the WebAuth server).

    In the meantime, having the WebAuth logout handler automatically
    redirect to the weblogin logout page might ameliorate some of the
    problems.

 *) User request: It would be nice to have a per-directory option to
    recognize a login if the WebAuth cookie is available, but not force it
    if the user isn't logged in.  This might address the HelpSU dependence
    on S/Ident as well.

 *) User request: Currently, WebAuth always appends ?WEBAUTHR even if
    there's already a ? in the URL, which means that applications that
    want to do WebAuth themselves cannot do normal CGI parsing of the
    URL.  Just changing this would break backward compatibility, so a new
    option needs to be added to the request token allowing the
    implementation to request proper CGI syntax be used in the URL.  This
    option should probably be on by default with new versions of
    mod_webauth, since it's cleaner and doesn't cause any harm.

 *) A better error message when one talks to the WebKDC directly with a
    browser would be nice.  The current message is rather baffling, and
    it would be good to tell the naive user to set up an application server
    or weblogin server.

 *) If mod_webauth obtains a proxy token instead of an id token and
    WebAuthSubjectAuthType is set to krb5, mod_webauth needs to request an
    id token from the WebKDC and then verify it rather than simply
    trusting the identity in the proxy token.

 *) The mod_webauthldap module needs a lot of formatting and coding style
    cleanup.  All of WebAuth needs a general dead code removal pass and
    evaluation of all the places marked FIXME, spawning either entries for
    this list or removal as unimportant.

 *) Allow WebAuthExtraRedirect in the server and virtual host
    configuration.

 *) Allow users to forward tickets into the weblogin script via SPNEGO and
    use that forwarded ticket to create a first-class single sign-on
    cookie that can be used by sites requiring proxy credentials.

 *) Evaluate whether multiple realm support is possible.  It might be as
    easy as letting people enter a full principal name into the login
    field of weblogin, provided that cross-realm is set up properly, but
    I'm not sure.

 *) Provide a better way (over protocol, perhaps?) of synchronizing keyrings
    across machines in a pool.

 *) Compile the WebAuth version into the modules rather than getting the
    version from the webauth library.  In the webauth and webkdc modules,
    warn if the versions don't match at runtime (but proceed anyway).

 *) Add POD documentation for all Perl modules.  Many of the WebKDC modules
    currently don't have documentation.
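
Added example for the ?WEBAUTHR item above (illustration only, not code from
WebAuth): it shows how a standard query-string parser folds the appended
token into the last application parameter, and one way an application doing
its own WebAuth handling can split the token off first.  Assumptions: the
token is "?WEBAUTHR=" plus a value running to the end of the URL; the URL,
the token value and the function names are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: the return token is this literal marker, "=", and the token,
# running to the end of the URL.  The to-do item only names "?WEBAUTHR".
MARKER = "?WEBAUTHR="

# Constructed sample: an application URL that already has a query string.
SAMPLE = ("https://app.example.org/cgi-bin/report"
          "?user=alice&page=2?WEBAUTHR=CONSTRUCTEDTOKEN")


def naive_params(url):
    """Parse the query string the way a generic CGI library would."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def split_webauth(url):
    """Return (clean_url, token); token is None when no marker is present.

    The last occurrence of the marker is used, so the same text inside an
    earlier, user-supplied parameter value is not taken for the token.
    """
    idx = url.rfind(MARKER)
    if idx == -1:
        return url, None
    return url[:idx], url[idx + len(MARKER):]


def app_params(url):
    """Strip the token first, then parse only the application's parameters."""
    clean_url, _token = split_webauth(url)
    return naive_params(clean_url)


if __name__ == "__main__":
    # The token ends up inside the value of "page" ...
    print(naive_params(SAMPLE))
    # ... unless it is removed before normal CGI parsing.
    print(split_webauth(SAMPLE))
    print(app_params(SAMPLE))
```

Splitting the token off before parsing also keeps it out of any place the
application records parameter values, such as request logs.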
