1)	attended by MCR, Bill Sommerfeld
	regrets: Angelos, Luis

2)	revised requirements document to make -00 document.

3)	implementation requirements - C-API.

	a) do not standardize on Unix-system calls.
	   setsockopt()/getsockopt()

	b) is there a namespace issue?

	c) "bits-on-wire" between application and keying system 
	   is out of scope for this document. More likely to use
	   OS-specific IPC mechanisms.

	d) key representation issue is identities. We need an
	   array of them.

	e) opaque token. What is it called?
	   Must be synchronously available.

	f) we would like to have async interface.
	   Is there always a select(2)/poll(2)'able FD?

	g) API is an attribute request/reply.
	   Need an attribute/length/value, i.e.
	   type/length/value.

	   Need a sub-type/OID/thing for getting specific pieces
	   of PKIX certificates back.

	   Focus on strings as the answer.
	   BER/etc. encoded if you insist.

	h) comparison function for opaque token.
	i) need a second opaque token for the peer identity,
	   that can be compared.
	
	Get QoS people involved.

4) TOKEN semantics.
   Protection TOKEN.	pToken
   Identity TOKEN.	iToken

   What is the validity period of the tokens?
   - can not live forever.
   - should not die when the connection dies.
   
   MUST live as long as the connection.
   SHOULD live for some time after the connection.
   
   Mapping from pToken -> iToken SHOULD live longer than the connection.

   *Tokens SHOULD be freed when done with*

   TOKENs persist across connections.
   TOKENs MAY NOT be passed literally to other processes/contexts. They
   MUST be translated by a "send"/"import"/"export" function.

   In the recvmsg() case, you do not get it unless you ask for it.
   recommended size is about: 2*sizeof(void *)

   Applies to iTokens and pTokens.
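Added example (not the working group's API; every name in it is hypothetical) of the token rules above and of 3h/3i: a token is two pointer-sized words that mean something only inside one process, it has a comparison function, it SHOULD be freed when done with, and it is never handed to another context literally but via export/import, after which the receiving context holds its own token that compares equal. The generation word makes a token that outlived its identity compare unequal instead of silently naming whoever reused the slot.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical opaque token: two pointer-sized words, the "about
 * 2*sizeof(void *)" from the notes. Opaque to the application, which may
 * only compare, free, export and import it. */
typedef struct { uintptr_t w[2]; } token_t;

#define MAX_IDS 8

/* Process-private identity table. w[0] is slot index + 1 (0 = invalid),
 * w[1] is the generation the slot had when the token was issued. */
static struct { char name[64]; int refs; uintptr_t gen; } id_table[MAX_IDS];
static uintptr_t gen_counter = 1;

static int find_slot(const char *name) {
    for (int i = 0; i < MAX_IDS; i++)
        if (id_table[i].refs > 0 && strcmp(id_table[i].name, name) == 0) return i;
    return -1;
}

/* Create (or take another reference to) a local token for an identity. */
token_t token_new(const char *name) {
    token_t t = {{0, 0}};
    int i = find_slot(name);
    if (i < 0) {
        for (i = 0; i < MAX_IDS && id_table[i].refs > 0; i++) ;
        if (i == MAX_IDS || strlen(name) >= sizeof id_table[i].name) return t;
        strcpy(id_table[i].name, name);
        id_table[i].gen = gen_counter++;
    }
    id_table[i].refs++;
    t.w[0] = (uintptr_t)i + 1;
    t.w[1] = id_table[i].gen;
    return t;
}

/* A token is valid only while its slot is live and unchanged. */
int token_valid(token_t t) {
    if (t.w[0] == 0 || t.w[0] > MAX_IDS) return 0;
    int i = (int)t.w[0] - 1;
    return id_table[i].refs > 0 && id_table[i].gen == t.w[1];
}

/* Comparison function (3h/3i): equal iff both name the same live identity. */
int token_equal(token_t a, token_t b) {
    return token_valid(a) && token_valid(b) && a.w[0] == b.w[0] && a.w[1] == b.w[1];
}

/* Tokens SHOULD be freed when done with; the slot becomes reusable. */
void token_free(token_t t) {
    if (token_valid(t)) id_table[t.w[0] - 1].refs--;
}

/* Export: translate to a portable byte string. The raw words never leave
 * the process, because they only mean something here. Returns bytes written. */
size_t token_export(token_t t, char *buf, size_t cap) {
    if (!token_valid(t)) return 0;
    const char *name = id_table[t.w[0] - 1].name;
    size_t n = strlen(name);
    if (n + 1 > cap) return 0;
    memcpy(buf, name, n + 1);
    return n;
}

/* Import: the receiving context registers the identity and gets its own
 * token, which compares equal to any live token for that identity. */
token_t token_import(const char *buf, size_t len) {
    char name[64];
    token_t bad = {{0, 0}};
    if (len >= sizeof name) return bad;
    memcpy(name, buf, len);
    name[len] = '\0';
    return token_new(name);
}

/* Walk through the lifetime rules with constructed identities;
 * returns 1 if every rule held. */
int token_demo(void) {
    char wire[64];
    token_t a = token_new("alice@example.com");
    size_t n = token_export(a, wire, sizeof wire);
    token_t b = token_import(wire, n);         /* "other context" gets its own */
    token_t c = token_new("host.example.com");
    int ok = token_valid(a) && n == 17 && token_equal(a, b) && !token_equal(a, c);
    token_free(a);
    token_free(b);                              /* last reference gone */
    token_t d = token_new("bob@example.com");  /* may reuse alice's slot */
    ok = ok && !token_valid(a) && !token_equal(a, d) && token_valid(d);
    return ok;
}
```

Note that the export format here is just the identity string; a real keying system would export whatever it needs to re-establish the mapping (the pToken -> iToken mapping in particular), but the point is the same: the words inside the token never cross a process boundary.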

5) basic attributes for "You-Jane"
   a) terse WHO.		(audit string)
   b) "appellation" WHO.	(audit string)
   c) string version of specific subjectAltName sub-types.
      Query will contain the appropriate CHOICE.

   d) raw concrete name	(for comparison/ACL use)
      - DER encoded, and/or canonical.
   Also the same thing for "Me-Tarzan".
   Term "credential" is not going to be used.
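Added example (not the working group's API; attribute numbers and names are hypothetical) of the type/length/value attribute request/reply from 3g with the string-form subjectAltName sub-types from 5c: the application sends a list of empty TLVs naming the attributes it wants, the keying system (stubbed here with a constructed peer record) answers with filled TLVs or an error element, and the reader checks every length against the bytes actually present so a short or mis-lengthed reply is rejected rather than read past.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical attribute numbers. Each element is a 16-bit type, a 16-bit
 * length (both big-endian) and `length` value bytes. */
enum {
    ATTR_TERSE_WHO   = 1,   /* terse WHO audit string for the peer */
    ATTR_SAN_DNSNAME = 2,   /* string form of subjectAltName dNSName */
    ATTR_SAN_RFC822  = 3,   /* string form of subjectAltName rfc822Name */
    ATTR_ERROR       = 255  /* reply: value is the type that was unavailable */
};

#define TLV_HDR 4

/* Append one element at offset len; returns the new length, 0 if no room. */
size_t tlv_put(uint8_t *buf, size_t cap, size_t len, uint16_t type,
               const void *val, size_t vlen) {
    if (vlen > 0xFFFF || len + TLV_HDR + vlen > cap) return 0;
    buf[len]     = (uint8_t)(type >> 8);
    buf[len + 1] = (uint8_t)type;
    buf[len + 2] = (uint8_t)(vlen >> 8);
    buf[len + 3] = (uint8_t)vlen;
    memcpy(buf + len + TLV_HDR, val, vlen);
    return len + TLV_HDR + vlen;
}

/* Find the first element of `type`. A length that runs past `len` makes the
 * whole buffer malformed: return 0 rather than trust any of it.
 * Returns 1 and sets *val/*vlen on success, 0 if absent or malformed. */
int tlv_get(const uint8_t *buf, size_t len, uint16_t type,
            const uint8_t **val, size_t *vlen) {
    size_t off = 0;
    while (off + TLV_HDR <= len) {
        uint16_t t = (uint16_t)(buf[off] << 8 | buf[off + 1]);
        size_t l = (size_t)(buf[off + 2] << 8 | buf[off + 3]);
        if (off + TLV_HDR + l > len) return 0;
        if (t == type) { *val = buf + off + TLV_HDR; *vlen = l; return 1; }
        off += TLV_HDR + l;
    }
    return 0;
}

/* Stand-in for the keying system: answers each requested type from a
 * constructed peer record, or with ATTR_ERROR naming the missing type. */
size_t keying_reply(const uint8_t *req, size_t rlen, uint8_t *out, size_t cap) {
    static const char *who = "peer=host.example.com";  /* constructed */
    static const char *dns = "host.example.com";       /* constructed */
    size_t off = 0, olen = 0;
    while (off + TLV_HDR <= rlen) {
        uint16_t t = (uint16_t)(req[off] << 8 | req[off + 1]);
        size_t l = (size_t)(req[off + 2] << 8 | req[off + 3]);
        if (off + TLV_HDR + l > rlen) return 0;
        const char *v = t == ATTR_TERSE_WHO ? who : t == ATTR_SAN_DNSNAME ? dns : NULL;
        uint8_t tb[2] = { (uint8_t)(t >> 8), (uint8_t)t };
        olen = v ? tlv_put(out, cap, olen, t, v, strlen(v))
                 : tlv_put(out, cap, olen, ATTR_ERROR, tb, 2);
        if (olen == 0) return 0;
        off += TLV_HDR + l;
    }
    return olen;
}

/* Application side: ask for the dNSName (plus the audit string) and compare
 * the answer with an ACL entry. Returns 1 on match, 0 on mismatch or when
 * the attribute was unavailable or the reply malformed. */
int peer_dnsname_matches(const char *expected) {
    uint8_t req[64], rep[256];
    size_t rl = tlv_put(req, sizeof req, 0, ATTR_SAN_DNSNAME, "", 0);
    rl = tlv_put(req, sizeof req, rl, ATTR_TERSE_WHO, "", 0);
    size_t n = keying_reply(req, rl, rep, sizeof rep);
    const uint8_t *v; size_t vl;
    if (!n || !tlv_get(rep, n, ATTR_SAN_DNSNAME, &v, &vl)) return 0;
    return vl == strlen(expected) && memcmp(v, expected, vl) == 0;
}
```

The request carries the CHOICE as the attribute type itself (dNSName vs rfc822Name), which is the "query will contain the appropriate CHOICE" point from 5c; an rfc822Name request against this host record comes back as ATTR_ERROR, and the application treats that the same as a mismatch.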

6) representation of identities

   types of identities:
	 1) anonymous hash of public key.

	 2) machine: - FQDN      
		     - subjectAltName: dNSName
		     - IP address (4, 6)
		     - subjectAltName: iPAddress

	 3) user:    - user@FQDN
		     - subjectAltName: rfc822Name

	 4) kerberos principal

7) "kinit" process/"ssh-add" process
   How to unlock a local identity.

   Operations:
	- list identities which are loaded
	- list identities which are available (but not loaded)?
	- add identity
	- remove identity
 
    iTokens are returned. Export/Import is important here.

8) attributes of protection.
   - strength value.	Avoid notion of "bits" of crypto.
			Conversion of algorithm to strength value
			is a local matter. 
   - cost/speed.	QoS issue. LOCAL matter.

9) tokens for command-line tools/GUIs.
   Common options for asking for specific things like "3DES ping".
   
10) terse strings and input/output.
    equivalent to ipsec_set_policy(3) from KAME, but not identical.

3:30pm.
	- requirements document
	- Bill and Michael to set up CVS repository for shared
	documents.