My takeaway from the conversations we're having as the second and third-order resultants of the LinkedIn password break is that, if there *is* an accepted definition of the problem, in slices small enough for implementers to understand, a lot of people haven't read it.

Including me.

*Is* there a good definition of the current shape of the authentication/authorization problem as it presently exists in the Wide Area with the General Public as audience, which someone can point to?

One that identifies, as it goes along, all the points we batted around today, like "person or PC", "multiple accounts", "non/repudiation", and whatever you call "multiple services not being able to tell you're the same person as an account holder, unless you *want* them to"?

Not even the solutions, you understand, just the definition of the problem?

Seems to me we're on different pages in the hymnal...

Off-list, please; I'll summarize.

Cheers,
-- jra
--
Jay R. Ashworth          Baylink                     jra@baylink.com
Designer                 The Things I Think          RFC 2100
Ashworth & Associates    http://baylink.pitas.com    2000 Land Rover DII
St Petersburg FL USA     http://photo.imageinc.us    +1 727 647 1274