> 1. How do you secure the communication to the Authentication Server The Authentication Server is currently a CGI (although it could be used as a module, or a servlet, etc.) and, as such, can be accessed through TLS. Furthermore, even in the case you don't use a direct TLS connection to it, the AS provides for what we call "split mode", in which the URL for the CGI processing user data is accessed through TLS, so authentication data (typically, passwords) are hidden from eavesdropping. We call it "split mode" because the TLS-based URL must redirect the request to a plain (non-TLS) URL once the authentication data have been verified, so the cookies coming from the (G)PoAs may be loaded. > 2. How do you secure the communication to the Point of Access. The communication from the AS to the PoA is secured by the fact that the assertions sent about the user (by redirection inside the HTML page sent from the AS to the user when authentication succeeds) are signed by the AS. Again, communication from the user browser to the PoA in normal use may be based in TLS if you require so. > 3. How do you enforce that the links are requested through your PoA > only? What stops the user from accessing the desired web-site > directly? The PoA is in itself a access control module installed inside Apache. If you go to a PAPI-protected location inside a Web server, it will call the PAPI PoA in order to evaluate your access rights. If you are not able to present valid PAPI tokens (the pair of cookies), access will be denied. I hope this helps in your understanding of PAPI. Needless to say, we will be very happy in answering whatever further question you have. Best regards, -- "Esta vez no fallaremos, Doctor Infierno" Diego R. Lopez [log in para visualizar] RedIRIS The Spanish NREN Tel: +34 955 056 621 Mobile: +34 669 898 094 -----------------------------------------