                            WebAuth To-Do List

 *) Currently, there is no good logout strategy other than closing the
    browser, since the user remains logged in to each web site they've
    visited even if they go to the logout page on the weblogin server and
    destroy their global credentials.  The best solution proposed so far
    is to maintain global state on the WebKDC servers (shared between them
    somehow) and to have the WebAuth servers query the WebKDC to see
    whether the credentials are still valid.  This is a lot of work and
    raises some basic questions (such as whether HTTPS is too slow for
    that query from the WebAuth server).

    In the meantime, having the WebAuth logout handler automatically
    redirect to the weblogin logout page might ameliorate some of the
    problems.

 *) User request: It would be nice to have a per-directory option to
    recognize a login if the WebAuth cookie is available, but not force it
    if the user isn't logged in.  This might address the HelpSU dependence
    on S/Ident as well.

 *) A better error message when one talks to the WebKDC directly with a
    browser would be nice.  The current message is rather baffling, and
    it would be good to tell the naive user to set up an application server
    or weblogin server.

 *) The mod_webauthldap module needs a lot of formatting and coding style
    cleanup.
