Hi Richard thanks for your comments. I am making an update that takes your comments into account. i) title change accepted ii) the difference between IDP and AA is an interesting one which Tom also raised. I think we need more discussion about this in the whole group to agree upon this issue iii) I have added a definition of attribute "Attribute is a property of an entity". Nice and simple, and all encompassing :-) iv) I have clarified credential to authorisation credential. An AC and a signed SAML assertion are both authorisation credentials. v)I have removed the capabilities text. vi) deleted "mode of" vii) I have put the defn in alphabetical order viii) added "when making a decision" to clarify how unacceptable credentials are ignored. ix) users present authorisation credentials, not attributes, since the latter cannot be trusted. The CVS turns the former into the latter. x) minor editorials all accepted. thanks David -- ***************************************************************** David W. Chadwick, BSc PhD Professor of Information Systems Security The Computing Laboratory, University of Kent, Canterbury, CT2 7NF Skype Name: davidwchadwick Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@kent.ac.uk Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5 *****************************************************************