Updated README and TODO files to reflect the current state of the

project.

CASA-auth-token/server-java/Svc/README

@@ -326,7 +326,19 @@ CONFIGURING ADDITIONAL IDENTITY TOKEN PROVIDERS
 
 SECURITY CONSIDERATIONS
 
-- TBD -
+The ATS runs over Tomcat and by default receives requests over HTTPS on port 2645. For ease
+of use, the basic ATS setup scrip creates a self-signed certificate to be used by SSL. The
+use of self-signed certificates weakens the security properties of the SSL channel by forcing
+clients to accept them. At this time, the default mode for auth_token clients is to allow
+self signed-certificates. It is recommended that administrators obtain a certificate signed
+by the appropriate authority and configure the ATS to use it and change the auth_token client
+configuration to not accept invalid certificates to avoid this issue.
+
+CASA Authenticatication Tokens when compromised can be used to either impersonate
+a user or to obtain identity information about the user. Because of this it is
+important that the tokens be secured by applications making use of them. It is
+recommended that the tokens be transmitted using SSL.
+
  
 
 

CASA-auth-token/server-java/Svc/TODO

@@ -10,10 +10,13 @@ This file contains a list of the items still outstanding for AuthTokenSvc.
 
 OUTSTANDING ITEMS
 
-- Switch to a Web Services model where the Client/Server protocol uses SOAP.(This is under evaluation).
+- Switch Client/Server communication to use SOAP.(This is under evaluation).
 - Add code to verify that client/server communications occur over HTTPS.
 - Add logging.
 - Create plug-in API for Identity Token Providers.
 - Change printfs used for debugging into a suitable mechanism.
 - Create tool to connect Tomcat instance to Apache Server and disabling port 2645 listener.
+- Create tool to help administrators import certificates into the ATS's key store.
+- Create tool to better edit the iaRealms file.
+- Add identity token encryption capabilities.