Mockups: Create ACL
The user enters his or her username and authentication agent in address form.
The browser loads the authentication page from the authentication agent. The authentication agent is now in control.
Authentication service specified ACL creation page. Letting the authentication service specify this imposes fewer API restrictions on services.
When done, the authentication agent calls the browser with the completed ACL.
This is an unfortunate necessity. As the authentication service specifies the ACL creation page, we need to confirm the created ACL before signing and returning it.
We can let hosting services show ACLs in sandboxes. HTML5 has a special "seamless" mode for sandboxes where the style of the outside page can be applied to the inner sandbox. However, we do need to look into potential security implications.