2 files changed, 81 insertions, 40 deletions

diff --git a/docs/objects-and-schemes b/docs/objects-and-schemes
index 97e6289..763a24b 100644
--- a/docs/objects-and-schemes
+++ b/docs/objects-and-schemes
@@ -10,17 +10,21 @@ Introduction
 
 Object Types
 
-  duo
+  duo-ldap
+  duo-pam
+  duo-radius
+  duo-rdp
 
     Stores the configuration for a Duo Security integration.  Duo is a
     cloud provider of multifactor authentication services.  A Duo
     integration consists of some local configuration and a secret key that
     permits verification of a second factor using the Duo cloud service.
-    Currently, only UNIX integrations are supported.  In the future, this
-    object type will likely be split into several object types
-    corresponding to the supported types of Duo integrations.
+    Each of these types is the same except for the output, which is
+    specialized towards giving information in the format suited for a
+    specific application.
 
-    Implemented via Wallet::Object::Duo.
+    Implemented via Wallet::Object::Duo::PAM, Wallet::Object::Duo::RDP,
+    Wallet::Object::Duo::LDAPProxy, Wallet::Object::Duo::RadiusProxy.
 
   file
 
@@ -33,6 +37,16 @@ Object Types
 
     Implemented via Wallet::Object::File.
 
+  password
+
+    Stores a file with single password in it and allows retrieval of that
+    file.  This is built on the file object and is almost entirely
+    identical in function.  It adds the ability to automatically generate
+    randomized content if you get the object before it's been stored,
+    letting you get autogenerated passwords.
+
+    Implemented via Wallet::Object::Password.
+
   keytab
 
     Stores a keytab representing private keys for a given Kerberos
diff --git a/docs/stanford-naming b/docs/stanford-naming
index c86c820..cb05a23 100644
--- a/docs/stanford-naming
+++ b/docs/stanford-naming
@@ -90,27 +90,6 @@ Object Naming
 
         (OLD: <group>-<server>-htpasswd-<app>)
 
-    password-ipmi/<server>
-
-        Stores the password for remote IPMI/iLO/ILOM access to the
-        system.
-
-        (OLD: <group>-<server>-password-ipmi)
-
-    password-root/<server>
-
-        Stores the root password for a given server.
-
-        (OLD: <group>-<server>-password-root)
-
-    password-tivoli/<server>
-
-        Stores the Tivoli TSM backup password for a given server.  See
-        also tivoli-key/<server>, but depending on what one wants to do
-        with the password, this may be a better representation.
-
-        (OLD: <group>-<server>-password-tivoli)
-
     ssh-<type>/<server>
 
         Stores the SSH private key for <server>.  For shared private keys
@@ -197,20 +176,6 @@ Object Naming
 
         (OLD: <group>-<service>-gpg-key)
 
-    password/<group>/<service>/<name>
-
-        A password for some account, service, keystore, or something
-        similar that is not covered by one of the more specific naming
-        conventions, such as a password used to connect to a remote ssh
-        service.  <service> is the service that uses this password and
-        <name> is the thing the password is used for (such as the remote
-        account name).  This may be a file containing only the password,
-        or a configuration file of some type that includes a field name
-        and the password.  (However, use the db type described above for
-        database passwords.)
-
-        (OLD: <group>-<server>-password-<account>)
-
     properties/<group>/<service>[/<name>]
 
         The properties file for a Java application that contains some
@@ -262,6 +227,68 @@ Object Naming
     <group>-<server>-pam-<app>
     <group>-<service>-puppetconf
     <group>-<service>-shibboleth
+    <group>-<server>-password-ipmi
+    <group>-<server>-password-root
+    <group>-<server>-password-tivoli
+    <group>-<server>-password-<account>
+
+    Replaced by password objects:
+
+    password-ipmi/<server>
+    password-root/<server>
+    password-tivoli/<server>
+
+    password/<group>/<service>/<name> should be replaced by the password
+    service/<group>/<service>/<name> object if a single password, or by
+    the file object db/* or config/* format if the object contains more
+    than just the bare password.
+
+  Password
+
+    Passwords are a recent type and so most password data is actually
+    in file objects.  However, we'd like to move things there both for
+    the added features of password objects to self-set, and because it
+    helps clean up the file namespace a little more.
+
+    Host-based:
+
+    ipmi/<server>
+
+        Stores the password for remote IPMI/iLO/ILOM access to the
+        system.
+
+    tivoli/<server>
+
+        Stores the Tivoli TSM backup password for a given server.  See
+        also tivoli-key/<server> in the file section, but depending on
+        what one wants to do with the password, this may be a better
+        representation.
+
+    root/<server>
+
+        Stores the root password for a given server.
+
+    system/<server>/<account>
+
+        Stores the password for a non-root system account, such as a user
+        required for file uploads.
+
+    app/<server>/<application>
+
+        Stores an application password bound to a certain server.
+
+    Service-based:
+
+    service/<group>/<service>/<name>
+
+        A password for some account, service, keystore, or something
+        similar that is not covered by one of the more specific naming
+        conventions, such as a password used to connect to a remote ssh
+        service.  <service> is the service that uses this password and
+        <name> is the thing the password is used for (such as the remote
+        account name).  This should only be for something including the
+        password and nothing else.  See the file password/ object name
+        for something that includes more data.
 
 ACL Naming