Dear Inder, 

I am glad you brought this up. We are walking in the realm of what I call "the circle of pain". It is a circle because of the relations between the different (administrative) domains involved. It all boils down to trust. Do I trust SURFnet to "control"/"make reservations" my (ESnet's) network? Since we are dealing with max 25 networks we still could arrange the legal framework around a federation of trust of "NSI" networks. GLIF might be a starting point for such a federation. We all commit to that and need to arrange the paperwork around it. NSI deals with the technical implications of that.

We should not forget that it all starts with a researcher that wants to carry out an experiment between UCLA and the UvA (NL) involving huge data streams... Reserving a network is just one part of the equation. He needs to reserve storage and perhaps computing power as well... back to the GRID world... So far, just increasing the problem...

Since in NSI we are mostly dealing with machine-2-machine communication, except for the initiation point (request) from a user, we should keep it fairly simple as you describe below. The part where it touches on SAML and INCOMMON/EDUGAIN is where the user is involved. At that point the trust is delegated from user level to machine level. The researcher is indeed authorized to make a reservation from all networks between point A and B.

Another point we should consider is that at the time of reservation the user is still authorized to have access at the time of execution of that reservation. If his contract stops as of May 30th, but the reservation is for June 10, then it should not be granted... This is not an NSI issue and should be solved by higher layers.

Presumably this did not add to your answer, but my 2c anyway.

Harold