
Duane Merrill wrote:
* Delegation is a useful feature to be addressed and supported by the architecture. (I hesitate at making it a /requirement/ for participating in the architecture: composition of features, no-pay-no-play, etc.). Perhaps also include a motivating simple generic use-case of: "I want to run my job, the executor needs to obtain resources/input on my behalf, etc."
Good use cases for delegation can include portals and workflow engines. It can sometimes also be useful during resource discovery.
* Delegation mechanisms have historically been closely tied to credential mechanisms (e.g., X-509 proxy certs and MyProxy, holder-of-key SAML assertions, etc.), which we have stated the OGSA is to be flexible with in terms of type, subject to profiling by the OGSA security model. (Grand-unifying delegation specifications pending....)
Be careful here not to fall into the Usual Security Trap. That's where you say "you can do this, or you can do that, or you can do the other, and there's a bazillion ways to combine them". Implementors hate that sort of thing, since it gives them very little guidance as to what to really write. Fewer options, more utility. :-)

Donal.