Review OOD web architecture:
Where to store them
As an aside, a -major- hurdle to getting some other kind of authentication
adopted is that it requires maintaining and running non-standard software
in the critical path of authentication. If none of the
capability-restricting features of SciTokens will be used, pursuing an SSH
CA would speed adoption immensely. This is NOT an x509 PKI.
Rather than requiring extra binaries on the system, modern OpenSSH needs
only one or two lines in the sshd config file, plus a file with the CA's
public key, to accept SSH certificates.
I have developed an identity bridge that consumes Globus Auth access
tokens, and produces SSH CA certificates, with the intent that it can be
used for our OOD deployment. It's specific to SDSC's NSF resources, but
the process might be adapted to something that would work XSEDE-wide.
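As an added illustration (not the SDSC bridge itself), the following Python sketches the policy such a bridge enforces when turning a Globus Auth access token into an SSH CA certificate: principal pinned to the mapped local account, lifetime bounded by both the token expiry and a hard cap, and a key ID that sshd will log on every login. The introspection field names, scope string, CA key path, sshd_config lines and the token-to-account mapping (`local_user`) are assumptions.

```python
"""Token-to-certificate policy for an SSH CA identity bridge (added example)."""
import subprocess
import time

# Assumed deployment values; not the SDSC bridge's actual paths or scope names.
CA_KEY = "/etc/ssh-bridge/user_ca"          # CA private key, lives only on the bridge host
REQUIRED_SCOPE = "https://auth.globus.org/scopes/<bridge-client-id>/ssh"  # placeholder
MAX_CERT_LIFETIME = 4 * 3600                # hard cap in seconds, independent of token expiry

# Receiving side: the sshd_config lines the bridge relies on (plus the CA public key file).
# The second line is optional; without it the certificate principal must equal the login name.
SSHD_CONFIG_LINES = (
    "TrustedUserCAKeys /etc/ssh/user_ca.pub\n"
    "AuthorizedPrincipalsFile /etc/ssh/principals/%u\n"
)

def plan_certificate(claims, local_user, now=None):
    """Decide what certificate a token earns, or raise PermissionError.

    `claims` mirrors a Globus Auth token-introspection response
    (active, sub, username, scope, exp); that field set is an assumption here.
    `local_user` is the account the bridge has already mapped the identity to.
    """
    now = int(time.time()) if now is None else now
    if not claims.get("active"):
        raise PermissionError("token is not active")
    if REQUIRED_SCOPE not in claims.get("scope", "").split():
        raise PermissionError("token lacks the bridge scope")
    if not local_user or "," in local_user:
        raise PermissionError(f"refusing to encode principal {local_user!r}")
    # Lifetime: never beyond the token's own expiry, never beyond the hard cap.
    ttl = min(int(claims["exp"]) - now, MAX_CERT_LIFETIME)
    if ttl <= 0:
        raise PermissionError("token already expired")
    return {
        # The key ID is logged by sshd on every login, so tie it to the Globus identity.
        "identity": f"globus:{claims['sub']}:{claims['username']}",
        "principals": [local_user],   # only the mapped account, never a client-chosen list
        "validity": f"+{ttl}s",       # relative interval accepted by ssh-keygen -V
    }

def ssh_keygen_argv(plan, pubkey_path):
    """Build the ssh-keygen invocation that signs the user's public key with the CA."""
    return ["ssh-keygen", "-s", CA_KEY, "-I", plan["identity"],
            "-n", ",".join(plan["principals"]), "-V", plan["validity"], pubkey_path]

def sign(plan, pubkey_path):
    """Run ssh-keygen; the certificate is written beside the key as <name>-cert.pub."""
    subprocess.run(ssh_keygen_argv(plan, pubkey_path), check=True)
```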