• compliance testbed
    • wlcg.groups in the token are now sufficient to authorize storage access (issue#21)
      • no storage.* scope necessary
      • compliance tests updated
        • 2 related dCache compliance tests now fails
    • no agreement yet on different 401 vs. 403 error codes
  • xroot protocol with TLS and tokens
    • should work fine for two party copy
    • not completely clear if we have compatible third party implementation
  • passing tokens from xrdcp command
    • two different auth mechanisms - token & ZTN
    • dCache has to implement ZTN fallback to be fully compatible with XRootD
    • there may still be changes how xroot client deals with tokens