So, short summary for review before passing it to NIKHEF:

The objects can be simplified to 4 classes:
1. LHCb client
2. LHCb portal
3. LHCb services
4. Other grid services (let's say gLite)

The client contacts the portal with user credentials, and the connection is kept alive for performance reasons over several queries. The portal contacts the services with the portal certificate (the host cert?), and these connections are kept alive for performance reasons. The user DN is passed in the messages from the portal to the services to identify the user (and in the future the VOMS groups?). The client delegates the user proxy to the LHCb services so that they can contact the gLite services using user credentials. Everything happens over OpenSSL connections (with some GridSite code for proxies). The portal and services are simple Python standalone services.

The problems I see are that the portal-to-services connections are not done with user credentials, which prevents a trustworthy audit trail and also makes a portal compromise catastrophic (in any case the compromise would be bad, but in this case it would be very bad).

There was a suggestion that the whole LHCb part of the system could be considered as a single service, a black box. But I don't think the services all run inside a single site? If the communication passes site boundaries, it definitely can't be considered as a black box.

Another point is the Python standalone server; I would be more comfortable running it under some well-known container like Apache.

Some questions:
- Are all queries logged with time and user DN?
- What kind of authorization system do you have? ACLs?
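As an added illustration of the audit-trail point above (this is not code from the mail or from the LHCb software): a service that attributes each request to the identity its TLS layer actually verified, taken from the dict that Python's `ssl` `getpeercert()` returns, rather than to a user DN field carried inside the message. On a portal-authenticated connection the audit record can then only name the portal, whatever DN the message asserts. The certificate subjects, DNs and ACL entries are constructed for the example.

```python
"""Attribute requests to the TLS-verified peer identity, not to a DN asserted
in the message body. Subjects, DNs and the ACL are constructed examples."""
from datetime import datetime, timezone

# Attribute names as used by ssl.SSLSocket.getpeercert(), mapped to the short
# forms used in grid-style DNs ("/DC=ch/DC=cern/OU=Users/CN=alice").
_SHORT = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
          "organizationName": "O", "organizationalUnitName": "OU",
          "commonName": "CN", "domainComponent": "DC"}

def peer_dn(cert):
    """Build a slash-separated DN from a getpeercert() dict."""
    parts = [f"{_SHORT.get(name, name)}={value}"
             for rdn in cert.get("subject", ()) for name, value in rdn]
    return "/" + "/".join(parts)

# Constructed ACL: which authenticated DNs may perform which operations.
ACL = {
    "/DC=ch/DC=cern/OU=Users/CN=alice": {"query_jobs", "submit_job"},
    "/DC=ch/DC=cern/OU=Users/CN=bob": {"query_jobs"},
}

def handle_request(peer_cert, message, audit):
    """Authorize one request and append an audit record.

    Only the DN from the verified peer certificate decides authorization and
    is recorded as the actor; a 'user_dn' field in the message is logged as an
    unverified claim, so a portal host certificate cannot act as a user.
    """
    authenticated = peer_dn(peer_cert)
    op = message["op"]
    allowed = op in ACL.get(authenticated, set())
    audit.append({"time": datetime.now(timezone.utc).isoformat(),
                  "authenticated_dn": authenticated,
                  "asserted_user_dn": message.get("user_dn"),  # claim only
                  "op": op, "allowed": allowed})
    return allowed

# Constructed peer certificates in getpeercert() form.
PORTAL_CERT = {"subject": ((("domainComponent", "ch"),), (("domainComponent", "cern"),),
                           (("organizationName", "computers"),),
                           (("commonName", "portal.example.org"),))}
ALICE_CERT = {"subject": ((("domainComponent", "ch"),), (("domainComponent", "cern"),),
                          (("organizationalUnitName", "Users"),), (("commonName", "alice"),))}

def demo():
    """Direct user connection vs. portal connection asserting the same user."""
    audit = []
    handle_request(ALICE_CERT, {"op": "submit_job"}, audit)
    handle_request(PORTAL_CERT, {"op": "submit_job",
                                 "user_dn": "/DC=ch/DC=cern/OU=Users/CN=alice"}, audit)
    return audit

if __name__ == "__main__":
    for record in demo():
        print(record)
```

The second audit record shows the weakness the mail describes: the service can only prove the portal made the request, and the user DN in the message is no more than a claim.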