Isn't the benefit of PKI tokens that you don't have to validate them against the Keystone server directly ? Is that direct check called by clients anywhere (think when Nova receives a PKI token) ? On the other hand, would the crypto validation check revocation ? I'm trying to see if this is worth an advisory, or if it's really a corner case. Opinions welcome.
Isn't the benefit of PKI tokens that you don't have to validate them against the Keystone server directly ? Is that direct check called by clients anywhere (think when Nova receives a PKI token) ? On the other hand, would the crypto validation check revocation ? I'm trying to see if this is worth an advisory, or if it's really a corner case. Opinions welcome.