- Stop invalid users
* a recently disabled/deleted user may still have a valid cred. Keep a list of valid/invalid users on the aggregate and check callers against this list

- GetTicket
  * must verify_{site,slice,person,keys} on remote aggregate 

- Protogeni
* agree on standard set of functon calls
* agree on standard set of privs
* on permission error, return priv needed to make call
* cache slice resource states (if aggregate goes down, how do we know what
  slices were on it and recreate them? do we make some sort of transaction log)   


- Registry
* sfa.plc.api.SfaAPI.fill_record_pl_info() should add the sites PIs to a slice records researchers list
* update call should attempt to push updates to federated peers if 
  the peer has a record for an object that is updated locally  
* api.update_membership() shoudl behave more like resolve when looking up records (attempt to resolve records at federated registeries) instead of only looking in the local registry
* support generic registry records (dont depend on postgres!)


- Aggregate
* sfa.plc.slices.verify_site() should check if site['max_slices'] needs to be updated
* sfa.plc.slices.verify_slice() should check if slice['expires'] needs to be updated
 
- Component manager
* install the slice and node gid when the slice is created (create NM plugin to execute sfa_component_setup.py ?) 
    
-  SM call routing
* sfi -a option should send request to sm with an extra argument to 
  specify which am to contact instead of connecting directly to the am 
  (am may not trust client directly)

-  Initscripts on sfa / geniwrapper
* should sfa have native initscript support or should we piggyback off of myplc?

-  Fully integrate SOAP (need to throw either soap or xmlrpc exceptions depending on the client)
* started but not finished

- error messages
* error messages should be easier to understand
* (failing to connect to plcapi shoudl return a helpful message, not a generic internal server error)