Comment 4 for bug 1324592

Steven Hardy (shardy) wrote : Re: Trust scope can be circumvented by chaining trusts

> Is there any existing need for impersonation?

Yes, AFAIK all of the current use-cases for trusts (heat/solum/ceilometer) require impersonation.

If we need to add a temporary check which denies creating a trust with a trust-scoped token, that sounds fine to me, but then I'd like to get a spec worked out ASAP for explicit chaining, which is what I tried to specify in the trusts-chained-delegation BP (which was marked implemented for Icehouse), but clearly didn't explain very well because limited-use-trusts got implemented instead :)

I'm happy to work with ayoung to define a spec which enables a limited chain of delegation, and do the work to implement it, as it is needed for Solum/Heat interoperability, ref bug #1317293 (and potentially heat/ceilometer too).