Section 5.1 Introduction should mention that the subsequent sections 5.1.x are all design requirements.
Section 5.1.7 "Self-Service required" seems to open the door to a malicious gateway operator obtaining access without human review.
Should there be a requirement for using HTTPS to access the API?
Should spell out in this document the acceptable format(s) for "submittime".
The self-service still imposes a restriction of using XSEDE authentication for registering Gateways and getting an APIKEY. If an abuse is identified:
- the offending APIKey can be revoked
- the offending user account could be traced and followed up with
The possibility of similar abuse exists with the currently existing design, which is in production, with no recourse. There is no way to find which user account is submitting garbage.