...
SEC_TOKEN_POOL_SIGNING_KEY (a.k.a. pool signing key): where does it need to live? Only on the CM? On all nodes? Other?
tokens: Can I create a "system" token to allow me as root to use things like condor_off from the CM?
condor_off vs condor_drain
...