Matt Crawford writes:
Proxy cert characteristics [...] But that key pair is typically created = generated at B and stays there, or is meant to stay there, and that is what is autochthonous.
But that's true of almost any key pair (it's generated in the smart card, HSM, laptop, ... and is meant to stay there), so it isn't an interesting statement about proxy key pairs in particular.
Oh no. Smart cards are quite portable. This is a particularly interesting example, since one of the common deployment scenarios consists of having the PKI management issue you a card, having installed the keys on it for you. Our HSMs at least are portable. Usually something has to be done for key movability in HSMs for disaster recovery. Key pairs in browsers and other software crypto stores are allowed to be copied from one store to another and indeed that is the typical way they have to be used in Grids. &c. The private keys in these cases are only meant to be kept private; appearance in a different locale is not necessarily a bad thing.