RE: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
> -----Original Message-----
> From: Frank Siebenlist [mailto:franks@mcs.anl.gov]
> Sent: Wednesday, October 12, 2005 9:06 PM
> ...
> Note that with Kerberos cross-realm authentication, one realm is unable to issue credentials for the director of the other institute...
Isn't the Kerberos realm included in the token, thereby providing the equivalent of the CA information?
> With your proposed scheme, any "trusted" CA in Italy, Germany, even Holland..., would have the theoretical opportunity to issue a certificate that would impersonate the director of Berkeley, NCSA, Livermore, Los Alamos... and we would have no way to enforce any policy in real-time that could prevent it.
Impersonate? How? One of the points of this discussion is that there isn't enough information in the certificate to be able to use it reliably for knowing who someone is unless it's surrounded by a lot of other "context" (like registering with a VO and saying "here is my certificate"). The only way we could tell whether the Frank Siebenlist a certificate refers to is you is if it contains a lot of personally identifiable information (PII) about you (MMN, phone, SSN, birthdate) ... all the kind of stuff that we've learned to NOT make available in a public setting. As David has pointed out, there's no real difference between having the CAs divide up the space of DNs or having them each have a unique CA name that we then append to the DN to get something globally unique.
On Oct 15, 2005, at 18:56, Cowles, Robert D. wrote:
> > Note that with Kerberos cross-realm authentication, one realm is unable to issue credentials for the director of the other institute...
>
> Isn't the Kerberos realm included in the token, thereby providing the equivalent of the CA information?
All principal names include their realm. All service tickets are ultimately issued by the KDC of the realm of the service principal, but include the list of realms which may have been traversed between the client's realm and the server's.
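The "real-time policy" the thread asks for, as an added example that is not part of any message above: each trusted CA is bound to the DN subtrees it may issue for, in the style of RFC 5280 directoryName name constraints, so a certificate whose subject falls outside its issuer's subtree is rejected regardless of which CA signed it. The CA names, DNs and the policy table are constructed for illustration, not taken from the thread.

```python
# Added example, not from the mailing-list thread. DNs use the slash-separated
# Grid notation ('/C=US/O=...'); all names and the policy table are constructed.

def parse_dn(dn):
    """Split '/C=US/O=NCSA/CN=Alice' into (attr, value) pairs, normalizing
    attribute case, value case and surrounding whitespace for comparison."""
    rdns = []
    for part in dn.strip("/").split("/"):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip().lower()))
    return rdns

def in_subtree(subject_dn, subtree_dn):
    """directoryName constraint rule: a DN is inside a permitted subtree when
    the subtree's RDNs are a leading prefix of the subject's RDNs."""
    subject, subtree = parse_dn(subject_dn), parse_dn(subtree_dn)
    return len(subject) >= len(subtree) and subject[:len(subtree)] == subtree

# Constructed policy: the name space each trusted CA is permitted to populate.
POLICY = {
    "/C=US/O=DOE Science Grid/CN=DOE Grid CA": ["/C=US/O=DOE Science Grid"],
    "/C=IT/O=INFN/CN=INFN CA": ["/C=IT/O=INFN"],
}

def issuance_allowed(issuer_dn, subject_dn, policy=POLICY):
    """True only if the issuer is a trusted CA and the subject lies in one of
    that CA's permitted subtrees. An unknown issuer gets no trust at all, and a
    trusted CA signing a subject in another CA's space is refused."""
    issuer = parse_dn(issuer_dn)
    for ca_dn, subtrees in policy.items():
        if parse_dn(ca_dn) == issuer:
            return any(in_subtree(subject_dn, s) for s in subtrees)
    return False

if __name__ == "__main__":
    # A foreign CA asserting a DN inside the DOE space is rejected at
    # validation time; the same subject from the DOE CA is accepted.
    director = "/C=US/O=DOE Science Grid/OU=LBNL/CN=Director"
    print(issuance_allowed("/C=IT/O=INFN/CN=INFN CA", director))            # False
    print(issuance_allowed("/C=US/O=DOE Science Grid/CN=DOE Grid CA", director))  # True
```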
participants (2)
- Cowles, Robert D.
- Matt Crawford