Comment #7 on issue 28 by thost...@gmail.com: Security http://code.google.com/p/ogf-nsi-project/issues/detail?id=28 Hadn't seen that document before. In my opinion it misses one of the key points with NSI, i.e., that NSAs trust each other, and that a global user list isn't needed. When putting in signed requests into the message, an NSI infrastructure is essentially turned into a relay network. If a network provider does not trust other NSAs to make create connections, and requires proof of user identity, they should probably have users contact them directly and use something else than NSI. You can still propage end user identity (credentials are secrets, e.g., password or private keys, and are not intented for distribution), but the attributes can only be informative, not be used for authentication or authorization (not unlike the requesterNSA / providerNSA fields, and any other fields in the message).