Coda File System

Re: global identities name space?

From: Stephen J. Turnbull <stephen_at_xemacs.org>
Date: Tue, 20 Jan 2004 14:13:49 +0900
>>>>> "Ivan" == Ivan Popov <pin_at_medic.chalmers.se> writes:

    Ivan> I'd like to give, say, a login process at site A an identity
    Ivan> name ensured by site B, so that the login program would
    Ivan> painlessly and securely verify my proof via B -

I don't really understand the application, though.  A passport, as you
say, is purely authentication, and doesn't provide authorization for
real services.  It just allows "the authorities" to track the behavior
of a particular identity.  I can understand why "the authorities"
would want this, but from the point of view of a service user, what is
the benefit of this?  I suppose some users could benefit by obtaining
services essentially anonymously on the strength of having an identity
vouched for by a particular authority (MasterCard?), but I don't see
why this requires a global namespace uniquely identifying users.

We already have Kerberos and SSH which have some of these features;
what new applications would be enabled by (e.g.) allowing TGTs from
multiple Kerberos realms at a given host?

-- 
Institute of Policy and Planning Sciences     http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
               Ask not how you can "do" free software business;
              ask what your business can "do for" free software.
Received on 2004-01-20 00:15:43