Discussion of namespace overlap rules according to the IGTF Charter (http://www.igtf.net/charter.html).

Question of the definition of "authority": is it the CA instance or the organization that runs the CA? It is the "accredited authority". The organization is the "PMA member".

Proposal: allow a member that runs multiple CAs to have namespace overlaps. Change in Section 3.1. We still have the requirement that "every identifier ... is associated with one and only one identity."

Benefits:
- Simpler for users. They have a single DN from the Classic/MICS/SLCS CAs: one entry in VOMS and grid-mapfiles rather than multiple.
- Allows users to "upgrade" from SLCS to MICS/Classic (for example).
- Allows users to "downgrade" from MICS/Classic to SLCS (for example, if they're away from their computer and need a short-lived certificate).
- Simpler for system administrators.
- Allows CA roll-overs.

Issues:
- Makes incident response more difficult. A DN in the logs would not map directly to a single CA. If a DN is associated with abuse, multiple certificates may need to be revoked across multiple CAs.
- If one of the CAs is compromised, it makes the others suspect.
- Can't differentiate between them in VOMS? May want to give one admin rights and not the other. VOMS can do an issuer check; it is configurable in VOMS. Middleware could parse the OID.

Would be very difficult to coordinate/allow overlap between organizations. This is only feasible in the case where one organization runs multiple CA instances.

In SLCS, the certificate is short-lived but the identity is long-lived. If the level of assurance (LOA) differs between SLCS and MICS/Classic, do we need to identify them differently?

Require a top-level policy document that describes how you guarantee uniqueness among all the CAs in the organization.

Shall we allow the same issuer to issue the same DN in SLCS and Classic but differentiate only by OID? No, the Issuer should also be different.

The Issuing CA must be uniquely associated with a profile. Can't have a single authority accredited under multiple APs. Need a memorandum to the other PMAs for their approval.

Describe the namespace management in each CP/CPS or in a separate document? OK to do it in each CP/CPS so long as they are maintained consistently.
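The rules discussed above (one issuer per profile, one identity per DN, overlap only within a single PMA member), the incident-response consequence (a DN no longer names one CA) and the issuer-aware VOMS-style check, as an added worked example that is not part of these notes or of any IGTF tooling. All DNs, organization names, identity labels and the profile names are constructed for illustration; real middleware would derive the profile from the certificatePolicies OID rather than from a field in a record.

```python
from collections import defaultdict

# Constructed issuance records for one PMA member ("Example Org") running a
# Classic, a MICS and an SLCS CA, plus one record from an unrelated member.
RECORDS = [
    {"subject": "/DC=org/DC=example/CN=Alice", "profile": "classic", "org": "Example Org",
     "issuer": "/DC=org/DC=example/CN=Example Classic CA", "identity": "alice@example.org"},
    {"subject": "/DC=org/DC=example/CN=Alice", "profile": "slcs", "org": "Example Org",
     "issuer": "/DC=org/DC=example/CN=Example SLCS CA", "identity": "alice@example.org"},
    {"subject": "/DC=org/DC=example/CN=Bob", "profile": "mics", "org": "Example Org",
     "issuer": "/DC=org/DC=example/CN=Example MICS CA", "identity": "bob@example.org"},
    # A different organization issuing the same DN: not allowed by the proposal.
    {"subject": "/DC=org/DC=example/CN=Alice", "profile": "classic", "org": "Other Org",
     "issuer": "/DC=org/DC=other/CN=Other CA", "identity": "alice@other.org"},
]


def namespace_violations(records):
    """Check the proposed overlap rules: an issuing CA is tied to exactly one
    profile, a DN belongs to exactly one identity, and a DN may be issued by
    several CAs only when they all belong to the same organization."""
    issuer_profiles, dn_identities, dn_orgs = defaultdict(set), defaultdict(set), defaultdict(set)
    for r in records:
        issuer_profiles[r["issuer"]].add(r["profile"])
        dn_identities[r["subject"]].add(r["identity"])
        dn_orgs[r["subject"]].add(r["org"])
    problems = [f"issuer {i} accredited under several profiles: {sorted(p)}"
                for i, p in issuer_profiles.items() if len(p) > 1]
    problems += [f"DN {d} maps to several identities: {sorted(i)}"
                 for d, i in dn_identities.items() if len(i) > 1]
    problems += [f"DN {d} overlaps across organizations: {sorted(o)}"
                 for d, o in dn_orgs.items() if len(o) > 1]
    return problems


def revocation_scope(records, subject_dn):
    """Incident response: every CA that has issued this DN, since a DN seen in
    a log no longer identifies a single issuer and each may need a revocation."""
    return sorted({r["issuer"] for r in records if r["subject"] == subject_dn})


def authorize(records, subject_dn, issuer_dn, admin_profiles=("classic", "mics")):
    """Issuer-aware mapping in the spirit of the VOMS issuer check: the same DN
    gets admin rights from a long-lived profile but only user rights from SLCS."""
    for r in records:
        if r["subject"] == subject_dn and r["issuer"] == issuer_dn:
            return "admin" if r["profile"] in admin_profiles else "user"
    return None  # unknown (subject, issuer) pair: no mapping at all
```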