> Does that make sense?

yes. very good explanation.

however, i can't see how i could use this. while i do manage >2 auth domains
(and growing), i still have the requirement that everyone have an @tld
address, so the administration needs to be centralized, regardless.
conversely, leaf nodes can't depend on the main auth server, since
this would mean no work could be done if they can't contact the
main auth server.

perhaps i just lack imagination.

- erik