Dave, The scenario you descibed cis most apprpopriately averted by having the Corp. A cross certificate for Corp. B employ the name constraints extension, to ensure that certs issued under Corp B, and presented to the Corp. A SG, are suitable restricted in the range of IDs that they assert. Steve