In my current code, it happens that creating a WELLKNOWN/ANONYMOUS principal in a given realm allows that realm to start serving anonymous authentication if the realm also has pkinit enabled. I think that's OK; it is possible that someone has a principal of that name for another purpose, but the probability seems rather small. --Sam
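An audit of the condition Sam describes, as an added example that is not part of the original comment or of the Kerberos code base: it reports which realms hold a WELLKNOWN/ANONYMOUS principal and whether PKINIT is also configured there. It assumes a realm counts as PKINIT-enabled when `pkinit_identity` is set for it in kdc.conf (per realm or in `[kdcdefaults]`); the sample config, principal list and function names are constructed for illustration.

```python
import re

# Constructed kdc.conf and `kadmin listprincs`-style output; not real data.
KDC_CONF = """
[realms]
    EXAMPLE.COM = {
        pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem
    }
    LAB.EXAMPLE.COM = {
        max_life = 12h
    }
    CORP.EXAMPLE.COM = {
        pkinit_identity = FILE:/var/lib/krb5kdc/corp.pem
    }
"""
PRINCIPALS = """
krbtgt/EXAMPLE.COM@EXAMPLE.COM
WELLKNOWN/ANONYMOUS@EXAMPLE.COM
WELLKNOWN/ANONYMOUS@LAB.EXAMPLE.COM
alice@CORP.EXAMPLE.COM
"""

def pkinit_realms(conf):
    """Map each realm in [realms] to True if pkinit_identity applies to it."""
    realms, section, current, default = {}, None, None, False
    for line in (l.strip() for l in conf.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or profile comment
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, current = m.group(1), None
        elif section == "realms" and (m := re.fullmatch(r"(\S+)\s*=\s*\{", line)):
            current = m.group(1)
            realms[current] = False
        elif line == "}":
            current = None
        elif re.match(r"pkinit_identity\s*=", line):
            if section == "kdcdefaults":
                default = True  # global default covers every realm
            elif current:
                realms[current] = True
    return {r: on or default for r, on in realms.items()}

def audit(conf, principals):
    """Classify each realm that holds a WELLKNOWN/ANONYMOUS principal."""
    enabled, result = pkinit_realms(conf), {}
    for p in principals.split():
        name, _, realm = p.rpartition("@")
        if name == "WELLKNOWN/ANONYMOUS":
            result[realm] = "serving" if enabled.get(realm) else "inert"
    return result
```

A realm reported as "inert" has the principal but no PKINIT configuration, so it would begin serving anonymous authentication as soon as PKINIT is turned on there.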