ssh-agent use in different security domains

[Saku Ytti]

Consider this topology

                domain1-server1      domain2-server2
                            |                             |
    laptop - domain1-server1 ---- domain2-server1


Laptop has two ssh identities, domain1 and domain2.


I don't wish to store identity locally in any of the servers. As far
as I understand, there isn't any way to limit ssh-agent to allow only
signing domain2 servers with domain2 identity? So Evil Admin of
domain2 could potentially ssh using my domain1 identity to domain1
server?


But need this be so? Couldn't we have something like

cat >> .ssh/config
host *.domain1.*
  Identity permit domain1-key
  Identity deny all

host *.domain2.*
  Identity permit domain2-key
  Identity deny all
^D

Or maybe ssh-agent itself could prompt user: 'domain2-server2 wants me
to sign with identity domain1-key, allow? yes/no, [ ] always?'.

Or is this problem already solved somehow?
-- 
  ++ytti