While I don't really see a problem allowing the owner to be specified for vos create, I'd like to point out that you can just create a kerberos principal that is in system:administrators that the AFS server has a key to and authenticates as. It's certainly not a security exposure; given root on a db server, I can use pt_util to add something to system:administrators.