I’m going to start with the point which Dieter finished with yesterday, that Kerberos was originally intended to have three heads. The first was supposed to be an authentication mechanism, next there was supposed to be an authorisation or access control stage, and then there was supposed to be accounting, auditing and that kind of thing. My perception is that we did the first one, and we were half-way through doing the second one when public key cryptography came along. Then we all disappeared down a rabbit hole for twenty years, and we’ve just emerged now. The effect of public key was that we went back and did authentication again, but we never re-did authorisation, or did audit at all. Traditionally the authentication that’s associated with access control is a strong authentication, and it’s linked directly to the authorisation mechanism. The link between access and audit is indirect, and they’re linked via the identity that was used to do the authentication. There’s something not quite right about this. Even if (partial) anonymity isn’t a requirement, when you sit back and look at it dispassionately, it’s not the right way to do it. The fact that this isn’t quite right has some implications for system infrastructure that I want to raise.