>I think AFS uses the correct model. Credentials are really an attribute
>of the user and for the best security should be tracked by the kernel like
>any other security attribute of the user (UID, GID, supplemental groups,
>capabilities, etc.). But that gets into really nasty cross-platform
>issues, not to mention annoying kernel licensing issues.

AFS makes this easier by not having to actually do any Kerberos on the
client side, of course. I agree with you that it should be a kernel
attribute ... it's just that real life gets in the way.