] We describe a theory of authentication and a system that
] implements it. Our theory is based on the notion of
] principal and a %u2018speaks for%u2019 relation between
] principals. A simple principal either has a name or is a
] communication channel; a compound principal can express
] an adopted role or delegated authority. The theory shows
] how to reason about a principal%u2019s authority by
] deducing the other principals that it can speak for;
] authenticating a channel is one important application. We
] use the theory to explain many existing and proposed
] security mechanisms. In particular, we describe the
] system we have built. It passes principals efficiently as
] arguments or results of remote procedure calls, and it
] handles public and shared key encryption, name lookup in
] a large name space, groups of principals, program
] loading, delegation, access control, and revocation.

I may have memed this before. It is an outstanding paper.