I'ld tend to agree with this.  Kfs for us is primarily a toy that we
use only on a few standalone systems that we'ld never type allow on.
All of our other systems are 'file system'-less.  Hostowner controls
local resources and, as such, is a superuser for that box.  To a lesser
extent, it can be a superuser to a larger domain since the authentication
server will allow some id's to 'speak for' other id's when connecting
to resources.  I'm currently toying with a complete public key based
system that doesn't even have this speaks for relation so that there
is no super-user.  This arrangement makes a lot of things nicer but
makes somethings more awkward.  For example, I can have a hostagent
running on my terminal that brokers all authentication for my processes,
even ones on cpu servers.  However, when making calls out from a cpu
server, I still have to trust the owner of that cpu server to be running
a system that does what my processes ask it to.  Hence, I'm trusting the
host owner making him a super-user of sorts.  However, the sphere of trust
can be much more arbitrariy and egocentric and I like that.

Cron in such a system becomes much harder.  The cron process has to
possess some of  my private keys in order to do it's job.  I could
limit its ability by certifying scripts that it runs but that's more
work.  However, I think I'm going to bite the bullet and do it.

I'm much enamoured of Mazieres' SFS.  I'ld like to make our authentication
mechanism as easy to use.