e.g. allows a web server to impersonate a client when accessing a database resource
a.k.a. “double-hop authentication”
with other implementations, open (IETF based)
mature (10 years)
• renewable session tickets
• avoids unnecessary roundtrips to domain controllers
• allows verification of server identity
• Assumes network is untrusted
• Real encryption!