authorization with junk keys
unmodified web browser uses ssl
web server records transcript of ssl handshake
transcript is inspected by tgs+
issues service ticket if valid
ssl challenge is actually generated by tgs+
- this moderates web server vulnerability