UIDs on the Hurd are separate from processes.  A process has
[[capabilities]] designating so-called UID vectors that
are implemented by an [[auth]] server.  This
makes them easily [[virtualizable]].

When a process wishes to gain access to a resource provided by a third
party (e.g., a file system) and that party wishes to authenticate the client
so as to implement some identity-based access control ([[IBAC]]) policy,
the latter initiates a three-way authentication handshake.  The server
and client each then begin an authentication sequence with
their respective [[trust]]ed auth servers.  If they have
a mutally trusted ancestor and an auth server does not abort the
transaction, then the client is delivered a new capability
naming a newly authenticated session with the server
and the server is delivered the client's designated UID vector.

For more details, see section 2.3 of the [[HurdCritique]].