I am a bit concerned about letting anyone with expired tokens
  to access things as System:Anyuser. As System:Anyuser means tokenless
  connections to the server, I may miss when my tokens expired,
  and unexpectedly lose the guarantee of server authenticity.
  I have the guarantee while I am using authenticated access (at least
  as long as nobody else fetches the objects before I do).

Given that we are using xor this is a bit iffy now, but I understand
the desire to separate architecture from crypto modules.

Here, your concern seems to be that the client can be sure that the
bits in the file, and the metadata, have been authenticated by the
server.  To really do this, you'd have to keep track of for which user
a file was authenticated, since one user can't know that another's key
isn't compromised.

One could use the SHA-1 hashes to avoid refetching the file, if the
issue is just authenticity.

FWIW, I use IPsec from clients to server, partly for this, but mostly
to get real confidentiality.



-- 
        Greg Troxel <gdt_at_ir.bbn.com>