...
What is authenticated by a ServiceTicket?
When a ServiceTicket is validated, the validation response is a representation of the chain of Principals associated with the GrantingTicket that granted the ServiceTicket, and the GrantingTicket (if any) that granted that GrantingTicket, and the GrantingTicket (if any) that granted that GrantingTicket, and so forth up the chain until we reach a GrantingTicket that was the first in the chain.
Understanding traditional ServiceTickets in this new scheme
CAS 2.0 ServiceTickets are ServiceTickets the GrantingTicket of which has a Principal that is a user – an authenticated netid – and which itself has a grantor of null.
Understanding traditional ProxyTickets in this new scheme
CAS 2.0 ProxyTickets are ServiceTickets the GrantingTicket of which has a Principal that is a service – an authenticated proxy ticket receptor which received the PGT – and which itself has a grantor that is not null – that is, the GrantingTicket issued to a previous authenticated service in the chain or to the end user's web browser.
It's turtles all the way down.
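
The ticket model described above, as an added sketch that is not CAS code: it walks the grantor chain to build the validation response and maps each ticket back to its CAS 2.0 name. The class names, the `kind` field, the function names and the sample URLs are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Principal:
    name: str
    kind: str  # "user" (an authenticated netid) or "service" (a proxy ticket receptor)

@dataclass
class GrantingTicket:
    principal: Principal
    grantor: Optional["GrantingTicket"] = None  # None marks the first ticket in the chain

@dataclass
class ServiceTicket:
    service: str
    granting_ticket: GrantingTicket

def principal_chain(st: ServiceTicket) -> List[Principal]:
    """Validation response: Principals from the granting ticket up to the first in the chain."""
    chain, seen, gt = [], set(), st.granting_ticket
    while gt is not None:
        if id(gt) in seen:  # defensive check: a grantor chain must terminate
            raise ValueError("cycle in grantor chain")
        seen.add(id(gt))
        chain.append(gt.principal)
        gt = gt.grantor
    return chain

def cas2_name(st: ServiceTicket) -> str:
    """Map a ticket in this scheme to its CAS 2.0 name."""
    gt = st.granting_ticket
    if gt.principal.kind == "user" and gt.grantor is None:
        return "ServiceTicket"
    if gt.principal.kind == "service" and gt.grantor is not None:
        return "ProxyTicket"
    return "unclassified"

# Constructed sample: a user logs in, a portal receives a PGT, then proxies to mail.
user = Principal("jdoe", "user")
portal = Principal("https://portal.example.edu/pgtReceptor", "service")
tgt = GrantingTicket(user)                 # first in the chain, grantor is None
pgt = GrantingTicket(portal, grantor=tgt)  # granted on the strength of the user's ticket
st = ServiceTicket("https://portal.example.edu/", tgt)
pt = ServiceTicket("https://mail.example.edu/", pgt)

if __name__ == "__main__":
    for ticket in (st, pt):
        print(cas2_name(ticket), [p.name for p in principal_chain(ticket)])
```

A service validating `pt` sees both the proxying service and the end user in the chain, so it can make its access decision on every Principal involved rather than on the user alone.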