Middleware gives applications an abstract view of the underlying technology. Access control policies define the authorisations of principals. When no suitable representation of principals is available on the middleware layer, policies resort to using verifiable identifiers of underlying cryptographic mechanisms. However, this approach collides with the aim of hiding mechanism-specific details, which include the underlying cryptographic mechanisms. This paper analyses the difficulties of fitting cryptographic mechanisms into a middleware security architecture without breaking either security or the original middleware design goals.