Jeff,
You are right, of course. I see now how caching permissions is really quite complex.
It may not be feasible to come up with a flushing scheme that will keep db and cache in sync at all times. However, I believe it is the case that permissions change very seldom. I also believe that for the majority of sites it is perfectly acceptable to have the cached permissions lag the db permissions by some time (say, one or a couple of hours). If I'm not mistaken, this approach was used by Don for both SloanSpace and Greenpeace.
How about adding another parameter for the timeout of the permissions cache? I don't know what the default value should be, maybe 60 minutes?
/Peter
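
The timeout-based cache proposed in the message above, as an added example that is not part of the original post or of any project's code: it shows how long a revoked grant keeps being honoured when the only invalidation is a timeout. The names `PermissionCache`, `permission_p` and `timeout_seconds`, and the sample grants, are assumptions made for the illustration.

```python
import time


class PermissionCache:
    """Time-based cache in front of a permission lookup (constructed example)."""

    def __init__(self, lookup, timeout_seconds=3600, clock=time.monotonic):
        self._lookup = lookup            # authoritative check, e.g. a db query
        self._timeout = timeout_seconds  # hypothetical parameter, 60 min default
        self._clock = clock              # injectable so expiry can be tested
        self._entries = {}               # (party, obj, priv) -> (allowed, fetched_at)

    def permission_p(self, party, obj, priv):
        key = (party, obj, priv)
        now = self._clock()
        hit = self._entries.get(key)
        if hit is not None and now - hit[1] < self._timeout:
            return hit[0]                # may lag the db by up to timeout_seconds
        allowed = bool(self._lookup(party, obj, priv))
        self._entries[key] = (allowed, now)  # denials are cached as well
        return allowed


def demo():
    """Revoke a grant in the backing store and record when the cache notices."""
    db = {("alice", "doc-1", "write")}   # constructed sample grant
    now = [0.0]                          # fake clock so the demo runs instantly
    cache = PermissionCache(lambda *k: k in db, timeout_seconds=3600,
                            clock=lambda: now[0])
    seen = [cache.permission_p("alice", "doc-1", "write")]      # t=0: miss, asks db
    db.discard(("alice", "doc-1", "write"))                     # revoked in the db
    now[0] = 3599
    seen.append(cache.permission_p("alice", "doc-1", "write"))  # stale allow
    now[0] = 3600
    seen.append(cache.permission_p("alice", "doc-1", "write"))  # expired, asks db
    return seen


if __name__ == "__main__":
    print(demo())
```

The stale allow at t=3599 is the security-relevant case: the timeout value is the upper bound on how long a revocation can be ignored, so it should be chosen with that window in mind.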