"We shouldn't distribute MediaWiki without a permission model", well we've done so for about 13 years. :-D Security issues with authorization extensions outlines some of the problems. IMHO two realistic goals for this RFC would be:
- reduce hardcoded and scattered permission checks in core (e.g. checks for a specific default user group hardcoded in the code for a special page or action);
- introduce pervasive and low-level hooks to override core's behaviour where needed, making it possible for Lockdown to be simpler to implement and to not need core hacks at all (bug 64787 and friends).