Back on the topic of this thread:
Keyczar authenticates all symmetric ciphertexts by default. However, it HMACs the output, rather than using one of the authenticated cipher modes.
HMAC is definitely slower and might be less secure than the MAC functions used by the AE modes, which (especially with CCM and EAX) are based on AES instead of hash functions.
On the other hand, there is more public code implementing HMAC than there is for EAX.
I've found that OCB is faster than CCM or EAX because it's only one pass, but unfortunately is patented. It can be used under the GNU GPL, though.
Phil Rogaway considers EAX to have been "supplanted by SIV". I'm not sure if I agree with that, but do like SIV for applications requiring deterministic, authenticated output with tight length overhead.
Back on the topic of this thread: Keyczar authenticates all symmetric ciphertexts by default. However, it HMACs the output, rather than using one of the authenticated cipher modes.