We propose to deal with this problem by means of a recently developed security mechanism for distributed systems called Law-Governed Interaction (LGI). LGI can associate a singular mode of interaction with any given group of distributed agents, subjecting all such interactions to an explicitly specified "law" that defines the security policy regarding this mode of interaction. An agent operating under a given law L can be trusted implicitly to satisfy the policy defined by this law, without having to validate each operation with some trusted server. This makes LGI scalable to a significant extent, and it contributes to the fault tolerance of this mechanism.
LGI can thus support a wide range of security models and policies, including conventional discretionary models that use capabilities and access-control lists, mandatory lattice-based access control models, and the more sophisticated models and policies required for commercial applications. Moreover, under LGI, a single agent may be involved in several different modes of interaction, and thus be subject to several disparate security policies. All such policies would be defined by laws expressed in a single formalism, and be enforced in a unified manner.
Another advantage of the proposed security mechanism is that it completely hides from the users all aspects of key management. The trust between the interacting agents under LGI is the result of constraints being imposed on the exchange of messages between them.
For more information, see http://athos.rutgers.edu/~minsky.