A system consistent with the present invention enables a program in a distributed
system to determine whether downloaded code is trustworthy before using the downloaded
code to communicate with other programs or services in the distributed system.
A client that downloads proxy code from a service can verify that both the service
and the downloaded code are trustworthy before using the code to communicate with
the service. "Trustworthy" code is code the client knows will enforce the client's
security constraints in communicating with the service, e.g., mutual authentication,
confidentiality, and integrity.
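The client-side decision described above, sketched as an added example (not code from the original document): the mechanism shown, a client-held policy of vetted code digests per service, is an assumption, as are the names `TrustPolicy`, `verify_proxy`, `UntrustedProxy` and the identity `printer.example`. The constraints a build enforces are read from the client's own trusted record, never from claims carried by the download.

```python
import hashlib
from dataclasses import dataclass

# Constraint names follow the examples given in the text.
MUTUAL_AUTH, CONFIDENTIALITY, INTEGRITY = "mutual_authentication", "confidentiality", "integrity"


@dataclass(frozen=True)
class TrustPolicy:
    """Client-held trust data (assumed layout): for each service identity the
    client trusts, the SHA-256 digests of proxy code it has vetted and the
    constraints each vetted build is known to enforce."""
    vetted: dict  # service_id -> {code_digest_hex: frozenset(constraints)}


class UntrustedProxy(Exception):
    pass


def verify_proxy(policy, service_id, proxy_code, required):
    """Return the digest of proxy_code if the service and the code are both
    trusted to enforce every constraint in `required`; raise otherwise.

    service_id is assumed to be an identity the client has already
    authenticated; it is never taken from the download itself."""
    builds = policy.vetted.get(service_id)
    if builds is None:
        raise UntrustedProxy(f"service {service_id!r} is not trusted")
    digest = hashlib.sha256(proxy_code).hexdigest()
    enforced = builds.get(digest)
    if enforced is None:
        raise UntrustedProxy("downloaded code is not a vetted build")
    missing = frozenset(required) - enforced
    if missing:
        raise UntrustedProxy(f"code does not enforce: {sorted(missing)}")
    return digest


# Constructed sample data: two builds of a proxy for one trusted service.
GOOD_CODE = b"proxy build 1 (constructed sample bytes)"
WEAK_CODE = b"proxy build 0 (constructed sample bytes)"
POLICY = TrustPolicy(vetted={
    "printer.example": {
        hashlib.sha256(GOOD_CODE).hexdigest(): frozenset({MUTUAL_AUTH, CONFIDENTIALITY, INTEGRITY}),
        hashlib.sha256(WEAK_CODE).hexdigest(): frozenset({INTEGRITY}),
    },
})
REQUIRED = {MUTUAL_AUTH, CONFIDENTIALITY, INTEGRITY}
```

The check fails closed: an unknown service, an unvetted build, or a vetted build that lacks a required constraint all raise before the proxy code is ever used.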