Many people want to encrypt the network traffic generated by
remote procedure call systems such as CORBA, DCOM, and Java RMI.
Encryption alone, however, is often the least important part.
The more useful property of a secured connection is authentication:
knowing who the caller is lets the server make an access control
decision when a remote call arrives.
Traditional secure RPC systems have focused on two models: capabilities
and access control lists (ACLs). The main problem with capabilities
is that they are too easy to copy, which makes complex security policies
hard to maintain. The main problem with ACLs is that they are too
hard to write, especially as security policies grow in complexity
with roles, groups, and delegation.

An interesting property of remote agents, servlets, and similar
new technologies is that untrusted code runs on a trusted platform.
If such code wishes to make a secure remote procedure call, the RPC
server needs to be able to distinguish a secure RPC originating from
the trusted server itself from one originating from the untrusted
agent; otherwise the agent inherits the server's identity simply by
running inside it. We are working on a solution to this problem based
on existing Java security mechanisms that is as easy to use as a
capability system while retaining the strong security properties of
an ACL system.
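The following is an added illustration of the problem in the preceding paragraph, not code from the paper or its implementation. The paper does not say which Java security mechanism it builds on; this example assumes stack inspection (the caller's effective privilege is the least privileged protection domain anywhere on the call stack) and models it in Python with a constructed privilege lattice, ACL, and domain names. The naive variant, which only looks at the nearest registered caller, shows how an untrusted agent can otherwise launder a call through trusted platform code.

```python
import inspect

# Constructed privilege lattice for the example: lower rank = less privileged.
PRIVILEGE = {"untrusted-agent": 0, "trusted-server": 1}

# Protection-domain registry: code object -> domain name. Frames whose code is
# not registered (the RPC stub, interpreter or test-harness internals) carry no
# domain and are skipped during inspection.
_DOMAINS = {}


def domain(name):
    """Decorator that records which protection domain a function's code belongs to."""
    def register(func):
        _DOMAINS[func.__code__] = name
        return func
    return register


def effective_principal(whole_stack=True):
    """Stack inspection: walk every active frame outward from the RPC stub and
    return the least privileged registered domain found. With whole_stack=False
    only the nearest registered caller is consulted, which is the naive check an
    agent can launder through trusted code. If no registered frame is on the
    stack at all, the call is treated as untrusted."""
    least = None
    frame = inspect.currentframe().f_back
    while frame is not None:
        name = _DOMAINS.get(frame.f_code)
        if name is not None:
            if least is None or PRIVILEGE[name] < PRIVILEGE[least]:
                least = name
            if not whole_stack:
                break
        frame = frame.f_back
    return least if least is not None else "untrusted-agent"


# Server-side ACL (constructed): method -> principals allowed to invoke it.
ACL = {
    "status": {"trusted-server", "untrusted-agent"},
    "shutdown": {"trusted-server"},
}


def server_dispatch(request):
    """Server side: the access control decision is made on the principal bound
    to the incoming call, not on where the bytes came from."""
    allowed = ACL.get(request["method"], set())
    verdict = "ok" if request["principal"] in allowed else "denied"
    return (verdict, request["principal"], request["method"])


def rpc_call(method, naive=False):
    """Client-side stub. In a real system the principal would be bound to an
    authenticated channel; here the request carries it as a plain field so the
    policy logic stays visible."""
    request = {"method": method,
               "principal": effective_principal(whole_stack=not naive)}
    return server_dispatch(request)


@domain("trusted-server")
def server_housekeeping(naive=False):
    """Trusted platform code that legitimately needs the privileged method."""
    return rpc_call("shutdown", naive)


@domain("untrusted-agent")
def agent_code(naive=False):
    """Untrusted agent that tries to reach 'shutdown' via the trusted helper."""
    return server_housekeeping(naive)


@domain("untrusted-agent")
def agent_status():
    """Untrusted agent invoking a method the ACL permits it to call."""
    return rpc_call("status")


if __name__ == "__main__":
    print(server_housekeeping())    # ('ok', 'trusted-server', 'shutdown')
    print(agent_status())           # ('ok', 'untrusted-agent', 'status')
    print(agent_code())             # ('denied', 'untrusted-agent', 'shutdown')
    print(agent_code(naive=True))   # ('ok', 'trusted-server', 'shutdown'), laundered
```

Walking Python frames is a model of the mechanism, not a security boundary: untrusted Python code can rewrite `_DOMAINS`. The point the example makes is the policy one: the identity stamped on an outgoing RPC must reflect every principal on the path that caused the call, or trusted platform code becomes a confused deputy for the agent.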