Most computers today are insecure because security is costly in terms of user inconvenience
and foregone features, and people are unwilling to pay the price. Real-world security
depends more on punishment than on locks, but it's hard to even find network attackers,
much less punish them. The basic elements of security are authentication, authorization, and
auditing: the gold standard. The idea of one principal speaking for another is the key to
doing these uniformly across the Internet.

Computer system security is more than 30 years old. It has had many intellectual suc-
cesses, among them the subject/object access matrix model, 1 access control lists, 2
multilevel security using information flow3, 4 and the star property, 5 public-key
cryptography, 6 and cryptographic protocols. 7 Despite these successes, in an absolute
sense the security of the hundreds of millions of deployed computer systems remains
terrible. A determined and competent attacker could steal or destroy most of the information …