This needs much work and material. Talk about the TCB.

A common unstated assumption is that boundaries between machines are also trust boundaries. Usually the operator of a computer chooses the operating system that runs there, or is at least in a position to tamper with the security mechanisms of that system. This need not be so, but that is another story.

Divisions of large companies once chose to use outside time sharing services in preference to their in-house computer services because of issues both of trust and of ability of the computer systems to keep secrets.

On this site we advocate unifying the idea of trust boundaries to cover the whole spectrum, from adversarial communications between machines to the boundaries implicit in the subroutine facilities provided by classic computer languages. In the former, messages are scrutinized upon receipt against carefully designed rules and acted upon only within tight rules.

It is perhaps necessary to motivate why capabilities should be combined with distribution. To some, the communications link between two computers seems the most natural place for a trust boundary. If the computers at the two ends of a link are run by different organizations, then the code in those computers may normally be thought to be written by programmers with limited mutual trust, and all messages over the wire are subject to application scrutiny. How can system code help?