The segments kept by the segment keepers described by (p2,fsc) and (p2,vcsk) are discreet and consistent {(p3,segprop)} but we must trust the logic of the domains that create such segments to believe this. Is there some way that we can trust only a single authority in this matter so as not to have to trust the design and implementation of each such segment keeper as it comes along?

It seems clear that since the keeper has access to the TOD clock the consistency of the segment will depend on the segment keeper.

The discretion of the segment keeper seems to depend only on the keys of the keeper. If the keeper holds only the keys that are obviously necessary it would seem that the segment was necessarily discreet. Thus it would appear that discreet segments might be available without trusting the code of the keeper.