if i understand, you are addressing a situation like a web page which may have all kinds of unknown modules, etc. if that is the case, then i don't believe that signing is security. just because the module came from microsoft and was signed with the super-private microsoft key, doesn't mean that the module doesn't do things that you don't allow. hey, the key could have been stolen (what would be the chances ;-) or it might just be buggy (what would be the chances). i think that you are going to have to run dis modules loaded in a situation like a web browser into a sandbox that has very restricted premissions in order to avoid security issues. in that case, there's not much point to all the complication of signing. erik ---------------- //the basic idea in all Plan 9 and Inferno is, that even network connections //are services offered by directories which are called "file systems" you're correct, of cource. but think about it in terms of a normal file system, like local disk or such. different users have different permissions to different things, right? we can tell these users are different people because they have a certain key/passwd/response. without signing on a dis module, we face two problems, both of which exist in any system with no authentication. first, when someone does something we don't like, we don't know who to blame. if someone's doing things i don't like on my system, i want to know about it. similarly, if i load a dis module that does things i don't like, i want to know who wrote it and/or who gave it to me. second, without any reasonable method of telling who's who, if i want to restrict _someone_ from doing something, i have to restrict _everyone_. if, for example, i trust myself, VN, and the Labs to write modules that make network connections, but not anyone else, i need to tell who wrote a given module, right? otherwise it's all-or-none. i'm either too restrictive or too permissive. security consists of (at least?) two parts: authentication (who am i) and authorization (what can i do). the file system model is an excelent way of taking care of authorization, but something still needs to be done for authentication, so i can trust people are who they say they are. dis signing is one suggestion of how to do it. -α.