Next: Architecture Aware Visualization Up: Minimal Core Security Services Previous: Core Security Services

Reflective Secure Bootstrapping

Building on the layered structure with trusted security service repositories developed in the Cherubim system, a set of reflective bootstrapping protocols recursively bootstraps other security services as necessary. The design of the reflective structures and protocols is based on our current work in developing a reflective Object Request Broker (ORB) [SSC97]. A reflective system gives a user program access to its own definition and evaluation rules and defines interfaces and protocols for altering them. In our evaluation of customizations to the reflective ORB to support real-time processing, fault tolerance, and load balancing, we found that the reflective facilities needed for one feature supported the additional features without drastically changing the initial architecture. In general, change is supported by reifying the structure and evaluation strategy of the ORB. With this approach, a change to the ORB amounts to creating new subclasses for components and using the resulting objects in the architecture, which leaves the underlying system performance practically unaffected.

Although these results were obtained within the context of an ORB architecture, we believe that the same technique and concept apply to the design and development of the proposed reflective secure bootstrapping process in active networking environments. For example, the reflective ORB accommodates application-specific customization by reifying method call processing in the form of Invoker and Dispatcher objects; to add real-time support, client programs supply subclasses of Invoker and Dispatcher that know about marshaling with deadlines. In the same way, we can introduce reflection into the bootstrapping process by reifying the entities that are important to bootstrapping and may have different implementations in different situations. Therefore, except for the core service, the bootstrapping protocols themselves can be customized and configured to fit the diverse security requirements of different organizations and applications.

As for the core service, although the need to change it should be small (core security protocols and algorithms haven't changed much in the last twenty years), our design also allows user configurability at boot time, e.g., using a smart card. This feature will allow the system to accommodate base-level changes in cryptographic technology, whether caused by changes in government regulation or by advances in cryptography.
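The reified bootstrapping structure described above, sketched as an added Python example that is not code from the Cherubim system or this paper: a fixed CoreService is the only trust anchor, the bootstrapping policy is a reified BootstrapStrategy object that is customized by subclassing (as Invoker and Dispatcher are in the ORB), and ReflectiveBootstrapper recursively bootstraps a service's dependencies. All class names, the service registry and the trust list are assumptions constructed for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class ServiceSpec:
    name: str                        # hypothetical service identifier
    depends_on: tuple[str, ...] = ()

class CoreService:
    """Fixed core, the only trust anchor. A constructed allow-list stands in for real verification."""
    def __init__(self, trusted):
        self._trusted = frozenset(trusted)
    def verify(self, spec):
        return spec.name in self._trusted

class BootstrapStrategy:
    """Reified bootstrap policy: changing it means subclassing, not editing the core."""
    def check(self, core, spec):
        return core.verify(spec)
    def activate(self, spec, deps):
        return f"{spec.name}({','.join(deps)})"  # stand-in for the running service

class AuditingStrategy(BootstrapStrategy):
    """Customization by subclassing: same protocol, plus a record of every trust decision."""
    def __init__(self):
        self.decisions = []
    def check(self, core, spec):
        ok = super().check(core, spec)
        self.decisions.append((spec.name, ok))
        return ok

class ReflectiveBootstrapper:
    def __init__(self, core, strategy, registry):
        self.core, self.strategy = core, strategy
        self.registry = {s.name: s for s in registry}
        self.active, self.order = {}, []     # running services; activation order
    def bootstrap(self, name, _chain=()):
        if name in self.active:
            return self.active[name]
        if name in _chain:                   # refuse circular dependencies
            raise RuntimeError("dependency cycle: " + " -> ".join(_chain + (name,)))
        spec = self.registry[name]
        if not self.strategy.check(self.core, spec):  # the core decides trust first
            raise PermissionError(f"core refused to bootstrap {name}")
        deps = [self.bootstrap(d, _chain + (name,)) for d in spec.depends_on]
        self.active[name] = self.strategy.activate(spec, deps)
        self.order.append(name)
        return self.active[name]

# Constructed registry and trust list, for demonstration only.
REGISTRY = [ServiceSpec("crypto"), ServiceSpec("auth", ("crypto",)),
            ServiceSpec("secure_channel", ("auth", "crypto")), ServiceSpec("rogue")]
CORE = CoreService({"crypto", "auth", "secure_channel"})
```

Swapping in AuditingStrategy changes how bootstrapping decisions are recorded without touching CoreService or ReflectiveBootstrapper, which is the reflective customization the text describes.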


Dong Xie
6/23/1998