PS: I don't know if this is all covered in the CONS documentation
yet; I did
a lot of thinking/work on CONS last summer, and it may not have all be
written up in specs yet.
My advice to the LISP people was that they didn't need to implement
this
security stuff in any prototype implemenatations they were doing
(where
manpower is limited, and the chief concern is trying to get some
real-world
data on things like delays, unforseen operational issues, etc),
because it
doesn't change the fundamentals of the operation at all; it's just
security
sugar layered over everything.