A protection model is presented for a general-purpose computing system based on keys attached as ‘seals’ and ‘signatures’ to values exchanged among processes. A key attached to a value as a ‘seal’ does not prevent that value from being propagated to any place within the system; rather, it guarantees that the value and any information derived from it cannot leave the system unless the same key is presented. A key attached to a value as a ‘signature’ is used by a process to verify the origin of the received data. Solutions to problems from the areas of interprocess communication and proprietary services are given