In an open network such as the Internet, multicast security services typically start with group session-key distribution. Considering scalability for group communication among widely-distributed members, we can find a currently-leading approach based on a CBT (Core-Based Tree) routing protocol, where Group Key Distribution Centers (GKDCs) are dynamically constructed during group-member joining process. In search of practical use of it, this paper first analyzes the CBT protocol in terms of its efficiency as well as security management. Then the paper proposes several improvements on the protocol with an aim to solve the problem identified. In particular, (1) an overuse of encryption and signatures is avoided and (2) a hybrid trust model is introduced by a simple mechanism for controling the GKDC distribution. A comprehensive comparison among the costs of several implementations is also carried out.