fies a number of issues related to security information r semantics on different layers of abstraction. In particular it is difficult to express caller and target accurately in the middleware security policy with the information available on the middleware layer. The problems discussed in this paper were encountered during the development of MICOSec [7], our CORBA Security Services implementation for the MICO ORB [3]. This section briefly reviews CORBA security and the terminology used. Section 2 describes the different f abstraction in a secure CORBA environment and identifies the boundaries of the middleware (ORB) layer. Section 3 evaluates the usefulness of a range of potential ways of describing the main ORB layer components: caller, message, and target. In section 4, our MICOSec CORBA Security implementation is presented. Finally, section 5 summarizes the observations of this paper, and a conclusion is given in section 6. Note that, although CORBA was chosen as an example for midd...