Current models of Internet Computing are highly asymmetric – a host protects itself from malicious mobile Java programs, but there is no way to get assurances about the behavior of a program running remotely. The asymmetry stems from a behavior-based security model: hosts ensure conformance to a given security policy by restricting the actions of programs. In contrast, security models that are based on cryptography (including code signing) are inherently symmetric by design but do not match the open architecture of the Internet and are unsuitable for reasoning about program behavior. We propose a new paradigm that combines the openness of the former with the symmetry of the latter and thereby enables completely new applications in a globally connected world.