next up previous
Next:  Conclusions Up:  Security Architecture Previous:  Components of a security

 Security Related Aspects of an Agent Life Cycle


This section outlines the life cycle of a migrating agent to give an example of how components and services work together. Figure [*] depicts part of the life cycle. To begin with, when a manager initiates an agent, it signs it to identify the initiator, the first agent system, and so on, and supplies the agent with the necessary rights. If an agent system receives an agent from the communication network, some decryption and host authentication may already have happened, depending on the communication service. This information can influence later checks. If the agent has been encrypted, the agent system decrypts it and tests the integrity of the data received by checking the signature that the sender has appended. Further checks are necessary to detect replays, redirections or replications.

After the agent system has concluded these checks, it can assign first security attributes to the agent received, e.g. the overall security `level' of the transmission depending on the kind of encryption used. If possible, the agent system may already do some first code verification to assure that it is a mobile agent conforming to the implementation language specification. The following step is very important: authentication. The agent system verifies the signatures and certificates attached and may find out, e.g., who wrote the agent, who sent it at the beginning, or which intermediate locations it passed. The agent system tries to map the set of identities attached to existing, valid subjects, defining responsibilities for any later action. This may involve the key server or trust center.

Once authenticated, the agent system authorizes the agent, i.e. it assigns rights and checks credentials carried with the agent. As several identities influence authentication, authorization is not as easy as in ordinary operating systems. Trustworthiness may depend on each identity authenticated. Some of them may `add' rights, e.g. agents signed by two or more managers aggregate their rights. Others may `remove' rights, e.g. for agents that visited a possibly malicious agent system. The actual way of determining rights may depend on the security policies defined.

If the agent system decides to execute the agent after these checks, it starts the agent. In order to protect the agent system, the host system and other agents, the agent runs in a sandbox. Checks at run-time must make sure that the agent is not able to perform illegal operations or violate access rights. To implement non-repudiation, some operations require logging state information to a non-repudiation service.

When the agent has finished its work and wants to migrate to another place, the agent system stops execution and packs the agent with its current state. It may adjust the rights of the agent, e.g. if the agent needs more rights at its next location. The agent system signs the result to certify the execution and may log this to a non-repudiation service. Finally, it opens a (secure) communication link with the new place and sends the agent, possibly after encrypting it.
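The five steps above (receive and verify, detect replays and redirections, authenticate identities, authorize by aggregating and removing rights, execute in a sandbox, then sign the state and log before migration) are modelled end to end in the following example. It is an added illustration, not code from the paper or its authors. All subject names, keys, rights and policies are constructed, and HMAC with per-subject shared keys stands in for the signatures and certificates that a key server or trust center would supply in a real deployment.

```python
"""Model of the agent life cycle described above (constructed example).
HMAC shared keys replace the asymmetric signatures/certificates the paper assumes."""
import hashlib
import hmac
import json

# Constructed key material: the subjects this agent system can map attached
# identities onto (the paper's "existing, valid subjects").
KNOWN_SUBJECTS = {
    "manager-alice": b"key-alice",
    "manager-bob": b"key-bob",
    "agentsys-home": b"key-home",
    "agentsys-shady": b"key-shady",
}
# Policy (assumed): rights a manager may grant; co-signing managers aggregate.
MANAGER_RIGHTS = {
    "manager-alice": {"read:catalog"},
    "manager-bob": {"read:catalog", "write:order"},
}
# Policy (assumed): hosts considered possibly malicious, and the rights an
# agent loses once it has visited one of them.
UNTRUSTED_HOSTS = {"agentsys-shady"}
RIGHTS_REVOKED_AFTER_UNTRUSTED_VISIT = {"write:order"}


def sign(subject, blob):
    return hmac.new(KNOWN_SUBJECTS[subject], blob, hashlib.sha256).hexdigest()


def canonical(obj):
    return json.dumps(obj, sort_keys=True).encode()


def initiate_agent(operations, managers, nonce):
    """The initiating manager(s) sign the static code and the initial state."""
    code = canonical({"operations": operations, "nonce": nonce})
    state = canonical({"visited": [], "results": []})
    return {"code": code, "code_sigs": {m: sign(m, code) for m in managers},
            "state": state, "state_sigs": {m: sign(m, state) for m in managers}}


class AgentSystem:
    def __init__(self, name):
        self.name = name
        self.seen = set()        # (nonce, hop) pairs already accepted: replay detection
        self.nonrep_log = []     # stand-in for the non-repudiation service

    def _verify(self, blob, sigs):
        """Integrity + authentication: every signer must be a known subject
        and its signature must verify; returns the mapped identities."""
        ids = []
        for subj, sig in sigs.items():
            if subj not in KNOWN_SUBJECTS:
                raise ValueError(f"unknown subject {subj}")
            if not hmac.compare_digest(sig, sign(subj, blob)):
                raise ValueError(f"bad signature from {subj}")
            ids.append(subj)
        return ids

    def receive(self, agent):
        managers = self._verify(agent["code"], agent["code_sigs"])
        senders = self._verify(agent["state"], agent["state_sigs"])
        code, state = json.loads(agent["code"]), json.loads(agent["state"])
        # Redirection check: once migrated, the state must be signed by the
        # host that the state itself names as the last visited place.
        if state["visited"] and senders != [state["visited"][-1]]:
            raise ValueError("redirection: state not signed by last visited host")
        key = (code["nonce"], len(state["visited"]))
        if key in self.seen:
            raise ValueError("replay detected")
        self.seen.add(key)
        return code, state, managers

    def authorize(self, state, managers):
        # Rights aggregate over co-signing managers and shrink after a visit
        # to a possibly malicious agent system.
        rights = set().union(*(MANAGER_RIGHTS.get(m, set()) for m in managers))
        if any(h in UNTRUSTED_HOSTS for h in state["visited"]):
            rights -= RIGHTS_REVOKED_AFTER_UNTRUSTED_VISIT
        return rights

    def execute(self, code, rights):
        # Sandbox: each requested operation is checked against the granted rights.
        performed = [op for op in code["operations"] if op in rights]
        denied = [op for op in code["operations"] if op not in rights]
        return performed, denied

    def migrate(self, agent, state, performed):
        new_state = dict(state, visited=state["visited"] + [self.name],
                         results=state["results"] + performed)
        blob = canonical(new_state)
        # The host certifies the execution by signing the new state and logs it.
        self.nonrep_log.append({"host": self.name,
                                "state_hash": hashlib.sha256(blob).hexdigest()})
        return dict(agent, state=blob, state_sigs={self.name: sign(self.name, blob)})


def run_hop(system, agent):
    """One full stay at an agent system; returns the outgoing agent and the decisions."""
    code, state, managers = system.receive(agent)
    rights = system.authorize(state, managers)
    performed, denied = system.execute(code, rights)
    return system.migrate(agent, state, performed), sorted(rights), performed, denied


if __name__ == "__main__":
    home, shady = AgentSystem("agentsys-home"), AgentSystem("agentsys-shady")
    agent = initiate_agent(["read:catalog", "write:order", "delete:db"],
                           ["manager-alice", "manager-bob"], "nonce-1")
    for system in (home, shady, home):
        agent, rights, performed, denied = run_hop(system, agent)
        print(system.name, "rights:", rights, "performed:", performed, "denied:", denied)
```

Running the demo shows the rights shrinking on the third hop: after the agent has passed the untrusted host, `write:order` is no longer granted even though both managers originally signed for it, and a second delivery of the original envelope to the home system is rejected as a replay.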



Copyright Munich Network Management Team