In this paper, we have described the architecture of CRISIS, a security system for wide area applications. In designing CRISIS, we have endeavored to systematically apply principles from related fields to increase system security, availability, and performance across the wide area. These principles include: redundancy, caching, local autonomy, least privilege, and complete accountability. This paper describes how these principles have influenced our design and details the specific protocols used to carry out common operations across the wide area. Relative to earlier efforts, CRISIS uses transfer certificates as a simple mechanism for lightweight creation of roles and capabilities. While the current implementation runs only on Solaris, we expect to port the system to other platforms in the near future.