Next: New Performatives
Up: Extensions to KQML
Previous: Extensions to KQML
- :signature
The value of the signature parameter in a performative is a
digital signature computed over the content of the performative.
The signature is produced by the agent that sends the KQML
message.
- :senderCert
To verify the signature in a performative, the receiver
needs the public key of the sender. The included senderCert
of a performative enables the receiver to get and verify
the authenticity of the public key, and then to verify the
signature with the authenticated public key.
Generally, signature and senderCert appear together in a
performative.
- :senderCertChain
For the dynamic management of certificates, the
senderCertChain, which contains the certificates of the agents
along the path from the root security agent through the agent
that holds the senderCertChain, is needed as a
parameter in the performative. See also [15].
- :senderCertName
This parameter indicates which kind of certificate is used
by the sender of the message, so that the receiver is
able to parse the information included in the senderCert
according to the format associated with the name given in "senderCertName".
- :receiverCert
The certificate of the receiver's public key.
- :receiverCertName
The name of the receiver's public key certificate.
This parameter indicates which public key of the receiver
is used to encrypt the content of the message, because in a
multi-certificate authentication system a receiver can hold
more than one public key certificate. Being informed of the
certificate, the receiver can easily choose the corresponding
private key to decrypt the encrypted content of the message.
The following is an example of a KQML message with some of the new parameters:
tell:
:language CIPHER
:content {the encrypted M}
:receiverCertName CMUCertificate
where M is another KQML message embedded in the first KQML package:
tell:
:language PLAINTEXT
:content {the content}
:senderCert {a public certificate of sender}
:senderCertName RetsinaCertificate
:signature {signature signed by sender}
"tell" is one of the performatives defined in the original
KQML [16]; the new parameters in the performative enable an
agent to "tell" verifiable secrets:
- The value of parameter language, CIPHER, indicates that
the content is encrypted.
- Knowing CMUCertificate, the receiver is able to choose
the corresponding private key to decrypt the cipher.
- With the signature signed by sender and the senderCert,
the receiver can verify the authenticity of the content
(cipher).
Generally speaking, signing before encrypting prevents the
attack with "trapdoor" moduli, in which the signed document
can be forged by computing discrete logarithms and changing
the public key (key spoofing) [17].
How to make such a decision is the job of the planner, which
schedules how to complete a task step by step.
The detailed processing of the KQML message would be as follows:
- The KQML parser of the receiver extracts the content of the
first KQML package, the encrypted M, and passes it with
RetsinaCertificate to the security execution module.
- The security execution module picks the corresponding
private key, decrypts the content and obtains the plain M.
- Since M is a KQML message, it is returned to the KQML
parser. The parser parses M and passes the content,
signature, and senderCert to the security execution
module.
- The security execution module verifies the authenticity
and integrity of the content.
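The receiver-side processing described above, as an added sketch that is not code from the original paper or from any KQML implementation. Assumptions: toy textbook RSA with tiny constructed keys stands in for real cryptography, a certificate is just the text "n,e", certificate authentication is reduced to a lookup in a trusted set, the ciphertext is a comma-separated list of integers, the private key is selected by receiverCertName, and all function names are hypothetical.

```python
import hashlib, re

PARAM = re.compile(r":(\w+)\s+(\{.*?\}|\S+)", re.S)
# Constructed toy RSA keys (tiny primes, no padding): for illustration only.
RECV_PUB, RECV_PRIV = (3233, 17), (3233, pow(17, -1, 60 * 52))  # CMUCertificate
SEND_PUB, SEND_PRIV = (8633, 5), (8633, pow(5, -1, 88 * 96))    # RetsinaCertificate

def parse_kqml(text):
    """Split 'tell: :name value ...' into (performative, {name: value})."""
    head, _, body = text.strip().partition(":")
    return head.strip(), {k: v.strip("{}") for k, v in PARAM.findall(body)}

def digest(content, n):
    return int.from_bytes(hashlib.sha256(content.encode()).digest(), "big") % n

def sign_message(content, priv, cert, cert_name):
    """Sender, first step: build M with a signature over the content."""
    n, d = priv
    return (f"tell:\n:language PLAINTEXT\n:content {{{content}}}\n"
            f":senderCert {{{cert}}}\n:senderCertName {cert_name}\n"
            f":signature {{{pow(digest(content, n), d, n)}}}")

def seal(m, pub, cert_name):
    """Sender, second step: encrypt M for the key named by receiverCertName."""
    n, e = pub
    cipher = ",".join(str(pow(ord(ch), e, n)) for ch in m)
    return f"tell:\n:language CIPHER\n:content {{{cipher}}}\n:receiverCertName {cert_name}"

def receive(text, private_keys, trusted_certs):
    """Receiver: decrypt, re-parse M, verify. Raises ValueError on any failure."""
    _, outer = parse_kqml(text)
    if outer.get("language") != "CIPHER" or "content" not in outer:
        raise ValueError("expected an encrypted outer package")
    key = private_keys.get(outer.get("receiverCertName"))
    if key is None:
        raise ValueError("no private key for receiverCertName")
    n, d = key
    m = "".join(chr(pow(int(c), d, n)) for c in outer["content"].split(","))
    _, inner = parse_kqml(m)  # M is itself KQML, so it goes back to the parser
    if not {"content", "signature", "senderCert"} <= inner.keys():
        raise ValueError("content, signature and senderCert are all required")
    if inner["senderCert"] not in trusted_certs:
        raise ValueError("senderCert not authenticated")
    sn, se = map(int, inner["senderCert"].split(","))
    if pow(int(inner["signature"]), se, sn) != digest(inner["content"], sn):
        raise ValueError("signature does not match content")
    return inner["content"]

# Constructed sample message, signed by the sender and sealed for the receiver.
WIRE = seal(sign_message("price of IBM is 14", SEND_PRIV, "8633,5",
                         "RetsinaCertificate"), RECV_PUB, "CMUCertificate")
```

The receiver rejects the package when the named private key is unknown, when signature or senderCert is missing from M, when the certificate is not in the trusted set, or when the signature does not match the content.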
Qi He
Wed Feb 11 00:37:07 EST 1998