The PEM and PGP/X.509 authentication models and the Biba Integrity Model have limitations inherent in their design that diminish their practicality in real world applications. The ICE-TEL trust model addresses some of these difficulties, and introduces a few new limitations. The Common Security Services Manager's Trust Policy Interface Specification provides the guidelines with which new trust policies may be encoded, but does not implement an actual policy. This paper describes a new model that permits both the identity of the sender of a message, and the trustworthiness of the sender of the message to be determined. The model works regardless of whether or not the message was signed by a certificate authority with which the recipient has a relationship. The model can be implemented without changing the format of certificates that are currently in use, and could be used as a module in a broader security framework, such as the Common Security Services Manager.