security: Use VDL's mechanism for wire <-> native conversions for
Blessings.

This commit is the counterpart to the API change in:
https://vanadium-review.googlesource.com/6290

Mostly simplifies, but there are some rough edges still left
which will be addressed in separate commits:
(1) At a few places, the caller wants to access the underlying
    certificate chains of a security.Blessings object.
    Have to work out this API, but for now they either use
    security.MarshalBlessings or do a VOM-roundtrip (when
    performance is a non-concern)
(2) The BlessingStore implementation can be simplified considerably
    now, and should have a clear wire spec (.vdl file).
(3) The persistent store used by the mgmt code
    (veyron/services/mgmt/lib/fs) is using GOB to write out
    serialized forms. There is a plan to convert this to VOM
    but in the mean time I had to do something ugly - translate
    from application.Envelope (which is no longer GOBable) to
    a different type. This will go away once the store is converted
    to VOM.

MultiPart: 2/2

Change-Id: Iafb791afedf0a3ea4c9c1c766300213dace7d692
diff --git a/runtimes/google/ipc/blessings_cache.go b/runtimes/google/ipc/blessings_cache.go
index 204715a..06ec74b 100644
--- a/runtimes/google/ipc/blessings_cache.go
+++ b/runtimes/google/ipc/blessings_cache.go
@@ -109,8 +109,7 @@
 		return ipc.BlessingsRequest{Key: val.id}
 	}
 	// otherwise we still need to send both key and blessings, but we must ensure that we send the same key.
-	wireBlessings := security.MarshalBlessings(blessings)
-	return ipc.BlessingsRequest{val.id, &wireBlessings}
+	return ipc.BlessingsRequest{val.id, &blessings}
 }
 
 // nextIdLocked creates a new id for inserting blessings. It must be called after acquiring a writer lock.
@@ -153,10 +152,7 @@
 	stats.recordBlessingCache(false)
 	// Slowpath, might need to update the cache, or check that the received blessings are
 	// the same as what's in the cache.
-	recv, err := security.NewBlessings(*req.Blessings)
-	if err != nil {
-		return security.Blessings{}, fmt.Errorf("ipc: create new client blessings failed: %v", err)
-	}
+	recv := *req.Blessings
 	c.Lock()
 	defer c.Unlock()
 	if cached, exists := c.m[req.Key]; exists {
diff --git a/runtimes/google/ipc/client.go b/runtimes/google/ipc/client.go
index 2a9f92a..f9ced6b 100644
--- a/runtimes/google/ipc/client.go
+++ b/runtimes/google/ipc/client.go
@@ -799,7 +799,7 @@
 		Method:           method,
 		NumPosArgs:       uint64(len(args)),
 		Deadline:         vtime.Deadline{deadline},
-		GrantedBlessings: security.MarshalBlessings(fc.grantedBlessings),
+		GrantedBlessings: fc.grantedBlessings,
 		Blessings:        blessingsRequest,
 		Discharges:       discharges,
 		TraceRequest:     ivtrace.Request(fc.ctx),
diff --git a/runtimes/google/ipc/server.go b/runtimes/google/ipc/server.go
index 3c7db7c..8340516 100644
--- a/runtimes/google/ipc/server.go
+++ b/runtimes/google/ipc/server.go
@@ -1149,11 +1149,6 @@
 
 func (fs *flowServer) initSecurity(req *ipc.Request) error {
 	// If additional credentials are provided, make them available in the context
-	blessings, err := security.NewBlessings(req.GrantedBlessings)
-	if err != nil {
-		return verror.New(verror.ErrBadProtocol, fs.T, newErrBadBlessings(fs.T, err))
-	}
-	fs.grantedBlessings = blessings
 	// Detect unusable blessings now, rather then discovering they are unusable on
 	// first use.
 	//
@@ -1161,11 +1156,12 @@
 	// the server's identity as the blessing. Figure out what we want to do about
 	// this - should servers be able to assume that a blessing is something that
 	// does not have the authorizations that the server's own identity has?
-	if blessings.PublicKey() != nil && !reflect.DeepEqual(blessings.PublicKey(), fs.flow.LocalPrincipal().PublicKey()) {
-		return verror.New(verror.ErrNoAccess, fs.T, fmt.Sprintf("blessing granted not bound to this server(%v vs %v)", blessings.PublicKey(), fs.flow.LocalPrincipal().PublicKey()))
+	if b := req.GrantedBlessings; b.PublicKey() != nil && !reflect.DeepEqual(b.PublicKey(), fs.flow.LocalPrincipal().PublicKey()) {
+		return verror.New(verror.ErrNoAccess, fs.T, fmt.Sprintf("blessing granted not bound to this server(%v vs %v)", b.PublicKey(), fs.flow.LocalPrincipal().PublicKey()))
 	}
-	fs.clientBlessings, err = serverDecodeBlessings(fs.flow.VCDataCache(), req.Blessings, fs.server.stats)
-	if err != nil {
+	fs.grantedBlessings = req.GrantedBlessings
+	var err error
+	if fs.clientBlessings, err = serverDecodeBlessings(fs.flow.VCDataCache(), req.Blessings, fs.server.stats); err != nil {
 		// When the server can't access the blessings cache, the client is not following
 		// protocol, so the server closes the VCs corresponding to the client endpoint.
 		// TODO(suharshs,toddw): Figure out a way to only shutdown the current VC, instead
diff --git a/runtimes/google/ipc/stream/vc/auth.go b/runtimes/google/ipc/stream/vc/auth.go
index b333b3a..43442b3 100644
--- a/runtimes/google/ipc/stream/vc/auth.go
+++ b/runtimes/google/ipc/stream/vc/auth.go
@@ -94,7 +94,7 @@
 	if err := enc.Encode(signature); err != nil {
 		return err
 	}
-	if err := enc.Encode(security.MarshalBlessings(b)); err != nil {
+	if err := enc.Encode(b); err != nil {
 		return err
 	}
 	if v >= version.IPCVersion7 {
@@ -143,13 +143,13 @@
 	}
 
 	var (
-		wireb security.WireBlessings
-		sig   security.Signature
+		blessings security.Blessings
+		sig       security.Signature
 	)
 	if err = dec.Decode(&sig); err != nil {
 		return noBlessings, nil, err
 	}
-	if err = dec.Decode(&wireb); err != nil {
+	if err = dec.Decode(&blessings); err != nil {
 		return noBlessings, nil, err
 	}
 	var discharges map[string]security.Discharge
@@ -177,10 +177,6 @@
 			}
 		}
 	}
-	blessings, err := security.NewBlessings(wireb)
-	if err != nil {
-		return noBlessings, nil, err
-	}
 	if !sig.Verify(blessings.PublicKey(), append(tag, crypter.ChannelBinding()...)) {
 		return noBlessings, nil, errInvalidSignatureInMessage
 	}
diff --git a/security/agent/client.go b/security/agent/client.go
index cb887b2..92a33ab 100644
--- a/security/agent/client.go
+++ b/security/agent/client.go
@@ -105,23 +105,19 @@
 }
 
 func (c *client) Bless(key security.PublicKey, with security.Blessings, extension string, caveat security.Caveat, additionalCaveats ...security.Caveat) (security.Blessings, error) {
-	var blessings security.WireBlessings
+	var blessings security.Blessings
 	marshalledKey, err := key.MarshalBinary()
 	if err != nil {
 		return security.Blessings{}, err
 	}
-	if err = c.caller.call("Bless", results(&blessings), marshalledKey, security.MarshalBlessings(with), extension, caveat, additionalCaveats); err != nil {
-		return security.Blessings{}, err
-	}
-	return security.NewBlessings(blessings)
+	err = c.caller.call("Bless", results(&blessings), marshalledKey, with, extension, caveat, additionalCaveats)
+	return blessings, err
 }
 
 func (c *client) BlessSelf(name string, caveats ...security.Caveat) (security.Blessings, error) {
-	var blessings security.WireBlessings
-	if err := c.caller.call("BlessSelf", results(&blessings), name, caveats); err != nil {
-		return security.Blessings{}, err
-	}
-	return security.NewBlessings(blessings)
+	var blessings security.Blessings
+	err := c.caller.call("BlessSelf", results(&blessings), name, caveats)
+	return blessings, err
 }
 
 func (c *client) Sign(message []byte) (sig security.Signature, err error) {
@@ -142,26 +138,17 @@
 }
 
 func (c *client) BlessingsByName(pattern security.BlessingPattern) []security.Blessings {
-	var wbResults []security.WireBlessings
-	err := c.caller.call("BlessingsByName", results(&wbResults), pattern)
-	if err != nil {
+	var blessings []security.Blessings
+	if err := c.caller.call("BlessingsByName", results(&blessings), pattern); err != nil {
 		vlog.Errorf("error calling BlessingsByName: %v", err)
 		return nil
 	}
-	blessings := make([]security.Blessings, len(wbResults))
-	for i, wb := range wbResults {
-		var err error
-		blessings[i], err = security.NewBlessings(wb)
-		if err != nil {
-			vlog.Errorf("error creating Blessing from WireBlessings: %v", err)
-		}
-	}
 	return blessings
 }
 
 func (c *client) BlessingsInfo(blessings security.Blessings) map[string][]security.Caveat {
 	var bInfo map[string][]security.Caveat
-	err := c.caller.call("BlessingsInfo", results(&bInfo), security.MarshalBlessings(blessings))
+	err := c.caller.call("BlessingsInfo", results(&bInfo), blessings)
 	if err != nil {
 		vlog.Errorf("error calling BlessingsInfo: %v", err)
 		return nil
@@ -177,7 +164,7 @@
 }
 
 func (c *client) AddToRoots(blessings security.Blessings) error {
-	return c.caller.call("AddToRoots", results(), security.MarshalBlessings(blessings))
+	return c.caller.call("AddToRoots", results(), blessings)
 }
 
 type blessingStore struct {
@@ -186,43 +173,30 @@
 }
 
 func (b *blessingStore) Set(blessings security.Blessings, forPeers security.BlessingPattern) (security.Blessings, error) {
-	var resultBlessings security.WireBlessings
-	if err := b.caller.call("BlessingStoreSet", results(&resultBlessings), security.MarshalBlessings(blessings), forPeers); err != nil {
-		return security.Blessings{}, err
-	}
-	return security.NewBlessings(resultBlessings)
+	var previous security.Blessings
+	err := b.caller.call("BlessingStoreSet", results(&previous), blessings, forPeers)
+	return previous, err
 }
 
 func (b *blessingStore) ForPeer(peerBlessings ...string) security.Blessings {
-	var resultBlessings security.WireBlessings
-	err := b.caller.call("BlessingStoreForPeer", results(&resultBlessings), peerBlessings)
-	if err != nil {
-		vlog.Errorf("error calling BlessingStoreForPeer: %v", err)
-		return security.Blessings{}
-	}
-	blessings, err := security.NewBlessings(resultBlessings)
-	if err != nil {
-		vlog.Errorf("error creating Blessings from WireBlessings: %v", err)
-		return security.Blessings{}
+	var blessings security.Blessings
+	if err := b.caller.call("BlessingStoreForPeer", results(&blessings), peerBlessings); err != nil {
+		vlog.Errorf("error calling BlessingStorePeerBlessings: %v", err)
 	}
 	return blessings
 }
 
 func (b *blessingStore) SetDefault(blessings security.Blessings) error {
-	return b.caller.call("BlessingStoreSetDefault", results(), security.MarshalBlessings(blessings))
+	return b.caller.call("BlessingStoreSetDefault", results(), blessings)
 }
 
 func (b *blessingStore) Default() security.Blessings {
-	var resultBlessings security.WireBlessings
-	err := b.caller.call("BlessingStoreDefault", results(&resultBlessings))
+	var blessings security.Blessings
+	err := b.caller.call("BlessingStoreDefault", results(&blessings))
 	if err != nil {
 		vlog.Errorf("error calling BlessingStoreDefault: %v", err)
 		return security.Blessings{}
 	}
-	blessings, err := security.NewBlessings(resultBlessings)
-	if err != nil {
-		vlog.Errorf("error creating Blessing from WireBlessings: %v", err)
-	}
 	return blessings
 }
 
@@ -231,22 +205,13 @@
 }
 
 func (b *blessingStore) PeerBlessings() map[security.BlessingPattern]security.Blessings {
-	var wbMap map[security.BlessingPattern]security.WireBlessings
-	err := b.caller.call("BlessingStorePeerBlessings", results(&wbMap))
+	var bmap map[security.BlessingPattern]security.Blessings
+	err := b.caller.call("BlessingStorePeerBlessings", results(&bmap))
 	if err != nil {
 		vlog.Errorf("error calling BlessingStorePeerBlessings: %v", err)
 		return nil
 	}
-	bMap := make(map[security.BlessingPattern]security.Blessings)
-	for pattern, wb := range wbMap {
-		blessings, err := security.NewBlessings(wb)
-		if err != nil {
-			vlog.Errorf("error creating Blessing from WireBlessings: %v", err)
-			return nil
-		}
-		bMap[pattern] = blessings
-	}
-	return bMap
+	return bmap
 }
 
 func (b *blessingStore) DebugString() (s string) {
diff --git a/security/agent/server/server.go b/security/agent/server/server.go
index d89b7a8..78e9ace 100644
--- a/security/agent/server/server.go
+++ b/security/agent/server/server.go
@@ -271,28 +271,16 @@
 	return nil
 }
 
-func (a agentd) Bless(_ ipc.ServerCall, key []byte, with security.WireBlessings, extension string, caveat security.Caveat, additionalCaveats []security.Caveat) (security.WireBlessings, error) {
+func (a agentd) Bless(_ ipc.ServerCall, key []byte, with security.Blessings, extension string, caveat security.Caveat, additionalCaveats []security.Caveat) (security.Blessings, error) {
 	pkey, err := security.UnmarshalPublicKey(key)
 	if err != nil {
-		return security.WireBlessings{}, err
+		return security.Blessings{}, err
 	}
-	withBlessings, err := security.NewBlessings(with)
-	if err != nil {
-		return security.WireBlessings{}, err
-	}
-	blessings, err := a.principal.Bless(pkey, withBlessings, extension, caveat, additionalCaveats...)
-	if err != nil {
-		return security.WireBlessings{}, err
-	}
-	return security.MarshalBlessings(blessings), nil
+	return a.principal.Bless(pkey, with, extension, caveat, additionalCaveats...)
 }
 
-func (a agentd) BlessSelf(_ ipc.ServerCall, name string, caveats []security.Caveat) (security.WireBlessings, error) {
-	blessings, err := a.principal.BlessSelf(name, caveats...)
-	if err != nil {
-		return security.WireBlessings{}, err
-	}
-	return security.MarshalBlessings(blessings), nil
+func (a agentd) BlessSelf(_ ipc.ServerCall, name string, caveats []security.Caveat) (security.Blessings, error) {
+	return a.principal.BlessSelf(name, caveats...)
 }
 
 func (a agentd) Sign(_ ipc.ServerCall, message []byte) (security.Signature, error) {
@@ -362,76 +350,46 @@
 	return a.principal.PublicKey().MarshalBinary()
 }
 
-func (a agentd) BlessingsByName(_ ipc.ServerCall, name security.BlessingPattern) ([]security.WireBlessings, error) {
+func (a agentd) BlessingsByName(_ ipc.ServerCall, name security.BlessingPattern) ([]security.Blessings, error) {
 	a.w.rlock()
 	defer a.w.runlock()
-	blessings := a.principal.BlessingsByName(name)
-	ret := make([]security.WireBlessings, len(blessings))
-	for i, b := range blessings {
-		ret[i] = security.MarshalBlessings(b)
-	}
-	return ret, nil
+	return a.principal.BlessingsByName(name), nil
 }
 
-func (a agentd) BlessingsInfo(_ ipc.ServerCall, blessings security.WireBlessings) (map[string][]security.Caveat, error) {
-	b, err := security.NewBlessings(blessings)
-	if err != nil {
-		return nil, err
-	}
+func (a agentd) BlessingsInfo(_ ipc.ServerCall, blessings security.Blessings) (map[string][]security.Caveat, error) {
 	a.w.rlock()
 	defer a.w.runlock()
-	return a.principal.BlessingsInfo(b), nil
+	return a.principal.BlessingsInfo(blessings), nil
 }
 
-func (a agentd) AddToRoots(_ ipc.ServerCall, wireBlessings security.WireBlessings) error {
-	blessings, err := security.NewBlessings(wireBlessings)
-	if err != nil {
-		return err
-	}
+func (a agentd) AddToRoots(_ ipc.ServerCall, blessings security.Blessings) error {
 	a.w.lock()
 	defer a.w.unlock(a.id)
 	return a.principal.AddToRoots(blessings)
 }
 
-func (a agentd) BlessingStoreSet(_ ipc.ServerCall, wireBlessings security.WireBlessings, forPeers security.BlessingPattern) (security.WireBlessings, error) {
-	blessings, err := security.NewBlessings(wireBlessings)
-	if err != nil {
-		return security.WireBlessings{}, err
-	}
+func (a agentd) BlessingStoreSet(_ ipc.ServerCall, blessings security.Blessings, forPeers security.BlessingPattern) (security.Blessings, error) {
 	a.w.lock()
-	resultBlessings, err := a.principal.BlessingStore().Set(blessings, forPeers)
-	a.w.unlock(a.id)
-	if err != nil {
-		return security.WireBlessings{}, err
-	}
-	return security.MarshalBlessings(resultBlessings), nil
+	defer a.w.unlock(a.id)
+	return a.principal.BlessingStore().Set(blessings, forPeers)
 }
 
-func (a agentd) BlessingStoreForPeer(_ ipc.ServerCall, peerBlessings []string) (security.WireBlessings, error) {
+func (a agentd) BlessingStoreForPeer(_ ipc.ServerCall, peerBlessings []string) (security.Blessings, error) {
 	a.w.rlock()
 	defer a.w.runlock()
-	return security.MarshalBlessings(a.principal.BlessingStore().ForPeer(peerBlessings...)), nil
+	return a.principal.BlessingStore().ForPeer(peerBlessings...), nil
 }
 
-func (a agentd) BlessingStoreSetDefault(_ ipc.ServerCall, wireBlessings security.WireBlessings) error {
-	blessings, err := security.NewBlessings(wireBlessings)
-	if err != nil {
-		return err
-	}
+func (a agentd) BlessingStoreSetDefault(_ ipc.ServerCall, blessings security.Blessings) error {
 	a.w.lock()
 	defer a.w.unlock(a.id)
 	return a.principal.BlessingStore().SetDefault(blessings)
 }
 
-func (a agentd) BlessingStorePeerBlessings(_ ipc.ServerCall) (map[security.BlessingPattern]security.WireBlessings, error) {
+func (a agentd) BlessingStorePeerBlessings(_ ipc.ServerCall) (map[security.BlessingPattern]security.Blessings, error) {
 	a.w.rlock()
-	bMap := a.principal.BlessingStore().PeerBlessings()
-	a.w.runlock()
-	wbMap := make(map[security.BlessingPattern]security.WireBlessings, len(bMap))
-	for p, b := range bMap {
-		wbMap[p] = security.MarshalBlessings(b)
-	}
-	return wbMap, nil
+	defer a.w.runlock()
+	return a.principal.BlessingStore().PeerBlessings(), nil
 }
 
 func (a agentd) BlessingStoreDebugString(_ ipc.ServerCall) (string, error) {
@@ -440,10 +398,10 @@
 	return a.principal.BlessingStore().DebugString(), nil
 }
 
-func (a agentd) BlessingStoreDefault(_ ipc.ServerCall) (security.WireBlessings, error) {
+func (a agentd) BlessingStoreDefault(_ ipc.ServerCall) (security.Blessings, error) {
 	a.w.rlock()
 	defer a.w.runlock()
-	return security.MarshalBlessings(a.principal.BlessingStore().Default()), nil
+	return a.principal.BlessingStore().Default(), nil
 }
 
 func (a agentd) BlessingRootsAdd(_ ipc.ServerCall, root []byte, pattern security.BlessingPattern) error {
diff --git a/security/agent/server/wire.vdl.go b/security/agent/server/wire.vdl.go
index d02c82e..65f1fc2 100644
--- a/security/agent/server/wire.vdl.go
+++ b/security/agent/server/wire.vdl.go
@@ -17,19 +17,19 @@
 // AgentClientMethods is the client interface
 // containing Agent methods.
 type AgentClientMethods interface {
-	Bless(ctx *context.T, key []byte, wit security.WireBlessings, extension string, caveat security.Caveat, additionalCaveats []security.Caveat, opts ...ipc.CallOpt) (security.WireBlessings, error)
-	BlessSelf(ctx *context.T, name string, caveats []security.Caveat, opts ...ipc.CallOpt) (security.WireBlessings, error)
+	Bless(ctx *context.T, key []byte, wit security.Blessings, extension string, caveat security.Caveat, additionalCaveats []security.Caveat, opts ...ipc.CallOpt) (security.Blessings, error)
+	BlessSelf(ctx *context.T, name string, caveats []security.Caveat, opts ...ipc.CallOpt) (security.Blessings, error)
 	Sign(ctx *context.T, message []byte, opts ...ipc.CallOpt) (security.Signature, error)
 	MintDischarge(ctx *context.T, forCaveat security.Caveat, caveatOnDischarge security.Caveat, additionalCaveatsOnDischarge []security.Caveat, opts ...ipc.CallOpt) (security.WireDischarge, error)
 	PublicKey(*context.T, ...ipc.CallOpt) ([]byte, error)
-	BlessingsByName(ctx *context.T, name security.BlessingPattern, opts ...ipc.CallOpt) ([]security.WireBlessings, error)
-	BlessingsInfo(ctx *context.T, blessings security.WireBlessings, opts ...ipc.CallOpt) (map[string][]security.Caveat, error)
-	AddToRoots(ctx *context.T, blessing security.WireBlessings, opts ...ipc.CallOpt) error
-	BlessingStoreSet(ctx *context.T, blessings security.WireBlessings, forPeers security.BlessingPattern, opts ...ipc.CallOpt) (security.WireBlessings, error)
-	BlessingStoreForPeer(ctx *context.T, peerBlessings []string, opts ...ipc.CallOpt) (security.WireBlessings, error)
-	BlessingStoreSetDefault(ctx *context.T, blessings security.WireBlessings, opts ...ipc.CallOpt) error
-	BlessingStoreDefault(*context.T, ...ipc.CallOpt) (security.WireBlessings, error)
-	BlessingStorePeerBlessings(*context.T, ...ipc.CallOpt) (map[security.BlessingPattern]security.WireBlessings, error)
+	BlessingsByName(ctx *context.T, name security.BlessingPattern, opts ...ipc.CallOpt) ([]security.Blessings, error)
+	BlessingsInfo(ctx *context.T, blessings security.Blessings, opts ...ipc.CallOpt) (map[string][]security.Caveat, error)
+	AddToRoots(ctx *context.T, blessing security.Blessings, opts ...ipc.CallOpt) error
+	BlessingStoreSet(ctx *context.T, blessings security.Blessings, forPeers security.BlessingPattern, opts ...ipc.CallOpt) (security.Blessings, error)
+	BlessingStoreForPeer(ctx *context.T, peerBlessings []string, opts ...ipc.CallOpt) (security.Blessings, error)
+	BlessingStoreSetDefault(ctx *context.T, blessings security.Blessings, opts ...ipc.CallOpt) error
+	BlessingStoreDefault(*context.T, ...ipc.CallOpt) (security.Blessings, error)
+	BlessingStorePeerBlessings(*context.T, ...ipc.CallOpt) (map[security.BlessingPattern]security.Blessings, error)
 	BlessingStoreDebugString(*context.T, ...ipc.CallOpt) (string, error)
 	BlessingRootsAdd(ctx *context.T, root []byte, pattern security.BlessingPattern, opts ...ipc.CallOpt) error
 	BlessingRootsRecognized(ctx *context.T, root []byte, blessing string, opts ...ipc.CallOpt) error
@@ -70,7 +70,7 @@
 	return v23.GetClient(ctx)
 }
 
-func (c implAgentClientStub) Bless(ctx *context.T, i0 []byte, i1 security.WireBlessings, i2 string, i3 security.Caveat, i4 []security.Caveat, opts ...ipc.CallOpt) (o0 security.WireBlessings, err error) {
+func (c implAgentClientStub) Bless(ctx *context.T, i0 []byte, i1 security.Blessings, i2 string, i3 security.Caveat, i4 []security.Caveat, opts ...ipc.CallOpt) (o0 security.Blessings, err error) {
 	var call ipc.ClientCall
 	if call, err = c.c(ctx).StartCall(ctx, c.name, "Bless", []interface{}{i0, i1, i2, i3, i4}, opts...); err != nil {
 		return
@@ -79,7 +79,7 @@
 	return
 }
 
-func (c implAgentClientStub) BlessSelf(ctx *context.T, i0 string, i1 []security.Caveat, opts ...ipc.CallOpt) (o0 security.WireBlessings, err error) {
+func (c implAgentClientStub) BlessSelf(ctx *context.T, i0 string, i1 []security.Caveat, opts ...ipc.CallOpt) (o0 security.Blessings, err error) {
 	var call ipc.ClientCall
 	if call, err = c.c(ctx).StartCall(ctx, c.name, "BlessSelf", []interface{}{i0, i1}, opts...); err != nil {
 		return
@@ -115,7 +115,7 @@
 	return
 }
 
-func (c implAgentClientStub) BlessingsByName(ctx *context.T, i0 security.BlessingPattern, opts ...ipc.CallOpt) (o0 []security.WireBlessings, err error) {
+func (c implAgentClientStub) BlessingsByName(ctx *context.T, i0 security.BlessingPattern, opts ...ipc.CallOpt) (o0 []security.Blessings, err error) {
 	var call ipc.ClientCall
 	if call, err = c.c(ctx).StartCall(ctx, c.name, "BlessingsByName", []interface{}{i0}, opts...); err != nil {
 		return
@@ -124,7 +124,7 @@
 	return
 }
 
-func (c implAgentClientStub) BlessingsInfo(ctx *context.T, i0 security.WireBlessings, opts ...ipc.CallOpt) (o0 map[string][]security.Caveat, err error) {
+func (c implAgentClientStub) BlessingsInfo(ctx *context.T, i0 security.Blessings, opts ...ipc.CallOpt) (o0 map[string][]security.Caveat, err error) {
 	var call ipc.ClientCall
 	if call, err = c.c(ctx).StartCall(ctx, c.name, "BlessingsInfo", []interface{}{i0}, opts...); err != nil {
 		return
@@ -133,7 +133,7 @@
 	return
 }
 
-func (c implAgentClientStub) AddToRoots(ctx *context.T, i0 security.WireBlessings, opts ...ipc.CallOpt) (err error) {
+func (c implAgentClientStub) AddToRoots(ctx *context.T, i0 security.Blessings, opts ...ipc.CallOpt) (err error) {
 	var call ipc.ClientCall
 	if call, err = c.c(ctx).StartCall(ctx, c.name, "AddToRoots", []interface{}{i0}, opts...); err != nil {
 		return
@@ -142,7 +142,7 @@
 	return
 }
 
-func (c implAgentClientStub) BlessingStoreSet(ctx *context.T, i0 security.WireBlessings, i1 security.BlessingPattern, opts ...ipc.CallOpt) (o0 security.WireBlessings, err error) {
+func (c implAgentClientStub) BlessingStoreSet(ctx *context.T, i0 security.Blessings, i1 security.BlessingPattern, opts ...ipc.CallOpt) (o0 security.Blessings, err error) {
 	var call ipc.ClientCall
 	if call, err = c.c(ctx).StartCall(ctx, c.name, "BlessingStoreSet", []interface{}{i0, i1}, opts...); err != nil {
 		return
@@ -151,7 +151,7 @@
 	return
 }
 
-func (c implAgentClientStub) BlessingStoreForPeer(ctx *context.T, i0 []string, opts ...ipc.CallOpt) (o0 security.WireBlessings, err error) {
+func (c implAgentClientStub) BlessingStoreForPeer(ctx *context.T, i0 []string, opts ...ipc.CallOpt) (o0 security.Blessings, err error) {
 	var call ipc.ClientCall
 	if call, err = c.c(ctx).StartCall(ctx, c.name, "BlessingStoreForPeer", []interface{}{i0}, opts...); err != nil {
 		return
@@ -160,7 +160,7 @@
 	return
 }
 
-func (c implAgentClientStub) BlessingStoreSetDefault(ctx *context.T, i0 security.WireBlessings, opts ...ipc.CallOpt) (err error) {
+func (c implAgentClientStub) BlessingStoreSetDefault(ctx *context.T, i0 security.Blessings, opts ...ipc.CallOpt) (err error) {
 	var call ipc.ClientCall
 	if call, err = c.c(ctx).StartCall(ctx, c.name, "BlessingStoreSetDefault", []interface{}{i0}, opts...); err != nil {
 		return
@@ -169,7 +169,7 @@
 	return
 }
 
-func (c implAgentClientStub) BlessingStoreDefault(ctx *context.T, opts ...ipc.CallOpt) (o0 security.WireBlessings, err error) {
+func (c implAgentClientStub) BlessingStoreDefault(ctx *context.T, opts ...ipc.CallOpt) (o0 security.Blessings, err error) {
 	var call ipc.ClientCall
 	if call, err = c.c(ctx).StartCall(ctx, c.name, "BlessingStoreDefault", nil, opts...); err != nil {
 		return
@@ -178,7 +178,7 @@
 	return
 }
 
-func (c implAgentClientStub) BlessingStorePeerBlessings(ctx *context.T, opts ...ipc.CallOpt) (o0 map[security.BlessingPattern]security.WireBlessings, err error) {
+func (c implAgentClientStub) BlessingStorePeerBlessings(ctx *context.T, opts ...ipc.CallOpt) (o0 map[security.BlessingPattern]security.Blessings, err error) {
 	var call ipc.ClientCall
 	if call, err = c.c(ctx).StartCall(ctx, c.name, "BlessingStorePeerBlessings", nil, opts...); err != nil {
 		return
@@ -303,19 +303,19 @@
 // AgentServerMethods is the interface a server writer
 // implements for Agent.
 type AgentServerMethods interface {
-	Bless(ctx ipc.ServerCall, key []byte, wit security.WireBlessings, extension string, caveat security.Caveat, additionalCaveats []security.Caveat) (security.WireBlessings, error)
-	BlessSelf(ctx ipc.ServerCall, name string, caveats []security.Caveat) (security.WireBlessings, error)
+	Bless(ctx ipc.ServerCall, key []byte, wit security.Blessings, extension string, caveat security.Caveat, additionalCaveats []security.Caveat) (security.Blessings, error)
+	BlessSelf(ctx ipc.ServerCall, name string, caveats []security.Caveat) (security.Blessings, error)
 	Sign(ctx ipc.ServerCall, message []byte) (security.Signature, error)
 	MintDischarge(ctx ipc.ServerCall, forCaveat security.Caveat, caveatOnDischarge security.Caveat, additionalCaveatsOnDischarge []security.Caveat) (security.WireDischarge, error)
 	PublicKey(ipc.ServerCall) ([]byte, error)
-	BlessingsByName(ctx ipc.ServerCall, name security.BlessingPattern) ([]security.WireBlessings, error)
-	BlessingsInfo(ctx ipc.ServerCall, blessings security.WireBlessings) (map[string][]security.Caveat, error)
-	AddToRoots(ctx ipc.ServerCall, blessing security.WireBlessings) error
-	BlessingStoreSet(ctx ipc.ServerCall, blessings security.WireBlessings, forPeers security.BlessingPattern) (security.WireBlessings, error)
-	BlessingStoreForPeer(ctx ipc.ServerCall, peerBlessings []string) (security.WireBlessings, error)
-	BlessingStoreSetDefault(ctx ipc.ServerCall, blessings security.WireBlessings) error
-	BlessingStoreDefault(ipc.ServerCall) (security.WireBlessings, error)
-	BlessingStorePeerBlessings(ipc.ServerCall) (map[security.BlessingPattern]security.WireBlessings, error)
+	BlessingsByName(ctx ipc.ServerCall, name security.BlessingPattern) ([]security.Blessings, error)
+	BlessingsInfo(ctx ipc.ServerCall, blessings security.Blessings) (map[string][]security.Caveat, error)
+	AddToRoots(ctx ipc.ServerCall, blessing security.Blessings) error
+	BlessingStoreSet(ctx ipc.ServerCall, blessings security.Blessings, forPeers security.BlessingPattern) (security.Blessings, error)
+	BlessingStoreForPeer(ctx ipc.ServerCall, peerBlessings []string) (security.Blessings, error)
+	BlessingStoreSetDefault(ctx ipc.ServerCall, blessings security.Blessings) error
+	BlessingStoreDefault(ipc.ServerCall) (security.Blessings, error)
+	BlessingStorePeerBlessings(ipc.ServerCall) (map[security.BlessingPattern]security.Blessings, error)
 	BlessingStoreDebugString(ipc.ServerCall) (string, error)
 	BlessingRootsAdd(ctx ipc.ServerCall, root []byte, pattern security.BlessingPattern) error
 	BlessingRootsRecognized(ctx ipc.ServerCall, root []byte, blessing string) error
@@ -332,19 +332,19 @@
 // The only difference between this interface and AgentServerMethods
 // is the streaming methods.
 type AgentServerStubMethods interface {
-	Bless(ctx ipc.ServerCall, key []byte, wit security.WireBlessings, extension string, caveat security.Caveat, additionalCaveats []security.Caveat) (security.WireBlessings, error)
-	BlessSelf(ctx ipc.ServerCall, name string, caveats []security.Caveat) (security.WireBlessings, error)
+	Bless(ctx ipc.ServerCall, key []byte, wit security.Blessings, extension string, caveat security.Caveat, additionalCaveats []security.Caveat) (security.Blessings, error)
+	BlessSelf(ctx ipc.ServerCall, name string, caveats []security.Caveat) (security.Blessings, error)
 	Sign(ctx ipc.ServerCall, message []byte) (security.Signature, error)
 	MintDischarge(ctx ipc.ServerCall, forCaveat security.Caveat, caveatOnDischarge security.Caveat, additionalCaveatsOnDischarge []security.Caveat) (security.WireDischarge, error)
 	PublicKey(ipc.ServerCall) ([]byte, error)
-	BlessingsByName(ctx ipc.ServerCall, name security.BlessingPattern) ([]security.WireBlessings, error)
-	BlessingsInfo(ctx ipc.ServerCall, blessings security.WireBlessings) (map[string][]security.Caveat, error)
-	AddToRoots(ctx ipc.ServerCall, blessing security.WireBlessings) error
-	BlessingStoreSet(ctx ipc.ServerCall, blessings security.WireBlessings, forPeers security.BlessingPattern) (security.WireBlessings, error)
-	BlessingStoreForPeer(ctx ipc.ServerCall, peerBlessings []string) (security.WireBlessings, error)
-	BlessingStoreSetDefault(ctx ipc.ServerCall, blessings security.WireBlessings) error
-	BlessingStoreDefault(ipc.ServerCall) (security.WireBlessings, error)
-	BlessingStorePeerBlessings(ipc.ServerCall) (map[security.BlessingPattern]security.WireBlessings, error)
+	BlessingsByName(ctx ipc.ServerCall, name security.BlessingPattern) ([]security.Blessings, error)
+	BlessingsInfo(ctx ipc.ServerCall, blessings security.Blessings) (map[string][]security.Caveat, error)
+	AddToRoots(ctx ipc.ServerCall, blessing security.Blessings) error
+	BlessingStoreSet(ctx ipc.ServerCall, blessings security.Blessings, forPeers security.BlessingPattern) (security.Blessings, error)
+	BlessingStoreForPeer(ctx ipc.ServerCall, peerBlessings []string) (security.Blessings, error)
+	BlessingStoreSetDefault(ctx ipc.ServerCall, blessings security.Blessings) error
+	BlessingStoreDefault(ipc.ServerCall) (security.Blessings, error)
+	BlessingStorePeerBlessings(ipc.ServerCall) (map[security.BlessingPattern]security.Blessings, error)
 	BlessingStoreDebugString(ipc.ServerCall) (string, error)
 	BlessingRootsAdd(ctx ipc.ServerCall, root []byte, pattern security.BlessingPattern) error
 	BlessingRootsRecognized(ctx ipc.ServerCall, root []byte, blessing string) error
@@ -385,11 +385,11 @@
 	gs   *ipc.GlobState
 }
 
-func (s implAgentServerStub) Bless(ctx ipc.ServerCall, i0 []byte, i1 security.WireBlessings, i2 string, i3 security.Caveat, i4 []security.Caveat) (security.WireBlessings, error) {
+func (s implAgentServerStub) Bless(ctx ipc.ServerCall, i0 []byte, i1 security.Blessings, i2 string, i3 security.Caveat, i4 []security.Caveat) (security.Blessings, error) {
 	return s.impl.Bless(ctx, i0, i1, i2, i3, i4)
 }
 
-func (s implAgentServerStub) BlessSelf(ctx ipc.ServerCall, i0 string, i1 []security.Caveat) (security.WireBlessings, error) {
+func (s implAgentServerStub) BlessSelf(ctx ipc.ServerCall, i0 string, i1 []security.Caveat) (security.Blessings, error) {
 	return s.impl.BlessSelf(ctx, i0, i1)
 }
 
@@ -405,35 +405,35 @@
 	return s.impl.PublicKey(ctx)
 }
 
-func (s implAgentServerStub) BlessingsByName(ctx ipc.ServerCall, i0 security.BlessingPattern) ([]security.WireBlessings, error) {
+func (s implAgentServerStub) BlessingsByName(ctx ipc.ServerCall, i0 security.BlessingPattern) ([]security.Blessings, error) {
 	return s.impl.BlessingsByName(ctx, i0)
 }
 
-func (s implAgentServerStub) BlessingsInfo(ctx ipc.ServerCall, i0 security.WireBlessings) (map[string][]security.Caveat, error) {
+func (s implAgentServerStub) BlessingsInfo(ctx ipc.ServerCall, i0 security.Blessings) (map[string][]security.Caveat, error) {
 	return s.impl.BlessingsInfo(ctx, i0)
 }
 
-func (s implAgentServerStub) AddToRoots(ctx ipc.ServerCall, i0 security.WireBlessings) error {
+func (s implAgentServerStub) AddToRoots(ctx ipc.ServerCall, i0 security.Blessings) error {
 	return s.impl.AddToRoots(ctx, i0)
 }
 
-func (s implAgentServerStub) BlessingStoreSet(ctx ipc.ServerCall, i0 security.WireBlessings, i1 security.BlessingPattern) (security.WireBlessings, error) {
+func (s implAgentServerStub) BlessingStoreSet(ctx ipc.ServerCall, i0 security.Blessings, i1 security.BlessingPattern) (security.Blessings, error) {
 	return s.impl.BlessingStoreSet(ctx, i0, i1)
 }
 
-func (s implAgentServerStub) BlessingStoreForPeer(ctx ipc.ServerCall, i0 []string) (security.WireBlessings, error) {
+func (s implAgentServerStub) BlessingStoreForPeer(ctx ipc.ServerCall, i0 []string) (security.Blessings, error) {
 	return s.impl.BlessingStoreForPeer(ctx, i0)
 }
 
-func (s implAgentServerStub) BlessingStoreSetDefault(ctx ipc.ServerCall, i0 security.WireBlessings) error {
+func (s implAgentServerStub) BlessingStoreSetDefault(ctx ipc.ServerCall, i0 security.Blessings) error {
 	return s.impl.BlessingStoreSetDefault(ctx, i0)
 }
 
-func (s implAgentServerStub) BlessingStoreDefault(ctx ipc.ServerCall) (security.WireBlessings, error) {
+func (s implAgentServerStub) BlessingStoreDefault(ctx ipc.ServerCall) (security.Blessings, error) {
 	return s.impl.BlessingStoreDefault(ctx)
 }
 
-func (s implAgentServerStub) BlessingStorePeerBlessings(ctx ipc.ServerCall) (map[security.BlessingPattern]security.WireBlessings, error) {
+func (s implAgentServerStub) BlessingStorePeerBlessings(ctx ipc.ServerCall) (map[security.BlessingPattern]security.Blessings, error) {
 	return s.impl.BlessingStorePeerBlessings(ctx)
 }
 
@@ -477,13 +477,13 @@
 			Name: "Bless",
 			InArgs: []ipc.ArgDesc{
 				{"key", ``},               // []byte
-				{"wit", ``},               // security.WireBlessings
+				{"wit", ``},               // security.Blessings
 				{"extension", ``},         // string
 				{"caveat", ``},            // security.Caveat
 				{"additionalCaveats", ``}, // []security.Caveat
 			},
 			OutArgs: []ipc.ArgDesc{
-				{"", ``}, // security.WireBlessings
+				{"", ``}, // security.Blessings
 			},
 		},
 		{
@@ -493,7 +493,7 @@
 				{"caveats", ``}, // []security.Caveat
 			},
 			OutArgs: []ipc.ArgDesc{
-				{"", ``}, // security.WireBlessings
+				{"", ``}, // security.Blessings
 			},
 		},
 		{
@@ -528,13 +528,13 @@
 				{"name", ``}, // security.BlessingPattern
 			},
 			OutArgs: []ipc.ArgDesc{
-				{"", ``}, // []security.WireBlessings
+				{"", ``}, // []security.Blessings
 			},
 		},
 		{
 			Name: "BlessingsInfo",
 			InArgs: []ipc.ArgDesc{
-				{"blessings", ``}, // security.WireBlessings
+				{"blessings", ``}, // security.Blessings
 			},
 			OutArgs: []ipc.ArgDesc{
 				{"", ``}, // map[string][]security.Caveat
@@ -543,17 +543,17 @@
 		{
 			Name: "AddToRoots",
 			InArgs: []ipc.ArgDesc{
-				{"blessing", ``}, // security.WireBlessings
+				{"blessing", ``}, // security.Blessings
 			},
 		},
 		{
 			Name: "BlessingStoreSet",
 			InArgs: []ipc.ArgDesc{
-				{"blessings", ``}, // security.WireBlessings
+				{"blessings", ``}, // security.Blessings
 				{"forPeers", ``},  // security.BlessingPattern
 			},
 			OutArgs: []ipc.ArgDesc{
-				{"", ``}, // security.WireBlessings
+				{"", ``}, // security.Blessings
 			},
 		},
 		{
@@ -562,25 +562,25 @@
 				{"peerBlessings", ``}, // []string
 			},
 			OutArgs: []ipc.ArgDesc{
-				{"", ``}, // security.WireBlessings
+				{"", ``}, // security.Blessings
 			},
 		},
 		{
 			Name: "BlessingStoreSetDefault",
 			InArgs: []ipc.ArgDesc{
-				{"blessings", ``}, // security.WireBlessings
+				{"blessings", ``}, // security.Blessings
 			},
 		},
 		{
 			Name: "BlessingStoreDefault",
 			OutArgs: []ipc.ArgDesc{
-				{"", ``}, // security.WireBlessings
+				{"", ``}, // security.Blessings
 			},
 		},
 		{
 			Name: "BlessingStorePeerBlessings",
 			OutArgs: []ipc.ArgDesc{
-				{"", ``}, // map[security.BlessingPattern]security.WireBlessings
+				{"", ``}, // map[security.BlessingPattern]security.Blessings
 			},
 		},
 		{
diff --git a/security/blessingstore.go b/security/blessingstore.go
index be511fc..39cb079 100644
--- a/security/blessingstore.go
+++ b/security/blessingstore.go
@@ -1,5 +1,8 @@
 package security
 
+// TODO(ashankar,ataly): This file is a bit of a mess!! Define a serialization
+// format for the blessing store and rewrite this file before release!
+
 import (
 	"bytes"
 	"errors"
@@ -16,32 +19,22 @@
 
 var errStoreAddMismatch = errors.New("blessing's public key does not match store's public key")
 
+// TODO(ashankar,ataly): The only reason that Value is encapsulated in a struct
+// is for backward compatibility.  We should probably restore "oldState" and
+// get rid of this.
 type blessings struct {
-	Value       security.WireBlessings
-	unmarshaled *security.Blessings
+	Value security.Blessings
 }
 
 func (w *blessings) Blessings() security.Blessings {
 	if w == nil {
 		return security.Blessings{}
 	}
-	return *w.unmarshaled
-}
-
-func (w *blessings) Verify() error {
-	if w.unmarshaled != nil {
-		return nil
-	}
-	b, err := security.NewBlessings(w.Value)
-	if err != nil {
-		return err
-	}
-	w.unmarshaled = &b
-	return nil
+	return w.Value
 }
 
 func newWireBlessings(b security.Blessings) *blessings {
-	return &blessings{Value: security.MarshalBlessings(b), unmarshaled: &b}
+	return &blessings{Value: b}
 }
 
 type state struct {
@@ -195,22 +188,24 @@
 	}
 }
 
-// TODO(ataly, ashankar): Get rid of this struct once we have switched all credentials
-// directories to the new serialization format.
+// TODO(ataly, ashankar): Get rid of this struct once we have switched all
+// credentials directories to the new serialization format. Or maybe we should
+// restore this and get rid of "type state". Probably should define the
+// serialization format in VDL!
 type oldState struct {
-	Store   map[security.BlessingPattern]security.WireBlessings
-	Default security.WireBlessings
+	Store   map[security.BlessingPattern]security.Blessings
+	Default security.Blessings
 }
 
 // TODO(ataly, ashankar): Get rid of this method once we have switched all
 // credentials directories to the new serialization format.
 func (bs *blessingStore) tryOldFormat() bool {
-	var empty security.WireBlessings
+	var empty security.Blessings
 	if len(bs.state.Store) == 0 {
-		return bs.state.Default == nil || reflect.DeepEqual(bs.state.Default.Value, empty)
+		return bs.state.Default.Value.IsZero() || reflect.DeepEqual(bs.state.Default.Value, empty)
 	}
 	for _, wb := range bs.state.Store {
-		if len(wb.Value.CertificateChains) == 0 {
+		if wb.Value.IsZero() {
 			return true
 		}
 	}
@@ -219,9 +214,6 @@
 
 func (bs *blessingStore) verifyState() error {
 	verifyBlessings := func(wb *blessings, key security.PublicKey) error {
-		if err := wb.Verify(); err != nil {
-			return err
-		}
 		if b := wb.Blessings(); !reflect.DeepEqual(b.PublicKey(), key) {
 			return fmt.Errorf("read Blessings: %v that are not for provided PublicKey: %v", b, key)
 		}
diff --git a/services/identity/auditor/blessing_auditor.go b/services/identity/auditor/blessing_auditor.go
index 631fdbd..045f2bb 100644
--- a/services/identity/auditor/blessing_auditor.go
+++ b/services/identity/auditor/blessing_auditor.go
@@ -103,7 +103,7 @@
 		return d, fmt.Errorf("failed to extract result blessing")
 	}
 	var err error
-	if d.blessings, err = vom.Encode(security.MarshalBlessings(blessings)); err != nil {
+	if d.blessings, err = vom.Encode(blessings); err != nil {
 		return d, err
 	}
 	if d.caveats, err = vom.Encode(caveats); err != nil {
@@ -120,15 +120,10 @@
 		Email:     dbentry.email,
 		Timestamp: dbentry.timestamp,
 	}
-	var wireBlessings security.WireBlessings
-	var err error
-	if err = vom.Decode(dbentry.blessings, &wireBlessings); err != nil {
+	if err := vom.Decode(dbentry.blessings, &b.Blessings); err != nil {
 		return BlessingEntry{DecodeError: fmt.Errorf("failed to decode blessings: %s", err)}
 	}
-	if b.Blessings, err = security.NewBlessings(wireBlessings); err != nil {
-		return BlessingEntry{DecodeError: fmt.Errorf("failed to construct blessings: %s", err)}
-	}
-	if err = vom.Decode(dbentry.caveats, &b.Caveats); err != nil {
+	if err := vom.Decode(dbentry.caveats, &b.Caveats); err != nil {
 		return BlessingEntry{DecodeError: fmt.Errorf("failed to decode caveats: %s", err)}
 	}
 	b.RevocationCaveatID = revocationCaveatID(b.Caveats)
diff --git a/services/identity/blesser/macaroon.go b/services/identity/blesser/macaroon.go
index 4974848..03773c4 100644
--- a/services/identity/blesser/macaroon.go
+++ b/services/identity/blesser/macaroon.go
@@ -23,8 +23,8 @@
 	return identity.MacaroonBlesserServer(&macaroonBlesser{key})
 }
 
-func (b *macaroonBlesser) Bless(ctx ipc.ServerCall, macaroon string) (security.WireBlessings, error) {
-	var empty security.WireBlessings
+func (b *macaroonBlesser) Bless(ctx ipc.ServerCall, macaroon string) (security.Blessings, error) {
+	var empty security.Blessings
 	inputs, err := util.Macaroon(macaroon).Decode(b.key)
 	if err != nil {
 		return empty, err
@@ -42,12 +42,5 @@
 	if len(m.Caveats) == 0 {
 		m.Caveats = []security.Caveat{security.UnconstrainedUse()}
 	}
-	// TODO(ashankar,toddw): After the VDL configuration files have the
-	// scheme to translate between "wire" types and "in-memory" types, this
-	// should just become return ctx.LocalPrincipal().....
-	blessings, err := ctx.LocalPrincipal().Bless(ctx.RemoteBlessings().PublicKey(), ctx.LocalBlessings(), m.Name, m.Caveats[0], m.Caveats[1:]...)
-	if err != nil {
-		return empty, err
-	}
-	return security.MarshalBlessings(blessings), nil
+	return ctx.LocalPrincipal().Bless(ctx.RemoteBlessings().PublicKey(), ctx.LocalBlessings(), m.Name, m.Caveats[0], m.Caveats[1:]...)
 }
diff --git a/services/identity/blesser/macaroon_test.go b/services/identity/blesser/macaroon_test.go
index acbd53b..b0e4e0c 100644
--- a/services/identity/blesser/macaroon_test.go
+++ b/services/identity/blesser/macaroon_test.go
@@ -35,15 +35,11 @@
 		t.Errorf("Bless(...) failed with error: %v, want: %v", err, wantErr)
 	}
 	m = oauth.BlessingMacaroon{Creation: time.Now(), Name: "user", Caveats: []security.Caveat{cOnlyMethodFoo}}
-	result, err := blesser.Bless(context, newMacaroon(t, key, m))
+	b, err := blesser.Bless(context, newMacaroon(t, key, m))
 	if err != nil {
 		t.Errorf("Bless failed: %v", err)
 	}
 
-	b, err := security.NewBlessings(result)
-	if err != nil {
-		t.Fatalf("Unable to decode response into a security.Blessings object: %v", err)
-	}
 	if !reflect.DeepEqual(b.PublicKey(), user.PublicKey()) {
 		t.Errorf("Received blessing for public key %v. Client:%v, Blesser:%v", b.PublicKey(), user.PublicKey(), provider.PublicKey())
 	}
diff --git a/services/identity/blesser/oauth.go b/services/identity/blesser/oauth.go
index 405ef59..c98ad62 100644
--- a/services/identity/blesser/oauth.go
+++ b/services/identity/blesser/oauth.go
@@ -58,8 +58,8 @@
 	})
 }
 
-func (b *oauthBlesser) BlessUsingAccessToken(ctx ipc.ServerCall, accessToken string) (security.WireBlessings, string, error) {
-	var noblessings security.WireBlessings
+func (b *oauthBlesser) BlessUsingAccessToken(ctx ipc.ServerCall, accessToken string) (security.Blessings, string, error) {
+	var noblessings security.Blessings
 	email, clientName, err := b.oauthProvider.GetEmailAndClientName(accessToken, b.accessTokenClients)
 	if err != nil {
 		return noblessings, "", err
@@ -67,8 +67,8 @@
 	return b.bless(ctx, email, clientName)
 }
 
-func (b *oauthBlesser) bless(ctx ipc.ServerCall, email, clientName string) (security.WireBlessings, string, error) {
-	var noblessings security.WireBlessings
+func (b *oauthBlesser) bless(ctx ipc.ServerCall, email, clientName string) (security.Blessings, string, error) {
+	var noblessings security.Blessings
 	self := ctx.LocalPrincipal()
 	if self == nil {
 		return noblessings, "", fmt.Errorf("server error: no authentication happened")
@@ -97,5 +97,5 @@
 	if err != nil {
 		return noblessings, "", err
 	}
-	return security.MarshalBlessings(blessing), extension, nil
+	return blessing, extension, nil
 }
diff --git a/services/identity/blesser/oauth_test.go b/services/identity/blesser/oauth_test.go
index 9add34d..c173d8e 100644
--- a/services/identity/blesser/oauth_test.go
+++ b/services/identity/blesser/oauth_test.go
@@ -24,7 +24,7 @@
 		BlessingDuration: time.Hour,
 	})
 
-	result, extension, err := blesser.BlessUsingAccessToken(context, "test-access-token")
+	b, extension, err := blesser.BlessUsingAccessToken(context, "test-access-token")
 	if err != nil {
 		t.Errorf("BlessUsingAccessToken failed: %v", err)
 	}
@@ -34,10 +34,6 @@
 		t.Errorf("got extension: %s, want: %s", extension, wantExtension)
 	}
 
-	b, err := security.NewBlessings(result)
-	if err != nil {
-		t.Fatalf("Unable to decode response into a security.Blessings object: %v", err)
-	}
 	if !reflect.DeepEqual(b.PublicKey(), user.PublicKey()) {
 		t.Errorf("Received blessing for public key %v. Client:%v, Blesser:%v", b.PublicKey(), user.PublicKey(), provider.PublicKey())
 	}
diff --git a/services/identity/handlers/blessing_root.go b/services/identity/handlers/blessing_root.go
index 723818f..3853478 100644
--- a/services/identity/handlers/blessing_root.go
+++ b/services/identity/handlers/blessing_root.go
@@ -8,6 +8,7 @@
 
 	"v.io/core/veyron/services/identity/util"
 	"v.io/v23/security"
+	"v.io/v23/vom"
 )
 
 // BlessingRoot is an http.Handler implementation that renders the server's
@@ -56,7 +57,11 @@
 	//
 	// Once this issue is resolved, delete the following line and uncomment
 	// the block below it.
-	der := security.MarshalBlessings(b.P.BlessingStore().Default()).CertificateChains[0][0].PublicKey
+	der, err := rootPublicKey(b.P.BlessingStore().Default())
+	if err != nil {
+		util.HTTPServerError(w, err)
+		return
+	}
 	//der, err := b.P.PublicKey().MarshalBinary()
 	//if err != nil {
 	//	util.HTTPServerError(w, err)
@@ -81,3 +86,17 @@
 	w.Header().Set("Content-Type", "application/json")
 	w.Write(res)
 }
+
+// Circuitious route to obtain the certificate chain because the use
+// of security.MarshalBlessings is discouraged.
+func rootPublicKey(b security.Blessings) ([]byte, error) {
+	data, err := vom.Encode(b)
+	if err != nil {
+		return nil, fmt.Errorf("malformed Blessings: %v", err)
+	}
+	var wire security.WireBlessings
+	if err := vom.Decode(data, &wire); err != nil {
+		return nil, fmt.Errorf("malformed WireBlessings: %v", err)
+	}
+	return wire.CertificateChains[0][0].PublicKey, nil
+}
diff --git a/services/identity/identity.vdl.go b/services/identity/identity.vdl.go
index 87d885c..3cca02f 100644
--- a/services/identity/identity.vdl.go
+++ b/services/identity/identity.vdl.go
@@ -33,7 +33,7 @@
 type OAuthBlesserClientMethods interface {
 	// BlessUsingAccessToken uses the provided access token to obtain the email
 	// address and returns a blessing along with the email address.
-	BlessUsingAccessToken(ctx *context.T, token string, opts ...ipc.CallOpt) (blessing security.WireBlessings, email string, err error)
+	BlessUsingAccessToken(ctx *context.T, token string, opts ...ipc.CallOpt) (blessing security.Blessings, email string, err error)
 }
 
 // OAuthBlesserClientStub adds universal methods to OAuthBlesserClientMethods.
@@ -65,7 +65,7 @@
 	return v23.GetClient(ctx)
 }
 
-func (c implOAuthBlesserClientStub) BlessUsingAccessToken(ctx *context.T, i0 string, opts ...ipc.CallOpt) (o0 security.WireBlessings, o1 string, err error) {
+func (c implOAuthBlesserClientStub) BlessUsingAccessToken(ctx *context.T, i0 string, opts ...ipc.CallOpt) (o0 security.Blessings, o1 string, err error) {
 	var call ipc.ClientCall
 	if call, err = c.c(ctx).StartCall(ctx, c.name, "BlessUsingAccessToken", []interface{}{i0}, opts...); err != nil {
 		return
@@ -93,7 +93,7 @@
 type OAuthBlesserServerMethods interface {
 	// BlessUsingAccessToken uses the provided access token to obtain the email
 	// address and returns a blessing along with the email address.
-	BlessUsingAccessToken(ctx ipc.ServerCall, token string) (blessing security.WireBlessings, email string, err error)
+	BlessUsingAccessToken(ctx ipc.ServerCall, token string) (blessing security.Blessings, email string, err error)
 }
 
 // OAuthBlesserServerStubMethods is the server interface containing
@@ -131,7 +131,7 @@
 	gs   *ipc.GlobState
 }
 
-func (s implOAuthBlesserServerStub) BlessUsingAccessToken(ctx ipc.ServerCall, i0 string) (security.WireBlessings, string, error) {
+func (s implOAuthBlesserServerStub) BlessUsingAccessToken(ctx ipc.ServerCall, i0 string) (security.Blessings, string, error) {
 	return s.impl.BlessUsingAccessToken(ctx, i0)
 }
 
@@ -159,7 +159,7 @@
 				{"token", ``}, // string
 			},
 			OutArgs: []ipc.ArgDesc{
-				{"blessing", ``}, // security.WireBlessings
+				{"blessing", ``}, // security.Blessings
 				{"email", ``},    // string
 			},
 		},
@@ -173,7 +173,7 @@
 type MacaroonBlesserClientMethods interface {
 	// Bless uses the provided macaroon (which contains email and caveats)
 	// to return a blessing for the client.
-	Bless(ctx *context.T, macaroon string, opts ...ipc.CallOpt) (blessing security.WireBlessings, err error)
+	Bless(ctx *context.T, macaroon string, opts ...ipc.CallOpt) (blessing security.Blessings, err error)
 }
 
 // MacaroonBlesserClientStub adds universal methods to MacaroonBlesserClientMethods.
@@ -205,7 +205,7 @@
 	return v23.GetClient(ctx)
 }
 
-func (c implMacaroonBlesserClientStub) Bless(ctx *context.T, i0 string, opts ...ipc.CallOpt) (o0 security.WireBlessings, err error) {
+func (c implMacaroonBlesserClientStub) Bless(ctx *context.T, i0 string, opts ...ipc.CallOpt) (o0 security.Blessings, err error) {
 	var call ipc.ClientCall
 	if call, err = c.c(ctx).StartCall(ctx, c.name, "Bless", []interface{}{i0}, opts...); err != nil {
 		return
@@ -221,7 +221,7 @@
 type MacaroonBlesserServerMethods interface {
 	// Bless uses the provided macaroon (which contains email and caveats)
 	// to return a blessing for the client.
-	Bless(ctx ipc.ServerCall, macaroon string) (blessing security.WireBlessings, err error)
+	Bless(ctx ipc.ServerCall, macaroon string) (blessing security.Blessings, err error)
 }
 
 // MacaroonBlesserServerStubMethods is the server interface containing
@@ -259,7 +259,7 @@
 	gs   *ipc.GlobState
 }
 
-func (s implMacaroonBlesserServerStub) Bless(ctx ipc.ServerCall, i0 string) (security.WireBlessings, error) {
+func (s implMacaroonBlesserServerStub) Bless(ctx ipc.ServerCall, i0 string) (security.Blessings, error) {
 	return s.impl.Bless(ctx, i0)
 }
 
@@ -287,7 +287,7 @@
 				{"macaroon", ``}, // string
 			},
 			OutArgs: []ipc.ArgDesc{
-				{"blessing", ``}, // security.WireBlessings
+				{"blessing", ``}, // security.Blessings
 			},
 		},
 	},
diff --git a/services/mgmt/application/impl/impl_test.go b/services/mgmt/application/impl/impl_test.go
index da555e6..54b734a 100644
--- a/services/mgmt/application/impl/impl_test.go
+++ b/services/mgmt/application/impl/impl_test.go
@@ -21,7 +21,7 @@
 	"v.io/core/veyron/services/mgmt/repository"
 )
 
-func newPublisherSignature(t *testing.T, ctx *context.T, msg []byte) (security.WireBlessings, security.Signature) {
+func newPublisherSignature(t *testing.T, ctx *context.T, msg []byte) (security.Blessings, security.Signature) {
 	// Generate publisher blessings
 	p := v23.GetPrincipal(ctx)
 	b, err := p.BlessSelf("publisher")
@@ -32,7 +32,7 @@
 	if err != nil {
 		t.Fatal(err)
 	}
-	return security.MarshalBlessings(b), sig
+	return b, sig
 }
 
 // TestInterface tests that the implementation correctly implements
diff --git a/services/mgmt/device/impl/app_service.go b/services/mgmt/device/impl/app_service.go
index 3653c4f..22eabb1 100644
--- a/services/mgmt/device/impl/app_service.go
+++ b/services/mgmt/device/impl/app_service.go
@@ -398,11 +398,7 @@
 	if err := mkdir(pkgDir); err != nil {
 		return "", verror.New(ErrOperationFailed, nil)
 	}
-	publisher, err := security.NewBlessings(envelope.Publisher)
-	if err != nil {
-		vlog.Errorf("Failed to parse publisher blessings:%v", err)
-		return versionDir, verror.New(ErrOperationFailed, nil)
-	}
+	publisher := envelope.Publisher
 	// TODO(caprita): Share binaries if already existing locally.
 	if err := downloadBinary(ctx, publisher, &envelope.Binary, versionDir, "bin"); err != nil {
 		return versionDir, err
diff --git a/services/mgmt/device/impl/device_service.go b/services/mgmt/device/impl/device_service.go
index 25d5d32..1344bb8 100644
--- a/services/mgmt/device/impl/device_service.go
+++ b/services/mgmt/device/impl/device_service.go
@@ -453,12 +453,7 @@
 			return err
 		}
 	} else {
-		publisher, err := security.NewBlessings(envelope.Publisher)
-		if err != nil {
-			vlog.Errorf("Failed to parse publisher blessings:%v", err)
-			return verror.New(ErrOperationFailed, nil)
-		}
-		if err := downloadBinary(ctx, publisher, &envelope.Binary, workspace, "deviced"); err != nil {
+		if err := downloadBinary(ctx, envelope.Publisher, &envelope.Binary, workspace, "deviced"); err != nil {
 			return err
 		}
 	}
diff --git a/services/mgmt/device/impl/impl_test.go b/services/mgmt/device/impl/impl_test.go
index a8ff696..db91252 100644
--- a/services/mgmt/device/impl/impl_test.go
+++ b/services/mgmt/device/impl/impl_test.go
@@ -1675,7 +1675,7 @@
 			File:      naming.Join(binaryVON, "testbinary"),
 			Signature: *sig,
 		},
-		Publisher: security.MarshalBlessings(publisher),
+		Publisher: publisher,
 		Packages: map[string]application.SignedFile{
 			"pkg": application.SignedFile{
 				File:      pkgVON,
diff --git a/services/mgmt/lib/fs/simplestore.go b/services/mgmt/lib/fs/simplestore.go
index a6be49a..a61b989 100644
--- a/services/mgmt/lib/fs/simplestore.go
+++ b/services/mgmt/lib/fs/simplestore.go
@@ -6,15 +6,18 @@
 	"fmt"
 	"io/ioutil"
 	"os"
+	"reflect"
 	"sort"
 	"strings"
 	"sync"
 
 	"v.io/core/veyron/services/mgmt/profile"
 
+	"v.io/v23/security"
 	"v.io/v23/services/mgmt/application"
 	"v.io/v23/services/security/access"
 	"v.io/v23/verror"
+	"v.io/v23/vom"
 )
 
 // TODO(rjkroege@google.com) Switch Memstore to the mid-August 2014
@@ -55,11 +58,79 @@
 
 var keyExists = struct{}{}
 
+// TODO(ashankar,rjkroege): Once we switch from gob to vom, this hack won't be
+// necessary (will be able to Put/Get application.Envelope without translating
+// to this applicationEnvelope type). But in the mean time, required because
+// security.Blessings is not gob-encodeable (and gob doesn't have the ability
+// to convert between native and wire types like security.Blessings ->
+// security.WireBlessings)
+//
+// This mirrors application.Envelope with the type of "Publsher" changed to
+// security.WireBlessings.
+//
+// See https://vanadium-review.googlesource.com/6300
+type applicationEnvelope struct {
+	Title     string
+	Args      []string
+	Binary    application.SignedFile
+	Publisher security.WireBlessings
+	Env       []string
+	Packages  application.Packages
+}
+
+func translateToGobEncodeable(in interface{}) interface{} {
+	env, ok := in.(application.Envelope)
+	if !ok {
+		return in
+	}
+	return applicationEnvelope{
+		Title:     env.Title,
+		Args:      env.Args,
+		Binary:    env.Binary,
+		Publisher: security.MarshalBlessings(env.Publisher),
+		Env:       env.Env,
+		Packages:  env.Packages,
+	}
+}
+
+func translateFromGobEncodeable(in interface{}) (interface{}, error) {
+	env, ok := in.(applicationEnvelope)
+	if !ok {
+		return in, nil
+	}
+	// Have to roundtrip through vom to convert from WireBlessings to Blessings.
+	// This may seem silly, but this whole translation business is silly too :)
+	// and will go away once we switch this package to using 'vom' instead of 'gob'.
+	// So for now, live with the funkiness.
+	bytes, err := vom.Encode(env.Publisher)
+	if err != nil {
+		return nil, err
+	}
+	var publisher security.Blessings
+	if err := vom.Decode(bytes, &publisher); err != nil {
+		return nil, err
+	}
+	return application.Envelope{
+		Title:     env.Title,
+		Args:      env.Args,
+		Binary:    env.Binary,
+		Publisher: publisher,
+		Env:       env.Env,
+		Packages:  env.Packages,
+	}, nil
+}
+
 // The implementation of set requires gob instead of json.
 func init() {
 	gob.Register(profile.Specification{})
-	gob.Register(application.Envelope{})
+	gob.Register(applicationEnvelope{})
 	gob.Register(access.TaggedACLMap{})
+	// Ensure that no fields have been added to application.Envelope,
+	// because if so, then applicationEnvelope defined in this package
+	// needs to change
+	if n := reflect.TypeOf(application.Envelope{}).NumField(); n != 6 {
+		panic(fmt.Sprintf("It appears that fields have been added to or removed from application.Envelope before the hack in this file around gob-encodeability was removed. Please also update applicationEnvelope, translateToGobEncodeable and translateToGobDecodeable in this file"))
+	}
 }
 
 // NewMemstore persists the Memstore to os.TempDir() if no file is
@@ -311,6 +382,10 @@
 	} else {
 		o.Value = bv
 	}
+	var err error
+	if o.Value, err = translateFromGobEncodeable(o.Value); err != nil {
+		return nil, err
+	}
 	return o, nil
 }
 
@@ -321,7 +396,10 @@
 		return nil, verror.New(ErrNotInMemStore, nil, o.path)
 	}
 
-	o.Value = bv
+	var err error
+	if o.Value, err = translateFromGobEncodeable(bv); err != nil {
+		return nil, err
+	}
 	return o, nil
 }
 
@@ -337,8 +415,9 @@
 	if !o.ms.locked {
 		return nil, verror.New(ErrWithoutTransaction, nil, "Put()")
 	}
+	envelope = translateToGobEncodeable(envelope)
 	switch v := envelope.(type) {
-	case application.Envelope, profile.Specification, access.TaggedACLMap:
+	case applicationEnvelope, profile.Specification, access.TaggedACLMap:
 		o.ms.puts[o.path] = v
 		delete(o.ms.removes, o.path)
 		o.Value = o.path
diff --git a/services/wsprd/account/account.go b/services/wsprd/account/account.go
index d81fad2..35e50bf 100644
--- a/services/wsprd/account/account.go
+++ b/services/wsprd/account/account.go
@@ -15,14 +15,14 @@
 )
 
 type BlesserService interface {
-	BlessUsingAccessToken(ctx *context.T, token string, opts ...ipc.CallOpt) (blessingObj security.WireBlessings, account string, err error)
+	BlessUsingAccessToken(ctx *context.T, token string, opts ...ipc.CallOpt) (blessingObj security.Blessings, account string, err error)
 }
 
 type bs struct {
 	name string
 }
 
-func (s *bs) BlessUsingAccessToken(ctx *context.T, token string, opts ...ipc.CallOpt) (blessingObj security.WireBlessings, account string, err error) {
+func (s *bs) BlessUsingAccessToken(ctx *context.T, token string, opts ...ipc.CallOpt) (blessingObj security.Blessings, account string, err error) {
 	client := v23.GetClient(ctx)
 	var call ipc.ClientCall
 	if call, err = client.StartCall(ctx, s.name, "BlessUsingAccessToken", []interface{}{token}, opts...); err != nil {
@@ -30,7 +30,7 @@
 	}
 	var email string
 	if err := call.Finish(&blessingObj, &email); err != nil {
-		return security.WireBlessings{}, "", err
+		return security.Blessings{}, "", err
 	}
 	serverBlessings, _ := call.RemoteBlessings()
 	return blessingObj, accountName(serverBlessings, email), nil
@@ -63,14 +63,9 @@
 		return "", fmt.Errorf("Error getting blessing for access token: %v", err)
 	}
 
-	accountBlessings, err := security.NewBlessings(blessings)
-	if err != nil {
-		return "", fmt.Errorf("Error creating blessings from wire data: %v", err)
-	}
-
-	// Add accountBlessings to principalManager under the provided
+	// Add blessings to principalManager under the provided
 	// account.
-	if err := am.principalManager.AddAccount(account, accountBlessings); err != nil {
+	if err := am.principalManager.AddAccount(account, blessings); err != nil {
 		return "", fmt.Errorf("Error adding account: %v", err)
 	}
 
diff --git a/services/wsprd/browspr/browspr_account_test.go b/services/wsprd/browspr/browspr_account_test.go
index e0d128c..8142fd2 100644
--- a/services/wsprd/browspr/browspr_account_test.go
+++ b/services/wsprd/browspr/browspr_account_test.go
@@ -28,15 +28,14 @@
 	}
 }
 
-func (m *mockBlesserService) BlessUsingAccessToken(c *context.T, accessToken string, co ...ipc.CallOpt) (security.WireBlessings, string, error) {
-	var empty security.WireBlessings
+func (m *mockBlesserService) BlessUsingAccessToken(c *context.T, accessToken string, co ...ipc.CallOpt) (security.Blessings, string, error) {
 	m.count++
 	name := fmt.Sprintf("%s%s%d", topLevelName, security.ChainSeparator, m.count)
 	blessing, err := m.p.BlessSelf(name)
 	if err != nil {
-		return empty, "", err
+		return blessing, "", err
 	}
-	return security.MarshalBlessings(blessing), name, nil
+	return blessing, name, nil
 }
 
 func setup(t *testing.T) (*Browspr, func()) {
diff --git a/services/wsprd/principal/principal.go b/services/wsprd/principal/principal.go
index cf46168..d26d42c 100644
--- a/services/wsprd/principal/principal.go
+++ b/services/wsprd/principal/principal.go
@@ -63,7 +63,7 @@
 
 	// A set of accounts that maps from an account name to the Blessings associated
 	// with the account.
-	Accounts map[string]security.WireBlessings
+	Accounts map[string]security.Blessings
 }
 
 const pkgPath = "v.io/core/veyron/services/wsprd/principal"
@@ -139,7 +139,7 @@
 	result := &PrincipalManager{
 		state: persistentState{
 			Origins:  map[string]permissions{},
-			Accounts: map[string]security.WireBlessings{},
+			Accounts: map[string]security.Blessings{},
 		},
 		root:       root,
 		serializer: serializer,
@@ -199,11 +199,11 @@
 	if !found {
 		return nil, verror.New(verror.ErrNoExist, nil, origin)
 	}
-	wireBlessings, found := i.state.Accounts[perm.Account]
+	blessings, found := i.state.Accounts[perm.Account]
 	if !found {
 		return nil, verror.New(errUnknownAccount, nil, perm.Account)
 	}
-	return i.createPrincipal(origin, wireBlessings, perm.Caveats)
+	return i.createPrincipal(origin, blessings, perm.Caveats)
 }
 
 // OriginHasAccount returns true iff the origin has been associated with
@@ -242,21 +242,20 @@
 	i.mu.Lock()
 	defer i.mu.Unlock()
 
-	wireBlessings, found := i.state.Accounts[account]
+	blessings, found := i.state.Accounts[account]
 	if !found {
 		return security.Blessings{}, verror.New(errUnknownAccount, nil, account)
 	}
-	return security.NewBlessings(wireBlessings)
+	return blessings, nil
 }
 
 // AddAccount associates the provided Blessing with the provided account.
 func (i *PrincipalManager) AddAccount(account string, blessings security.Blessings) error {
-	wireBlessings := security.MarshalBlessings(blessings)
 	i.mu.Lock()
 	defer i.mu.Unlock()
 
 	old, existed := i.state.Accounts[account]
-	i.state.Accounts[account] = wireBlessings
+	i.state.Accounts[account] = blessings
 
 	if err := i.save(); err != nil {
 		delete(i.state.Accounts, account)
@@ -294,17 +293,12 @@
 	return nil
 }
 
-func (i *PrincipalManager) createPrincipal(origin string, wireBlessings security.WireBlessings, caveats []security.Caveat) (security.Principal, error) {
+func (i *PrincipalManager) createPrincipal(origin string, withBlessings security.Blessings, caveats []security.Caveat) (security.Principal, error) {
 	ret, err := vsecurity.NewPrincipal()
 	if err != nil {
 		return nil, verror.New(errFailedToCreatePrincipal, nil, err)
 	}
 
-	withBlessings, err := security.NewBlessings(wireBlessings)
-	if err != nil {
-		return nil, verror.New(errFailedToConstructBlessings, nil, err)
-	}
-
 	if len(caveats) == 0 {
 		caveats = append(caveats, security.UnconstrainedUse())
 	}
diff --git a/services/wsprd/principal/principal_test.go b/services/wsprd/principal/principal_test.go
index 328e14f..3863f7f 100644
--- a/services/wsprd/principal/principal_test.go
+++ b/services/wsprd/principal/principal_test.go
@@ -67,21 +67,15 @@
 		return err
 	}
 
-	if encoder.Encode(security.MarshalBlessings(bOrigin)); err != nil {
+	if encoder.Encode(bOrigin); err != nil {
 		return err
 	}
-	var wire security.WireBlessings
 	decoder, err := vom.NewDecoder(buf)
-
 	if err != nil {
 		return err
 	}
-
-	if err := decoder.Decode(&wire); err != nil {
-		return err
-	}
-	decoded, err := security.NewBlessings(wire)
-	if err != nil {
+	var decoded security.Blessings
+	if err := decoder.Decode(&decoded); err != nil {
 		return err
 	}
 	if !reflect.DeepEqual(decoded, bOrigin) {
diff --git a/tools/application/impl.go b/tools/application/impl.go
index 7c16597..5100c5b 100644
--- a/tools/application/impl.go
+++ b/tools/application/impl.go
@@ -8,15 +8,71 @@
 	"io/ioutil"
 	"os"
 	"os/exec"
+	"reflect"
 	"strings"
 	"time"
 
 	"v.io/core/veyron/services/mgmt/repository"
 	"v.io/v23/context"
+	"v.io/v23/security"
 	"v.io/v23/services/mgmt/application"
+	"v.io/v23/vom"
 	"v.io/x/lib/cmdline"
 )
 
+// TODO(ashankar): application.Envelope is no longer JSON friendly
+// (after https://vanadium-review.googlesource.com/#/c/6300/).
+//
+// This mirrored structure is required in order to work around that
+// problem. Figure out what we want to do.
+type appenv struct {
+	Title     string
+	Args      []string
+	Binary    application.SignedFile
+	Publisher security.WireBlessings
+	Env       []string
+	Packages  application.Packages
+}
+
+func (a *appenv) Load(env application.Envelope) {
+	a.Title = env.Title
+	a.Args = env.Args
+	a.Binary = env.Binary
+	a.Publisher = security.MarshalBlessings(env.Publisher)
+	a.Env = env.Env
+	a.Packages = env.Packages
+}
+
+func (a *appenv) Store() (application.Envelope, error) {
+	// Have to roundtrip through vom to convert from WireBlessings to Blessings.
+	// This may seem silly, but this whole appenv type is silly too :).
+	// Figure out how to get rid of it.
+	bytes, err := vom.Encode(a.Publisher)
+	if err != nil {
+		return application.Envelope{}, err
+	}
+	var publisher security.Blessings
+	if err := vom.Decode(bytes, &publisher); err != nil {
+		return application.Envelope{}, err
+	}
+	return application.Envelope{
+		Title:     a.Title,
+		Args:      a.Args,
+		Binary:    a.Binary,
+		Publisher: publisher,
+		Env:       a.Env,
+		Packages:  a.Packages,
+	}, nil
+}
+
+func init() {
+	// Ensure that no fields have been added to application.Envelope,
+	// because if so, then appenv needs to change.
+	if n := reflect.TypeOf(application.Envelope{}).NumField(); n != 6 {
+		panic(fmt.Sprintf("It appears that fields have been added to or removed from application.Envelope before the hack in this file around json-encodeability was removed. Please also update appenv, appenv.Load and appenv.Store in this file"))
+	}
+}
+
 func getEnvelopeJSON(app repository.ApplicationClientMethods, profiles string) ([]byte, error) {
 	ctx, cancel := context.WithTimeout(gctx, time.Minute)
 	defer cancel()
@@ -24,7 +80,9 @@
 	if err != nil {
 		return nil, err
 	}
-	j, err := json.MarshalIndent(env, "", "  ")
+	var appenv appenv
+	appenv.Load(env)
+	j, err := json.MarshalIndent(appenv, "", "  ")
 	if err != nil {
 		return nil, fmt.Errorf("MarshalIndent(%v) failed: %v", env, err)
 	}
@@ -32,10 +90,14 @@
 }
 
 func putEnvelopeJSON(app repository.ApplicationClientMethods, profiles string, j []byte) error {
-	var env application.Envelope
-	if err := json.Unmarshal(j, &env); err != nil {
+	var appenv appenv
+	if err := json.Unmarshal(j, &appenv); err != nil {
 		return fmt.Errorf("Unmarshal(%v) failed: %v", string(j), err)
 	}
+	env, err := appenv.Store()
+	if err != nil {
+		return err
+	}
 	ctx, cancel := context.WithTimeout(gctx, time.Minute)
 	defer cancel()
 	if err := app.Put(ctx, strings.Split(profiles, ","), env); err != nil {
diff --git a/tools/mgmt/device/impl/local_install_test.go b/tools/mgmt/device/impl/local_install_test.go
index e713fae..4889e62 100644
--- a/tools/mgmt/device/impl/local_install_test.go
+++ b/tools/mgmt/device/impl/local_install_test.go
@@ -84,7 +84,7 @@
 		stderr.Reset()
 	}
 	emptySig := security.Signature{}
-	emptyBlessings := security.WireBlessings{}
+	emptyBlessings := security.Blessings{}
 	cfg := device.Config{"someflag": "somevalue"}
 
 	testPackagesDir, err := ioutil.TempDir("", "testdir")
diff --git a/tools/principal/bless.go b/tools/principal/bless.go
index 4ef0f0b..64df2a9 100644
--- a/tools/principal/bless.go
+++ b/tools/principal/bless.go
@@ -30,18 +30,13 @@
 	ctx, cancel := context.WithTimeout(ctx, time.Minute)
 	defer cancel()
 
-	var reply security.WireBlessings
 	// Authorize the server by its public key (obtained from macaroonChan).
 	// Must skip authorization during name resolution because the identity
 	// service is not a trusted root yet.
-	reply, err = identity.MacaroonBlesserClient(service).Bless(ctx, macaroon, options.SkipResolveAuthorization{}, options.ServerPublicKey{rootKey})
+	blessings, err := identity.MacaroonBlesserClient(service).Bless(ctx, macaroon, options.SkipResolveAuthorization{}, options.ServerPublicKey{rootKey})
 	if err != nil {
 		return security.Blessings{}, fmt.Errorf("failed to get blessing from %q: %v", service, err)
 	}
-	blessings, err := security.NewBlessings(reply)
-	if err != nil {
-		return security.Blessings{}, fmt.Errorf("failed to construct Blessings object from response: %v", err)
-	}
 	return blessings, nil
 }
 
diff --git a/tools/principal/main.go b/tools/principal/main.go
index 61561a4..f28f783 100644
--- a/tools/principal/main.go
+++ b/tools/principal/main.go
@@ -99,7 +99,10 @@
 			if err != nil {
 				return fmt.Errorf("failed to decode provided blessings: %v", err)
 			}
-			wire := security.MarshalBlessings(blessings)
+			wire, err := blessings2wire(blessings)
+			if err != nil {
+				return fmt.Errorf("failed to decode certificate chains: %v", err)
+			}
 			fmt.Printf("Blessings          : %v\n", blessings)
 			fmt.Printf("PublicKey          : %v\n", blessings.PublicKey())
 			fmt.Printf("Certificate chains : %d\n", len(wire.CertificateChains))
@@ -744,18 +747,16 @@
 }
 
 func decodeBlessings(fname string) (security.Blessings, error) {
-	var wire security.WireBlessings
-	if err := decode(fname, &wire); err != nil {
-		return security.Blessings{}, err
-	}
-	return security.NewBlessings(wire)
+	var b security.Blessings
+	err := decode(fname, &b)
+	return b, err
 }
 
 func dumpBlessings(blessings security.Blessings) error {
 	if blessings.IsZero() {
 		return fmt.Errorf("no blessings found")
 	}
-	str, err := base64VomEncode(security.MarshalBlessings(blessings))
+	str, err := base64VomEncode(blessings)
 	if err != nil {
 		return fmt.Errorf("base64-VOM encoding failed: %v", err)
 	}
@@ -937,3 +938,16 @@
 	}
 	return caveats, nil
 }
+
+// Circuitous route to get to the certificate chains.
+// See comments on why security.MarshalBlessings is discouraged.
+// Though, a better alternative is worth looking into.
+func blessings2wire(b security.Blessings) (security.WireBlessings, error) {
+	var wire security.WireBlessings
+	data, err := vom.Encode(b)
+	if err != nil {
+		return wire, err
+	}
+	err = vom.Decode(data, &wire)
+	return wire, err
+}