Based　on　the　in-depth　progress　on　research　of　the　security　and　trust　in　a　single　information　system,　and　the　increasing　requirements　in　interconnection　between　different　information　systems,　this　paper　proposes　a　trusted　interconnection　model.　Through　establishes　identity　mapping　and　collision　detection　mechanism　in　system　boundary,　it　can　complete　the　identity　conversion　when　cross-system　access　occurs.　After　the　conversion,　access　decision　is　still　based　on　the　system＇s　own　security　policy.　So,　this　model　can　make　the　interconnection　between　different　systems,　at　the　same　time,　it　can　ensure　the　security　of　the　original　system　will　not　be　destroyed.　In　addition,　this　paper　gives　a　formal　proof　of　this　trusted　interconnection　model,　and　demonstrates　its　safety.