Trust negotiation supports authentication and access control across multiple security domains by allowing parties to use non-forgeable digital credentials to establish trust. By their nature trust negotiation systems are used in environments that are not always reliable. In particular, it is important not only to protect negotiations against malicious attacks, but also against failures and crashes of the parties or of the communication means. To address the problem of failures and crashes, we propose an efficient and secure recovery mechanism. The mechanism includes two recovery protocols, one for each of the two main negotiation phases. In fact, because of the requirements that both services and credentials have to be protected on the basis of the associated disclosure policies, most approaches distinguish between a phase of disclosure policy evaluation from a phase devoted to actual credentials exchange. We prove that the protocols, besides being efficient, are secure with respect to integrity, and confidentiality and are idempotent. To the best of our knowledge, this is the first effort for achieving robustness and fault tolerance of trust negotiation systems.