The authority of user mode programs in most operating systems
is ambient.
The program need not and cannot name the specific authority that
justifies the operations that it takes to
sense or modify the world around it.
This is the architectural property that leads to the problem
of the confused deputy.
The Unix system call "setuid" partially overcomes this problem
in allowing the program to distinguish two categories of
ambient authority.
In a capability based system each operation that relies on authority
specifically, and naturally designates that specific authority
as it names the part of the world to be sensed or modified.
This is because the capability both identifies that part and
conveys the required authority over that part.