The authority of user mode programs in most operating systems
is ambient.
The program need not and cannot name the specific authority that
justifies the operations that it takes in order to sense or modify the world around it.
This is the architectural property that leads to the problem
of the confused deputy.
The Unix system call “setuid” partially overcomes this problem
in allowing the program to distinguish two categories of ambient authority.
In a capability system, naming the authority and naming the part of the world to be accessed are unified.
The capability both designates and authorizes.