In access list systems, those with responsibility over security issues can read access lists. Let's call this “auditing” here. When capability concepts are brought to the user interface a new problem arises: there is no obvious counterpart to auditing in the capability system.

In the pure capability systems of which I am aware, including KeyKos, a user can deliver a capability leaving no record of that action. I commonly deliver such a capability to a friend assuming that the object which the capability addresses is temporary and that I will remember my action for as long as necessary. This problem is nearly unique to humans, for they often delude themselves that they will not forget something.

User environments can be built that attenuate the user’s authority so that authority passed to other users causes a revocation capability to be automatically generated and cataloged.

Saltzer and Schroeder have noted that schemes designed to guard against mistakes can easily lead to misunderstood security properties. Some of the schemes described below are self-imposed and thus may be circumvented!

The general schemes used for distribution can be used to provide a barrier between a user and others in the same system. This barrier can subsequently be invoked, iron-curtain-like, rescinding not only those capabilities directly transferred between users, but also those transferred indirectly over the directly transferred capabilities.
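As an added illustration of the two schemes above (example code written for this page, not KeyKos code or anything from the original text): a membrane between Alice and Bob that wraps every capability crossing it, catalogs how each one was obtained, and on revoke() rescinds both the directory Alice handed over directly and the file Bob later obtained through it. The names Membrane, File and Directory, and the simplification that only results flowing back across the barrier are wrapped (not arguments Bob passes in), are assumptions of the example.

```python
class Revoked(Exception):
    """Raised when a capability that crossed a revoked membrane is used."""

class Membrane:
    def __init__(self, name):
        self.name, self.alive, self.log = name, True, []   # log is the catalog

    def wrap(self, obj, path="root"):
        if not self.alive:
            raise Revoked(self.name)
        if isinstance(obj, (int, float, str, bytes, bool, type(None))):
            return obj                      # plain data carries no authority
        self.log.append(path)               # record how this capability was obtained
        return _Proxy(self, obj, path)

    def revoke(self):                       # the "iron curtain"
        self.alive = False

class _Proxy:
    """Forwarder that re-checks the membrane on every use and wraps every result,
    so capabilities derived through it are rescinded together with it."""
    def __init__(self, membrane, target, path):
        self._m, self._t, self._p = membrane, target, path

    def __getattr__(self, name):
        if not self._m.alive:
            raise Revoked(self._m.name)
        attr, path = getattr(self._t, name), f"{self._p}.{name}"
        if not callable(attr):
            return self._m.wrap(attr, path)
        return lambda *a, **kw: self._m.wrap(attr(*a, **kw), path + "()")

class File:                                 # constructed sample objects (assumed)
    def __init__(self, text): self.text = text
    def read(self): return self.text

class Directory:
    def __init__(self, files): self.files = files
    def lookup(self, name): return self.files[name]

def demo():
    # Alice hands Bob her directory; Bob derives a file from it; Alice revokes.
    wall = Membrane("alice->bob")
    bob_dir = wall.wrap(Directory({"notes": File("draft")}))
    bob_file = bob_dir.lookup("notes")      # indirectly transferred capability
    before = bob_file.read()
    wall.revoke()
    try:
        after = bob_file.read()
    except Revoked:
        after = None
    return before, after, wall.log
```

The catalog in wall.log is what a forgetful user can later audit; it lists the directly passed directory and the lookup through which the file was obtained.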

One might establish user groups with arrangements such that links between the groups can be severed, or severed and reattached after one group has been transparently moved to another system. Such arrangements provide, in effect, cleavage planes along which systems can be subdivided.

The user may choose to subject himself to these disciplines to compensate for his own forgetfulness, or the discipline may be imposed from above. While programs do not generally require auditing of their actions for reasons elaborated elsewhere, programs can also be subjected transparently to the following discipline. This provides dynamic auditing of capabilities sent and received by the program.

Most of the schemes described above require a degree of planning. This is mainly because rescindability requires a small amount of overhead which would be very burdensome if universally applied.