There is an amusing meme that as one comes to understand category theory, one becomes incapable of explaining it to others. Here is a vague theory to explain such phenomena—a category of confusion.

Anecdote

Beware: “Category” below does not refer directly to category theory.

I use Keykos jargon here to keep myself honest. You do not need to know the meanings of these technical terms for my pedagogical point. I was explaining sensory keys to someone. A critical property of this category of key is that the kernel can look at bits in a key and see directly whether the key is ‘sensory’. I knew this but my correspondent did not. This was a difficult discovery. I realized that what I claimed depended on this and I blurted something like “But when I called it ‘sensory’ didn’t you understand that the kernel could just look and see?”. My correspondent properly responded that the adjective ‘requestor’s’ as in ‘requestor’s key’ was a key category inaccessible to the kernel.

Ouch!
It flashed quickly into my head that there are categories of categories. I was master of both yet unaware that there were categories of categories. My manipulation of these meta categories was reliable but entirely subconscious. My friends who helped invent these ideas were presumably in the same boat as I. As such we were unable to explain in plain English what was going on. In our conversations with each other it was always contextually clear and subconscious which sort of category we were dealing with. It was effortless.

Just now I added “Kernel Category” to the glossary as one category of key categories and marked each technical adjective that applies to a key, whether it was a kernel category; about half were. I know offhand about a dozen other such Keykos obscurities to be repaired.

Most (all?) formal security arguments today assume some form of computational physics which is in place by virtue of some body of code, and certainly some body of hardware. This code is unnamed in the formal theory. The meta theory may refer to it as the ‘TCB’. According to some it is insecure to rely on code outside the TCB. The pejorative language is “relying on third parties”, as if the TCB were always provided by one of the first two parties. I think one could cobble together a security proof for the Keykos factory but it would be opaque for it would obscure the pattern that similar ideas are at work at two different levels. This commonality makes the proof more efficient for understanding.