“Non-Delegatable Authorities in Capability Systems” is a curious paper that raises again something that I had thought was settled. “Authority” is a slippery word. I try and fail to be consistent in using it. In the paper capabilities are referred to with the mass noun “authority” and the authors indeed examine again mechanisms admitting a property of a capability that prevents it from being sent to those to whom you hold capabilities.
The paper brings to mind thoughts I had many years ago when I rejected ideas from Hydra that limited such propagation. I do not now remember the Hydra details. The decision was by no means easy and I have no written record of the reasoning. I do recall some of the considerations however.
Such design decisions always occur in a web of other design decisions and are made before the web is in clear view. After the design is fixed the web of possibilities recedes from view, never having come into full view. Papers such as this are thus useful, if irritating.
I present here a too naïve argument against NDA in the Keykos context. I adopt the simplest axioms for capabilities and message passing that I know:
I have a capability to a mutable object. I trust the object to