Here are some optional features of a capability system.
I consider some necessary and some counterproductive.
- Rescindable versions of each sort of capability
- A concept of "who" or "principal" built into the foundation
- A sort of capability that is sensory, i.e. manifestly read-only to the foundation
I think that rescindable versions of capabilities are necessary for solving a large set of security problems. I think that every capability system that I have seen has a good ability to rescind; Keykos rescinds via features that are present for other reasons.
I think that "principal" is counterproductive in the foundation.
I think that sensory is strategic but not strictly necessary.
I have heard each of these options proposed as the difference between a modified and an unmodified capability system.
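As an added illustration (not code from this page, Keykos, or any real system), the toy object-capability model below shows how two of the options above can be built from ordinary forwarding rather than from new foundation features. Rescinding is done with a caretaker: the holder receives a facet that forwards to the target only until the caretaker's owner calls revoke(). A sensory facet is a forwarder with an allow-list of read-only methods. The class and method names (File, Caretaker, Sensory, Revoked) are assumptions chosen for the example.

```python
"""Toy object-capability model: revocation via a caretaker forwarder and a
read-only (sensory) facet. Added example with illustrative names; it is not
the API of Keykos or of any other capability system."""


class File:
    """The target object; holding a direct reference is full authority."""

    def __init__(self, text=""):
        self._text = text

    def read(self):
        return self._text

    def write(self, text):
        self._text = text


class Revoked(Exception):
    """Raised when a facet is used after its caretaker has revoked it."""


class Caretaker:
    """Forwarder that the owner keeps; facets it hands out can be cut off.

    Nothing here is special to the foundation: the caretaker is just another
    object that forwards messages, which is how revocation can be built from
    features present for other reasons."""

    def __init__(self, target):
        self._target = target

    def revoke(self):
        # Drop the only path from the facets to the target.
        self._target = None

    def facet(self):
        caretaker = self

        class Facet:
            # Forwards every attribute lookup while the caretaker still
            # holds the target; raises Revoked afterwards.
            def __getattr__(self, name):
                if caretaker._target is None:
                    raise Revoked(name)
                return getattr(caretaker._target, name)

        return Facet()


class Sensory:
    """Read-only facet: forwards only methods on an explicit allow-list."""

    READ_ONLY = frozenset({"read"})

    def __init__(self, target):
        self._target = target

    def __getattr__(self, name):
        if name not in self.READ_ONLY:
            raise AttributeError(f"{name!r} is not available through a sensory facet")
        return getattr(self._target, name)


def demo_revocation():
    """Returns (value read before revoke, outcome after revoke, owner's view)."""
    f = File("secret")
    ct = Caretaker(f)
    holder = ct.facet()          # what is handed to the other party
    before = holder.read()
    ct.revoke()
    try:
        holder.read()
        after = "still-readable"
    except Revoked:
        after = "revoked"
    return before, after, f.read()   # the owner's direct reference is unaffected


def demo_sensory():
    """Returns (value read via facet, whether write succeeded, target state)."""
    f = File("v1")
    ro = Sensory(Caretaker(f).facet())   # attenuations compose: read-only and revocable
    got = ro.read()
    try:
        ro.write("v2")
        wrote = True
    except AttributeError:
        wrote = False
    return got, wrote, f.read()


if __name__ == "__main__":
    print(demo_revocation())
    print(demo_sensory())
```

The Sensory wrapper is read-only by construction, but the foundation has no way to tell it apart from any other forwarder; that is exactly the gap a foundation-level "manifestly read-only" capability closes, and why the text calls sensory strategic rather than strictly necessary.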