Here are some optional features of a capability system.
I consider some necessary and some counterproductive.

- Rescindable versions of each sort of capability
- A concept of “who” or “principal” built into the foundation
- A sort of capability that is sensory, i.e., manifestly read-only to the foundation

I think that rescindable versions of capabilities are necessary for solving a large set of security problems.
I think that every capability system that I have seen has a good ability to rescind.
Keykos rescinds via features that are present for other reasons.
I think that “principal” is counterproductive in the foundation.
I think that sensory is strategic but not strictly necessary.
I have heard each of these options proposed as the difference between a modified and unmodified capability system.
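
A minimal sketch of rescinding with no notion of principal, added here as an illustration and not taken from the original page or from Keykos: a forwarder relays calls to the real object until its creator severs it, which cuts off every holder of the forwarder at once. `make_rescindable`, `Journal` and `demo` are hypothetical names, and Python is assumed only to imitate the encapsulation a capability foundation would enforce.

```python
class Rescinded(Exception):
    """Raised when a rescinded capability is invoked."""

class Journal:
    """Constructed sample resource: a list of entries."""
    def __init__(self):
        self._entries = []
    def append(self, entry):
        self._entries.append(entry)
    def read(self):
        return tuple(self._entries)

def make_rescindable(target):
    """Return (forwarder, rescind); hypothetical helper, works for any target.
    Assumption: Python only imitates the encapsulation a real foundation enforces."""
    cell = {"target": target}

    class Forwarder:
        def __getattr__(self, name):
            if name.startswith("_"):
                raise AttributeError(name)  # never expose internals
            def invoke(*args, **kwargs):
                live = cell["target"]  # checked on every call, not at lookup
                if live is None:
                    raise Rescinded(name)
                return getattr(live, name)(*args, **kwargs)
            return invoke

    def rescind():
        cell["target"] = None  # severs every copy of the forwarder at once

    return Forwarder(), rescind

def demo():
    journal = Journal()
    granted, rescind = make_rescindable(journal)
    delegated = granted            # holder passes the capability on
    early_handle = granted.append  # method handle taken before rescinding
    granted.append("first")
    delegated.append("second")
    rescind()
    blocked = 0
    for attempt in (granted.read, lambda: delegated.append("x"),
                    lambda: early_handle("y")):
        try:
            attempt()
        except Rescinded:
            blocked += 1
    return journal.read(), blocked
```

The forwarder never asks who is calling; authority follows possession of the forwarder, and the grantor's own direct reference to the journal is unaffected by `rescind()`.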