I think that Susan had come to Tymshare (or perhaps Key Logic) before she wrote on KeyKOS.

Here is how I recall the episode at Key Logic in 1987 that you refer to.

The team of about 5 people came for a week. Initially they were skeptical that an assembly language program could be evaluated. We read the Orange Book, as you describe, as being oriented towards Multics and concomitantly towards Unix, which took much structure from Multics. The TCSEC team viewed the Orange Book from a high level and, after we had described our architecture, they showed us how to interpret the Orange Book requirements in our framework. With that orientation it became fairly clear that we could meet the requirements, and several demands that were omitted from the Orange Book as well, because such demands appeared infeasible. One such demand was resistance to viruses.

Overall they were enthusiastic about KeyKOS. I don’t remember the precise terminology, but I think that the only reason they did not recommend the highest level evaluation was that such evaluation required having been written by pre-cleared people.

I think that the Boebert confusion was due to the normal assumption that whoever produces functionality for a capability system (code) does so by producing an object that obeys that code, along with the initial capabilities of that object. This allows the producer to include capabilities to export the secrets that the object deals with. This was seen as a problem in KeyKOS fairly early, and the Factory codified our solution. With the factory, the provider of the program is not the provider of the initial capabilities. The factory affords confinement. The object that gets to see the secrets has no capabilities to send data, except back to the agent that provided the secrets.
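As an added illustration, not code from the original message and not KeyKOS or Key Logic code, here is a simplified Python model of the confinement property described in the last paragraph. Capabilities are plain object references, so holding one is the only way to invoke it. A program provider who hands over both the code and its initial capabilities can bake in an export channel; a factory that takes the code from one party and the secret-bearing capability from another cannot be used that way. The class names, the "reject any outward channel among the builder's holes" rule, and the sample secret are assumptions of this model, not a description of the real factory's checks.

```python
"""Simplified model of factory-style confinement in a capability system.
Constructed illustration only: not KeyKOS code. All names are assumptions."""

from typing import Callable, Dict, List


class ConfinementError(Exception):
    """Raised when a program provider tries to bake an outward channel in."""


class Capability:
    """An unforgeable reference: only code that holds it can invoke it."""


class ExportChannel(Capability):
    """Sends data to the program provider, the channel confinement must deny."""

    def __init__(self) -> None:
        self.received: List[str] = []

    def send(self, data: str) -> None:
        self.received.append(data)


class ReplyCap(Capability):
    """Sends data back to the agent that supplied the secret, nowhere else."""

    def __init__(self) -> None:
        self.replies: List[str] = []

    def send(self, data: str) -> None:
        self.replies.append(data)


Program = Callable[[str, Dict[str, Capability]], None]


class ConfinedObject:
    """Runs a program with exactly the capabilities it was built with."""

    def __init__(self, program: Program, caps: Dict[str, Capability]) -> None:
        self._program = program
        self._caps = caps

    def process(self, secret: str) -> None:
        self._program(secret, self._caps)


class Factory:
    """Separates the provider of the program from the provider of capabilities.

    The builder supplies the code and a fixed set of 'hole' capabilities,
    which the factory vets at creation. Whoever later requests an object
    supplies the reply capability, so the object can only send data back
    to that requestor. (Assumed rule: any hole that can carry data out is
    refused; the real KeyKOS checks are not modelled here.)
    """

    def __init__(self, program: Program, holes: Dict[str, Capability]) -> None:
        for name, cap in holes.items():
            if isinstance(cap, (ExportChannel, ReplyCap)):
                raise ConfinementError(f"hole {name!r} could carry data out")
        self._program = program
        self._holes = dict(holes)

    def build(self, reply: ReplyCap) -> ConfinedObject:
        caps: Dict[str, Capability] = dict(self._holes)
        caps["reply"] = reply
        return ConfinedObject(self._program, caps)


def leaky_program(secret: str, caps: Dict[str, Capability]) -> None:
    """Constructed program whose provider hopes an export channel is present."""
    home = caps.get("home")
    if isinstance(home, ExportChannel):
        home.send(secret)  # copies the secret out if a channel was baked in
    caps["reply"].send(f"processed {len(secret)} chars")


def without_factory() -> List[str]:
    """Provider supplies both the object and its initial capabilities."""
    home, reply = ExportChannel(), ReplyCap()
    obj = ConfinedObject(leaky_program, {"home": home, "reply": reply})
    obj.process("payroll figures")  # constructed sample secret
    return home.received  # the secret reached the provider


def factory_rejects_export_hole() -> bool:
    """The factory refuses a builder-supplied channel when it is created."""
    try:
        Factory(leaky_program, {"home": ExportChannel()})
    except ConfinementError:
        return True
    return False


def with_factory() -> List[str]:
    """Same program built through a factory: only the requestor's reply cap."""
    reply = ReplyCap()
    obj = Factory(leaky_program, {}).build(reply)
    obj.process("payroll figures")  # constructed sample secret
    return reply.replies  # the only place data can go


if __name__ == "__main__":
    print("no factory, leaked to provider:", without_factory())
    print("factory rejects export hole:", factory_rejects_export_hole())
    print("factory-built object replied:", with_factory())
```

The point the model makes is the one in the text: the same program, unchanged, leaks when its author also chooses its initial capabilities and cannot leak when a factory installs only what the requestor supplied.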