I want to ramble here about 'natural persons' ("people" hereafter) and security. Most capability design has been content to lump people into the category of objects.
I want to examine some perceived differences between people and objects, to see what software mechanisms may be needed to cope with the unknown motives of individual people.
Some of these attributes of people may also be seen to apply to the objects that people, as programmers, write.
Jacob evidently has access to the map, and that access is perhaps itself logged. Jacob may decide to give Arthur access, but will probably want to protect his own skin by wrapping any computer authority he gives to Arthur, so that the logs distinguish Arthur's uses of it from Jacob's own. If some agent disappears, the logs will be consulted by someone not otherwise named here. There is an incentive not to have known the cover of that agent.
Arthur has his own reputation to protect. If he receives logged authority to read the map from Jacob, then Jacob held that authority himself and could have used it to frame Arthur. (Jacob may be the mole.)
We assume, then, that each person has individual secure access to 'the computer' by mechanisms we will not discuss further, except to say that the person can wield capabilities therein. Access to people within the agency, via the computer, is by trustworthy names that map to capabilities. Access between people may itself be wrapped, each person in his own membrane.
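The wrapping and logging sketched above, as an added example; this is not code from the page, only one way the mechanism could look. The names Jacob, Arthur and the map follow the text; Carol, the class names, the log format and the `session` parameter are this example's own assumptions. In particular, the session name stands in for the person's individual secure access assumed above: here it is passed as an argument for illustration, whereas a real system would supply it from the authenticated session rather than trust the caller to name himself.

```python
# Added example: a logged authority to read the map, wrapped ('membrane')
# by one person before being handed to another, so that the audit log records
# under whose grant each use was made and the grantor can revoke the grant.
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    actor: str     # whose secure session presented the capability
    via: tuple     # grants the request passed through, outermost wrapper first
    action: str


class AuditLog:
    def __init__(self):
        self.entries = []

    def record(self, actor, via, action):
        self.entries.append(LogEntry(actor, tuple(via), action))

    def readers(self):
        """Everyone who has read the map by any route: the set an
        investigator starts from when the logs are consulted."""
        return {e.actor for e in self.entries if e.action == "read map"}


class Map:
    """The underlying object, reachable only through a capability."""
    def __init__(self, contents):
        self._contents = contents

    def contents(self):
        return self._contents


class LoggedMapCap:
    """A direct, logged authority to read the map, held by one person."""
    def __init__(self, target, holder, log):
        self._target, self.holder, self._log = target, holder, log

    def read(self, session, via=()):
        # `session` is assumed to come from the person's secure access, not
        # from the caller; a caller who could choose it could frame anyone.
        self._log.record(session, via, "read map")
        return self._target.contents()

    def grant(self, grantee):
        """Hand the authority on, wrapped; the grantor keeps the revoker."""
        return Forwarder(self, self.holder, grantee)


class Forwarder:
    """The wrapper one person puts around authority given to another. It
    adds the grant to the audit trail and can be revoked by the grantor
    without disturbing the grantor's own access."""
    def __init__(self, inner, grantor, grantee):
        self._inner, self.grantor, self.grantee = inner, grantor, grantee
        self._revoked = False

    def read(self, session, via=()):
        if self._revoked:
            raise PermissionError(f"{self.grantor}'s grant to {self.grantee} was revoked")
        return self._inner.read(session, via + (f"{self.grantor}->{self.grantee}",))

    def grant(self, grantee):
        # Re-delegation nests: the chain grows by one link, and revoking an
        # inner forwarder cuts off everything delegated through it.
        return Forwarder(self, self.grantee, grantee)

    def revoke(self):
        self._revoked = True


def denied(cap, session):
    """True if reading through `cap` from `session` is refused."""
    try:
        cap.read(session)
        return False
    except PermissionError:
        return True


def scenario():
    """Constructed run of the page's scenario; returns the log and revocation results."""
    log = AuditLog()
    the_map = Map("constructed sample: agent cover assignments")
    jacobs_cap = LoggedMapCap(the_map, "jacob", log)

    jacobs_cap.read("jacob")                  # direct use, logged as Jacob alone
    arthurs_cap = jacobs_cap.grant("arthur")  # Jacob wraps before handing on
    arthurs_cap.read("arthur")                # logged as Arthur, via Jacob's grant
    carols_cap = arthurs_cap.grant("carol")   # Arthur re-delegates inside his membrane
    carols_cap.read("carol")                  # two links in the chain

    # Jacob still holds the wrapper he gave away. Used from his own session it
    # is logged as Jacob acting under his grant to Arthur: attribution follows
    # the session, not the wrapper presented.
    arthurs_cap.read("jacob")

    arthurs_cap.revoke()                      # Jacob withdraws the grant
    cut_off = (denied(arthurs_cap, "arthur"), denied(carols_cap, "carol"))
    jacobs_cap.read("jacob")                  # Jacob's own access is unaffected
    return log, cut_off
```

Note what the log can and cannot settle: it shows which sessions read the map and through whose grants, which is what the investigator wants, but it cannot by itself say whether Jacob or Arthur was the mole, since both legitimately read the map; that is the framing concern raised above, and wrapping only narrows it.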
This page is meant to stimulate designs. I propose some assumptions merely to limit scope: