Hal Finney recently wrote the following claim that is concise and precise:
Therefore ACLs can disallow irrevocable delegation while capabilities (by themselves) cannot.
I take his quote out of context, and that may be unfair, but it is a nice claim, for it seems to require little context. I wrote a chatty reply, but I think that a more careful response is needed. An older note on revocation perhaps needs to be integrated with this.

Delegation is when X, with some ability to act by virtue of holding capability C, sends that capability to Y. X has then delegated the ability to Y. In some cases X may undo this delegation by deleting what C refers to, but then X also loses the ability.

When X foresees the contingency of wanting to undo the delegation, X creates some new object which is endowed with C. As X creates the new object, X gains two capabilities d and D which both refer to the new object. Orders to D are immediately relayed to C and produce the same effects and results as the same order on C. The one order on d is to destroy the new object and thus revoke D.

But this merely illustrates X’s option to produce a revocable capability. Hal’s claim is that capability systems are unable to require that any ability delegated by X to Y be revocable.

Requiring that all abilities that X delegates to Y be revocable first requires preventing X from sending irrevocable capabilities to Y. In capability systems you do this sort of thing by denying to X a capability via which to send things to Y. Yet we wish to allow X to send revocable abilities to Y. To do this, Z, who has the authority to constrain X’s actions, builds a mediator M, such as the Annalist, which will pass on messages to Y but transform all capabilities therein to corresponding revocable capabilities. Z gives a capability for M to X. Z, the creator of M, is the one who gains the capability to revoke the invisible mediators that govern signals between the worlds of X and Y. Z must indeed be the authority that originally grants X the ability to communicate with others on the system. All such ability will be in the form of capabilities to mediators that install revocation means on transmitted capabilities.
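The two constructions above, sketched as an added example that is not part of the original note: makeRevocable is X's optional forwarder (D and d), and makeMediator is the M that Z builds. All names are hypothetical. It assumes object references stand in for capabilities, wraps only the top-level fields of a message, and does not wrap results returned through D, which a full mediator would also have to do.

```javascript
// Added example; every name is hypothetical. An object reference plays the
// role of a capability: holding it is the only way to invoke it.

// X's optional construction: D relays orders to C, d destroys the relay.
function makeRevocable(C) {
  let target = C;
  const D = new Proxy({}, {
    get: (_, order) => (...args) => {
      if (target === null) throw new Error("revoked");
      return target[order](...args); // same effect and result as on C
    },
  });
  return { D, d: () => { target = null; } };
}

// Z builds M around a channel to Y. X is handed only `send`, never Y itself;
// Z keeps `revokeAll`.
function makeMediator(deliverToY) {
  const revokers = [];
  const send = (message) => {
    const wrapped = {};
    for (const [name, value] of Object.entries(message)) {
      if (typeof value === "function") throw new Error("cannot wrap"); // fail closed
      if (typeof value === "object" && value !== null) {
        const { D, d } = makeRevocable(value);
        revokers.push(d);
        wrapped[name] = D; // Y receives D, never C
      } else {
        wrapped[name] = value; // plain data carries no authority
      }
    }
    deliverToY(wrapped);
  };
  return { send, revokeAll: () => revokers.forEach((d) => d()) };
}

function demo() {
  const C = { n: 0, bump() { return ++this.n; } }; // constructed sample object
  let inboxOfY = null;
  const M = makeMediator((msg) => { inboxOfY = msg; });
  M.send({ note: "hello", counter: C }); // X delegates through M
  const before = inboxOfY.counter.bump(); // Y uses the ability
  M.revokeAll(); // Z severs everything that crossed M
  let after = "still usable";
  try { inboxOfY.counter.bump(); } catch (e) { after = e.message; }
  return { before, after, isSameObject: inboxOfY.counter === C, xCount: C.bump() };
}

console.log(demo());
```

X keeps its own direct use of C after Z revokes; only what crossed M is cut off.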

This is all equivalent to the vats in e-rights systems. If each user were in a vat, then capabilities between vats could be revoked by severing the line between them. Crypto is not needed, for there are no external wires to expose secrets. The swiss number is unneeded if

This logic is isomorphic to a portion of the code in such mechanisms as the pluribus protocol that bridges two capability regimes with a communications channel. The ideas behind such protocols are described here. The crypto code and three-site handoff are not required in this application. Indeed the same code may be employed.


With this authority Z is in a position to enable X to do productive work but retroactively ...
Suppose that I am an ordinary subscriber to a capability-based service such as Keykos. I decide to hire Sam to write a program which will produce slowly varying data. I want Alice, another subscriber to the service, to be able to see the data, but I also want to be able to change my mind in that regard. I invoke the user factory, passing a sub bank and sub meter of mine. In return I get circuit keys over which