Dave Wagner spoke about Object Capabilities for Security at the 2006 “ACM SIGPLAN Workshop on Programming Languages and Analysis for Security”. I find the slides and accompanying text very good and very clear. Subsequent e-mail began a discussion on the material.

Responding to the question about possible communication paths with less than full ability to convey capabilities and information, I note that the Keykos kernel had such logic for cases where Bob was a kernel object, such as a node, and the capability that Alice held was a fetch key. That capability could transfer no capabilities to Bob, the node.

Much more generally, if Alice had been instantiated by a factory, then Alice might hold capabilities to any number of Bobs, but such capabilities were pre-vetted by the factory to eliminate the export of information by Alice, either by virtue of the nature of the Bob or by the nature of the capability thereto.
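The two mechanisms in the preceding paragraphs, a fetch key that lets its holder read a node but not store into it, and a factory that vets each component capability before a confined object may hold it, are sketched below as an added illustration. This is a simplified model written for this note, not Keykos code; the class names (`Node`, `FetchKey`, `NodeKey`, `SensoryKey`, `Factory`, `Confined`), the `accepts_input` flag and the vetting rule are assumptions chosen to make the point visible.

```python
"""Simplified object-capability model (added example, not Keykos code).

A Node holds capability slots.  A NodeKey can fetch and store, so a holder
could push capabilities or data into the node.  A FetchKey can only fetch,
so it conveys nothing into the node.  A Factory admits only capabilities
through which the confined object cannot send anything out, either because
of the nature of the key (fetch-only) or the nature of the object behind it
(sensory: it accepts no input).  All names and rules here are assumptions."""
from typing import Any, Callable


class CapabilityError(Exception):
    """Raised when a key is used beyond the authority it carries."""


class Node:
    """Kernel object with a fixed number of capability slots."""

    def __init__(self, nslots: int = 16) -> None:
        self.slots: list[Any] = [None] * nslots


class NodeKey:
    """Full key to a node: fetch and store, so it can carry data into Bob."""
    accepts_input = True  # a holder can push capabilities through this key

    def __init__(self, node: Node) -> None:
        self.node = node

    def fetch(self, i: int) -> Any:
        return self.node.slots[i]

    def store(self, i: int, cap: Any) -> None:
        self.node.slots[i] = cap


class FetchKey:
    """Fetch key: read slots only; cannot transfer anything into the node."""
    accepts_input = False

    def __init__(self, node: Node) -> None:
        self.node = node

    def fetch(self, i: int) -> Any:
        return self.node.slots[i]

    def store(self, i: int, cap: Any) -> None:
        raise CapabilityError("fetch key cannot store into the node")


class SensoryKey:
    """Key to an object that by its nature takes no input (a clock, say)."""
    accepts_input = False

    def __init__(self, read: Callable[[], Any]) -> None:
        self._read = read

    def read(self) -> Any:
        return self._read()


class Confined:
    """Alice: an object that starts with only the capabilities the factory admitted."""

    def __init__(self, caps: list) -> None:
        self.caps = caps

    def try_export(self, i: int, secret: Any) -> bool:
        """Try to push `secret` out through every held key; True if any succeeds."""
        for cap in self.caps:
            store = getattr(cap, "store", None)
            if store is None:
                continue
            try:
                store(i, secret)
                return True
            except CapabilityError:
                pass
        return False


class Factory:
    """Builds Confined objects from pre-vetted component capabilities."""

    def __init__(self) -> None:
        self.components: list = []

    def admits(self, cap: Any) -> bool:
        # Vetting rule (assumption): reject any key a holder could send input through.
        return not getattr(cap, "accepts_input", True)

    def add_component(self, cap: Any) -> None:
        if not self.admits(cap):
            raise CapabilityError(f"{type(cap).__name__} could let Alice export information")
        self.components.append(cap)

    def instantiate(self) -> Confined:
        return Confined(list(self.components))


def demo() -> dict:
    """Constructed scenario: Alice holds a fetch key and a sensory key, and nothing more."""
    node = Node(4)
    factory = Factory()
    factory.add_component(FetchKey(node))             # vetted: read-only view of Bob
    factory.add_component(SensoryKey(lambda: 12345))  # vetted: sensory, constructed clock
    node_key_rejected = not factory.admits(NodeKey(node))
    alice = factory.instantiate()
    exported = alice.try_export(0, "secret")
    return {"node_key_rejected": node_key_rejected, "exported": exported, "slot0": node.slots[0]}


if __name__ == "__main__":
    print(demo())
```

The vetting happens at instantiation, so it is the factory, not Alice's later behaviour, that determines whether an export path exists; in the scenario above no held key offers one, and the node stays untouched.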

Other, unimplemented schemes, such as the fort, would analogously prevent Alice from depending upon external mutable or ephemeral things, even while allowing the export of outgoing signals.

This does not imply that your questioner’s concerns were met, however.