Card Keys and ACLs Jonathan S. Shapiro (jsshapiro@earthlink.net)
Tue, 10 Mar 1998 22:55:09 -0500

Greg:

Thanks for your note. Would you mind if I incorporate some of your questions into the "What is a Capability" essay?

Let me try to answer your questions as I can. Since you had two essentially separate threads, I'll reply in two notes.

Card Keys:

If you think about it a little more, I think you'll conclude that card keys are actually capabilities that are difficult to copy.

In an ACL system, it is the identity of the user that matters, not some token that they hold. In a card key system, all security is based on a token -- the card key. If you hand me your card key, I can get into the building.

Three points are leading to your confusion (I think):

  1. There are multiple, individually identifiable card keys for the same building.
  2. An individual card key can be rescinded without requiring everybody to get a new card key.
  3. The set of entries named by the card key is modifiable.

What's actually going on is that an access control list system has been constructed using a capability system as a primitive mechanism.

  1. Put a unique identifier in every capability.
  2. Introduce an indirection object that can be destroyed, and give the user a capability to the indirection object.

Because the unique identity requirement is the exceptional case, EROS (the operating system we have constructed at Penn) adopts the second approach.

If you are considering tradeoffs, it is both straightforward and efficient to implement an ACL system on top of a capability system. It is almost impossible and damned inefficient to do the other way around.

Counter-based access control:

It seems that you have identified a problem for which an access control list is the best first-order solution. Capabilities are not necessarily the right solution for all problems. In my opinion, however, they provide the best primitive set for building problem-specific solutions. At the risk of repeating, I can solve the card key problem by building the desired access mechanism on top of capabilities. I can't go the other way around.

Why does this matter?

For some problems, capabilities are a better answer. Delegation, confinement, and the principle of least privilege are all unsolvable using access control lists. Actually, it's been proven mathematically that confinement *cannot* be solved with ACL designs.
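The two mechanisms listed in the message above (a unique identifier in every capability, and a destroyable indirection object behind each card), as an added toy model in Python; this is illustrative code, not EROS code and not part of the original message, and the names Building, Forwarder, Capability and swipe are invented for it.

```python
import itertools

class Capability:
    """An unforgeable token: whoever holds it can use it, no identity check.
    Mechanism 1: every capability carries its own unique identifier."""
    _ids = itertools.count(1)

    def __init__(self, target):
        self.id = next(Capability._ids)
        self._target = target

    def invoke(self, door):
        return self._target.open(door)

class Forwarder:
    """Mechanism 2: an indirection object between the card and its doors.
    Destroying it rescinds this one card; every other card is unaffected."""
    def __init__(self, doors):
        self.doors = set(doors)  # point 3: the set of entries is modifiable
        self.alive = True

    def open(self, door):
        if not self.alive:       # destroyed: this card now opens nothing
            return False
        return door in self.doors

class Building:
    """The ACL layer built on top: card id -> (holder, forwarder)."""
    def __init__(self):
        self.cards = {}

    def issue(self, holder, doors):
        fwd = Forwarder(doors)
        cap = Capability(fwd)
        self.cards[cap.id] = (holder, fwd)
        return cap

    def rescind(self, card_id):  # invalidate this one card only
        self.cards[card_id][1].alive = False

    def grant(self, card_id, door):  # change what this one card opens
        self.cards[card_id][1].doors.add(door)

def swipe(card, door):
    """A door reader checks the token it is given, never who holds it."""
    return card.invoke(door)
```

Handing the Capability object to someone else is the "if you hand me your card key, I can get into the building" case: the reader never consults an identity, only the token, while rescinding one card leaves the others working.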