Tyler, there are two basic and fundamental flaws in your argument about delegation. You state:
> The creator of an object receives the only capability for
> that object.
It is clear from context (your subsequent use of the pronoun "she" in reference to the creator) that by "creator" you mean a principal rather than a program. Your statement is therefore contrafactual for partitioned capability systems, and at best half true for encrypted capability systems (in that programs also receive the capability, and for that matter receive it before the principal does).
The balance of your argument proceeds to make many tacit assumptions about the principal's ability to correctly understand the behavior of the programs that they execute. These assumptions are unsupported by mathematics, and are contradicted by empirical observation in current systems. I am prepared to believe that this can be addressed by better system design, but the argument as given doesn't hold until such a design has been tested.
Jonathan S. Shapiro, Ph.D.
Research Staff Member
IBM T.J. Watson Research Center
Phone: +1 914 784 7085 (Tieline: 863)
Fax: +1 914 784 7595
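The message above contrasts partitioned capability systems (capabilities live in kernel-managed per-process tables and user code sees only indices) with encrypted capability systems (a capability is an unforgeable string that whoever holds it can wield). The following toy model is an added example, not part of Shapiro's message or any real system; class names, the HMAC-based token format and the sample "principal"/"program" labels are illustrative assumptions. It shows why, in both designs, it is the running program rather than the human principal that first holds the capability for an object it creates:

```python
"""Toy model of partitioned vs. encrypted capability representations.

Added example; not from the original message. Names and the HMAC token
layout are assumptions chosen for illustration only.
"""
import hmac
import hashlib
import os


class PartitionedKernel:
    """Partitioned (c-list) design: the kernel keeps a capability list per
    process. User code never sees the object identity, only a small index
    that is meaningless outside the owning process's c-list."""

    def __init__(self):
        self.objects = {}   # object id -> contents
        self.clists = {}    # process id -> list of object ids
        self._next = 0

    def create_object(self, pid, contents):
        # The creating *process* gets the capability; a human principal
        # only ever acts through some process.
        oid = self._next
        self._next += 1
        self.objects[oid] = contents
        self.clists.setdefault(pid, []).append(oid)
        return len(self.clists[pid]) - 1    # c-list index

    def invoke(self, pid, index):
        clist = self.clists.get(pid, [])
        if index < 0 or index >= len(clist):
            raise PermissionError("no such capability in this process's c-list")
        return self.objects[clist[index]]

    def delegate(self, from_pid, index, to_pid):
        # Delegation copies the object reference into another c-list;
        # the receiving process gets its own, unrelated index.
        oid = self.clists[from_pid][index]
        self.clists.setdefault(to_pid, []).append(oid)
        return len(self.clists[to_pid]) - 1


class EncryptedKernel:
    """Encrypted (sparse) design: a capability is object id + MAC under a
    kernel secret. Possession of the bytes is possession of the authority,
    so the program that called create_object holds it before anyone else."""

    def __init__(self):
        self.secret = os.urandom(32)   # never leaves the kernel
        self.objects = {}
        self._next = 0

    def _tag(self, oid):
        return hmac.new(self.secret, oid.to_bytes(8, "big"), hashlib.sha256).digest()

    def create_object(self, contents):
        oid = self._next
        self._next += 1
        self.objects[oid] = contents
        return oid.to_bytes(8, "big") + self._tag(oid)

    def invoke(self, cap):
        oid = int.from_bytes(cap[:8], "big")
        tag = cap[8:]
        if oid not in self.objects or not hmac.compare_digest(tag, self._tag(oid)):
            raise PermissionError("forged or unknown capability")
        return self.objects[oid]


def demo():
    """Run both models; returns a dict the reader (or a test) can inspect."""
    results = {}

    pk = PartitionedKernel()
    idx = pk.create_object("editor-process", "draft.txt contents")
    results["partitioned_invoke"] = pk.invoke("editor-process", idx)
    try:                                   # same index, different process: denied
        pk.invoke("other-process", idx)
        results["partitioned_cross_process"] = "allowed"
    except PermissionError:
        results["partitioned_cross_process"] = "denied"
    didx = pk.delegate("editor-process", idx, "other-process")
    results["partitioned_after_delegate"] = pk.invoke("other-process", didx)

    ek = EncryptedKernel()
    cap = ek.create_object("draft.txt contents")
    results["encrypted_invoke"] = ek.invoke(cap)
    forged = cap[:8] + bytes(len(cap) - 8)  # right object id, bogus MAC
    try:
        ek.invoke(forged)
        results["encrypted_forged"] = "allowed"
    except PermissionError:
        results["encrypted_forged"] = "denied"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the partitioned model the principal cannot even name the object except through a process's c-list; in the encrypted model the bytes returned by `create_object` land in the calling program's memory first, and the principal sees them only if that program chooses to display or forward them, which is the ordering the message points out.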