Most systems use an [[ACL]] security model, which is based on having a specific identity (a user or role) that holds a list of permissions.
ACLs are coarse: permissions attach to the identity rather than to the task at hand, so you can’t express very specific grants, and a program you run inherits everything you are allowed to do, which is far more authority than it needs.
Capability systems instead make each capability discrete and selective: one reference grants one specific authority, and nothing more.
When logging into a platform you get an initial set of capabilities, and each one can be selectively forwarded (delegated) to another party, so a program ends up holding only the capabilities it was handed.
Elixir (like Erlang) has actors, lightweight processes that can be compared to objects from OOP but with some differences: an actor owns its state and is only reached through asynchronous messages.
Each actor maintains a queue (mailbox) of messages that it processes one at a time.
Combining these, an actor that holds a reference to another actor can send it messages (call its methods); one that doesn’t cannot, because a reference can only be obtained by being given one. This is enforced at the language level rather than by a separate permission check.
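The mechanism above (a reference is the capability, delegation hands out attenuated references, no reference means no access) as an added example in JavaScript. This is illustrative code written for these notes, not code from Elixir or from Goblins; the tiny actor runtime (`spawn`, `send`, `run`), the key-value store actor, and the `readOnly` / `makeRevocable` forwarders are all assumptions chosen for the demonstration.

```javascript
// Minimal object-capability actor runtime (added example, not Goblins or Elixir code).
// A capability is an opaque reference; the only way to obtain one is to be given it.

// Map from reference -> actor internals. It is module-private, so holding a
// reference reveals nothing about the actor, and no one can enumerate actors.
const internals = new WeakMap();
const runQueue = [];

// spawn(behaviour): create an actor and return its unforgeable reference.
// behaviour(msg) is invoked once per queued message.
function spawn(behaviour) {
  const ref = Object.freeze({}); // opaque handle: nothing to read, nothing to forge
  internals.set(ref, { mailbox: [], behaviour });
  return ref;
}

// send(ref, msg): enqueue a message. Without a reference there is no way to address the actor.
function send(ref, msg) {
  const actor = internals.get(ref);
  if (!actor) throw new TypeError('not an actor reference');
  actor.mailbox.push(msg);
  runQueue.push(ref);
}

// run(): drain all mailboxes until quiescent (single-threaded, deterministic scheduler).
function run() {
  while (runQueue.length) {
    const actor = internals.get(runQueue.shift());
    const msg = actor.mailbox.shift();
    if (msg !== undefined) actor.behaviour(msg);
  }
}

// makeStore(): a key-value store actor. Its data lives in the closure, never on the reference.
function makeStore() {
  const data = new Map();
  return spawn((msg) => {
    if (msg.op === 'set') data.set(msg.key, msg.value);
    else if (msg.op === 'get') send(msg.replyTo, { key: msg.key, value: data.get(msg.key) });
  });
}

// readOnly(target, audit): attenuation. The facet forwards only 'get'; whoever holds
// the facet never learns `target`, so the full capability cannot be recovered from it.
function readOnly(target, audit) {
  return spawn((msg) => {
    if (msg.op === 'get') send(target, msg);
    else audit.push(`denied ${msg.op}`);
  });
}

// makeRevocable(target): caretaker pattern. The forwarder is handed out; revoke() severs it.
function makeRevocable(target) {
  let live = target;
  const ref = spawn((msg) => { if (live) send(live, msg); });
  return { ref, revoke: () => { live = null; } };
}

// demo(): the owner keeps the full store capability and hands a client a revocable,
// read-only facet. Returns what the client managed to do.
function demo() {
  const audit = [];
  const replies = [];
  const store = makeStore();
  const inbox = spawn((msg) => replies.push(msg)); // where the client receives answers
  const { ref: clientCap, revoke } = makeRevocable(readOnly(store, audit));

  send(store, { op: 'set', key: 'secret', value: 42 });        // owner: full authority
  send(clientCap, { op: 'set', key: 'secret', value: 0 });     // client: write is refused
  send(clientCap, { op: 'get', key: 'secret', replyTo: inbox }); // client: read is allowed
  run();

  revoke();
  send(clientCap, { op: 'get', key: 'secret', replyTo: inbox }); // silently dropped now
  run();

  // A party with no reference cannot manufacture one: a structurally identical
  // frozen object is not in the registry, so identity, not shape, is what matters.
  let forgeRejected = false;
  try {
    send(Object.freeze({}), { op: 'get', key: 'secret', replyTo: inbox });
  } catch (e) {
    forgeRejected = e instanceof TypeError;
  }
  return { audit, replies, forgeRejected };
}
```

Running `demo()` yields one audit entry (`denied set`), exactly one reply carrying `42` (the read issued before revocation), and `forgeRejected === true`. The same shape carries over to a real actor language: the facet and the caretaker are ordinary actors, and the security property rests only on references being unobtainable except by delegation.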
[[Spritely]] has made [[Goblins]], which implements these behaviours. It gives strong guarantees for remote capabilities (between separate processes), but local, in-process capabilities can currently be broken.