The fundamental insight is that references to things should be accomplished through capabilities, and only through capabilities. Classically, capabilities have been protected purely by hardware mechanisms (no code could access the bits that comprise the capability) or by limiting the code with such access to a small fixed set within the “Trusted Computing Base”.

Distributed computing uses data channels to move “computing signals” from one part of the world to another. When these channels carry signals between buildings, or even between rooms, they are implemented by diverse and unknown organizations. Such channels are, by themselves, too complicated and unreliable to be the foundation of an information service unless steps are taken to build reliable systems upon unreliable ones.

The Internet and other communications technologies provide a considerable degree of alternate routing to alleviate failures of individual components. Checksums can protect data from inadvertent modification. Message authentication codes (secure hashes such as MD5 or SHA together with shared secrets) can even protect against malicious modification of transmitted data (modification designed to deceive the receiver of the data). Encryption can provide secrecy by preventing the reading of the computing signals. (With extra care, encryption can also provide authentication, but that is not as easy as it first seems.) The above mechanisms are broadly understood. Technical and political details once limited the deployment of encryption.

Even when a single small group, or even one individual, is responsible for making the various conceptual parts of a service work, it has proven wise to employ techniques that categorically limit the signals between these parts, so as to limit buggy signals that damage other parts. From the effects of such bogus signals it is often hard to deduce their source. Many software reliability problems are of this form.

Responsibility for providing information services may not divide along machine boundaries. The software within a machine will usually comprise so many parts that protection within the machine is practically necessary. In a distributed system, signals will move through data channels to other machines. The above mechanisms can ensure that the right signal gets to the right machine, but we must also ensure that the signal gets to the right compartment in the right machine. We introduce some forms of “Remote Object References” here to achieve this end. Such a reference is a direct analog of the capability, and indeed it can be made to appear identical to most programs designed to wield capabilities. We thus gain transparent distribution while retaining capability security.
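As an added illustration (not part of this essay, nor any particular capability system's protocol), the following sketch treats a remote object reference as an unguessable token that names one compartment on the receiving machine, and authenticates each message with a MAC under a shared secret as described above, so a message altered in transit or sent over the wrong channel is dropped before any object is touched. The `Counter` object, the HMAC-SHA256 MAC and the `body|tag` wire format are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets


class Counter:
    """Constructed sample object living in one compartment of a host."""
    def __init__(self):
        self.value = 0

    def add(self, n):
        self.value += n
        return self.value


class CapabilityHost:
    """A machine whose objects are reachable only through unguessable references.
    Hypothetical minimal design; HMAC-SHA256 and the wire format are assumptions."""
    def __init__(self, channel_key: bytes):
        self.channel_key = channel_key  # shared secret for the channel MAC (constructed)
        self.table = {}                 # reference string -> object

    def export(self, obj) -> str:
        ref = secrets.token_hex(16)     # 128-bit random reference: holding it is the authority
        self.table[ref] = obj
        return ref

    def receive(self, wire: bytes):
        """Verify the MAC first, then dispatch to the compartment the reference names."""
        body, tag = wire.rsplit(b"|", 1)
        expect = hmac.new(self.channel_key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expect):
            return ("rejected", "bad mac")  # altered in transit or wrong channel
        msg = json.loads(body)
        obj = self.table.get(msg["ref"])
        if obj is None or msg["method"].startswith("_"):
            return ("rejected", "unknown reference or method")  # no reference, no access
        return ("ok", getattr(obj, msg["method"])(*msg["args"]))


def send(channel_key: bytes, ref: str, method: str, *args) -> bytes:
    """Build a message addressed by reference and append its MAC."""
    body = json.dumps({"ref": ref, "method": method, "args": list(args)}).encode()
    tag = hmac.new(channel_key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag
```

A sender that knows the channel key but only guesses a reference gets nothing, and a sender that holds a reference but tampers with the body fails the MAC check; the two mechanisms address different threats.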

CORBA proposes a framework in which messages can carry references to things while these messages are themselves addressed via just the same sort of references. CORBA carries along with it enough extra baggage to daunt the casual designer (such as me).