This note is to explore more thoroughly the ideas I first noted here. That explanation assumes too much familiarity with capability patterns, and also is vague on some points that have interesting and useful variations.

I explore an interesting trust complexity gamut with the dramatis personæ given above.

- R is aware of Q but not P. R’s needs are satisfied by the yield of Q’s factory which invoked P’s factory when the q for R was produced. The p inside q is unknown to R. This is indeed the normal and standard pattern for complex objects.
- R is aware of P and wants a p in some initialized state that requires clever initial invocations of p. Q’s factory buys a new p from P’s factory performs the special initialization of p and passes a boxed version of p back to R who invoked Q’s factory. If it is agreed that there is some property of a q that will continue to apply despite arbitrary invocations of p, then the box can be used later to convince others that p still has the property.
- If there is an algorithm to test a p, by invocations thereof, whether p has some persistent property, then Q program can apply this algorithm on a used p to vouch for a p that has been accessible to untrusted actors. Some behaviors will require algorithms that have exclusive access to p during the test. Q would have to acquire exclusive rights in some maner.