We scratched out heads and could find no principled answers to these questions. Often the right answer is you find out the properties from where-ever you got the capability. Often that won’t work. There is the primitive DISCRIM object. That primitive objects packs several related functions. There were theoretical reasons why programs might be denied access to DISCRIM but they did not arise in practice. In practice most caps to segments (files) had a segment keeper you could ask. If segment is fraudulent (claims to be a plain segment but is not) then you can still write programs to access that segment safely.
For some situations if the supplier of a cap says that this is a zot then you can ask the zot creator: “Did you make this?”. Creators are generally in a position to answer such questions reliably and efficiently. In short, the answer to your question is distributed.
A complexity is that some segments have keepers and for portions of those segments, accessing that portion suspends accessor and gives control to the keeper who may be in a position to reify that portion. Your program is transparently served and while the keeper learns that you accessed the portion.
The real kernel allocates 5 bits in the cap to a ‘type’ that informs informs the kernel whenever the kernel considers a cap. There are more kernel types than DISCRIM lets on lest synthetic kernel keys be revealed.