The fact that there are useful statements about keys that are valid at all levels of description {outside the kernel of course} is what makes a system based on capabilities powerful.

In a fundamental sense, there are exactly two ways that a key can be used.

It follows that to precisely define a key one must specify the result of invoking it, and the result of passing it to {all} other keys.

It never matters who uses the key. A key is the same in the hands of any subject.

On the other hand, two keys together can be more powerful than either one separately. {To exercise that power, one key must be passed on an invocation of the other key, or both must be passed on an invocation of a third key.} Example: a domain key and the domain-tool key.