"Capability Myths Demolished" (at srl.cs.jhu.edu ) explains the differences between various access control models that have come to be known as "capability systems", and sets the record straight about the properties widely attributed to the Capability Security Model.
This paper was rejected by the referees of Usenix Security 2003 (See www.eros-os.org ). The answer to these objections was an invited paper: Paradigm Regained.
See original on c2.com