Miller, Donnelley & Karp (2007) Delegating Responsibility in Digital Systems

Bibliographic Entry

“The protocol that adds accountability to capabilities without sacrificing safety”

Summary

The paper addresses a longstanding criticism of object-capability (OCap) systems: that their anonymous, bearer-right model makes it impossible to determine who to blame when something goes wrong. ACL systems track identity but sacrifice proactive safety; capability systems provide proactive safety but lack reactive accountability. Miller, Donnelley, and Karp propose Horton — Higher-Order Responsibility Tracking of Objects in Networks — a protocol layer that can be interposed between existing OCap application objects to add identity-based tracking and accountability without modifying the objects or their underlying capability foundations.

Key Points

Proactive and reactive security are complementary, not competing. The paper frames two approaches to protecting users from harmful programs: proactive control (preventing bad things or limiting damage) and reactive control (identifying who to blame and suspending their access). ACL systems support reactive control directly by tagging actions with user identity, but are weak at proactive control because programs inherit all of their user’s privileges. Capability systems provide strong proactive control through least authority, but their anonymous bearer-right model appears to make reactive control impossible.

Horton refutes the accountability criticism of capabilities. Among historical criticisms of OCap systems, the inability to record who to blame for which action was the one remaining unrefuted objection. Horton demonstrates that identity-based tracking can be added to capability systems as a protocol layer — interposed between existing objects without modifying them — thereby combining proactive safety with reactive accountability.

Responsibility delegation requires coupling authority with accountability. The paper’s central thesis: delegation is fundamental to human society, and digital systems must support not just delegation of authority (capability systems) and not just assignment of responsibility (identity systems), but delegation of responsibility — authority coupled with accountability for its use. Horton makes this coupling explicit at the protocol level.

The protocol uses proxy/stub pairs to track identity across capability boundaries. Horton introduces Carol (an intermediary) between Alice and Bob. When Alice delegates a capability to Bob through Carol, Horton wraps the capability in a proxy that records Bob’s identity when exercised. The stub at the receiving end ensures the exercised capability carries accountability metadata. Neither Alice’s nor Bob’s existing code needs modification.

Bootstrapping relies on inductive trust relationships. Every secure protocol faces two cases: establishing an initial secure relationship between unconnected parties (base case) and bootstrapping new relationships from existing secure ones (inductive case). Horton handles the inductive case through sealed/unsealed gift-wrapping — new accountability relationships are established through existing trusted connections, extending the accountability chain without requiring a central authority.

Identity is represented through sealer/unsealer pairs, not central registries. Rather than relying on a certificate authority or identity provider, Horton uses the sealer/unsealer cryptographic pattern native to OCap systems. This preserves the decentralized character of capability-based authority while adding the identity layer needed for accountability.

Horton is a layer, not a replacement. The protocol sits on top of existing OCap foundations. This architectural choice is load-bearing: it means systems can gain accountability incrementally, adding Horton to specific delegation paths that need tracking without imposing it everywhere. The capability substrate retains its properties unchanged.
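The four mechanisms described above (proxy/stub pairs, sealer/unsealer identity, chained delegation, and interposition that leaves the target object untouched) fit in a short program. What follows is an added example, not code from the paper or from any Horton implementation: a toy accountability layer in plain JavaScript in which the names makeSealerUnsealerPair, makePrincipal, makeStub, makeProxy and runDelegationChain, the log record shape, and the counter object are all this example's own simplifications. Alice grants a capability to Carol, Carol re-delegates it to Bob, and each stub logs which grantee exercised the authority; the counter never learns that any of this is happening.

```javascript
// Added example (not from the Horton paper or the page): a simplified
// Horton-style accountability layer. Every name below is constructed.

// Sealer/unsealer pair: seal(v) returns an opaque box; only the matching
// unseal can recover v. The private WeakMap acts as the brand.
function makeSealerUnsealerPair() {
  const brand = new WeakMap();
  const seal = (payload) => {
    const box = Object.freeze({});
    brand.set(box, payload);
    return box;
  };
  const unseal = (box) => {
    if (!brand.has(box)) throw new Error('box not sealed by this brand');
    return brand.get(box);
  };
  return Object.freeze({ seal, unseal });
}

// A principal keeps its sealer private and publishes { name, unseal } as
// its identity ("who"). Holders of `who` can check that a box came from
// this principal but cannot forge one.
function makePrincipal(name) {
  const { seal, unseal } = makeSealerUnsealerPair();
  return Object.freeze({ who: Object.freeze({ name, unseal }), seal });
}

// Stub: lives on the grantor's side, in front of the real capability.
// grant(who) hands out a gift bound to one grantee; every use of the gift
// must arrive sealed by that grantee and is logged against its name.
function makeStub(target, grantorName, log) {
  return Object.freeze({
    grant(who) {
      return Object.freeze({
        invoke(box) {
          const { method, args } = who.unseal(box); // throws unless sealed by `who`
          log.push({ grantor: grantorName, grantee: who.name, method });
          return target[method](...args);
        },
      });
    },
  });
}

// Proxy: lives on the grantee's side. To the grantee's code it looks like
// the original object, but it seals each call with the grantee's private
// sealer so the stub can attribute it.
function makeProxy(gift, principal, methods) {
  const proxy = {};
  for (const method of methods) {
    proxy[method] = (...args) => gift.invoke(principal.seal({ method, args }));
  }
  return Object.freeze(proxy);
}

// Worked chain: Alice -> Carol -> Bob over a constructed counter object
// that is unaware of the accountability layer.
function runDelegationChain() {
  let count = 0;
  const counter = { incr: (n) => (count += n), read: () => count };
  const aliceLog = [];
  const carolLog = [];

  const alice = makePrincipal('Alice');
  const carol = makePrincipal('Carol');
  const bob = makePrincipal('Bob');

  // Alice wraps her capability in a stub and grants it to Carol.
  const aliceStub = makeStub(counter, alice.who.name, aliceLog);
  const giftToCarol = aliceStub.grant(carol.who);
  const carolProxy = makeProxy(giftToCarol, carol, ['incr', 'read']);

  // Carol re-delegates: her own stub wraps the proxy she got from Alice.
  const carolStub = makeStub(carolProxy, carol.who.name, carolLog);
  const bobProxy = makeProxy(carolStub.grant(bob.who), bob, ['incr', 'read']);

  carolProxy.incr(2); // logged as Carol at Alice's stub
  bobProxy.incr(3);   // logged as Bob at Carol's stub, as Carol at Alice's stub

  // A leaked gift is useless without the grantee's sealer: even if Bob gets
  // hold of Alice's gift-to-Carol, he cannot produce a box Carol's unsealer
  // accepts, so the call is rejected before anything is logged or executed.
  let forgedRejected = false;
  try {
    giftToCarol.invoke(bob.seal({ method: 'incr', args: [100] }));
  } catch (e) {
    forgedRejected = true;
  }

  return { total: bobProxy.read(), aliceLog, carolLog, forgedRejected };
}
```

Two things to notice when running it: Alice's log never names Bob, because Alice only ever delegated to Carol, so responsibility for Bob's use of the authority rests with Carol at Alice's level of the chain; and the counter's interface is wrapped, not changed, which is the "layer, not replacement" property the summary calls load-bearing.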

Key Quotes

“There are two approaches to protect users from the harm programs can cause, proactive control and reactive control. Proactive controls help prevent bad things from happening, or limit the damage when they do. But when repeated abuse occurs, we need some workable notion of ‘who’ to blame, so we can reactively suspend the responsible party’s access.”

“Because ocaps operate on an anonymous ‘bearer right’ basis, they seem to make reactive control impossible. Indeed, although many historical criticisms of ocaps have since been refuted, a remaining unrefuted criticism is that they cannot record who to blame for which action. This lack has led some to forego the benefits of ocaps.”

“Horton can be interposed between existing ocap-based application objects, without modifying either these objects or their underlying ocap foundations. Horton supports identity-based tracking and control for delegating responsibility with authority. Horton thereby refutes this criticism of the ocap paradigm.”

“Delegation is fundamental to human society. If digital systems are to mediate ever more of our interactions, we must be able to delegate responsibility within them. While some systems support the controlled delegation of authority, and other systems support assignment of responsibility, today we have no means for delegating responsibility, that is, delegating authority coupled with assigning responsibility for using that authority.”

“Every protocol which builds secure relationships must face two issues: 1) the base case, building an initial secure relationship between players not yet connected by this protocol, and 2) the inductive case, in which a new secure relationship is bootstrapped from earlier assumed-secure relationships.”

Influence

Horton provided the missing accountability mechanism for the object-capability paradigm, resolving the most persistent criticism that had led some system designers to reject capabilities in favor of ACL-based approaches. The protocol influenced Miller’s subsequent work on robust openness (the 2019 ActivityPub talk recapitulates Horton as the accountability layer enabling open social systems). The Horton architecture — accountability as a layer atop authorization — directly informs approaches to agent delegation where principals need to track how delegated authority is exercised without requiring agents to operate under ambient identity systems.

Sources

Relations