Identity-based access controls, and related schemes, are too coarse-grained for
the requirements of modern collaborative systems. Capabilities offer the hope
of fixing what otherwise appears to be a hopeless problem.
Furthermore, capabilities make some security options quite simple that would
otherwise be hopelessly unwieldy.
For those interested in further exploration and experimentation, I would skip
the operating system approach.
The language-based approach offers three viable alternatives: Caja, which
should be in wide use by the time this paper is published; E, which is mature
and functional, but not very much used; and Joe-E. Caja and Joe-E share
the advantage that they are based on existing languages (JavaScript and Java
respectively) and so do not present a steep learning curve. E, on the other
hand, has a number of interesting features, such as built-in support for writing
distributed systems and an interesting and useful distributed message ordering
paradigm.
For distributed systems, Waterken implements a web-based approach, and,
as mentioned above, E has support at the language level.
In all cases, it makes sense to exploit the natural link between capabilities
and objects by using a language designed to handle capabilities inherently, thu