A standard problem in distributed capabilities is the confinement 
problem. Once you have given someone a capability, you cannot prevent 
them from giving it to someone else. TCPA and Palladium provide a 
mechanism by which this can be solved. The protocol is left as an 
exercise for the reader, but it involves a private key closely held by 
the TCPA/Palladium hardware, a nonce, and, of course, the capability 
(or, more precisely, its Swiss number).