It appears that Meadowcap makes a very common mistake.
The implementation relies on signature schemes again. Consider Alfie and Betty, each holding a key pair. Alfie can mint a new capability for Betty by signing his own capability together with her public key.
By using “her public key” the system makes tracking trivial. In a system that better protects privacy, each capability should be tied to a unique key pair created for just that purpose. I would change that text to say
The implementation relies on signature schemes again. Consider Alfie and Betty, each able to create many key pairs. Alfie can mint a new capability for Betty by signing his own capability together with a public key Betty has created for this purpose…