I like to be flexible with policies, so while I think "capabilities" should be the core model, using ACL mechanisms under the hood is valid. If the capability mechanism is very minimal, people can build mechanisms and policies on top that are specialized for different use cases. It's not about "capabilities vs. ACLs"; it's "use the right tool for the job".
So while resource revocation in general is a hard problem, anyone can come up and implement their clever scheme in my imagined world.