By the way -- to avoid confusion between "proxies used to wrap unrestricted objects in order to make them into secure objects" and "proxies used to reduce the interface of an existing secure object", let's call the first "proxy" (as has been used in the "rexec vs. proxy" discussion so far), and call the second a "facet" (which is the term commonly used when capabilities people talk about reducing an interface). We often talk about providing, say, a "read-only facet" on an object.
Hm, I'm not sure I understand the difference between the two definitions you give. What does "making something into a secure object" mean if not "reducing its interface"? And what is the fundamental difference between a secure object and an insecure one? In my world view there's a gradual difference. The only truly secure object is None. :-)
--Guido van Rossum (home page: http://www.python.org/%7Eguido/)