Protection in capability-based operating systems is comsidered. The concept of a conditional capability, which is a generalization of a conventional capability, is proposed. The conditional capability can only be exercised when certain conditions relating to the context of its use are satisfied. It is shown that such capabilities form a basis upon which features such as domains of protection, revocation, and type extension can be built. The implementation of these features can be isolated into sepuate modules thus leaving the basic protection module uncluttered and simplifying the overall structure of the system.