No Actions specify more than one object, but "capabilities" in authorization field is plural.

[alanhkarp]

A capability designates the object and the permission being authorized on that object. The method in the descriptor field specifies a single operation, and all allowed Actions take a single argument. Hence, there should be only one capability in the authorization field.

The kid field allows for only a single key, but it should be possible to issue each capability to a different key. As long as only one capability can be specified, a single key suffices.

Also, since the capability necessarily designates the object, it can be used in place of the objectId in the descriptor. Each capability should authorize a single permission, so the capability can also be used instead of the method field in the descriptor field.