OCAP and Capability URLs are great tools for short-lived resources. But there's a reason we don't protect long-lived resources with "unguessable" character sequences - and especially not as a core component of an internet standard protocol definition. Because (doh) given enough time hackers have always guessed the damn things. Security through obscurity - just say no. Actually you should probably be saying "hell no".