Gutenberg is a port-based operating system being designed to study protection issues in distributed systems. All shared resources are viewed as protected objects and hence can be assessed only via specific operations defined on them. Processes communicate and access objects through the use of ports. Each port is associated with an abstract data type operation and can be created by a process only if the process has the capability to execute the operation on the type. Thus, a port represents the privilege of the port's client process to request a service. Capabilities to create ports for requesting operations are contained in a capability directory, which is navigated by processes to gain these capabilities. Privilege transfer is a means of providing servers access to the resources they need to perform their services. In Gutenberg, privilege transfer is accomplished by allowing access to subdirectories of the capability directory and by passing capabilities, including port access capabilities, to processes via ports. It should be possible to revoke transferred privileges when breaches of trust are detected or suspected, when a period of time has passed beyond which the distributor of a privilege does not want the privilege shared, or when an error has been detected.