0) Soda/floor5/*

1) Consider the partition function to be Soda/floor5. Alice gives Bob access to Soda/floor 5/thermostat and Soda/floor5/lock, Bob gives access to Chris to Soda/floor5/thermostat. Chris can see the lock permission too even though he cannot use it because it is in the same partition.

2) Revocation relies on non-inclusion proofs. Access to an entity is invalidated if the *revocation commitment* has been published, and so to prevent revocation, one must publish a non-inclusion proof for the revocation commitment.