OCAP is what the ActivityPub folks want to use to add permissions and access controls to ActivityPub because they (finally) recognise that these concepts are important in decentralised social networking. And because they refuse to use any technology which I came up with. In this spirit it is claimed that Access Control Lists are flawed and OCAP fixes all these flaws. It does not. It merely creates a new and different set of flaws. Access control lists are used by every major operating system to protect files. There are good reasons why this is the case.
Hubzilla has an "Access Token" feature which resembles the way OCAP works. Resources are protected only by a random string or key. I've never promoted this feature because it doesn't do what most of us want, which is to share things with specific people (access control lists). Instead it is described as a way to protect something by giving people "keys" or "tickets" to access something. You can't actually control who uses that key or ticket. Anybody can use them and access your stuff if the key/ticket is published somewhere (or hacked). That's why I don't particularly care for this technology. It's a solution which doesn't really fit the problem we're trying to solve and protecting your keys/tickets from getting into the wrong hands is quite a challenge. People don't know whether or not a link is a link to a private thing, and if they share them online all of a sudden everybody using Google or Facebook now have access to your private thing.
Oh and to use it in this space you *still* need an access control list because you need a place to define who you should give keys/tickets to. So you end up with all the flaws of both solutions.
Anyway, this doesn't matter to me. I'm happy to work with any technology that these folks dream up if it can be coerced to solve my problems. I already have much better solutions to these problems (and have had for nearly a decade) so I'm not in any hurry.
Re: OStatus - it isn't dead. It still has more people using it than use Zot networks. I'm not supporting it in Zap, but I'm not supporting any insecure or spammy or non-nomadic protocols in Zap. ActivityPub is still an insecure, spammy, and non-nomadic protocol at this point in time. So is Diaspora. So is OStatus.