I don't think outbound transitive closure is what we need for
permission delegation. Rather, it's inbound transitive closure. I
might not link from my blog to my livejournal account, but if my
livejournal links to my blog it is giving permission to my blog. Check
out the "trustsme" api that I made up and see if you agree.