The nameserver is not necessarily trusted by C. If C wants to send the capability to B (which it must, to get the mapping hierarchy right), then it must be as a reply message. Thus B must send the request to C, as C is the trusted system server, not A (which B doesn't trust that much). The required protocol is pretty much enforced from start to end given the border conditions (trust parameters).
There are two ways how B could get its capability. Either B asks C to give them, or A asks C to send one (of the capabilities it has from C) to B.
Both operations work out of the box. A and B do not trust each other and C do not need a cmp().
Bernhard