[cap-talk] Another "core" principle

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Sun Dec 24 18:38:46 CST 2006 

David Hopwood wrote:
> Jed at Webstart wrote:
> 
>>In the message above you seem to suggest that if a revocation
>>happens and it stops somebody from doing their work, that's
>>OK.  If the revocation is as intended and the person should no
>>longer have access, then of course it is more than OK, it's
>>what should happen.
>>
>>However, in the case we've been discussing (
>>
>>1.  Alice -> Bob -> Carol -> Dave  ("->" indicates delegates to),
>>
>>2.  Bob's access is revoked,
>>
>>3.  Carol is introduced to Alice and Alice decides that Carol
>>should be trusted with the authority delegated to her from
>>Alice via Bob.
>>
>>) this is not the intent and I regard it as very far from OK.
>>Because of #3 both Carol and Dave should continue to be
>>able to exercise the authority granted to them from Alice
>>by Bob.
> 
> But should Carol continue to have access *via the same reference as before*?
> I claim not: indeed, I think it is essential to security (and intended by
> Alice) that Carol should lose access via that reference.
> 
> While it may be seen as convenient that Carol continues to have access via
> the same reference, this is absolutely the wrong thing from the point of view
> of preventing confused deputy attacks. Bob (for example) may still be in a
> position to provoke Carol into using that reference in a way that is no longer
> intended, after the revocation.
> 
> (Note that Carol is a process, not a human user, and therefore is fundamentally
> incapable of understanding the reasons why it may have been requested to
> perform any given operation. This is also true if Carol happens to be a
> "user agent" process. The only way we can avoid confused deputy attacks is to
> ensure that processes do not need any intelligence to determine when they can
> use a particular reference.

After reading some other posts in this very large thread, I see that some other
participants may have been intending "Alice", "Bob" and "Carol" to refer to
principals that would normally correspond to human users. Regardless, I think
that the above argument stands, since:

 - principals that correspond to human users are not distinguished from principals
   that don't, in most cap systems,

 - humans can be vulnerable to confused deputy attacks, too.

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>

More information about the cap-talk mailing list