[cap-talk] the "flaw" of separating designation from authority
Karp, Alan H
alan.karp at hp.com
Wed Oct 25 16:13:34 CDT 2006
Fred Spiessens wrote:
>
> Interesting, Client Utility may have discovered another kind of
> flaw, or maybe a variant of the confused deputy problem (as I
> understand it), that shows designation and authority really have to
> be combined. I would like to understand that flaw then.
> Let me repeat, just to be clear, that I did not propose an
> alternative for capabilities. I only want to question the reason why
> capabilities can avoid confused deputies: I think it is not the
> combination of authority with designation, but the fact that (all)
> permissions are "portable".
>
Your example

    MyFileSystem.writeFile(fileID: 12345 certificate: Fcert data: "XYZ")

shows only one file. What if the method that implements writeFile
invokes another method that takes two arguments, the second being a log
file? Someone could build a system that correctly did

    MyFileSystem.logWriteFile(fileID: 12345 certificate: Fcert1 data: "XYZ"
                              fileID: 67890 certificate: Fcert2)

In this case, Fcert1 is provided by the invoker of writeFile and Fcert2
by the invoker of logWriteFile and the system knows which cert to apply
to which argument. However, someone could also build a system that
incorrectly did

    MyFileSystem.logWriteFile(fileID: 12345 fileID: 67890 data: "XYZ"
                              certificates: Fcert1, Fcert2)
Now, the invoker of writeFile could specify fileID 67890 as an argument,
and the log file will be corrupted. That's the mistake we made in
Client Utility. Of course, the problem with the latter is that we lost
track of which argument each certificate refers to.
_________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp/
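A toy model of the two logWriteFile designs Alan describes above, added here as an illustration; it is not code from the post or from Client Utility. The file IDs 12345 and 67890, the Cert class (a certificate that grants write authority over exactly one file ID), the method names log_write_paired and log_write_pooled, and the deputy's private DEPUTY_LOG_CERT are all constructed for the example. The attack function plays the invoker of writeFile who holds a certificate only for 12345 but names the log file 67890 as the target.

```python
"""Toy model of the paired vs. pooled logWriteFile designs (constructed example).

File IDs 12345 (the caller's file) and 67890 (the deputy's log), the Cert
class, and the method names are made-up stand-ins for the post's
fileID/certificate arguments; none of this is Client Utility code.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    """Stand-in for the post's Fcert: write authority over one file ID."""
    file_id: int


@dataclass
class FileSystem:
    # Constructed content store: both files start empty.
    files: dict = field(default_factory=lambda: {12345: "", 67890: ""})

    def _raw_write(self, file_id, data):
        self.files[file_id] += data

    def log_write_paired(self, target_id, target_cert, data, log_id, log_cert):
        """Correct design: each certificate is bound to one specific argument."""
        if target_cert.file_id != target_id:
            raise PermissionError(f"no authority for {target_id}")
        if log_cert.file_id != log_id:
            raise PermissionError(f"no authority for {log_id}")
        self._raw_write(target_id, data)
        self._raw_write(log_id, f"wrote {len(data)} bytes to {target_id}\n")
        return True

    def log_write_pooled(self, target_id, log_id, data, certs):
        """Incorrect design: a pool of certificates; any cert may cover any argument."""
        for fid in (target_id, log_id):
            if not any(c.file_id == fid for c in certs):
                raise PermissionError(f"no authority for {fid}")
        self._raw_write(target_id, data)
        self._raw_write(log_id, f"wrote {len(data)} bytes to {target_id}\n")
        return True


LOG_ID = 67890
# The deputy holds its own certificate for the log file; callers never see it.
DEPUTY_LOG_CERT = Cert(LOG_ID)


def write_file_paired(fs, file_id, cert, data):
    """The deputy's writeFile, built on the paired logWriteFile."""
    return fs.log_write_paired(file_id, cert, data, LOG_ID, DEPUTY_LOG_CERT)


def write_file_pooled(fs, file_id, cert, data):
    """The deputy's writeFile, built on the pooled logWriteFile."""
    return fs.log_write_pooled(file_id, LOG_ID, data, [cert, DEPUTY_LOG_CERT])


def attack(write_file):
    """A caller holding only a cert for 12345 names the log file 67890 as target.

    Returns (accepted, log_contents) for the given deputy implementation.
    """
    fs = FileSystem()
    caller_cert = Cert(12345)
    try:
        write_file(fs, LOG_ID, caller_cert, "GARBAGE\n")
        accepted = True
    except PermissionError:
        accepted = False
    return accepted, fs.files[LOG_ID]


if __name__ == "__main__":
    print("paired:", attack(write_file_paired))
    print("pooled:", attack(write_file_pooled))
```

With the paired design the call is refused, because the caller's certificate is checked against the argument it was supplied for. With the pooled design the deputy's own log certificate, which was supplied for the log argument, ends up authorizing the caller's choice of target, and the log file is overwritten with the caller's data. This is exactly the loss of the cert-to-argument binding the post describes.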