[cap-talk] Heresy: Confused Deputies do NOT Justify Capabilities
Jonathan S. Shapiro
shap at eros-os.com
Fri Aug 22 11:03:02 CDT 2008
In a note on coyotos-dev, Charlie Landau recently wrote:
> That's not sufficient to avoid the confused deputy problem.
This note is not a response to him. It's a response to the statement per
se: confused deputies do not justify capability-based systems.
The underlying problem of a confused deputy is an API problem. The
deputy acts at different moments with different authorities, and it
needs to keep them separated. Capabilities provide ONE solution to this,
because they incorporate explicit designation of authority into every
operation.
But the reason they solve the problem is not because they are
capabilities per se. The reason they solve the problem is that the API
of a capability system uses explicit designation.
An alternative design, involving explicit user identity or other
authority-encapsulating objects, and having the ability to designate the
appropriate authority object with each operation, could solve the
confused deputy problem equally well. It might not solve other problems,
but it would solve confused deputy.
shap
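As an added illustration that is not part of Shapiro's note: a toy deputy written two ways in Python, once acting under its own ambient authority and once with an API that takes an explicit authority-encapsulating object per operation, showing that explicit designation alone, without capabilities, removes the confused deputy. All names (Store, Authority, compile_ambient, compile_designated) and the billing path are invented for the example.

```python
# Added illustration, not code from Shapiro's note; all names here are invented.
# Confused deputy prevented by explicit designation of authority per operation.

class Authority:
    """Authority-encapsulating object: an identity plus the path prefix it may write."""
    def __init__(self, name, prefix):
        self.name, self.prefix = name, prefix

    def permits(self, path):
        return path.startswith(self.prefix)

class Store:
    """Toy in-memory file store; every write names the authority it acts under."""
    def __init__(self, files=None):
        self.files = dict(files or {})

    def write(self, auth, path, data):
        if not auth.permits(path):
            raise PermissionError(f"{auth.name} may not write {path}")
        self.files[path] = self.files.get(path, "") + data   # append semantics

SERVICE = Authority("compiler-service", "/")   # the deputy's own, broad authority
BILLING = "/srv/billing.log"                   # constructed path the deputy must protect

def compile_ambient(store, user, out_path):
    """Deputy acting under ambient authority: both writes use SERVICE, so a
    user-chosen out_path equal to BILLING silently corrupts the billing log."""
    store.write(SERVICE, out_path, f"binary for {user}\n")
    store.write(SERVICE, BILLING, f"charge {user}\n")

def compile_designated(store, user_auth, out_path):
    """Same deputy, but the API designates the authority for each operation:
    the caller's object for the output file, the service's own for billing."""
    store.write(user_auth, out_path, f"binary for {user_auth.name}\n")
    store.write(SERVICE, BILLING, f"charge {user_auth.name}\n")

def demo():
    """Run both designs against a constructed billing log; return what each left."""
    ambient = Store({BILLING: "charge bob\n"})
    compile_ambient(ambient, "alice", BILLING)          # a binary lands in the log
    designated = Store({BILLING: "charge bob\n"})
    alice = Authority("alice", "/home/alice/")
    compile_designated(designated, alice, "/home/alice/a.out")   # normal use works
    try:
        compile_designated(designated, alice, BILLING)  # checked against alice's authority
        refused = None
    except PermissionError as e:
        refused = str(e)
    return ambient.files[BILLING], designated.files[BILLING], refused
```

The deputy's own authority (SERVICE) is still used for the billing write; what changes is that the output write is performed under the authority the caller designated, so the deputy never confuses the two.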