[cap-talk] Heresy: Confused Deputies do NOT Justify Capabilities

David Mercer radix42 at gmail.com
Fri Aug 22 11:58:49 CDT 2008


On Fri, Aug 22, 2008 at 9:03 AM, Jonathan S. Shapiro <shap at eros-os.com> wrote:
> In a note on coyotos-dev, Charlie Landau recently wrote:
>
>> That's not sufficient to avoid the confused deputy problem.
>
> This note is not a response to him. It's a response to the statement per
> se: confused deputies do not justify capability-based systems.
>
> The underlying problem of a confused deputy is an API problem. The
> deputy acts at different moments with different authorities, and it
> needs to keep them separated. Capabilities provide ONE solution to this,
> because they incorporate explicit designation of authority into every
> operation.
>
> But the reason they solve the problem is not because they are
> capabilities per se. The reason they solve the problem is that the API
> of a capability system uses explicit designation.
>
> An alternative design, involving explicit user identity or other
> authority-encapsulating objects, and having the ability to designate the
> appropriate authority object with each operation, could solve the
> confused deputy problem equally well. It might not solve other problems,
> but it would solve confused deputy.

I agree with the basic premise, but have some reservations as to its
operational safety.  If such authority designation objects are
required with each call without a default authority object,
programmers will almost find it unduly inconvenient, and not wish to
use such a system.  If there is a default authority object, through
either laziness or accidentally overlooking the need to switch
permissions, the types of violations of POLA currently present in
(nearly all) ACL systems would occur.  It is the need to supply two
references, to the object being invoked and the authority object that
goes against natural programmer laziness. Having to think about which
authority object is appropriate to an individual call is an even
greater cognitive burden.  Of course capabilities get around this by
there being only one reference needed, and the fact that that
reference automatically carries the needed authority, and hopefully no
more.  The burden of deciding which authorities are needed for a
particular call is factored out and needs only be made once, instead
of with each invocation.

So in theory, yes, it can be done.  But in practice I think that it
would end up being done poorly.

-David Mercer
Tucson, AZ
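A small model of the API designs argued over above (the explicit-designation API of the quoted note, and the default-authority variant the reply worries about), added here as an illustration and not code from either correspondent; the compiler-with-billing-log deputy, the `Authority` class and all paths are constructed for the example.

```python
# Added example, not from the thread. Models a deputy (a "compiler") that
# writes a billing log with its own authority and an output file chosen by
# the caller. All names and paths here are hypothetical.
from dataclasses import dataclass


class Denied(Exception):
    pass


@dataclass(frozen=True)
class Authority:
    """An authority-encapsulating object: the paths its holder may write."""
    name: str
    writable: frozenset


STORE = {}  # constructed stand-in for a filesystem: path -> list of writes


def write_file(auth, path, data):
    """Every write names an authority object explicitly and is checked against it."""
    if path not in auth.writable:
        raise Denied(f"{auth.name} may not write {path}")
    STORE.setdefault(path, []).append(data)


DEPUTY = Authority("deputy", frozenset({"/var/billing.log"}))
CALLER = Authority("alice", frozenset({"/home/alice/out"}))


def compile_ambient(out_path):
    """Design 1: the deputy uses its own authority for both writes. A caller
    naming the billing log as the output path gets it overwritten."""
    write_file(DEPUTY, "/var/billing.log", "charge alice")
    write_file(DEPUTY, out_path, "object code")


def compile_explicit(caller_auth, out_path):
    """Design 2: explicit designation. Billing uses the deputy's authority,
    the caller-chosen path uses the caller's, so the billing log is protected."""
    write_file(DEPUTY, "/var/billing.log", "charge alice")
    write_file(caller_auth, out_path, "object code")


def compile_lazy(out_path, caller_auth=None):
    """Design 3: explicit designation with a default. Omitting the caller's
    authority silently falls back to the deputy's own, reopening design 1."""
    write_file(DEPUTY, "/var/billing.log", "charge alice")
    write_file(caller_auth or DEPUTY, out_path, "object code")


def probe(fn, *args):
    """Run one call and report 'ok' or 'denied', to compare the three designs."""
    try:
        fn(*args)
        return "ok"
    except Denied:
        return "denied"
```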
