[cap-talk] Heresy: Confused Deputies do NOT Justify Capabilities
Jed Donnelley
capability at webstart.com
Sat Aug 30 20:06:28 CDT 2008
At 09:03 AM 8/22/2008, Jonathan S. Shapiro wrote:
>In a note on coyotos-dev, Charlie Landau recently wrote:
>
> > That's not sufficient to avoid the confused deputy problem.
>
>This note is not a response to him. It's a response to the statement per
>se: confused deputies do not justify capability-based systems.
>
>The underlying problem of a confused deputy is an API problem. The
>deputy acts at different moments with different authorities, and it
>needs to keep them separated. Capabilities provide ONE solution to this,
>because they incorporate explicit designation of authority into every
>operation.
>
>But the reason they solve the problem is not because they are
>capabilities per se. The reason they solve the problem is that the API
>of a capability system uses explicit designation.
>
>An alternative design, involving explicit user identity or other
>authority-encapsulating objects, and having the ability to designate the
>appropriate authority object with each operation, could solve the
>confused deputy problem equally well. It might not solve other problems,
>but it would solve confused deputy.
I agree with the above proposition. However, I consider such mechanisms,
"user" identity based systems that provide the ability to designate
[delegate?] the appropriate authority object with each operation,
to be 'capability' systems.
Consider for example the mechanism described in:
http://www.webstart.com/jed/papers/Managing-Domains/#s10
While the principal involved is a "process" identity, I believe
this ACL based mechanism is essentially "isomorphic" to a
capability mechanism. Each process has its own authorities
and each has the ability to communicate such authorities
in messages.
If one bundles a set of processes (active objects) together
under a single "principal" but still allows communication
of authorities in messages I believe the resulting system
is still equivalent to a capability system except that
control is more gross with multiple active objects (processes)
falling within the same "domain" (as I would term it).
For me any access control scheme in which individual
active objects (processes) can exert individual
authorities and can communicate them in messages is
a "capability" system. I don't know any system that
can address the Confused Deputy problem without these
essential properties.
--Jed http://www.webstart.com/jed-signature.html
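The argument in this message and in the quoted note turns on one API distinction: a deputy that takes a *name* from its caller and acts on it with its own ambient rights, versus a deputy that can only act on an authority object the caller already holds and passes along with the request. The following toy model is an added example written for this edited copy; it is not code from the cap-talk thread, nor from any system Jed or Shapiro describe. The in-memory `Store`, its per-file ACL, the principals `alice` and `compiler`, and the paths are all constructed for illustration. The "ACL plus passable handles" variant is the shape Jed calls isomorphic to a capability system: the rights check happens under the identity of the party obtaining the handle, and the handle can then travel in a message to the deputy.

```python
"""
Toy model (constructed for this example) of Hardy's confused deputy and of the
explicit-designation fix discussed on cap-talk.  Not code from the thread or
from any real operating system.
"""
from dataclasses import dataclass


class AccessDenied(Exception):
    pass


class Store:
    """In-memory 'filesystem' with one ACL per file: path -> {principal: set(modes)}."""

    def __init__(self):
        self._data = {}
        self._acl = {}

    def create(self, path, acl):
        self._data[path] = ""
        self._acl[path] = acl

    def read(self, path):
        return self._data[path]

    def _check(self, principal, path, mode):
        if mode not in self._acl.get(path, {}).get(principal, set()):
            raise AccessDenied(f"{principal} lacks '{mode}' on {path}")

    def write_as(self, principal, path, text):
        """Ambient ACL check: the rights consulted are those of whoever is running."""
        self._check(principal, path, "w")
        self._data[path] += text

    def open_write(self, principal, path):
        """Designation: check once, under the *requester's* identity, and hand back a
        handle.  Holding the handle is the authority; it can be passed in a message."""
        self._check(principal, path, "w")
        return WriteHandle(self, path)


@dataclass(frozen=True)
class WriteHandle:
    """A capability to append to `path`; unforgeable within this toy."""
    store: Store
    path: str

    def write(self, text):
        self.store._data[self.path] += text


BILLING = "/var/billing/log"   # constructed path: only the compiler may write it


def compile_ambient(store, src, out_path):
    """Confused deputy: the caller supplies a *name*, the compiler exercises its own
    rights on it, so the caller effectively borrows the compiler's authority."""
    store.write_as("compiler", out_path, f"obj({src})\n")
    store.write_as("compiler", BILLING, "1 unit\n")


def compile_designated(store, src, out_handle):
    """Fixed deputy: the output is designated by a handle the caller already holds.
    The compiler's own authority (the billing log) is a separate handle."""
    out_handle.write(f"obj({src})\n")
    store.open_write("compiler", BILLING).write("1 unit\n")


def make_store():
    s = Store()
    s.create(BILLING, {"compiler": {"w"}})           # compiler may bill; alice may not
    s.create("/home/alice/a.o", {"alice": {"w"}})    # alice's own output file
    return s


def ambient_attack():
    """alice names the billing log as her output file; the ambient deputy obliges."""
    s = make_store()
    compile_ambient(s, "a.c", BILLING)
    return s.read(BILLING)        # polluted with alice's object code


def designated_attack():
    """Under explicit designation alice cannot even build the argument."""
    s = make_store()
    try:
        handle = s.open_write("alice", BILLING)
    except AccessDenied:
        return "denied"
    compile_designated(s, "a.c", handle)
    return s.read(BILLING)


def designated_normal_use():
    """Legitimate call: alice passes a handle she obtained under her own identity."""
    s = make_store()
    compile_designated(s, "a.c", s.open_write("alice", "/home/alice/a.o"))
    return s.read("/home/alice/a.o"), s.read(BILLING)


if __name__ == "__main__":
    print("ambient deputy, billing log now:", repr(ambient_attack()))
    print("designated deputy, attack result:", designated_attack())
    print("designated deputy, normal use:", designated_normal_use())
```

The point the model makes is the one both posters agree on: nothing about `WriteHandle` requires a "pure" capability kernel. The check in `open_write` is an ordinary ACL lookup against a principal; what removes the confusion is that the deputy's API accepts only an object the caller could obtain under its own identity, and that such objects can be communicated in the request.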