[cap-talk] Loss of control (was: Re: A paper on web-keys)

Mark Miller erights at gmail.com
Fri Feb 1 12:14:53 EST 2008

On Feb 1, 2008 8:46 AM, Karp, Alan H <alan.karp at hp.com> wrote:
> MarkM wrote:
> >
> > I don't understand. What use would you make of client-side
> > authentication? Would the use you have in mind be vulnerable to
> > confused deputy problems?
> >
> Hey, I said "might" :)  Actually, I was thinking along the lines of an
> additional, non-ocap check.  (You know how much I like to cross levels of
> abstraction.)  For example, "This capability can only be used by clients in
> my domain."  How that might be implemented is left as an exercise for the
> reader.

I'm not concerned with how it's implemented. I'm concerned that by
adding this ACL check, you now have a classic "hybrid capability
system". To the degree that you depend on this ACL check for access
control, you have all the classic ACL problems, including confused
deputy. As I've said before, it might be a good strategy in some
contexts to create such mixed systems as a legacy bridge. But Waterken
does not yet have an ACL legacy we need to bridge.

Text by me above is hereby placed in the public domain

