[cap-talk] Loss of control (was: Re: A paper on web-keys)
Bill Frantz
frantz at pwpconsult.com
Fri Feb 1 20:52:50 EST 2008
erights at gmail.com (Mark Miller) on Friday, February 1, 2008 wrote:
>On Feb 1, 2008 8:46 AM, Karp, Alan H <alan.karp at hp.com> wrote:
>> MarkM wrote:
>> >
>> > I don't understand. What use would you make of client-side
>> > authentication? Would the use you have in mind be vulnerable to
>> > confused deputy problems?
>> >
>> Hey, I said "might" :) Actually, I was thinking along the lines of an
>> additional, non-ocap check. (You know how much I like to cross levels of
>> abstraction.) For example, "This capability can only be used by clients in
>> my domain." How that might be implemented is left as an exercise for the
>> reader.
>
>I'm not concerned with how it's implemented. I'm concerned that by
>adding this ACL check, you now have a classic "hybrid capability
>systems". To the degree that you depend on this ACL check for access
>control, you have all the classic ACL problems, including confused
>deputy. As I've said before, it might be a good strategy in some
>contexts to create such mixed systems as a legacy bridge. But Waterken
>does not yet have an ACL legacy we need to bridge.
I don't see how it is vulnerable to confused deputy. The check that
Alan was suggesting is only an additional reason to deny a request.
You still need the capability (web key) to access a resource, so the
capability model protections are still in force.

This kind of check might make an easy way of enforcing a policy of,
"Only available inside the firewall". You would issue client-side
certificates to all the users inside the firewall and ... (As a
practical matter, IP address checking on requests might be an even
better engineering solution to implementing this policy.)

While we can describe how to implement this policy in a pure
capability system, by confining outward communication, this approach
might be easier to implement and review.

Cheers - Bill
---------------------------------------------------------------------------
Bill Frantz |"We used to quip that "password" is the most common
408-356-8506 | password. Now it's 'password1.' Who said users haven't
www.periwinkle.com | learned anything about security?" -- Bruce Schneier
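An added illustration of the two-stage check discussed in this message (not code from the thread or from Waterken): a web key is an unguessable token that serves as the capability, and an "inside my domain" client-certificate check is layered on top so that it can only add a reason to deny. The `WebKeyStore` class, the `authorize` function, the request dictionary shape and the domain names are assumptions made for the example.

```python
import hmac
import secrets


class WebKeyStore:
    """Maps unguessable web keys to resource names.

    Possession of a key is the authority; there is no per-client ACL here.
    """

    def __init__(self):
        self._keys = {}

    def issue(self, resource):
        # 256 bits of randomness: the key cannot be guessed, which is what
        # makes it usable as a capability rather than an identifier.
        key = secrets.token_urlsafe(32)
        self._keys[key] = resource
        return key

    def lookup(self, presented):
        # Constant-time comparison against each stored key so that a
        # near-miss does not leak how many leading characters matched.
        presented_bytes = presented.encode("utf-8")
        for key, resource in self._keys.items():
            if hmac.compare_digest(key.encode("utf-8"), presented_bytes):
                return resource
        return None


def authorize(store, request, allowed_domains):
    """Return (resource or None, reason) for a constructed request dict.

    Stage 1 is the capability check and is always required.  Stage 2 is the
    additional, non-ocap policy check; it can only deny, never grant, so a
    client in the right domain still gets nothing without the web key.
    """
    resource = store.lookup(request.get("web_key", ""))
    if resource is None:
        return None, "denied: no valid web key (capability check)"
    domain = request.get("client_cert_domain")
    if domain not in allowed_domains:
        return None, "denied: client domain %r outside policy (additional check)" % (domain,)
    return resource, "granted"


def demo():
    """Run three constructed requests and return their outcomes."""
    store = WebKeyStore()
    key = store.issue("quarterly-report")
    inside = {"example.com"}  # hypothetical 'inside the firewall' domain
    requests = {
        "key+inside": {"web_key": key, "client_cert_domain": "example.com"},
        "key+outside": {"web_key": key, "client_cert_domain": "partner.test"},
        "nokey+inside": {"client_cert_domain": "example.com"},
    }
    return {name: authorize(store, req, inside) for name, req in requests.items()}


if __name__ == "__main__":
    for name, (resource, reason) in demo().items():
        print("%-13s %-18s %s" % (name, resource, reason))
```

The third request is the one that matters for the confused-deputy question: a client that satisfies the domain policy but never received the web key is refused at stage 1, because the domain check is evaluated only after the capability check has already passed.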