[cap-talk] Loss of control (was: Re: A paper on web-keys)

Jed Donnelley jed at nersc.gov
Fri Feb 1 21:30:12 EST 2008


On 2/1/2008 5:52 PM, Bill Frantz wrote:
> erights at gmail.com (Mark Miller) on Friday, February 1, 2008 wrote:
> 
>> On Feb 1, 2008 8:46 AM, Karp, Alan H <alan.karp at hp.com> wrote:
>>> MarkM wrote:
>>>> I don't understand. What use would you make of client-side
>>>> authentication? Would the use you have in mind be vulnerable to
>>>> confused deputy problems?
>>>>
>>> Hey, I said "might" :)  Actually, I was thinking along the lines of an
>>> additional, non-ocap check.  (You know how much I like to cross levels of
>>> abstraction.)  For example, "This capability can only be used by clients in
>>> my domain."  How that might be implemented is left as an exercise for the
>>> reader.
>> I'm not concerned with how it's implemented. I'm concerned that by
>> adding this ACL check, you now have a classic "hybrid capability
>> systems". To the degree that you depend on this ACL check for access
>> control, you have all the classic ACL problems, including confused
>> deputy. As I've said before, it might be a good strategy in some
>> contexts to create such mixed systems as a legacy bridge. But Waterken
>> does not yet have an ACL legacy we need to bridge.
> 
> I don't see how it is vulnerable to confused deputy.  The check that
> Alan was suggesting is only an additional reason to deny a request. 
> You still need the capability (web key) to access a resource, so the
> capability model protections are still in force.

In that sense it seems a bit like Horton - though in my opinion
not with as clearly defined a PDP.

--Jed  http://www.webstart.com/jed/
