[cap-talk] Loss of control (was: Re: A paper on web-keys)
Jed Donnelley
jed at nersc.gov
Fri Feb 1 21:30:12 EST 2008
On 2/1/2008 5:52 PM, Bill Frantz wrote:
> erights at gmail.com (Mark Miller) on Friday, February 1, 2008 wrote:
>
>> On Feb 1, 2008 8:46 AM, Karp, Alan H <alan.karp at hp.com> wrote:
>>> MarkM wrote:
>>>> I don't understand. What use would you make of client-side
>>>> authentication? Would the use you have in mind be vulnerable to
>>>> confused deputy problems?
>>>>
>>> Hey, I said "might" :) Actually, I was thinking along the lines of an
>>> additional, non-ocap check. (You know how much I like to cross levels of
>>> abstraction.) For example, "This capability can only be used by clients in
>>> my domain." How that might be implemented is left as an exercise for the
>>> reader.
>> I'm not concerned with how it's implemented. I'm concerned that by
>> adding this ACL check, you now have a classic "hybrid capability
>> systems". To the degree that you depend on this ACL check for access
>> control, you have all the classic ACL problems, including confused
>> deputy. As I've said before, it might be a good strategy in some
>> contexts to create such mixed systems as a legacy bridge. But Waterken
>> does not yet have an ACL legacy we need to bridge.
>
> I don't see how it is vulnerable to confused deputy. The check that
> Alan was suggesting is only an additional reason to deny a request.
> You still need the capability (web key) to access a resource, so the
> capability model protections are still in force.
In that sense it seems a bit like Horton - though in my opinion
not with as clearly defined a PDP.
--Jed http://www.webstart.com/jed/
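The following is an added example, not code from the thread, Waterken, or any of the posters. It models the "hybrid" check sketched above: a request must present a valid web-key (the capability) and the server additionally refuses requests from clients outside a trusted domain. The domain name, the resource, and the proxy are assumptions made up for the illustration. The first three cases show the point Bill makes, that the domain check can only deny and the web-key is still required; the last case shows what happens when the key is handed to a service inside the domain that forwards requests, which is the proxying situation the confused-deputy remark above refers to.

```python
import secrets

# Assumed trusted domain standing in for "clients in my domain".
TRUSTED_DOMAIN = "example.org"


class WebKeyServer:
    """Toy server: resources are reachable only via an unguessable web-key."""

    def __init__(self):
        self._resources = {}  # web-key -> resource

    def mint(self, resource):
        # The web-key is the capability: whoever knows it may use it.
        key = secrets.token_urlsafe(16)
        self._resources[key] = resource
        return key

    def handle(self, key, client_domain):
        # Capability check: an unknown key is denied no matter who asks.
        if key not in self._resources:
            return "denied: no such web-key"
        # Additional, non-ocap check: it can only add a reason to deny.
        if client_domain != TRUSTED_DOMAIN:
            return "denied: client outside domain"
        return self._resources[key]


def in_domain_proxy(server, key):
    # Hypothetical deputy running inside the trusted domain. It forwards any
    # key it is handed and the server sees the proxy's domain, not the
    # domain of whoever handed it the key.
    return server.handle(key, TRUSTED_DOMAIN)


def scenarios():
    """Run the four cases and return their outcomes (constructed inputs)."""
    server = WebKeyServer()
    key = server.mint("confidential report")
    return {
        # in-domain client with the key: allowed by both checks
        "inside_with_key": server.handle(key, TRUSTED_DOMAIN),
        # in-domain client without the key: capability check still denies
        "inside_without_key": server.handle("not-a-real-key", TRUSTED_DOMAIN),
        # outside client with the key: the added check denies
        "outside_with_key": server.handle(key, "attacker.example"),
        # outside client hands the key to an in-domain proxy: the proxy's
        # domain satisfies the added check, and the key does the rest
        "outside_via_proxy": in_domain_proxy(server, key),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

Only the web-key decides whether a resource can be reached at all; the domain test narrows who may present it directly, and a forwarding service inside the domain reintroduces the same access for anyone who can reach that service.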