[cap-talk] Loss of control (was: Re: A paper on web-keys)

Sandro Magi naasking at higherlogics.com
Sat Feb 2 11:05:07 EST 2008


Jed Donnelley wrote:
> At 07:53 PM 2/1/2008, David Hopwood wrote:
>> I don't agree with this argument. If system A has a given set of security
>> mechanisms, and system B has the same mechanisms plus additional ones
>> that only act to deny some requests, then it is not valid to conclude that
>> B is automatically no less secure than A. The reason is that the effects on
>> user behaviour must be taken into account: if users or administrators rely
>> on the existence of the extra checks, but those checks are flawed in any
>> way, then they will end up with weaker security than if they had been
>> required to express a comparable policy using only the mechanisms of A.
> 
> I agree with what you say above in the general case.
> However, in this case Bill is referring specifically
> to the confused deputy problem.  Since all permissions
> are explicitly delegated as parameters (no separation
> of designation and authority), the confused deputy
> situation can't happen - even if sometimes, perversely,
> the communicated "permission" (reference) yields no
> actual authority.

Unless users and/or developers start relying purely on the ACL and not
capabilities to control access, which I believe is David's point.

Sandro
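As an added example that is not part of the post above or of any cap-talk code: a deputy service in an ACL-style system, where designation (the path it is asked to write) and authority (its own ACL rights) are separate, beside the same deputy in a capability-style system, where the reference passed as a parameter is the authority. All identities, paths, and the toy ACL and capability tables are constructed for the example.

```python
# Added example (not from the cap-talk post): a confused deputy in an
# ACL-style system, beside a capability-style deputy where the reference
# passed as a parameter *is* the authority. All names and data are constructed.

class AccessDenied(Exception):
    pass

# Constructed toy store: path -> contents.
FILES = {
    "/home/alice/notes.txt": "alice's notes",
    "/var/log/billing.log": "billing records",
}

# ACL world: who may write each path, keyed by the *identity* of whatever
# process performs the write (ambient authority).
ACL = {
    "/home/alice/notes.txt": {"alice"},
    "/var/log/billing.log": {"deputy"},  # only the service itself
}


def acl_write(identity, path, data):
    """ACL check against the identity of the writer, not the requester."""
    if identity not in ACL.get(path, set()):
        raise AccessDenied(f"{identity} may not write {path}")
    FILES[path] = data
    return data


def acl_deputy_save(path, data):
    """A service running as 'deputy' that saves caller-supplied data to a
    caller-supplied path. The path string only designates; the authority
    comes from the deputy's own ACL entries, so a caller can name a file it
    could never write itself and the deputy writes it anyway."""
    return acl_write("deputy", path, data)


class WriteCap:
    """Unforgeable reference that designates one file AND carries the right
    to write it. Holding it is the permission; there is nothing else to check."""

    def __init__(self, path):
        self._path = path
        self._revoked = False

    def write(self, data):
        if self._revoked:
            # The reference still designates the file but yields no authority.
            raise AccessDenied(f"capability for {self._path} was revoked")
        FILES[self._path] = data
        return data

    def revoke(self):
        self._revoked = True


def mint_caps(identity):
    """Delegation point: a principal receives caps only for files it may write.
    Uses the same ACL table as the starting policy so both worlds begin
    from identical permissions."""
    return {p: WriteCap(p) for p, who in ACL.items() if identity in who}


def cap_deputy_save(cap, data):
    """The deputy never consults an ACL or its own identity; it can only
    write through whatever capability it was handed as a parameter."""
    return cap.write(data)


def demo():
    out = {}
    # Alice cannot write the billing log directly...
    try:
        acl_write("alice", "/var/log/billing.log", "tampered")
        out["acl_direct"] = "written"
    except AccessDenied:
        out["acl_direct"] = "denied"
    # ...but the ACL deputy writes it for her: the confused deputy.
    out["acl_via_deputy"] = acl_deputy_save("/var/log/billing.log", "tampered")

    # Capability world: alice holds no cap for the billing log, so she has
    # nothing to pass, and the deputy cannot be talked into writing it.
    alice = mint_caps("alice")
    out["alice_has_billing_cap"] = "/var/log/billing.log" in alice
    out["cap_via_deputy"] = cap_deputy_save(alice["/home/alice/notes.txt"], "updated")

    # The "perverse" case from the quoted text: a reference that designates
    # the file but no longer yields any authority.
    notes = alice["/home/alice/notes.txt"]
    notes.revoke()
    try:
        cap_deputy_save(notes, "after revoke")
        out["revoked"] = "written"
    except AccessDenied:
        out["revoked"] = "denied"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The failure mode the reply warns about is visible in the shape of the code: if a developer later bolts an identity-keyed ACL check onto `cap_deputy_save` and callers start treating that check as the real gate, a flaw in it reintroduces exactly the ambient-authority path that `acl_deputy_save` shows.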

