[cap-talk] (no subject)
ross mcginnis
ross_mcginnis at hotmail.com
Sat Feb 2 17:12:45 EST 2008
> From: alan.karp at hp.com
> To: cap-talk at mail.eros-os.org
> Date: Wed, 30 Jan 2008 00:48:27 +0000
> Subject: Re: [cap-talk] (no subject)
>
> ross mcginnis wrote:
>>
>> Comparing the above cap cases with identity based control- 4
>> possible access cases for using identity based control:
> (snip)
>> 3) is perfect
>> 4) is perfect
>>
> They are not perfect if users can share credentials, which is a serious problem for ACL systems.
>
Hello Alan,
Thanks for replying. May I use this opportunity for me to ask a question which I have been wanting to ask someone for a long time, but have been too embarrassed to raise? Before I state my case I would like to explain that I'm just a hobby programmer (my actual job is fruit picking- a job about as far removed from computers as you can get) so I acknowledge that my thinking is almost certainly wrong. I would really appreciate it if someone here points out where the following argument is wrong.
Confused Deputy : Caps vs. Identity access control-
The way I've often seen the confused deputy problem presented draws the conclusion that the deputy is confused due to an inherent limitation within any identity based access control mechanism.
But the confused deputy problem already implicitly uses a capability control mechanism along with an identity based access control mechanism. The capability controls used are password caps, ie: the file system uses visible publicly transferrable references - it names the files. The identity controls used are ACLs, ie: each file lists those users/groups/others that can access it.
In the confused deputy problem it appears to me that it is not the authority by identity part that fails but rather the authority by caps. ie: People are blaming the wrong access mechanism for the failure- the identity bit works fine, it is the way that the caps are handled that causes the problem.
I say this because, as regularly pointed out, if the user was required to pass the compiler an object-cap then the problem would never occur. ie: if the user was forced to upgrade the file-name (a password cap) to a file-descriptor (an object cap) by calling open("filename", tags) themselves and handed the deputy the resulting file-descriptor then the deputy would never be confused.
Thus it appears to me that the deputy's confusion is due to the fact that the user passes a password-cap instead of an object-cap, it is not a failing of the identity access control per se.
Where is my reasoning wrong here?
(sorry for asking something which I'm sure should seem pretty obvious and trivial, but I really am perplexed.)
thanks
ross
PS: please note that I'm not saying that ACLs have no problems attached at all, it is just that in this case it is not the identity access control that is causing the problem but the caps.
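
A toy model of the scenario this message discusses, added here as an example and not part of the original post: the deputy (a compiler) either opens a user-supplied file name under its own identity, or receives a handle that the user opened. The file names, the identities and the `FileSystem`/`Handle` classes are constructed for illustration.

```python
# Toy model (constructed): files guarded by ACLs, a compiler "deputy" with
# its own identity, and two ways for a user to designate the output file.
class Denied(Exception):
    pass

class FileSystem:
    def __init__(self):
        self.data = {}   # name -> contents
        self.acl = {}    # name -> identities allowed to write

    def create(self, name, writers, contents=""):
        self.data[name] = contents
        self.acl[name] = set(writers)

    def open_for_write(self, identity, name):
        # The ACL check is made against whoever performs the open.
        if identity not in self.acl.get(name, set()):
            raise Denied(f"{identity} may not write {name}")
        return Handle(self, name)   # plays the role of a file descriptor

class Handle:
    """Designates one file and carries the authority to write it."""
    def __init__(self, fs, name):
        self._fs, self._name = fs, name
    def write(self, text):
        self._fs.data[self._name] = text

COMPILER = "compiler"   # the deputy's identity; it may write the billing file

def compile_by_name(fs, out_name):
    # Deputy opens the user-supplied name under its OWN identity.
    fs.open_for_write(COMPILER, out_name).write("debug output")

def compile_by_handle(out_handle):
    # Deputy uses only the authority the user handed over.
    out_handle.write("debug output")

def demo():
    fs = FileSystem()
    fs.create("billing", writers={COMPILER}, contents="alice owes 10")
    fs.create("alice.out", writers={"alice"})
    try:  # handle design: alice has to open the output herself
        compile_by_handle(fs.open_for_write("alice", "billing"))
        refused = False
    except Denied:
        refused = True
    compile_by_handle(fs.open_for_write("alice", "alice.out"))
    intact = fs.data["billing"]
    compile_by_name(fs, "billing")  # name design: ACL check passes for the deputy
    return refused, intact, fs.data["alice.out"], fs.data["billing"]
```

In both designs the ACL check behaves as configured; what differs is whose identity is presented when the name is turned into a handle.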