[cap-talk] Loss of control (was: Re: A paper on web-keys)
David Hopwood
david.hopwood at industrial-designers.co.uk
Sat Feb 2 19:58:23 EST 2008
Alan Karp had written:
> [...] Actually, I was thinking along the lines of an additional, non-ocap
> check. [...] For example, "This capability can only be used by clients in
> my domain."
Jed Donnelley wrote:
> At 08:05 AM 2/2/2008, Sandro Magi wrote:
>> Jed Donnelley wrote:
>>> At 07:53 PM 2/1/2008, David Hopwood wrote:
>>>> I don't agree with this argument. If system A has a given set of security
>>>> mechanisms, and system B has the same mechanisms plus additional ones
>>>> that only act to deny some requests, then it is not valid to conclude that
>>>> B is automatically no less secure than A. The reason is that the
>>>> effects on user behaviour must be taken into account: if users or
>>>> administrators rely on the existence of the extra checks, but those checks
>>>> are flawed in any way, then they will end up with weaker security than if
>>>> they had been required to express a comparable policy using only the
>>>> mechanisms of A.
>>>
>>> I agree with what you say above in the general case.
>>> However, in this case Bill is referring specifically
>>> to the confused deputy problem. Since all permissions
>>> are explicitly delegated as parameters (no separation
>>> of designation and authority), the confused deputy
>>> situation can't happen - even if sometimes, perversely,
>>> the communicated "permission" (reference) yields no
>>> actual authority.
>>
>> Unless users and/or developers start relying purely on the ACL and not
>> capabilities to control access, which I believe is David's point.
>
[...]
> What I thought David was getting at is the oft repeated
> concern that if people can't get their job done by
> delegating fine grained access (e.g. capabilities), then
> they will resort to grosser grained access, like sharing
> credentials (e.g. passwords) between people.
No, that is true, but it wasn't my point. As I replied to Sandro, the main
issue is that:
"If the domain restriction [mentioned by Alan Karp] prevents any attacks,
then confused deputies in the domain become possible vectors for those
attacks."
Conversely, if there are no attacks prevented by the domain restriction,
then it is providing no security benefit.
Does this clarify the issue sufficiently? If it doesn't, I will try to come
up with a more concrete example.
--
David Hopwood
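The dilemma Hopwood states above (a domain restriction either denies nothing, or turns every in-domain deputy into a vector for exactly the requests it denies) can be exercised directly. The following is an added example, not code from the thread or from any web-key implementation: a toy server that hands out unguessable web-keys, with and without the extra "clients in my domain" check, and an in-domain link-previewer that fetches any URL it is given. The domain names, the `PreviewDeputy` / `CarefulDeputy` classes and the sample resource are all assumptions made for the illustration.

```python
import secrets

# Assumed names (not from the thread): the "my domain" of Alan Karp's example
# and the outside domain the key holder is in.
INTERNAL_DOMAIN = "corp.example"
ATTACKER_DOMAIN = "attacker.example"


class WebKeyServer:
    """Serves a resource to whoever presents its unguessable web-key (ocap).

    With require_domain=True it also applies the non-ocap check from the
    thread: the requesting client must be in INTERNAL_DOMAIN.
    """

    def __init__(self, require_domain):
        self.require_domain = require_domain
        self._resources = {}

    def create(self, content):
        """Store content and return its web-key, the only designator for it."""
        key = secrets.token_urlsafe(24)
        self._resources[key] = content
        return key

    def fetch(self, key, client_domain):
        """Return the content, or None if the key or the domain check fails."""
        content = self._resources.get(key)
        if content is None:
            return None
        if self.require_domain and client_domain != INTERNAL_DOMAIN:
            return None
        return content


def key_from_url(url):
    """Web-key URLs carry the key as the last path component (assumed layout)."""
    return url.rsplit("/", 1)[-1]


class PreviewDeputy:
    """An in-domain service that fetches any URL a caller hands it (a link
    previewer, say). The server sees every fetch it makes as coming from
    INTERNAL_DOMAIN: ambient authority, exercised on behalf of any caller."""

    def __init__(self, server):
        self.server = server

    def preview(self, url, caller_domain):
        # caller_domain is ignored: the deputy's own location is what the
        # server checks, which is what makes it a confused deputy.
        return self.server.fetch(key_from_url(url), client_domain=INTERNAL_DOMAIN)


class CarefulDeputy(PreviewDeputy):
    """Assumed fix: the deputy exercises only the authority its caller has,
    presenting the caller's domain instead of its own, so the request carries
    no more authority than the caller could have wielded directly."""

    def preview(self, url, caller_domain):
        return self.server.fetch(key_from_url(url), client_domain=caller_domain)


def run_scenario(require_domain, deputy_cls=PreviewDeputy,
                 attacker_domain=ATTACKER_DOMAIN):
    """A key holder in attacker_domain has the web-key (e.g. it leaked).
    Try the resource directly, then through the in-domain deputy."""
    server = WebKeyServer(require_domain)
    key = server.create("payroll.csv")  # constructed sample resource
    url = f"https://files.{INTERNAL_DOMAIN}/{key}"

    direct = server.fetch(key, client_domain=attacker_domain)
    via_deputy = deputy_cls(server).preview(url, caller_domain=attacker_domain)
    return {
        "direct_blocked": direct is None,
        "deputy_discloses": via_deputy is not None,
    }


if __name__ == "__main__":
    for require_domain in (False, True):
        print(f"domain check={require_domain}: {run_scenario(require_domain)}")
    print("careful deputy:", run_scenario(True, CarefulDeputy))
    print("holder already in domain:",
          run_scenario(True, attacker_domain=INTERNAL_DOMAIN))
```

With the check off, the deputy adds nothing: the key alone already grants access, directly or through the previewer. With the check on, the direct request is denied, and that is precisely the request the previewer now makes on the outsider's behalf. When every key holder is already inside the domain, the check denies nothing and so buys nothing, which is the converse half of Hopwood's argument. Only a deputy that refuses to lend its own standing (`CarefulDeputy`) closes the hole, and that is the ocap discipline of passing authority with the request rather than inferring it from where the request came from.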