[cap-talk] Loss of control (was: Re: A paper on web-keys)

Mark Miller erights at gmail.com
Sun Feb 3 00:14:33 EST 2008


On Feb 2, 2008 4:58 PM, David Hopwood
<david.hopwood at industrial-designers.co.uk> wrote:
> Alan Karp had written:
> > [...]  Actually, I was thinking along the lines of an additional, non-ocap
> > check. [...] For example, "This capability can only be used by clients in
> > my domain."
>

> [...] As I replied to Sandro, the main
> issue is that:
>
>    "If the domain restriction [mentioned by Alan Karp] prevents any attacks,
>     then confused deputies in the domain become possible vectors for those
>     attacks."
>
> Conversely, if there are no attacks prevented by the domain restriction,
> then it is providing no security benefit.

This puts the point more clearly than I've ever been able to. Thanks!

But the issue isn't specific to hybrid vs ocaps. It can arise in pure
ocap systems when doing rights amplification or IBAC. For example, it
can arise in Horton when Who attribution is used to deny access. The
stance we suggest in the Horton paper is that Who attribution should
only be used reactively -- to shut off further access in reaction to
past abuse. Confused deputies do indeed become possible vectors for
circumventing such reactive denial of access -- but only at the cost
of tarnishing the reputation of that deputy's Who, leading to
eventually denying access to those confusable deputies as well.

Similarly, if Alan's additional non-ocap domain check exists only to
be used reactively, then I think it may be as benign as the
reactive-only use of Horton. I am now confused about how different
Horton actually is from a hybrid ocap system such as Alan
suggested. What am I missing?


> Does this clarify the issue sufficiently? If it doesn't, I will try to come
> up with a more concrete example.

Concrete examples always help. I suspect they'd help a lot here. ;)

-- 
Text by me above is hereby placed in the public domain

    Cheers,
    --MarkM
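One way to see David's point in running code, as an added example that is not part of the thread (all class, domain and record names are constructed): an in-domain deputy that fetches records by name defeats a domain restriction exactly when that restriction is what blocks outsiders, while an ocap deputy that holds no ambient authority cannot be confused by a bare name.

```python
# Added illustration, not code from the thread; all names are constructed.
# A resource guarded by a domain check ("only clients in my domain") beside
# one guarded by holding an unforgeable reference (ocap).
class DomainRestrictedStore:
    """Hybrid design: grants access by inspecting the caller's domain."""
    def __init__(self, domain):
        self.domain = domain
        self.records = {"payroll": "salary table"}
    def read(self, caller_domain, name):
        if caller_domain != self.domain:   # the non-ocap domain check
            raise PermissionError("outside domain")
        return self.records[name]

class Deputy:
    """In-domain service that fetches whatever record it is asked for. It calls
    the store as itself, so the domain check passes whoever its client is."""
    def __init__(self, store, domain):
        self.store, self.domain = store, domain
    def fetch(self, name):
        return self.store.read(self.domain, name)

def hybrid_scenario():
    """Outsider is denied directly but gets the record through the deputy."""
    store = DomainRestrictedStore("corp")
    try:
        store.read("outside", "payroll")
        direct = "allowed"
    except PermissionError:
        direct = "denied"
    return direct, Deputy(store, "corp").fetch("payroll")

class CapStore:
    """Ocap design: authority is a reference, not a property of the caller."""
    def __init__(self):
        self._records = {"payroll": "salary table"}
    def reader(self, name):
        value = self._records[name]
        return lambda: value               # reader for exactly one record

class CapDeputy:
    """Holds no ambient authority; acts only with references its client passes."""
    def fetch(self, record_cap):
        if not callable(record_cap):       # a bare name carries no authority
            return "denied"
        return record_cap()

def ocap_scenario():
    """Outsider can name the record but has no reference; an insider does."""
    deputy, insider_cap = CapDeputy(), CapStore().reader("payroll")
    return deputy.fetch("payroll"), deputy.fetch(insider_cap)
```

In the hybrid case the deputy's own domain membership is the authority that leaks; in the ocap case the only way through the deputy is to already hold the reader, which is the same condition as reaching the record directly.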
