[cap-talk] Horton consequence (was: Re: Loss of control (was: Re: A paper on web-keys))

Toby Murray toby.murray at comlab.ox.ac.uk
Sun Feb 3 05:13:43 EST 2008


On Sat, 2008-02-02 at 23:44 -0800, Jed Donnelley wrote:

<lots of stuff on Confused Deputies and Horton>

> As you likely recall, Horton tunnels can keep track
> of the complete delegation path (identity to identity)
> that a particular capability has followed.  The
> particular policy that is used for access through
> these tunnels can in principle be anything based
> on the available information - including the full
> delegation path (such flexibility worries me, and
> now I see another reason why - below).
> 
> What I just realized is that if the policy is based
> only on the last delegatee (i.e. "who" last received
> the capability), or in fact anything but the full
> delegation chain, then it will be subject to the
> Confused Deputy problem.  

<because the last delegatee may end up using some of their ambient
authority (based on their Who) when exercising a delegated capability>

> However, I believe that if the policy in the Horton
> tunnel grants access based on access that would
> only be available to all the delegatees along the
> delegation chain, then the Confused Deputy problem
> can't arise. 

In other words, the delegatee can access the resource designated by the
delegated cap if and only if (iff) all of those in the chain can do so.

This enforces the property that the deputy can access the resource iff
its client can. This is precisely what is required to prevent Confused
Deputy vulnerabilities, because it ensures that the deputy does not
wield authority in excess of that possessed by its client and, hence, is
not inappropriately using its own (private) authority on behalf of its
client.

(See Section 6.1 of
web.comlab.ox.ac.uk/oucl/work/toby.murray/papers/AALPE.pdf
in which this point was made.)

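As an added illustration of the two policies contrasted above (example code, not part of the thread or of any Horton implementation), the following models a tunnel that sees the full delegation chain and compares a "last delegatee only" rule with an "every identity in the chain" rule. The identities (alice, compiler), the resources and the ACL are constructed for the example.

```python
from typing import Callable, Sequence

# Constructed ACL: which identity may directly access which resource.
# The deputy ("compiler") privately holds authority over billing.log
# that its client ("alice") does not have.
RESOURCE_ACL = {
    "user_output.txt": {"alice", "compiler"},
    "billing.log": {"compiler"},
}

Policy = Callable[[Sequence[str], str], bool]


def has_direct_access(who: str, resource: str) -> bool:
    return who in RESOURCE_ACL.get(resource, set())


def last_delegatee_policy(chain: Sequence[str], resource: str) -> bool:
    """Grant if the identity that last received the cap may access it.
    This is the policy the thread identifies as Confused-Deputy-prone."""
    return has_direct_access(chain[-1], resource)


def whole_chain_policy(chain: Sequence[str], resource: str) -> bool:
    """Grant only if every identity along the delegation path may access
    it, so the deputy never wields more authority than its client."""
    return all(has_direct_access(who, resource) for who in chain)


def tunnel_access(chain: Sequence[str], resource: str, policy: Policy) -> bool:
    """Exercise a delegated cap through the tunnel under a given policy.
    chain[0] is the originator (client), chain[-1] the current holder."""
    if not chain:
        raise ValueError("a delegated cap always carries at least one identity")
    return policy(chain, resource)


def excess_authority(chain: Sequence[str], policy: Policy) -> set:
    """Resources the policy lets the chain's last holder reach although the
    originating client could not: the Confused Deputy condition."""
    client = chain[0]
    return {
        r for r in RESOURCE_ACL
        if tunnel_access(chain, r, policy) and not has_direct_access(client, r)
    }


if __name__ == "__main__":
    chain = ["alice", "compiler"]  # alice delegated a cap to the compiler
    for name, policy in [("last delegatee", last_delegatee_policy),
                         ("whole chain", whole_chain_policy)]:
        print(f"{name}: excess authority = {excess_authority(chain, policy)}")
```

With the chain alice -> compiler, the last-delegatee rule lets the compiler write billing.log on alice's behalf, while the whole-chain rule grants nothing beyond what alice herself holds.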