[cap-talk] Confused Deputies arising from object capabilities

Jed Donnelley capability at webstart.com
Sun Feb 3 12:48:38 EST 2008


At 03:13 PM 2/2/2008, Karp, Alan H wrote:
>ross mcginnis wrote:
> >
> > Confused Deputy : Caps v's Identity access control-
>
>The essence of the confused deputy is the separation of designation 
>and authorization.  Whether or not the file names are unguessable 
>(making them password caps) is irrelevant.

I agree.  However, with regard to:

>... Because capabilities necessarily combine designation with 
>authorization, the problem cannot arise...

I don't agree - unless I misunderstand your meaning.

I believe Horton is a pure object capability mechanism,
but as I discussed in:

http://www.eros-os.org/pipermail/cap-talk/2008-February/009721.html

it seems quite easy to choose access control policies
to impose inside Horton tunnels that will result
in Confused Deputies.  I argue there that any policy
that doesn't restrict access for a delegatee to be
less than or equal to the minimum access for any
delegatee along the delegation chain will result
in the potential for Confused Deputies.

While such policies might be natural for a Horton
implementation, to me this is a somewhat surprising
and disappointing result.  I'm quite interested to
hear the take of others on this - both whether it
is correct and how it fits with other similar
thoughts - e.g. as Toby notes, his paper or others
that may have stated similar results.

--Jed  http://www.webstart.com/jed-signature.html 
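As an added illustration (not code from the post, and not Horton's own mechanism), here is a small model of the rule stated above: along a delegation chain, each delegatee's access must be no greater than the minimum held by everyone earlier in the chain. The principals, the chain and the rights sets are constructed for the example.

```python
# Added example: check a delegation policy against the "no more than the
# minimum along the chain" rule. Principals, chain and rights are constructed.
from typing import Dict, FrozenSet, List, Tuple

Rights = FrozenSet[str]


def chain_violations(chain: List[str], policy: Dict[str, Rights]) -> List[Tuple[str, Rights]]:
    """Return (delegatee, excess) for every link where the delegatee is
    granted rights beyond the minimum held by all earlier principals."""
    violations = []
    floor = policy[chain[0]]           # the original holder's rights set the ceiling
    for delegatee in chain[1:]:
        granted = policy[delegatee]
        excess = granted - floor       # rights nobody upstream necessarily has
        if excess:
            violations.append((delegatee, excess))
        floor &= granted               # the minimum along the chain only shrinks
    return violations


def policy_is_safe(chain: List[str], policy: Dict[str, Rights]) -> bool:
    """True when the policy restricts every delegatee to the chain minimum."""
    return not chain_violations(chain, policy)


def exposed_intermediaries(chain: List[str], policy: Dict[str, Rights], delegatee: str) -> List[str]:
    """Earlier principals who relay requests for rights they lack themselves:
    the positions where a deputy can be confused about whose authority applies."""
    granted = policy[delegatee]
    upstream = chain[:chain.index(delegatee)]
    return [p for p in upstream if granted - policy[p]]


# Constructed sample: alice delegates to bob, who delegates to carol.
CHAIN = ["alice", "bob", "carol"]
RESTRICTING = {"alice": frozenset({"read", "write"}),
               "bob": frozenset({"read"}),
               "carol": frozenset({"read"})}
PERMISSIVE = {"alice": frozenset({"read", "write"}),
              "bob": frozenset({"read"}),
              "carol": frozenset({"read", "write"})}   # carol exceeds bob's access

if __name__ == "__main__":
    print("restricting policy safe:", policy_is_safe(CHAIN, RESTRICTING))
    print("permissive violations:", chain_violations(CHAIN, PERMISSIVE))
    print("exposed deputies for carol:", exposed_intermediaries(CHAIN, PERMISSIVE, "carol"))
```

Under the permissive policy, carol's "write" request must pass through bob, who holds only "read"; that link is the one the checker reports.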