[cap-talk] Confused deputies in hybrid systems (was: Loss of control)

Toby Murray toby.murray at comlab.ox.ac.uk
Mon Feb 4 03:19:24 EST 2008


On Mon, 2008-02-04 at 06:11 +0000, Karp, Alan H wrote:
> David Hopwood wrote:
> >
> > Alice creates a document which contains FooCo proprietary information,
> > and puts it on the web server marked as only readable by FooCo logins.
> > She also writes an email about the collaborative project, which is
> > mostly fine for BarCo employees to read, but also contains a YURL to
> > the document. She reasons (incorrectly, but plausibly), that it is
> > okay to send this email to the list because the login check will only
> > allow the document to be accessed by FooCo employees.
> >
> 
> The check that I proposed cut off access if the invoker wasn't in my
> domain.  (Note that I never suggested that the check could add
> privileges, as in some of the discussion on this thread.)

> I'm having trouble seeing how a strict reduction of authority can lead
> to a confused deputy.

Suppose I'm in the domain and, hence, can use the capability. I delegate
it to Bob who isn't in the domain -- he can't use it since he's not in
the domain.

Bob delegates it to some service that IS in the domain. The service may
incorrectly use this capability on Bob's behalf, since the capability is
more powerful in the hands of the service than it is in Bob's. 

This service is potentially confusable.

In any case in which a service may get more authority than its client
from a capability passed to it by its client, the service is potentially
confusable.

Cheers

Toby
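As an added illustration (not code from the thread or from anyone on it), the following Python model of the hybrid capability-plus-domain-check system described above shows why an in-domain service that exercises a client-supplied capability under its own identity is confusable, and the mitigation of invoking it with no more authority than the client holds; the principal, service and document names are constructed.

```python
# Constructed model of the "hybrid" system in the thread: a capability
# designates a document, but every invocation is also gated on the invoker's
# domain (the strict reduction of authority Alan described). All names here
# are illustrative, not code from the thread.
from collections import namedtuple

Principal = namedtuple("Principal", "name domain")

class Capability:
    """Unforgeable reference to a document owned by one domain."""
    def __init__(self, doc: str, owner_domain: str):
        self.doc, self.owner_domain = doc, owner_domain

    def read(self, invoker: Principal) -> str:
        # The domain check only ever removes authority; it never adds any.
        if invoker.domain != self.owner_domain:
            raise PermissionError(f"{invoker.name} is outside {self.owner_domain}")
        return f"<contents of {self.doc}>"

class ConfusableService:
    """In-domain service that exercises whatever capability a client hands it
    under its OWN identity: the capability is more powerful in its hands
    than in Bob's, so it can be confused into reading on Bob's behalf."""
    def __init__(self, me: Principal):
        self.me = me

    def summarise(self, client: Principal, cap: Capability) -> str:
        return cap.read(self.me)[:12]

class CarefulService(ConfusableService):
    """Mitigation: invoke the capability with the client's authority, so the
    domain check is applied to Bob rather than to the service."""
    def summarise(self, client: Principal, cap: Capability) -> str:
        return cap.read(client)[:12]

def run_scenario(service_cls):
    """Return (Bob's direct outcome, outcome when Bob routes via the service)."""
    bob = Principal("bob", "BarCo")            # outside the domain
    svc = Principal("summariser", "FooCo")     # inside the domain
    cap = Capability("proposal.doc", "FooCo")  # delegated to Bob by an insider
    def attempt(fn):
        try:
            fn(); return "allowed"
        except PermissionError:
            return "denied"
    return (attempt(lambda: cap.read(bob)),
            attempt(lambda: service_cls(svc).summarise(bob, cap)))
```

With `ConfusableService` the scenario yields `("denied", "allowed")`: Bob cannot read directly but gets the contents via the service; with `CarefulService` both attempts are denied.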
