[cap-talk] Rights amplification -> Confused deputies

[Jed Donnelley]

cap-talk,

I just thought I'd follow-up on my note about Rights
amplification leading to confused deputies.

At 08:13 AM 2/4/2008, Mark Miller wrote:
>On Feb 3, 2008 10:39 PM, Jed Donnelley <capability at webstart.com> wrote:
> > [...] it seems
> > to me that what people refer to as "rights amplification"
> > poses a risk of producing confused deputies,
>
>Yes. This still needs to be explored in depth.

All you need is a situation where the deputy has
one of the capabilities needed for rights amplification
and the client has the other.  If the client sends
its capability to the deputy in a request for service
and the deputy normally uses the other capability
for such services then it seems clear to me you
have a confused deputy.  This scenario works
whether the deputy had both capabilities to
begin with (true "amplification") or not.

This can of course be a pure object capability
scenario.

I'm just clarifying these situations for my
own thinking and bouncing them off of others
to see if we have a common understanding or
whether I'm missing something.  In my current
frame of mind, it doesn't seem to me that much
more exploration in depth is needed.

--Jed  http://www.webstart.com/jed-signature.html