[cap-talk] Confused deputies in hybrid systems

David Hopwood david.hopwood at industrial-designers.co.uk
Mon Feb 4 16:59:00 EST 2008


Karp, Alan H wrote:
> Toby Murray wrote:
>> Bob delegates it to some service that IS in the domain. The
>> service may incorrectly use this capability on Bob's behalf, since the
>> capability is more powerful in the hands of the service than it is in Bob's.
>>
>> This service is potentially confusable.

Yes.

> In other words, such a capability can't be allowed to re-enter the domain,
> even as a parameter.

No, it can be allowed to re-enter; it just can't then be used to access
anything that should not be accessible from outside the domain. If the
ACL (or whatever determines the additional policy check) changes so that
the designated object(s) should now be accessible from outside the domain,
that capability becomes usable again.

For example, in the case of HP's financial results, a capability to access
them would start working once the results have been made public, regardless
of the delegation chain. Being able to reify authorities to access something
at some time in the future is generally useful and important.

-- 
David Hopwood
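The scenario argued over in this thread, as an added toy model that is not part of the original posts: a capability designates a document, but the hybrid system's extra policy check is evaluated against the weakest domain on the delegation chain, so a capability Bob hands back into the domain cannot make the in-domain service a confused deputy, yet it starts working for everyone once the ACL-style "public" bit flips. Domain names, the `floor` field and the `public` flag are constructed for the example.

```python
# Added example (not from the thread): toy hybrid capability/ACL system.
INSIDE, OUTSIDE = "inside", "outside"   # constructed domain names

class Document:
    def __init__(self, name, public=False):
        self.name = name
        self.public = public          # ACL-like policy bit: readable from OUTSIDE once True

class Capability:
    def __init__(self, target, floor=INSIDE):
        self.target = target
        self.floor = floor            # least-trusted domain anywhere on the delegation chain

    def delegate(self, to_domain):
        # Once the capability has passed through OUTSIDE, that fact is sticky.
        floor = OUTSIDE if OUTSIDE in (self.floor, to_domain) else INSIDE
        return Capability(self.target, floor)

def invoke(cap, caller_domain):
    """Hybrid access check: the capability designates the object, but the additional
    policy is evaluated against the weakest domain on the chain, not only the caller."""
    effective = OUTSIDE if OUTSIDE in (cap.floor, caller_domain) else INSIDE
    if effective == INSIDE or cap.target.public:
        return cap.target.name
    raise PermissionError(f"{cap.target.name} not accessible from {effective}")

def can_read(cap, caller_domain):
    try:
        invoke(cap, caller_domain)
        return True
    except PermissionError:
        return False

def scenario():
    results = Document("HP financial results")
    insider_cap = Capability(results)                # minted inside the domain
    bobs_cap = insider_cap.delegate(OUTSIDE)         # delegated to Bob, outside
    service_cap = bobs_cap.delegate(INSIDE)          # Bob passes it to an in-domain service
    before = {
        "insider uses own cap": can_read(insider_cap, INSIDE),
        "bob uses his cap": can_read(bobs_cap, OUTSIDE),
        "service uses bob's cap": can_read(service_cap, INSIDE),  # no confused deputy
    }
    results.public = True                            # policy changes: results published
    after = {
        "bob uses his cap": can_read(bobs_cap, OUTSIDE),
        "service uses bob's cap": can_read(service_cap, INSIDE),  # re-entered cap now works
    }
    return before, after

if __name__ == "__main__":
    print(scenario())
```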
