[cap-talk] Confused deputies in hybrid systems

Jed Donnelley jed at nersc.gov
Mon Feb 4 17:30:22 EST 2008


On 2/4/2008 1:59 PM, David Hopwood wrote:
> Karp, Alan H wrote:
>> Toby Murray wrote:
>>> Bob delegates it to some service that IS in the domain. The
>>> service may incorrectly use this capability on Bob's behalf, since the
>>> capability is more powerful in the hands of the service than it is in Bob's.
>>>
>>> This service is potentially confusable.
> 
> Yes.
> 
>> In other words, such a capability can't be allowed to re-enter the domain,
>> even as a parameter.
> 
> No, it can be allowed to re-enter; it just can't then be used to access
> anything that should not be accessible from outside the domain. If the
> ACL (or whatever determines the additional policy check) changes so that
> the designated object(s) should now be accessible from outside the domain,
> that capability becomes usable again.
> 
> For example, in the case of HP's financial results, a capability to access
> them would start working once the results have been made public, regardless
> of the delegation chain. Being able to reify authorities to access something
> at some time in the future, is generally useful and important.

All of which I agree with, including the point about
being able to reify authorities to access something
in the future being useful and important - though I
might use a term like "reconstitute" for 'reify'.
The meaning I think is clear - to allow additional
authority through invocations on an existing capability
in response to a changing situation (e.g. Joe is
back on the executive board, Mary now has secret
clearance).

However, Toby hadn't seen the above when he wrote:

On 2/4/2008 9:02 AM, Toby Murray wrote:
...
> So we have the Horton PDP implement two restrictions:
>
>  - block the invocation of caps marked for use in the domain if they are
> used by someone outside of the domain
>  - deny anyone outside the domain to delegate these caps back into the
> domain

As DavidH pointed out above, neither of the restrictions
above is necessary, so I don't believe the comments below
are justified:

> Wouldn't it be easier to start with the caps IN the domain and have
> Horton just enforce that they cannot be delegated outside the domain?
>
> Imposing limits on who may delegate a capability to whom may be less
> susceptible to confused deputy vulnerabilities, than imposing
> restrictions on who may invoke a capability.

--Jed  http://www.webstart.com/jed/
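The point David makes and Jed endorses above, as an added worked example that is not part of the original thread and is not Horton's actual protocol: a capability carries its delegation chain, and a policy decision point checks at invocation time whether that chain ever left the protected domain. A capability that went outside and was handed back in "as a parameter" is still invocable by the in-domain service, but only with outsider-grade authority, so the service cannot be used as a confused deputy; once the ACL-style policy bit on the object flips (the results are made public), the very same capability starts working without any re-delegation. Delegation itself is never restricted. The principal names, the "hp-finance" domain and the Document/PDP classes are assumptions made for this model.

```python
"""Toy model of a hybrid capability system with an invocation-time policy
check. Written for this page as an illustration; it is not Horton's
protocol and not any real system's code. All names are hypothetical."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    domain: Optional[str]      # None: not a member of any protected domain


@dataclass
class Document:
    name: str
    owner_domain: str
    public: bool = False       # ACL-style policy bit; flips when results are published

    def read(self) -> str:
        return f"contents of {self.name}"


@dataclass(frozen=True)
class Capability:
    target: Document
    chain: Tuple[Principal, ...]   # every holder so far, in delegation order

    def delegate(self, to: Principal) -> "Capability":
        # Delegation is unrestricted: the chain simply records the new holder.
        return Capability(self.target, self.chain + (to,))

    def escaped_domain(self) -> bool:
        """True if any holder in the chain sits outside the target's domain."""
        return any(p.domain != self.target.owner_domain for p in self.chain)


class PDP:
    """Invocation-time policy: a capability whose chain ever left the domain
    is treated exactly like an outsider's request, whoever holds it now.
    No delegation rule is needed for that, which is David's point."""

    def authorize(self, invoker: Principal, cap: Capability) -> bool:
        if invoker != cap.chain[-1]:
            return False                 # only the current holder may invoke
        if not cap.escaped_domain():
            return True                  # never left the domain: full authority
        return cap.target.public         # outsider-grade authority only


def invoke(pdp: PDP, invoker: Principal, cap: Capability) -> Optional[str]:
    """Return the document contents on success, None when the PDP denies."""
    return cap.target.read() if pdp.authorize(invoker, cap) else None


def scenario() -> dict:
    """Alice (in domain) delegates to Bob (outside); Bob hands the cap to an
    in-domain service. Constructed scenario mirroring the thread."""
    pdp = PDP()
    alice = Principal("alice", "hp-finance")
    service = Principal("report-service", "hp-finance")
    bob = Principal("bob", None)
    results = Document("Q4 financial results", "hp-finance")

    alice_cap = Capability(results, (alice,))
    bob_cap = alice_cap.delegate(bob)           # leaves the domain
    service_cap = bob_cap.delegate(service)     # re-enters the domain as a parameter

    out = {}
    out["alice_before"] = invoke(pdp, alice, alice_cap)        # untainted: allowed
    out["bob_before"] = invoke(pdp, bob, bob_cap)              # outsider: denied
    out["service_before"] = invoke(pdp, service, service_cap)  # tainted: no amplification
    results.public = True                                       # policy changes
    out["service_after"] = invoke(pdp, service, service_cap)   # same cap now works
    out["bob_after"] = invoke(pdp, bob, bob_cap)               # and so does Bob's
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step:15s} -> {'denied' if result is None else result}")
```

Neither of Toby's two restrictions appears in this model: the tainted capability is allowed to re-enter the domain and to be invoked there, and the deputy is protected because the check compares the chain against the object's current policy rather than the invoker's location.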
