[cap-talk] Toby's Confused deputy statement (was: Re: Confused deputies in hybrid systems)

Toby Murray toby.murray at comlab.ox.ac.uk
Tue Feb 5 04:21:34 EST 2008


On Mon, 2008-02-04 at 17:00 -0800, Jed Donnelley wrote:
> cap-talk,
> 
> This message is in regard to this dialog:
> 
> Toby Murray said:
>  >>>> In any case in which a service may get more authority than its client
>  >>>> from a capability passed to it by its client, the service is potentially
>  >>>> confusable.
> 
> Jonathan Shapiro replied:
>  >>> Your statement confuses permission with authority. The service did not
>  >>> get more authority than its client held. The client had sufficient
>  >>> authority to pass the capability into the service domain. In
>  >>> consequence, any authority granted thereby to the service already fell
>  >>> within the client's authority BY DEFINITION.
> 
> I like the conciseness of Toby's statement and I agree
> with it.  It seems to me that Toby's statement is one
> of fact.
> 
> Perhaps somebody can suggest how Toby's statement could
> be reworded to still convey this basic fact and stay
> within the definitions that Jonathan seems to be
> using?

I think Jonathan would prefer

In any case in which a service may get more PERMISSION than its client
gets AUTHORITY from a capability passed to it by its client, the service
is potentially confusable.

Jonathan's point was that if the service IS confusable, then by
possessing the capability, the client has the authority to cause the
service to perform some (unwanted) action on the client's behalf. Hence,
the client already has the excess authority by merely possessing the
capability and being able to pass it to the service. Hence, he found it
strange to argue that the service somehow has MORE authority than the
client when passed the capability, since the client's authority stems
from the service's.

However, as I see it, the service does have more authority than the
client, since the client must rely on the service in order to exercise
its authority granted by the capability, while the service need not rely
on anyone but itself -- it certainly need not rely on the client.

Hence, I still believe my original statement is correct for appropriate
definitions of "authority" and what constitutes "more authority", both
of which are ill defined terms at the best of times ;)
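A toy model of the reworded statement above (a service may get more PERMISSION than its client gets AUTHORITY from a capability passed to it), added here as an illustration; it is not code from the cap-talk thread or from any system discussed there. A "confusable" deputy writes to whatever record the client merely names, using the deputy's own ambient permission over its store, while a capability-disciplined deputy writes only through a capability the client already holds. All names (Store, Cap, ConfusableDeputy, CapabilityDeputy, the "billing" record) are hypothetical, and the model assumes capabilities are unforgeable, so a client holding only `client_cap` cannot mint a capability to "billing".

```python
"""Added example (not part of the cap-talk thread): a toy model of a
confusable deputy beside a capability-disciplined one. All names are
hypothetical; capabilities are assumed unforgeable."""
from dataclasses import dataclass, field


@dataclass
class Store:
    """A toy object store; each record is just a string."""
    records: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Cap:
    """A capability: designates exactly one record of one store.
    Holding it IS the permission to write that record; nothing else."""
    store: Store
    name: str

    def write(self, text: str) -> None:
        self.store.records[self.name] = text


class ConfusableDeputy:
    """Service holding ambient permission over its whole store. The client
    passes only a *name*, and the deputy's own permission turns that name
    into a write: the service exercises more permission than the client
    held authority for."""

    def __init__(self, store: Store):
        self.store = store  # service's own, broader permission

    def compile(self, output_name: str, text: str) -> None:
        # No check that the client may write output_name: the deputy's
        # ambient permission is selected by a client-supplied name.
        self.store.records[output_name] = text


class CapabilityDeputy:
    """Same service, but it writes only through the capability it is
    handed. What it does on the client's behalf is bounded by what the
    client could already do by holding that capability."""

    def __init__(self, store: Store):
        self.store = store  # still held, but never used to pick a target

    def compile(self, output: Cap, text: str) -> None:
        output.write(text)  # permission exercised == client's authority


def run_scenario() -> dict:
    """Run both deputies against a store that also holds a 'billing' record
    the client has no capability to. Returns the resulting record values."""
    results = {}

    # Confusable deputy: the client names 'billing' and the deputy's ambient
    # permission overwrites it, although the client never held that capability.
    store1 = Store({"billing": "charges so far", "client.out": ""})
    ConfusableDeputy(store1).compile("billing", "overwritten by client")
    results["confusable_billing"] = store1.records["billing"]

    # Capability deputy: the client can pass only the capability it holds,
    # which designates 'client.out'; 'billing' is untouched.
    store2 = Store({"billing": "charges so far", "client.out": ""})
    client_cap = Cap(store2, "client.out")  # the only capability the client holds
    CapabilityDeputy(store2).compile(client_cap, "client's output")
    results["cap_billing"] = store2.records["billing"]
    results["cap_client_out"] = store2.records["client.out"]
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v!r}")
```

In the confusable case the client's "authority" to clobber "billing" exists only because the deputy will act on a name with its own broader permission, which is exactly the excess the reworded statement points at; in the capability case the deputy can do no more for the client than the client's own capability permits.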
