[cap-talk] Toby's Confused deputy statement (was: Re: Confused deputies in hybrid systems)

Jed Donnelley capability at webstart.com
Tue Feb 5 04:57:17 EST 2008


At 01:21 AM 2/5/2008, Toby Murray wrote:
>On Mon, 2008-02-04 at 17:00 -0800, Jed Donnelley wrote:
> > cap-talk,
> >
> > This message is in regard to this dialog:
> >
> > Toby Murray said:
> >  >>>> In any case in which a service may get more authority than its client
> >  >>>> from a capability passed to it by its client, the service is potentially
> >  >>>> confusable.
> >
> > Jonathan Shapiro replied:
> >  >>> Your statement confuses permission with authority. The service did not
> >  >>> get more authority than its client held. The client had sufficient
> >  >>> authority to pass the capability into the service domain. In
> >  >>> consequence, any authority granted thereby to the service already fell
> >  >>> within the client's authority BY DEFINITION.
> >
> > I like the conciseness of Toby's statement and I agree
> > with it.  It seems to me that Toby's statement is one
> > of fact.
>
> > Perhaps somebody can suggest how Toby's statement could
> > be reworded to still convey this basic fact and stay
> > within the definitions that Jonathan seems to be
> > using?
>
>I think Jonathan would prefer
>
>In any case in which a service may get more PERMISSION than its client
>gets AUTHORITY from a capability passed to it by its client, the service
>is potentially confusable.
>
>Jonathan's point was that if the service IS confusable, then by
>possessing the capability, the client has the authority to cause the
>service to perform some (unwanted) action on the client's behalf. Hence,
>the client already has the excess authority by merely possessing the
>capability and being able to pass it to the service. Hence, he found it
>strange to argue that the service somehow has MORE authority than the
>client when passed the capability, since the client's authority stems
>from the service's.

Ah, then I think this was the point I noted in the message I
just sent (we seem to be bouncing messages, you must be in
a different time zone Toby, it's almost 02:00 here in California).

>However, as I see it, the service does have more authority than the
>client, since the client must rely on the service in order to exercise
>its authority granted by the capability, while the service need not rely
>on anyone but itself -- it certainly need not rely on the client.

And in particular the server may not yield up all its authority
to the client.  It may not yield up any as I noted in my
"Thank you very much!" example.  It is the situation of
the server receiving the additional authority before acting
on the client's request that creates the potential for a
confused deputy.

>Hence, I still believe my original statement is correct for appropriate
>definitions of "authority" and what constitutes "more authority", both
>of which are ill defined terms at the best of times ;)

I don't know about the definitions being ill defined in a theoretical
sense, but certainly any sort of measurement or practical realization
of how much authority is available is in general uncomputable.

Whew, I'm glad that I at least think I understand what the issue
is (was?).  Perhaps we can get Jonathan to make the statement in
his own words to see if there is a way of clarifying the
condition under which a confused deputy situation can arise that
makes careful use of the permission/authority distinction.

--Jed  http://www.webstart.com/jed-signature.html 
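As an added illustration of the condition discussed above (example code written for this page, not from the cap-talk thread): a toy model contrasting a service that resolves the client's request with its own ambient authority, so its permission exceeds the client's authority, against one that acts only through the capability the client passes. All class, resource and entry names are constructed.

```python
class Capability:
    """Unforgeable reference: designates a resource and permits writing to it."""
    def __init__(self, resource):
        self._resource = resource

    def write(self, data):
        self._resource.append(data)


class NameBasedService:
    """Resolves the client's output name with the service's OWN authority.
    Its permission (every resource in its table) exceeds the authority the
    client holds, which is the condition for a confused deputy."""
    def __init__(self, table):
        self._table = table                 # ambient authority held before the request

    def handle(self, output_name, data):
        self._table[output_name].append(data)


class CapabilityService:
    """Acts only through the capability the client passed, so it can reach
    nothing the client could not already reach on its own."""
    def handle(self, output_cap, data):
        if not isinstance(output_cap, Capability):
            raise TypeError("designator must be a capability, not a name")
        output_cap.write(data)


def run_scenario():
    """Constructed scenario: returns the final contents of each resource."""
    billing = []                            # service-private; client holds no capability to it
    client_res = []
    client_cap = Capability(client_res)

    # Confusable: the client merely names a resource it has no capability to,
    # and the service's ambient authority does the rest.
    NameBasedService({"billing": billing}).handle("billing", "forged entry")

    # Not confusable: the only accepted designator is a capability, so the
    # service's permission never exceeds what the client already held.
    CapabilityService().handle(client_cap, "report")
    try:
        CapabilityService().handle("billing", "forged entry")
    except TypeError:
        pass                                # a bare name conveys no authority

    return {"billing": billing, "client": client_res}
```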


