[cap-talk] Toby's Confused deputy statement (was: Re: Confused deputies in hybrid systems)
Toby Murray
toby.murray at comlab.ox.ac.uk
Tue Feb 5 05:23:27 EST 2008
Actually, I think I may have got confused earlier on ;)
On Tue, 2008-02-05 at 01:57 -0800, Jed Donnelley wrote:
> (we seem to be bouncing messages, you must be in
> a different time zone Toby, it's almost 02:00 here in California).
It's about 10:30am in Oxford (and far too cold for any sun loving
Australian ;)
> Whew, I'm glad that I at least think I understand what the issue
> is (was?).
Actually, I may have been mistaken earlier. Hopefully I won't confuse
things further in trying to clarify my position, which I stated
incorrectly before.
The essence of the confused deputy problem is that the server is granted
more permission than the client, but the client can cause the server to
(incorrectly) exercise its permission on behalf of the client.
Suppose the client has a capability that in the server's hands, allows
the server to directly perform some action that the client cannot
directly perform (i.e. grants the server more permission than it does
the client).
The server is now potentially confusable, depending on how it has been
coded.
Suppose this extra permission granted to the server should not be used
on the client's behalf.
If in delegating the capability to the server, the client may cause the
server to use this extra permission on the client's behalf, then the
server has become a confused deputy.
This applies equally to authority, but now we have to be more careful.
Suppose the client has a capability that in the server's hands, allows
the server to cause some action to occur that the client cannot cause
with the same capability WITHOUT DELEGATING IT TO THE SERVER. (This last
part is the important part, because if the server is confusable, then by
definition the client may be able to cause the server to cause this
other action on the client's behalf, in which case the client can
(indirectly) cause the action and it is part of its authority.)
The server is now potentially confusable, depending on how it has been
coded.
If this action that the server can cause is not permitted to be caused
by the client and if by delegating the capability to the server, the
client can cause the server to cause this action to occur, then the
server has become a confused deputy.
I think that's right now. Do you agree?
> Perhaps we can get Jonathan to make the statement in
> his own words to see if there is a way of clarifying the
> condition under which a confused deputy situation can arise that
> makes careful use of the permission/authority distinction.
Indeed.
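As an added illustration of the permission form of the statement above (example code written for this page, not code from Toby's post or from any cap-talk system; the toy store, its ACL, the principal names and the paths are all made up): a deputy that opens a client-named path with its own permission can be steered at a file only the deputy may write, whereas a deputy that writes only through a capability the client already held and delegated cannot be, because the client can only hand over what it can itself obtain.

```python
# Toy model of the confused-deputy condition (constructed example, not from the
# cap-talk thread). A Store is a path -> contents map with a per-path write ACL;
# a WriteCap is the only way to append to a path once the ACL check has passed.


class Store:
    """Toy file system with a set of principals allowed to write each path."""

    def __init__(self):
        self.files = {}
        self.acl = {}

    def open_write(self, principal, path):
        """Return a write capability, or raise if `principal` lacks permission."""
        if principal not in self.acl.get(path, set()):
            raise PermissionError(f"{principal} may not write {path}")
        return WriteCap(self, path)


class WriteCap:
    """Handle that lets its holder append to exactly one path."""

    def __init__(self, store, path):
        self._store = store
        self.path = path

    def write(self, data):
        self._store.files[self.path] = self._store.files.get(self.path, "") + data


SERVER_LOG = "/srv/audit.log"     # hypothetical: only the server may write this
CLIENT_OUT = "/home/client/out"   # hypothetical: client and server may both write this


def make_store():
    store = Store()
    store.acl[SERVER_LOG] = {"server"}
    store.acl[CLIENT_OUT] = {"client", "server"}
    return store


def ambient_server(store, payload, target_path):
    """Confusable deputy: the client names the target by string and the server
    opens it with its OWN permission, which exceeds the client's."""
    cap = store.open_write("server", target_path)
    cap.write(payload)


def capability_server(store, payload, target):
    """Deputy that writes only through a capability the client delegated to it."""
    target.write(payload)


def attack_ambient():
    """Client asks the ambient-authority deputy to 'help' it write the audit log.
    Returns True if the server's extra permission was exercised on the client's behalf."""
    store = make_store()
    ambient_server(store, "forged entry\n", SERVER_LOG)
    return "forged entry" in store.files.get(SERVER_LOG, "")


def attack_capability():
    """Same attempt against the capability deputy. The client cannot mint a
    capability to the audit log, so it has nothing to hand over that steers the
    server there. Returns True only if the audit log was nevertheless written."""
    store = make_store()
    try:
        cap = store.open_write("client", SERVER_LOG)
    except PermissionError:
        return False
    capability_server(store, "forged entry\n", cap)
    return "forged entry" in store.files.get(SERVER_LOG, "")


def legitimate_capability():
    """The capability deputy still works on a target the client may itself name."""
    store = make_store()
    cap = store.open_write("client", CLIENT_OUT)
    capability_server(store, "hello\n", cap)
    return store.files[CLIENT_OUT]


if __name__ == "__main__":
    print("ambient deputy confused:   ", attack_ambient())
    print("capability deputy confused:", attack_capability())
    print("capability deputy output:  ", repr(legitimate_capability()))
```

The capability version closes only the permission-side hole: the server's extra permission (its own capability to the audit log) is never applied to a client-chosen target because the client cannot reach that target by naming it. It says nothing about the authority case discussed in the message, where the question is what the client can cause to happen by delegating a capability it does hold; that depends on how the server combines what it is given with what it already has.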