[cap-talk] Toby's Confused deputy statement (was: Re: Confused deputies in hybrid systems)
Jonathan S. Shapiro
shap at eros-os.com
Tue Feb 5 10:34:47 EST 2008
On Tue, 2008-02-05 at 09:21 +0000, Toby Murray wrote:
> On Mon, 2008-02-04 at 17:00 -0800, Jed Donnelley wrote:
> > Perhaps somebody can suggest how Toby's statement could
> > be reworded to still convey this basic fact and stay
> > within the definitions that Jonathan seems to be
> > using?
> I think Jonathan would prefer
> In any case in which a service may get more PERMISSION than its client
> gets AUTHORITY from a capability passed to it by its client, the service
> is potentially confusable.
A good try, but that is not it. The problem here is that permission can
be measured on a capability-by-capability basis, while authority cannot.
Authority results from the interaction of capabilities (note: plural).
After about three seconds thought, how about:
In any case in which a service may get more PERMISSION than its
client gets PERMISSION from a capability passed to it by its client,
the service is potentially confusable.
I think this is closer to what we want, but I confess that it disturbs
me. If this is right (and I think that it probably is, modulo further
refinement), then it follows that the sealer/unseal operation pair
renders a service potentially confusable.
> However, as I see it, the service does have more authority than the
> client, since the client must rely on the service in order to exercise
> its authority granted by the capability, while the service need not rely
> on anyone but itself -- it certainly need not rely on the client.
I said this in another note, but let me repeat it here in the interests
of maintaining discussion coherence.
The problem here is one of analytic detail. If we are prepared to
analyze the behavior of the service (i.e. its program) then it may be
possible to draw sensible distinctions between the authority of the
service and the authority of its client.
But in the absence of such analysis, I believe that we must proceed more
conservatively, and assume that the service obeys the will of its
clients. Under this assumption, and excluding other environmentally
imposed restrictions, the client's authority is presumptively identical
to the service's authority.
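The sealer/unsealer remark above is the concrete case where the restated test bites. The following is an added example, not code from the cap-talk thread or from any of its participants: it models a client that holds only a sealed box and a service that holds the matching unsealer, then measures permission capability by capability (what one object reference lets its holder invoke directly). The brand-pair implementation, the `FileCap` stand-in and the `permissions_via` measurement are all assumptions made for illustration; Python cannot enforce encapsulation against a hostile caller in the same process, so the code models the discipline rather than proving it.

```python
"""Sealer/unsealer pair and the per-capability permission asymmetry it creates.

Constructed example (not from the cap-talk thread). The client holds a sealed
box and can do nothing with it but pass it along; the service holding the
matching unsealer recovers the inner capability and all of its operations.
"""

from typing import Any, Callable, Set, Tuple


class SealedBox:
    """Opaque carrier. Its only public use is to be handed to someone else."""

    def __init__(self, brand: str, release: Callable[[object], Any]) -> None:
        self.brand = brand          # a label, deliberately not a secret
        self._release = release     # used only by the matching unsealer

    def __repr__(self) -> str:
        return f"<sealed box: {self.brand}>"


def make_brand_pair(brand: str) -> Tuple[Callable[[Any], SealedBox],
                                          Callable[[SealedBox], Any]]:
    """Return a (seal, unseal) pair that share one private token.

    Assumed implementation: the box keeps its contents in a closure and hands
    them back only to a caller presenting the token created here. Python has
    no true encapsulation, so this models the pattern, not hostile-caller
    resistance.
    """
    token = object()   # unforgeable within this program: identity, not value

    def seal(contents: Any) -> SealedBox:
        def release(presented: object) -> Any:
            if presented is not token:
                raise PermissionError("wrong unsealer for this box")
            return contents
        return SealedBox(brand, release)

    def unseal(box: SealedBox) -> Any:
        return box._release(token)

    return seal, unseal


class FileCap:
    """Stand-in for a capability to a resource, offering two operations."""

    def __init__(self, name: str, data: bytes = b"") -> None:
        self.name = name
        self._data = bytearray(data)

    def read(self) -> bytes:
        return bytes(self._data)

    def write(self, data: bytes) -> None:
        self._data[:] = data


def permissions_via(obj: Any) -> Set[str]:
    """Permission in the per-capability sense used in the thread.

    Returns the public operations this one reference lets its holder invoke,
    ignoring every other reference the holder may also have.
    """
    return {
        name for name in dir(obj)
        if not name.startswith("_") and callable(getattr(obj, name))
    }


def make_service(unseal: Callable[[SealedBox], Any]) -> Callable[[SealedBox], Set[str]]:
    """A service that holds the unsealer and reports what it can do with a box."""

    def service(box: SealedBox) -> Set[str]:
        inner = unseal(box)
        return permissions_via(inner)

    return service


def wrong_brand_is_rejected() -> bool:
    """An unsealer from a different brand pair must not open the box."""
    seal_a, _ = make_brand_pair("a")
    _, unseal_b = make_brand_pair("b")
    try:
        unseal_b(seal_a(FileCap("x")))
    except PermissionError:
        return True
    return False


def demo() -> Tuple[Set[str], Set[str]]:
    """Client's permission via the box versus the service's permission via it."""
    seal, unseal = make_brand_pair("file-caps")
    box = seal(FileCap("secrets.txt", b"hush"))   # constructed sample capability
    client_permission = permissions_via(box)      # nothing but pass-along
    service_permission = make_service(unseal)(box)
    return client_permission, service_permission


if __name__ == "__main__":
    client, service = demo()
    print("client permission via box:  ", sorted(client))
    print("service permission via box: ", sorted(service))
```

Under the restated test, `demo()` is exactly the disturbing case: the service derives `read` and `write` from a capability whose holder derives nothing, so the service is potentially confusable. Whether that matters in practice is the separate question the message raises about authority, which depends on what else each party holds and cannot be read off one reference.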