[cap-talk] Toby's Confused deputy statement (was: Re: Confused deputies in hybrid systems)

Jed Donnelley capability at webstart.com
Sat Feb 9 02:46:42 EST 2008


At 02:09 PM 2/8/2008, Karp, Alan H wrote:
>Shap wrote:
> >
> > I think this is closer to what we want, but I confess that it disturbs
> > me. If this is right (and I think that it probably is, modulo further
> > refinement), then it follows that the sealer/unseal operation pair
> > renders a service potentially confusable.
> >
>When I first read this statement a few days ago, I quietly nodded in
>agreement.  On further pondering, I don't think it fits the definition
>of the confused deputy.  Alice has a sealed box.  Bob has the
>corresponding unsealer.  In order to exercise the authority in the box,
>Bob must explicitly use the unsealer.  In other words, Bob is aware that
>he is using an authority that he did not get from Alice.  He could make
>a mistake, but that's not the same as being a confused deputy.

I agree.  I've also been thinking quite a bit about this Confused Deputy topic
lately.  While I agree with the sense of Toby's statement that any Rights
Amplification has the potential to produce deputy confusion, as Alan notes
above it seems that in most capability/OO examples the deputy has enough
information to avoid being confused.

Once you get to an ACL sort of mechanism like Horton, then you can
in principle generate some confused deputies where the only way
to get the needed information would be to access the ACL, but
I believe that if the delegations never increase access, then
this problem is naturally avoided.

--Jed  http://www.webstart.com/jed-signature.html 
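The sealer/unsealer point in Alan's quoted message, as an added example that is not part of the thread: a minimal sealer/unsealer pair in Python, built from closures, plus a deputy (Bob) that receives a sealed box from Alice and must explicitly apply his unsealer before the authority inside can be exercised. The explicit unseal call is the rights-amplification step, and because it is a visible step in Bob's code he can inspect what he has just obtained before using it. The brand name, the in-memory store, the `/logs/...` path rule and all values are constructed for the illustration; Python is not a capability-safe language (reflection can reach a box's attributes), so the example demonstrates the discipline rather than enforcing it.

```python
"""Sealer/unsealer pair in the object-capability style (added example).

Each make_brand() call creates a private SealedBox class, so a box can
only be opened by the unsealer created in the same call.
"""


def make_brand(name):
    """Return a (seal, unseal) pair sharing one private brand."""

    class SealedBox:
        # Opaque carrier: holds the contents but offers no accessor.
        __slots__ = ("_contents",)

        def __init__(self, contents):
            self._contents = contents

        def __repr__(self):
            return f"<sealed box [{name}]>"

    def seal(contents):
        return SealedBox(contents)

    def unseal(box):
        # Only boxes made by this brand's own class are accepted.
        if not isinstance(box, SealedBox):
            raise PermissionError("box was not sealed by this brand")
        return box._contents

    return seal, unseal


def make_append_authority(path, store):
    """Constructed stand-in for a real capability: an append-only writer
    bound to one key of an in-memory dict (no real file I/O)."""

    def append(line):
        store.setdefault(path, []).append(line)
        return len(store[path])

    append.path = path  # lets the holder see what the authority targets
    return append


def bob_deputy(unseal, box, line):
    """Bob's service. Bob holds only the unsealer; the authority arrives
    sealed from the caller. Exercising it requires the explicit unseal()
    below, so the amplification is a deliberate step in Bob's code, not
    ambient authority he might apply without noticing."""
    try:
        authority = unseal(box)
    except PermissionError:
        return ("refused", "not our brand")
    # Bob knows he is about to use an authority he did not get from the
    # caller directly, so he checks it against his own policy first.
    if not authority.path.startswith("/logs/"):
        return ("refused", f"unexpected target {authority.path}")
    return ("ok", authority(line))


def run_scenario():
    """Three requests to Bob: a matching box, a box from an unrelated
    brand, and a matching box whose authority targets a path outside
    Bob's policy. Returns the outcomes and the resulting store."""
    store = {}
    seal, unseal = make_brand("bob-log-service")
    other_seal, _ = make_brand("unrelated-brand")
    alice_box = seal(make_append_authority("/logs/alice", store))
    foreign_box = other_seal(make_append_authority("/logs/alice", store))
    offpolicy_box = seal(make_append_authority("/accounts/alice", store))
    return {
        "alice": bob_deputy(unseal, alice_box, "hello"),
        "foreign": bob_deputy(unseal, foreign_box, "hello"),
        "offpolicy": bob_deputy(unseal, offpolicy_box, "hello"),
        "store": store,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Only the first request writes anything: the foreign box fails at the unseal step, and the off-policy box is opened (Bob has the unsealer) but Bob declines to use what he finds, which is exactly the decision a deputy can make when the amplification is explicit rather than ambient.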


