[cap-talk] Toby's Confused deputy statement (was: Re: Confused deputies in hybrid systems)

Jonathan S. Shapiro shap at eros-os.com
Mon Feb 11 08:46:46 EST 2008


On Fri, 2008-02-08 at 22:09 +0000, Karp, Alan H wrote:
> Shap wrote:
> >
> > I think this is closer to what we want, but I confess that it disturbs
> > me. If this is right (and I think that it probably is, modulo further
> > refinement), then it follows that the sealer/unseal operation pair
> > renders a service potentially confusable.
> >
> When I first read this statement a few days ago, I quietly nodded in agreement.  On
> further pondering, I don't think it fits the definition of the confused deputy.  Alice
> has a sealed box.  Bob has the corresponding unsealer.  In order to exercise the
> authority in the box, Bob must explicitly use the unsealer.

I don't know if the deputy is confused or not in this scenario. The
statement was made that rights amplification as a capability traverses
from client to services inherently leads to confusion of the service.
Unseal is a rights amplification operation, so it made sense to ask
whether it leads to confusion.

The fact that the service must unseal explicitly certainly helps matters
a lot.

shap
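As an added illustration of the sealer/unsealer pattern the message discusses (this is constructed example code, not code from the cap-talk thread or from any of its participants), here is a minimal pair in the object-capability JavaScript style. The function names, the unrelated second pair used as a negative test, and the counter standing in for "the authority in the box" are all assumptions of the example. A box on its own exposes nothing; only the matching unsealer, invoked explicitly, recovers the contents, which is the rights amplification step.

```javascript
'use strict';

// Constructed example: a sealer/unsealer pair. A "box" carries no usable
// authority by itself; the matching unsealer, and only it, recovers the
// contents. Holding box + unsealer amplifies to the sealed authority, and
// that happens only when unseal() is called explicitly.
function makeSealerUnsealerPair() {
  // Private table keyed by box identity; the boxes themselves are opaque.
  const contents = new WeakMap();

  function seal(value) {
    const box = Object.freeze({}); // opaque token with no accessible fields
    contents.set(box, value);
    return box;
  }

  function unseal(box) {
    // A box from a different pair, or a forged object, is rejected.
    if (!contents.has(box)) {
      throw new TypeError('not a box sealed by this sealer');
    }
    return contents.get(box);
  }

  return Object.freeze({ seal, unseal });
}

// Scenario from the message: Alice holds a sealed box, Bob holds the
// corresponding unsealer. The authority in the box is modelled here as a
// closure over a private counter (an assumed stand-in for a real right).
function runScenario() {
  const { seal, unseal } = makeSealerUnsealerPair();
  const other = makeSealerUnsealerPair(); // unrelated pair, negative test

  let writes = 0;
  const authority = Object.freeze({
    write() { writes += 1; return writes; },
  });

  // Alice: sealing produces a box she can hand around freely.
  const box = seal(authority);

  // Someone holding only the box (no unsealer) reaches nothing usable.
  const reachableFromBox = Object.keys(box).length;

  // The wrong unsealer does not yield the authority; it throws.
  let wrongUnsealerRejected = false;
  try {
    other.unseal(box);
  } catch (e) {
    wrongUnsealerRejected = true;
  }

  // Bob: explicit unseal is the amplification step; only then can he act.
  const recovered = unseal(box);
  recovered.write();

  return {
    reachableFromBox,              // 0
    wrongUnsealerRejected,         // true
    sameAuthority: recovered === authority, // true
    writes,                        // 1
  };
}

console.log(runScenario());
```

The WeakMap is what makes the box opaque: no property of the box names the contents, so a holder without the unsealer cannot reach the sealed value by inspection, and a holder of an unrelated unsealer gets a thrown error rather than the authority. Whether a service that holds an unsealer is confusable then turns on the point the message makes, that the service has to call unseal() on purpose rather than having the amplification happen implicitly on receipt.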


