[cap-talk] Whether principals' authority can increase
Marcus Brinkmann
marcus.brinkmann at ruhr-uni-bochum.de
Wed Sep 24 09:19:16 CDT 2008
At Tue, 23 Sep 2008 19:54:41 +0100,
David-Sarah Hopwood <david.hopwood at industrial-designers.co.uk> wrote:
>
> Marcus Brinkmann wrote:
> > A system in which principals can only ever diminish their authority
> > and never increase it does not sound too useful to me.
>
> Authority is defined as the potential permission that a subject could
> obtain by performing any action. So a subject cannot cause its authority
> to increase, since if there is some action that it could perform to
> cause that, the relevant permission should already have been modelled
> as part of its authority.
Sorry, I misspoke. I meant to say "a system in which a principal's
authority can never increase", by whatever action.
> Typically, an application will have a capability to a powerbox by which
> the user can choose to grant it additional permissions. In a conservative
> authority analysis, those are permissions that the application could
> already *potentially* obtain, because it was only by the user's discretion
> that they were withheld.
If a powerbox exists, the user can be a confused deputy. For example,
a mail reader can request the powerbox to execute an attachment, and
the user may authorize this action against his own interest.
> I hope this makes it clear why typical capability systems do not have
> the problem of usefulness you are concerned about above. Technically,
> authority does not increase, but any process that, having previously
> chosen not to delegate some permission to a subject S, now chooses
> to do so can cause the permissions of S to increase.
I do know that capability systems can be designed such that authority
of principals or agents can increase. My point is that as soon as
such a design is taken under consideration, confused deputy problems
crop up whether you want them to or not. You can change who the deputy
is and what the confusion is about, and doing so changes the real risks.
In that respect, the confused deputy analysis can be useful. However, I
disagree that using capabilities solves the problem of confused
deputies a priori.
More discussion in response to Alan's mail. Thanks for pointing out
my error.
Thanks,
Marcus
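A toy model of the permission/authority distinction argued in this exchange, added here as an example; it is not code from the thread or from any capability system, and the object names, the powerbox grant set and the helper functions are constructed assumptions.

```python
from collections import deque
from copy import deepcopy

# Constructed sample graph: object -> capabilities it holds. A capability naming
# another object is a reference (authority flows through it); anything else is a
# leaf permission. Hypothetical names, not from the thread.
CAPS = {
    "mail_reader": {"inbox.read", "powerbox"},
    "powerbox": set(),                      # grants only at the user's discretion
    "user": {"home.rw", "shell.exec"},
}
# Constructed: what the user may choose to hand to a powerbox holder.
POWERBOX_GRANTS = {"attachment.exec", "home.rw"}

def leaf_permissions(caps, subject):
    """Permissions the subject can exercise right now, without anyone's help."""
    return {c for c in caps.get(subject, set()) if c not in caps}

def authority(caps, subject, conservative=True):
    """Every permission reachable by any sequence of actions from `subject`.
    The conservative analysis also counts what a held powerbox could grant."""
    reach, seen, todo = set(), {subject}, deque([subject])
    while todo:
        obj = todo.popleft()
        for cap in caps.get(obj, set()):
            if cap in caps:                  # reference: follow the edge
                if cap not in seen:
                    seen.add(cap)
                    todo.append(cap)
            else:
                reach.add(cap)               # leaf permission
        if obj == "powerbox" and conservative:
            reach |= POWERBOX_GRANTS
    return reach

def user_grants_via_powerbox(caps, subject, perm):
    """Model the user approving a powerbox request. Returns the new graph and
    whether the subject's (conservative) authority stayed the same."""
    if "powerbox" not in caps.get(subject, set()) or perm not in POWERBOX_GRANTS:
        raise PermissionError(f"{subject} cannot obtain {perm} via the powerbox")
    new = deepcopy(caps)
    new[subject].add(perm)                  # permissions grow ...
    return new, authority(caps, subject) == authority(new, subject)  # ... authority does not

if __name__ == "__main__":
    print("permissions:", leaf_permissions(CAPS, "mail_reader"))
    print("authority:  ", authority(CAPS, "mail_reader"))
    _, same = user_grants_via_powerbox(CAPS, "mail_reader", "attachment.exec")
    print("authority unchanged after user grant:", same)
```

The conservative analysis already counts "attachment.exec" in the mail reader's authority before the user clicks allow, which is exactly why the risk Marcus describes lives in the user's grant decision rather than in any increase of authority.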