[cap-talk] Horton and reacting without confusing [deputies] (was: Re: Bee Eyes)

Jed Donnelley capability at webstart.com
Thu Feb 5 02:57:09 EST 2009


At 12:00 PM 2/2/2009, Mark Miller wrote:

>If you use the NBAC (autheNtication-Based Access Control) check to 
>reduce rights, whether by ACLs or Horton, you can still get a confused deputy.

I just want to refresh my memory a bit and be clear about the 
above.  While it's certainly true that with Horton as with ACLs it is 
possible to create confused deputies, I believe we agreed that if one 
follows a policy with Horton delegations of not increasing access 
through delegations, then Horton is safe from confused deputies.

If the above isn't true, then perhaps I can find a pointer to the 
relevant part of the past discussion.  If the above is true, then it 
seems to me that this rather modest and reasonable policy 
(delegations never increase access) can be followed and our 
capability-based access control systems can be safe from confused 
deputies - even if they use Horton to track responsibility for 
delegations - whether simply for auditing or even for reactive 
controls - whether for emergencies or not (referring to:

>...Ocap best practice can further be modelled by setting knob #1 to 
>only using Horton's NBAC check for reactive control in emergency 
>situations, like war with Canada, but otherwise trying to stay safe 
>using only proactive ZBAC controls.

).  I don't consider reductions in access (e.g. when a person leaves 
an organization) an "emergency", and do hope that capability-based 
mechanisms like Horton can be used for such "reactive" cases without 
causing other sorts of problems - like confused deputies.

--Jed  http://www.webstart.com/jed-signature.html 


