[cap-talk] Confused Deputies in Capability Systems
Sandro Magi
naasking at higherlogics.com
Fri Feb 6 11:53:33 EST 2009
Toby Murray wrote:
> Capabilities do carry an implicit authorisation, the question is,
> however, from whom (is that authorisation).
I think the first question to ask is: why should it matter?
>> Isn't the router amplifying a credential to a stream to access the
>> protected network?
>
> No it's handing out IP addresses and manipulating internal firewall
> rules.
How is this an object-capability system? The example in the paper
explicitly calls it a password capability, which is not an
object-capability. A password capability is an identity token of sorts,
in which case you've turned your service into an ACL system with the
same possibility for confused deputies, and must therefore vet the
arguments.
Depending on the implementation, the credential may also be an unsealer,
in which case it is a rights amplification.
Sandro
More information about the cap-talk
mailing list