[cap-talk] Confused Deputies in Capability Systems
Toby Murray
toby.murray at comlab.ox.ac.uk
Sat Feb 7 09:03:25 EST 2009
On Fri, 2009-02-06 at 22:08 +0000, Karp, Alan H wrote:
> Toby Murray wrote:
> >
> > The last discussion raised point (1) -- that confused deputies
> > necessarily can perform actions that their clients cannot. I'm adding
> > point (2) -- that these actions are performed "incorrectly" only (in
> > fact, I'd say *by definition*) because either the service has failed to
> > perform input validation or because it shouldn't be responding to a
> > particular client -- the client shouldn't have gotten access to the
> > service.
> >
> It's a bug if the service honors a request made with a forged authorization. It's a bug if the service uses its own rights incorrectly on behalf of a legitimate request, such as writing the wrong file. Neither of these is a confused deputy.
Why?
I want a formal distinction, not a fuzzy one.
Cheers
Toby
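The scenario the thread is arguing about, written out as an added example (this code is not from the cap-talk thread or any of its posters): a compiler service that records a billing line using its own authority, in three designs. The first takes whatever output name the client supplies and is confusable (it can do something its client cannot: write the billing file). The second keeps the same ambient authority but validates the client's own right to the output path first, which is the "input validation" reading of point (2). The third is the capability version: the client must hand over a write capability it opened with its own authority, so the deputy never names the output itself. FileSystem, WriteCap, the paths and the principal names are all assumptions made for the example.

```python
"""
Toy model of the classic confused deputy (a compiler that bills for each run)
in three designs: confusable, checking, capability.

Illustrative code added for this thread, not from the cap-talk posters.
FileSystem, WriteCap, the paths and the principals are all assumed.
"""

BILLING = "/var/billing"
ALICE_OUT = "/home/alice/a.out"


class FileSystem:
    """ACL file system: each path lists the principals allowed to write it."""

    def __init__(self, acl, files):
        self.acl = acl
        self.files = dict(files)

    def check(self, principal, path, verb):
        if principal not in self.acl.get(path, set()):
            raise PermissionError(f"{principal} may not {verb} {path}")

    def write(self, principal, path, data):
        self.check(principal, path, "write")
        self.files[path] = data

    def append(self, principal, path, line):
        self.check(principal, path, "append to")
        self.files[path] = self.files.get(path, "") + line

    def open_write(self, principal, path):
        """Check the ACL once and return a capability bound to the path."""
        self.check(principal, path, "open")
        return WriteCap(self, path)


class WriteCap:
    """Designation and authority in one handle; no re-check on use."""

    def __init__(self, fs, path):
        self._fs, self._path = fs, path

    def write(self, data):
        self._fs.files[self._path] = data

    def append(self, line):
        self._fs.files[self._path] = self._fs.files.get(self._path, "") + line


class ConfusableCompiler:
    """Uses the compiler's own rights on a path chosen by the client."""

    def __init__(self, fs):
        self.fs = fs

    def compile(self, client, source, output_path):
        self.fs.write("compiler", output_path, f"obj({source})")
        self.fs.append("compiler", BILLING, f"{client} compiled {source}\n")


class CheckingCompiler(ConfusableCompiler):
    """Same authority, but refuses outputs the client could not write itself."""

    def compile(self, client, source, output_path):
        self.fs.check(client, output_path, "write")
        super().compile(client, source, output_path)


class CapabilityCompiler:
    """Writes only through capabilities: its own for billing, the client's for output."""

    def __init__(self, billing_cap):
        self.billing_cap = billing_cap

    def compile(self, client, source, output_cap):
        output_cap.write(f"obj({source})")
        self.billing_cap.append(f"{client} compiled {source}\n")


def make_fs():
    # The compiler is on every ACL it needs (ambient authority); Alice only on her file.
    return FileSystem(
        acl={BILLING: {"compiler"}, ALICE_OUT: {"alice", "compiler"}},
        files={BILLING: "bob compiled b.c\n"},
    )


def run(design, output_path):
    """Alice asks the named design to compile a.c into output_path.
    Returns (contents of output_path, contents of billing, error name or None)."""
    fs = make_fs()
    err = None
    try:
        if design == "confusable":
            ConfusableCompiler(fs).compile("alice", "a.c", output_path)
        elif design == "checking":
            CheckingCompiler(fs).compile("alice", "a.c", output_path)
        elif design == "capability":
            billing_cap = fs.open_write("compiler", BILLING)
            output_cap = fs.open_write("alice", output_path)  # alice's authority only
            CapabilityCompiler(billing_cap).compile("alice", "a.c", output_cap)
        else:
            raise ValueError(f"unknown design {design!r}")
    except PermissionError as e:
        err = type(e).__name__
    return fs.files.get(output_path), fs.files[BILLING], err


if __name__ == "__main__":
    for design in ("confusable", "checking", "capability"):
        for path in (ALICE_OUT, BILLING):
            print(design, path, run(design, path))
```

Running it with output_path set to the billing file shows the difference: the confusable design clobbers Bob's billing record with Alice's object code; the checking design refuses because Alice has no right to the path; the capability design fails earlier still, at Alice's own open_write, so the deputy never sees a request it could misuse. Note that in the capability design nothing in the deputy's code is security-sensitive: it writes only through handles it was given, which is the point Toby's question presses on.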