[cap-talk] Confused Deputies in Capability Systems
marcus.brinkmann at ruhr-uni-bochum.de
Tue Feb 10 08:26:15 EST 2009
Toby Murray wrote:
> My argument is that confused deputies can arise whenever a service in an
> object-capability system similarly fails to perform input validation on
> the capabilities it is passed (rather than arbitrary strings), in the
> case that those capabilities are more powerful in its hands than in
> those of its clients (e.g. via rights-amplification).
It's even simpler. A confused deputy can also arise in capability systems
if a capability is designated by a symbolic name rather than a capability.
Any service that translates names to capabilities can potentially have a
confused deputy problem. The capability community has not yet demonstrated
that they can build interesting real world systems that do not rely on such
services. The underlying assumption is that you can always use capabilities
for everything. Don't get me wrong: I know that capability theory covers many
interesting scenarios in isolation. But applying those principles to a whole
system that is used by real people is a different problem.
More information about the cap-talk