[cap-talk] Confused Deputies in Capability Systems
Rob Meijer
capibara at xs4all.nl
Tue Feb 10 13:08:23 EST 2009
On Tue, February 10, 2009 14:26, Marcus Brinkmann wrote:
> Toby Murray wrote:
>> My argument is that confused deputies can arise whenever a service in an
>> object-capability system similarly fails to perform input validation on
>> the capabilities it is passed (rather than arbitrary strings), in the
>> case that those capabilities are more powerful in its hands than in
>> those of its clients (e.g. via rights-amplification).
>
> It's even simpler. A confused deputy can also arise in capability systems
> if a capability is designated by a symbolic name rather than a capability.
So what you are saying is that petnames give rise to confused deputies?
Could you sketch a scenario where petname usage could result in a
confused deputy? Or have I misunderstood the above statement?
Rob