[cap-talk] Confused Deputies in Capability Systems
erights at gmail.com
Tue Feb 10 13:34:27 EST 2009
On Tue, Feb 10, 2009 at 10:08 AM, Rob Meijer <capibara at xs4all.nl> wrote:
> On Tue, February 10, 2009 14:26, Marcus Brinkmann wrote:
> > Toby Murray wrote:
> >> My argument is that confused deputies can arise whenever a service in an
> >> object-capability system similarly fails to perform input validation on
> >> the capabilities it is passed (rather than arbitrary strings), in the
> >> case that those capabilities are more powerful in its hands than in
> >> those of its clients (e.g. via rights-amplification).
> > It's even simpler. A confused deputy can also arise in capability
> > if a capability is designated by a symbolic name rather than a
> So what you are saying is that petnames give rise to confused deputies?
> Could you sketch a scenario where petnames usage could result in a
> confused deputy? Or have I misunderstood the above statement?
Or similarly a lambda-name, aka, a c-list index. *All* object-capability
systems use such indexes to indicate which of their capabilities are to be
used. If these introduce confused deputies, then we're sunk. Fortunately, I
don't think they do.

I think we're missing some crucial distinctions. I don't yet know what those
are, but I think the questions being raised in this thread are the right
ones for uncovering these.
Text by me above is hereby placed in the public domain
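
One distinction that bears on the question in this thread, as an added example that is not part of the original post: a symbolic name resolved in the deputy's own namespace versus a c-list index resolved in the client's own c-list. All names here (makeLog, makeDeputy, the billing log) are hypothetical, and the model does not cover the rights-amplification case Toby Murray raises.

```javascript
// Constructed model: a c-list is an array of object references held by one
// party; an index only has meaning relative to the c-list it is looked up in.
function makeLog(name) {
  const lines = [];
  return {
    name,
    append: (s) => { lines.push(s); },
    read: () => lines.slice(),
  };
}

// The deputy holds its own authority: a billing log its clients cannot reach.
function makeDeputy(billingLog, clientLogs) {
  // Deputy-side namespace: every lookup here uses the DEPUTY's authority.
  const namespace = new Map([
    ["billing", billingLog],
    ...clientLogs.map((l) => [l.name, l]),
  ]);
  return {
    // Confusable form: the client designates the output by a name that the
    // deputy resolves itself, so designation and authority travel separately.
    runByName(outputName, text) {
      const out = namespace.get(outputName);
      if (!out) throw new Error("no such name: " + outputName);
      billingLog.append("charged for job");
      out.append(text);
    },
    // Capability form: the client can only hand over what it already holds.
    runByCap(outputCap, text) {
      billingLog.append("charged for job");
      outputCap.append(text);
    },
  };
}

function demo() {
  const billing = makeLog("billing");
  const aliceOut = makeLog("alice.out");
  const deputy = makeDeputy(billing, [aliceOut]);
  const aliceCList = [aliceOut, deputy]; // Alice has no reference to billing

  deputy.runByName("billing", "forged entry"); // resolved with deputy's authority
  const afterName = billing.read();
  deputy.runByCap(aliceCList[0], "job output"); // index resolved in Alice's c-list
  return { afterName, afterCap: billing.read(), aliceOut: aliceOut.read() };
}
```

In the second call the index is looked up on the client's side before the message is sent, so no index Alice can choose designates the billing log.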