[cap-talk] Confused Deputies in Capability Systems
Dave Chizmadia - Gmail
davechiz at gmail.com
Wed Feb 11 09:05:24 EST 2009
Bill Frantz wrote
> Marcus Brinkmann wrote
>> It's even simpler. A confused deputy can also arise in
>> capability systems if a capability is designated by a
>> symbolic name rather than a capability. Any service that
>> translates names to capabilities can potentially have a
>> confused deputy problem.
>
> I am truly confused. How does translating a name, such as
> clist item[5], into a capability introduce the problem of
> using the wrong subject to check the authority, which is
> the essence of confused deputy?
>
> Marcus and Toby see this as obvious, and I don't see it at
> all, so, "What we have here is a failure to communicate."
I think that the main source of confusion is differing
assumptions about the namespace scope. A confused deputy only
arises in a multi-actor namespace where some of the actors
are mutually suspicious. In a single-actor namespace, there
can be no deputy to be confused.
-DMC
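
The namespace-scope distinction discussed in this thread, as an added Python sketch that is not part of any poster's message. Cap, Client, Deputy, the "billing-log" and "scratch" names, and the c-list indices are hypothetical; a plain Python object stands in for an unforgeable capability.

```python
# Constructed illustration; every class, name and index here is hypothetical.
class Cap:
    """Stands in for an unforgeable reference to a writable object."""
    def __init__(self, label):
        self.label, self.contents = label, []

    def write(self, text):
        self.contents.append(text)

class Client:
    """An actor whose c-list is a single-actor namespace: index -> Cap."""
    def __init__(self, name):
        self.name = name
        self.clist = {}

    def designate(self, index):
        # Resolution happens in the caller's own c-list, so it can only
        # yield authority the caller already holds.
        return self.clist[index]

class Deputy:
    """A service holding its own capabilities under symbolic names."""
    def __init__(self, namespace):
        self.namespace = namespace  # shared, multi-actor: name -> Cap

    def append_by_name(self, name, text):
        # The name is translated with the deputy's authority, whoever asked.
        self.namespace[name].write(text)

    def append_by_cap(self, cap, text):
        # Designation and authority arrive together in the capability.
        cap.write(text)

def run_demo():
    billing, scratch = Cap("billing-log"), Cap("scratch")
    deputy = Deputy({"billing-log": billing, "scratch": scratch})
    untrusted = Client("untrusted")
    untrusted.clist[5] = scratch  # the only authority this client was given
    # Shared namespace: the client's request by name resolves even though
    # the client holds no capability for the billing log.
    deputy.append_by_name("billing-log", "written via name")
    # Per-client namespace: clist item[5] resolves; item[6] does not exist.
    deputy.append_by_cap(untrusted.designate(5), "written via clist item[5]")
    try:
        untrusted.designate(6)
        refused = False
    except KeyError:
        refused = True
    return billing.contents, scratch.contents, refused
```
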