[cap-talk] Confused Deputies in Capability Systems

Karp, Alan H alan.karp at hp.com
Wed Feb 11 12:21:17 EST 2009

Toby Murray wrote:
> Indeed. But the assertion is that in cases where cap systems interface
> with the outside world that do not use authority-carrying-designations,
> one may need to build services that map
> non-authority-carrying-designations to capabilities, thereby leading to
> potential confused deputies. How to avoid doing so was I believe the
> question that Marcus was asking?
The trick is to do the mapping from external designation to capability in the invoking context. Your example did it in the invoked context.

Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
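
The distinction drawn in the reply above, shown as an added example that is not part of the original message or of any cap-talk code: a compiler-style deputy that resolves an output name with its own authority, next to one that is handed a capability the caller resolved itself. All class, function and file names (FileCap, Namespace, billing.log, out.o) are hypothetical and the data is constructed.

```python
# Added illustration (constructed): a compiler-style deputy modeled with plain objects.

class FileCap:
    """Capability: holding this object is the authority to write the file."""
    def __init__(self, name):
        self.name, self.data = name, ""
    def write(self, text):
        self.data = text

class Namespace:
    """Maps string names (designation only) to the capabilities one context holds."""
    def __init__(self, *caps):
        self._caps = {c.name: c for c in caps}
    def lookup(self, name):
        return self._caps[name]      # KeyError: this context holds no such authority

class DeputyResolvesName:
    """Mapping in the INVOKED context: the name is resolved with the deputy's authority."""
    def __init__(self, own_ns, billing):
        self._ns, self._billing = own_ns, billing
    def compile(self, source, out_name):
        self._billing.write("charged 1 unit")
        self._ns.lookup(out_name).write("obj(" + source + ")")

class DeputyTakesCap:
    """The deputy never sees a name; it only uses the capability it was handed."""
    def __init__(self, billing):
        self._billing = billing
    def compile(self, source, out_cap):
        self._billing.write("charged 1 unit")
        out_cap.write("obj(" + source + ")")

def invoke_with_cap(caller_ns, deputy, source, out_name):
    """Mapping in the INVOKING context: the caller resolves the name itself."""
    deputy.compile(source, caller_ns.lookup(out_name))

def demo():
    billing, out = FileCap("billing.log"), FileCap("out.o")
    caller_ns = Namespace(out)             # the caller may write only out.o
    deputy_ns = Namespace(out, billing)    # the deputy may write both files
    DeputyResolvesName(deputy_ns, billing).compile("src", "billing.log")
    confused = billing.data                # billing record replaced by compiler output
    billing.data = ""
    try:
        invoke_with_cap(caller_ns, DeputyTakesCap(billing), "src", "billing.log")
        refused = False
    except KeyError:                       # the caller cannot name what it cannot reach
        refused = True
    invoke_with_cap(caller_ns, DeputyTakesCap(billing), "src", "out.o")
    return confused, refused, billing.data, out.data
```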
