[cap-talk] Confused Deputies in Capability Systems
Toby Murray
toby.murray at comlab.ox.ac.uk
Wed Feb 11 12:37:28 EST 2009
On Wed, 2009-02-11 at 17:21 +0000, Karp, Alan H wrote:
> Toby Murray wrote:
> >
> > Indeed. But the assertion is that in cases where cap systems interface
> > with the outside world that do not use authority-carrying-designations,
> > one may need to build services that map
> > non-authority-carrying-designations to capabilities, thereby leading to
> > potential confused deputies. How to avoid doing so was I believe the
> > question that Marcus was asking?
> >
> The trick is to do the mapping from external designation to capability in the invoking context. Your example did it in the invoked context.
>
Could you elaborate? How would you modify my web-browser-on-a-cap-OS
example to avoid the confused deputy, or as you say "to perform the
mapping [from URLs to capabilities] in the invoking context [i.e. that
of the web-browser rather than the network service]"?
Cheers
Toby