[cap-talk] Confused Deputies in Capability Systems
toby.murray at comlab.ox.ac.uk
Wed Feb 11 12:37:28 EST 2009
On Wed, 2009-02-11 at 17:21 +0000, Karp, Alan H wrote:
> Toby Murray wrote:
> > Indeed. But the assertion is that in cases where cap systems interface
> > with the outside world that do not use authority-carrying-designations,
> > one may need to build services that map
> > non-authority-carrying-designations to capabilities, thereby leading to
> > potential confused deputies. How to avoid doing so was I believe the
> > question that Marcus was asking?
> The trick is to do the mapping from external designation to capability in the invoking context. Your example did it in the invoked context.
Could you elaborate? How would you modify my web-browser-on-a-cap-OS
example to avoid the confused deputy, or as you say "to perform the
mapping [from URLs to capabilities] in the invoking context [i.e. that
of the web-browser rather than the network service]"?
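
The following is an added illustration, not part of the thread and not either poster's design, of the distinction drawn in the quoted reply: resolving a URL to a capability in the invoked context (the network service) versus in the invoking context (the client). All class names, hosts and URLs are constructed assumptions; the web-browser example referred to above is not reproduced on this page.

```python
from urllib.parse import urlsplit

# Constructed sketch: Connection, DeputyNetService and Browser are hypothetical names.
class Connection:
    """A capability: holding the object is the authority to reach one host."""
    def __init__(self, host):
        self.host = host
    def fetch(self, path):
        return f"response from {self.host}{path}"

def split_url(url):
    parts = urlsplit(url)
    return parts.hostname, parts.path or "/"

class DeputyNetService:
    """Mapping in the invoked context: a bare URL string is turned into a
    capability using the service's own authority over every host."""
    def __init__(self, hosts):
        self._conns = {h: Connection(h) for h in hosts}
    def fetch(self, url):
        host, path = split_url(url)
        # Nothing here says whether the *caller* may reach this host.
        return self._conns[host].fetch(path)

class Browser:
    """Mapping in the invoking context: the URL is resolved against the
    capabilities this client was granted, then the capability is used."""
    def __init__(self, granted):
        self._granted = {c.host: c for c in granted}
    def fetch(self, url):
        host, path = split_url(url)
        conn = self._granted.get(host)
        if conn is None:
            raise PermissionError(f"no capability for {host}")
        return conn.fetch(path)

def demo():
    # The deputy holds connections to both hosts; any caller's string works.
    deputy = DeputyNetService(["public.example", "intranet.example"])
    leaked = deputy.fetch("http://intranet.example/admin")
    # The browser was granted only the public host.
    browser = Browser([Connection("public.example")])
    ok = browser.fetch("http://public.example/index")
    try:
        browser.fetch("http://intranet.example/admin")
        denied = False
    except PermissionError:
        denied = True
    return leaked, ok, denied
```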