[cap-talk] Confused Deputies in Capability Systems
Marcus Brinkmann
marcus.brinkmann at ruhr-uni-bochum.de
Thu Feb 12 19:07:10 EST 2009
Bill Frantz wrote:
> marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) on Tuesday, February 10, 2009 wrote:
>
>> It's even simpler. A confused deputy can also arise in capability systems
>> if a capability is designated by a symbolic name rather than a capability.
>> Any service that translates names to capabilities can potentially have a
>> confused deputy problem.
>
> I am truly confused. How does translating a name, such as clist item[5],
> into a capability introduce the problem of using the wrong subject to check
> the authority, which is the essence of confused deputy?
>
> Marcus and Toby see this as obvious, and I don't see it at all, so, "What
> we have here is a failure to communicate."
I wrote my mail before I read and understood the explanations of what others
mean by a confused deputy. If you take the following two statements:
1. A confused deputy situation arises if a designation is passed between
principals and changes associated authority in transit.
2. A capability system always combines designation and authorization.
Then I concede that it follows logically that a confused deputy situation can
never arise in such capability systems. However, this just defines the
problem away. The real question is whether we can avoid using other designations
beside capabilities in system design. I think the answer to that is no, we
cannot avoid that. Seems pretty obvious to me, given that capabilities are
not universal in the sense that raw data is.
Thanks,
Marcus
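As an added illustration of the point Marcus makes (example code written for this page, not from the thread or any cap-talk project; the deputy classes, object names and c-lists are constructed), a deputy that resolves a symbolic name against its own c-list exercises its own authority on the caller's behalf, while a deputy that receives the capability itself can only act with authority the caller already holds.

```python
# Constructed example: a name-to-capability resolver reintroduces the confused
# deputy, because the authority used is the resolver's, not the caller's.

class Capability:
    """Unforgeable reference that carries its own authority (designation + authorization)."""
    def __init__(self, name, content):
        self._name = name
        self._content = content

    def read(self):
        return self._content


# Constructed sample objects.
PUBLIC_DOC = Capability("public.txt", "hello world")
SECRET_LOG = Capability("secret.log", "billing-secret")


class NameResolvingDeputy:
    """Deputy that accepts a symbolic name and resolves it using its own c-list."""
    def __init__(self, own_clist):
        self._clist = own_clist  # name -> Capability; this is the deputy's authority

    def process(self, name):
        cap = self._clist.get(name)
        if cap is None:
            raise PermissionError(f"deputy holds no capability for {name!r}")
        return cap.read()  # access is decided by what the deputy holds, not the caller


class CapabilityDeputy:
    """Deputy that accepts the capability itself: the caller can only pass what it holds."""
    def process(self, cap):
        return cap.read()


def demonstrate():
    deputy_clist = {"public.txt": PUBLIC_DOC, "secret.log": SECRET_LOG}
    caller_clist = {"public.txt": PUBLIC_DOC}  # the caller was never given SECRET_LOG

    # Name-based designation: the caller names an object it does not hold and the
    # deputy supplies its own authority to reach it (the confused deputy).
    via_name = NameResolvingDeputy(deputy_clist).process("secret.log")

    # Capability-based designation: the caller can only designate objects it holds,
    # so the deputy never needs authority the caller lacks.
    via_cap = CapabilityDeputy().process(caller_clist["public.txt"])
    try:
        CapabilityDeputy().process(caller_clist["secret.log"])
        blocked = False
    except KeyError:  # no such capability in the caller's c-list
        blocked = True
    return via_name, via_cap, blocked
```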