[cap-talk] Confused Deputies in Capability Systems - not
Marcus Brinkmann
marcus.brinkmann at ruhr-uni-bochum.de
Thu Feb 26 11:36:18 EST 2009
Thanks, Jed, for picking this up and summarizing the status of the discussion.
I think your approach of picking more up-to-date examples of confused
deputies is the right one to illuminate the discussion, whereas looking at
capability systems, which lack confused deputies, whether by their genuine
properties or by definition, is not instructive.
I think it is important to be brief, so I will jump right to the point that I
think illustrates best where I am coming from.
The key insight in understanding how capability systems eliminate the confused
deputy problem is that as a precondition, all actors in the system must be
subjected to the same capability regime. Alice can only send a capability to
Bob if Alice and Bob agree on a system that provides that capability with an
authority. Otherwise, the capability itself cannot be transferred at all or
is just a meaningless lump of data.
Capabilities can only survive in an isolated, homogeneous environment. I
think that this is a serious limitation, which in my opinion severely
restricts the applicability of capability theory.
Of course, it is possible to be more or less optimistic about the reach of a
particular capability regime. My personal estimation is that the safe bubbles
within which you can enforce a single capability regime are overall pretty
small, roughly the size of a single application.
In any case, unless you believe that all interacting systems can be subjected
to the same (world-wide?) capability system, there are going to be interfaces
where the confused deputy problem can probably crop up. That's why I think
that the capability community has essentially defined the problem away by a
sheer act of imagination: Either by limiting imagination to a single
subsystem, or by expanding imagination to include everything there is to be
within the subsystem.
This is not meant to be all negative: It's a good thing if you can push some
of the problems out of an isolated subsystem into the interaction between such
subsystems. That by itself can be a useful design tool. But it does not solve
all problems, and we still need solutions for the interactions between bubbles.
Thanks,
Marcus
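The following is an added illustration of the argument in the message above; it is not code from the post or from anyone on the list. It recasts Hardy's compiler/billing-file confused deputy three ways in a constructed in-memory filesystem: with ambient (ACL) authority, where the deputy is confused; inside a single capability regime, where the caller can only designate an output by handing over the authority to write it; and across a regime boundary, where the capability has to be serialised into a path string for a system that shares none of the local objects, and the receiving deputy is back to resolving a caller-supplied string with its own authority. The `Filesystem`, `WriteCap`, `mint_write_cap` and compiler functions are hypothetical names for this toy; in Python the "unforgeability" of `WriteCap` is only a convention of the example, whereas a real capability system enforces it in the kernel or runtime.

```python
"""Confused deputy inside and across a capability regime (constructed toy)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Set


class Filesystem:
    """Constructed in-memory filesystem. `acl` is the ambient-authority path:
    any principal named for a path may write it by naming the path string."""

    def __init__(self) -> None:
        self.files: Dict[str, str] = {}
        self.acl: Dict[str, Set[str]] = {}

    def acl_write(self, principal: str, path: str, data: str) -> None:
        if principal not in self.acl.get(path, set()):
            raise PermissionError(f"{principal} may not write {path}")
        self.files[path] = data


@dataclass(frozen=True)
class WriteCap:
    """Write capability for one path. Assumption of this toy: nobody builds a
    WriteCap directly; it comes from mint_write_cap() or from being handed
    one. A real capability OS enforces that; Python only by convention."""

    fs: Filesystem = field(repr=False, compare=False)
    path: str

    def write(self, data: str) -> None:
        self.fs.files[self.path] = data


def mint_write_cap(fs: Filesystem, path: str) -> WriteCap:
    """The system granting authority; the attacker never gets to call this."""
    return WriteCap(fs, path)


# 1. Ambient authority: the deputy writes where the caller's *string* says,
#    using its own rights, so it can be pointed at its own billing log.
def acl_compiler(fs: Filesystem, source: str, output_path: str) -> None:
    fs.acl_write("compiler", output_path, f"compiled:{source}")


def demo_acl_confused_deputy() -> dict:
    fs = Filesystem()
    fs.files["billing.log"] = "alice owes 3 runs"
    fs.acl["billing.log"] = {"compiler"}            # only the compiler bills
    fs.acl["alice.out"] = {"alice", "compiler"}
    try:
        fs.acl_write("alice", "billing.log", "alice owes 0 runs")
        direct = "allowed"
    except PermissionError:
        direct = "denied"
    acl_compiler(fs, "hello.c", "billing.log")      # the deputy does it for her
    return {"direct": direct, "billing.log": fs.files["billing.log"]}


# 2. One capability regime: designation *is* authority. The caller can only
#    name an output by passing a WriteCap for it, which it cannot forge.
def cap_compiler(source: str, output: WriteCap, billing: WriteCap) -> None:
    if not isinstance(output, WriteCap):
        raise TypeError("output must be a WriteCap, not a path string")
    output.write(f"compiled:{source}")
    billing.write(billing.fs.files.get(billing.path, "") + "\n1 run")


def demo_capability_compiler() -> dict:
    fs = Filesystem()
    fs.files["billing.log"] = "alice owes 3 runs"
    billing_cap = mint_write_cap(fs, "billing.log")  # held by the compiler only
    alice_out = mint_write_cap(fs, "alice.out")       # all Alice was ever given
    cap_compiler("hello.c", alice_out, billing_cap)
    try:                                              # a string is just data here
        cap_compiler("hello.c", "billing.log", billing_cap)  # type: ignore[arg-type]
        forged = "accepted"
    except TypeError:
        forged = "rejected"
    return {"alice.out": fs.files["alice.out"],
            "billing.log": fs.files["billing.log"], "string_as_cap": forged}


# 3. Crossing out of the regime: the remote side shares none of our objects,
#    so only the designator (path string) can cross, and the remote deputy
#    must re-resolve it with its own authority. We are back at case 1.
def serialize(cap: WriteCap) -> str:
    return cap.path


def remote_compiler(remote_fs: Filesystem, source: str, output_ref: str) -> None:
    remote_fs.acl_write("remote-compiler", output_ref, f"compiled:{source}")


def demo_regime_boundary() -> dict:
    local_fs, remote_fs = Filesystem(), Filesystem()
    remote_fs.files["billing.log"] = "alice owes 3 runs"
    remote_fs.acl["billing.log"] = {"remote-compiler"}
    remote_fs.acl["alice.out"] = {"remote-compiler"}
    legit_ref = serialize(mint_write_cap(local_fs, "alice.out"))
    forged_ref = "billing.log"      # indistinguishable from a serialised cap
    remote_compiler(remote_fs, "hello.c", legit_ref)
    remote_compiler(remote_fs, "hello.c", forged_ref)
    return {"legit_ref": legit_ref, "billing.log": remote_fs.files["billing.log"]}


if __name__ == "__main__":
    print(demo_acl_confused_deputy())
    print(demo_capability_compiler())
    print(demo_regime_boundary())
```

Running it shows the billing log overwritten in cases 1 and 3 and intact in case 2. The middle case is the one the capability literature describes; the third is the interface between bubbles that the message argues still has to be dealt with, since a serialised capability is exactly the "meaningless lump of data" the receiving system cannot distinguish from a forged one.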