[cap-talk] "ACLs don't" paper rejected from Oakland 09

Toby Murray toby.murray at comlab.ox.ac.uk
Fri Jan 30 03:16:42 EST 2009


On Thu, 2009-01-29 at 12:19 -0800, Tyler Close wrote:
> On Thu, Jan 29, 2009 at 11:53 AM, David Wagner <daw at cs.berkeley.edu> wrote:
> > I would say that the Oakland conference does not exist to educate the
> > world.  Just because something is not widely known is not sufficient
> > reason for publication in Oakland.
>
> What existing papers could people read and come away with the same
> level of understanding they get from "ACLs don't"? 

I think David has nailed it. "Understanding" is hard to evaluate because
there is nothing tangible (no "work") other than pure ideas. It's much
easier for a reviewer to ask "What work was carried out here?", then "Is
it novel?", "Is it interesting?" and "Is it well-presented?". Answering
these questions for ideas only is much harder, hence an ideas-only paper
will always be much harder to get accepted.

One way to combat this would be to take some of the content from your
webkeys and clickjacking papers that explain solutions to these problems
and incorporate them into the "ACL's Don't" paper. Explain that the
system is implemented and how it solves the Confused Deputy problems in
the traditional ACL model that manifest themselves as CSRF and
Clickjacking etc. today.

While we're on this, I came across the following article today which
describes Google's recent work to combine OpenID with OAuth.

http://www.techcrunch.com/2009/01/29/openid-oauth-two-great-tastes-that-taste-great-together/

From the article:
> Too often, when a Website wants to import your contacts from another
> Web service, it asks for your login and password credentials. OAuth
> gets around that by sending you back to the original site where you
> login and authorize the one-time transfer of data. It is much more
> secure. And now it works with OpenID.

This situation looks ripe for confused deputies. It might be worth
looking at it in the context of webkeys.

Cheers

Toby
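To make the confused-deputy point above concrete, here is an added Python model (not code from this thread or from the webkeys work): a bank that authorizes a transfer from the session cookie plus an ACL, next to one that authorizes from a webkey carried in the request itself. The account names, amounts and the request shape are constructed for illustration.

```python
# Constructed illustration of CSRF as a confused deputy; not from the thread.
import secrets
from collections import namedtuple

# cookies: attached by the browser on its own; params: chosen by whoever built the request
Request = namedtuple("Request", "cookies params")

class Bank:
    def __init__(self):
        self.grants = {}                          # secret -> account it authorizes
        self.balances = {"alice": 100, "mallory": 0}

    def login(self, user):
        secret = secrets.token_urlsafe(32)        # unguessable in both models
        self.grants[secret] = user
        return secret

    def transfer(self, req):
        user = self.authorize(req)
        if user is None:
            return "denied"
        self.balances[user] -= req.params["amount"]
        self.balances[req.params["dst"]] += req.params["amount"]
        return "ok"

class AclBank(Bank):
    """ACL model: the cookie says WHO is asking and the ACL says the owner may
    debit. The server cannot tell whether alice or a page she merely rendered
    built the request, so the browser acts as a confused deputy."""
    def authorize(self, req):
        user = self.grants.get(req.cookies.get("session"))
        return user if user == req.params.get("src") else None

class WebkeyBank(Bank):
    """Capability model: the webkey IS the authority to debit the account and
    must be designated in the request; the browser never adds one by itself."""
    def authorize(self, req):
        return self.grants.get(req.params.get("webkey"))

def cross_site_request(bank, victim_cookie, params):
    # A page served by mallory asks alice's browser to hit the bank: the
    # browser attaches her session cookie but knows nothing of her webkey.
    return bank.transfer(Request({"session": victim_cookie}, params))

def demo():
    """Returns (ACL result, alice's ACL balance, webkey result, alice's webkey balance)."""
    acl, cap = AclBank(), WebkeyBank()
    cookie = acl.login("alice")
    cap.login("alice")                            # alice holds her webkey; mallory's page does not
    forged = {"src": "alice", "dst": "mallory", "amount": 30}
    return (cross_site_request(acl, cookie, forged), acl.balances["alice"],
            cross_site_request(cap, cookie, forged), cap.balances["alice"])
```

The ACL bank honours the forged request because the ambient cookie satisfies its check, while the webkey bank refuses it because the authority was never designated in the request.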
