[cap-talk] Concerning entry "ambient authority" in Wikipedia
Mark Miller
erights at gmail.com
Fri Jun 5 10:50:28 EDT 2009
On Fri, Jun 5, 2009 at 2:13 AM, Matej Kosik <kosik at fiit.stuba.sk> wrote:
> Cannot it simply state that:
>
> "A subsystem is said to have *ambient authority* when, if we want to
> determine its authority, we cannot rely on rules defined by
> object-capability security model."
>
> Does everybody agree?
Hi Matej,
I agree that the current page is not good and needs improving.
However, I strongly object to your suggestion. In light of XSRF and
ClickJacking, the dangers of ambient authority leading to confused
deputies is one of our most powerful rhetorical tools for criticizing
current access control architectures. If we make a statement like the
above, then the whole issue comes to be dismissed as "Well, we're not
doing object-capabilities, so by definition we have ambient authority.
So what? We already knew we weren't doing object-capabilities."
I would define an ambient authority system as one in which "If a
requesting entity requests an action that it is permitted to perform,
then the action is allowed." By contrast to a designated authority
system, in which "If a requesting entity requests an action that is
permitted by the subset of its permissions that it explicitly brings
to bear on the action, then the action is allowed." This formulation
also has the right paradoxical sense -- one can see why it was so easy
to think that ambient authority was a sensible architecture.
Also, I disagree with your formulation technically. Alan's Client
Utility's split capability architecture separated designation from
authority. But both had to be presented to allow an action. Fred
Spiessens has also pointed out that solving the confused deputy does
not require bundling designation with authority, as long as both need
to be presented to permit an action.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
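As an added illustration (not from Mark's post or anyone else on the list), the two definitions above rendered as access checks over the classic confused-deputy scenario: a compiler deputy that legitimately holds write permission to a billing log is asked by a client to write its output to a client-chosen path. The compiler, the client and the paths are hypothetical.

```python
# Added example: Mark Miller's "ambient" vs "designated" authority as checks.
# Entities, paths and permissions below are constructed for illustration.
from dataclasses import dataclass, field

Permission = tuple[str, str]  # (action, object), e.g. ("write", "/billing")


@dataclass
class Entity:
    name: str
    permissions: set[Permission] = field(default_factory=set)


def ambient_allowed(requester: Entity, action: str, obj: str) -> bool:
    """Ambient: the action is allowed if the requester is permitted to
    perform it, regardless of why (or on whose behalf) it is asking."""
    return (action, obj) in requester.permissions


def designated_allowed(requester: Entity, action: str, obj: str,
                       presented: set[Permission]) -> bool:
    """Designated: only the permissions explicitly brought to bear on this
    request count, and they must actually belong to the requester."""
    return (action, obj) in presented and presented <= requester.permissions


class Compiler(Entity):
    def compile_ambient(self, out_path: str) -> bool:
        # The deputy writes wherever the client said; the deputy's own
        # (ambient) permissions decide, so "/billing" is accepted.
        return ambient_allowed(self, "write", out_path)

    def compile_designated(self, client: Entity, out_path: str) -> bool:
        # The deputy acts only on what the client presents: a capability
        # the client itself holds for the requested output file.
        presented = {("write", out_path)} & client.permissions
        return designated_allowed(client, "write", out_path, presented)


def confused_deputy_demo() -> dict[str, bool]:
    compiler = Compiler("compiler", {("write", "/billing"),
                                     ("write", "/home/alice/out")})
    alice = Entity("alice", {("write", "/home/alice/out")})
    return {
        "ambient_own_file": compiler.compile_ambient("/home/alice/out"),
        "ambient_billing": compiler.compile_ambient("/billing"),  # confused
        "designated_own_file": compiler.compile_designated(alice, "/home/alice/out"),
        "designated_billing": compiler.compile_designated(alice, "/billing"),
    }
```

Under the ambient check the deputy cannot tell a legitimate billing write from one the client smuggled in via the output path; under the designated check the client's request to "/billing" fails because the client brings no permission for it.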