[cap-talk] "ambient authority" on wiki.erights.org
David-Sarah Hopwood
david-sarah at jacaranda.org
Fri Jun 12 00:58:26 EDT 2009
Mark Miller wrote:
> On Thu, Jun 11, 2009 at 9:47 AM, David-Sarah Hopwood <
> david-sarah at jacaranda.org> wrote:
>
>> It also doesn't really capture the fact that it is characteristic
>> of ambient authority that requests refer to objects by forgeable names.
>
> If by "characteristic" you mean "typical but not necessary", then yes. But
> do note that it is not a necessary property. If we take the original
> confused deputy example and substitute unforgeable opaque authority-free
> file designators for the file names, we still have ambient authority leading
> to confused deputy.
I'm confused as to how these designators could be all of
{unforgeable, authority-free, needed for the request to succeed}.
If they are unforgeable, then you can limit who has access to them.
In that case, if the designator is needed in order for the request
to succeed, then it is authority-bearing.
Such a designator is a reified permission. If we have reified
permissions that can be communicated between processes, that is
sufficient to allow an unconfusable deputy to be written (even if
they are not object capabilities).
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
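The exchange above turns on the difference between a deputy that accepts forgeable names and uses its own ambient authority, and a deputy that accepts an unforgeable designator which is itself the permission. The toy below is an added illustration, not code from the thread or from E; the `Store`, `FileCap`, `AmbientDeputy` and `CapDeputy` classes, the `/billing` file and the "compiler" deputy are all constructed for the example, following the classic confused-deputy setup. In the ambient version a client that holds no authority over `/billing` can still have it overwritten by naming it; in the capability version the request cannot succeed without a `FileCap`, which is exactly why possessing one is authority.

```python
"""Constructed toy: confused deputy with ambient authority versus a deputy
that only acts through unforgeable, authority-bearing designators."""


class Store:
    """Toy file store. Holding the Store object is ambient authority:
    anything that has it can read or write any name."""

    def __init__(self):
        self.files = {}

    def write(self, name, data):
        self.files[name] = data

    def read(self, name):
        return self.files.get(name)


class FileCap:
    """Unforgeable designator for one file. A client cannot build one from a
    string; it must be handed one by something that already holds the Store
    or a FileCap. Because the deputy below requires one to act, the
    designator is the permission (a reified permission, in the post's terms)."""

    __slots__ = ("_store", "_name")

    def __init__(self, store, name):
        self._store = store
        self._name = name

    def write(self, data):
        self._store.write(self._name, data)

    def read(self):
        return self._store.read(self._name)


class AmbientDeputy:
    """Deputy that holds the whole Store. It needs that to append to the
    billing record, but the same authority also writes wherever a client
    names: the request refers to files by forgeable names."""

    def __init__(self, store):
        self.store = store

    def compile(self, source, output_name):
        self.store.write(output_name, f"compiled:{source}")
        bill = (self.store.read("/billing") or "") + "charge\n"
        self.store.write("/billing", bill)


class CapDeputy:
    """Deputy that holds only a FileCap for the billing record and writes
    output only through the FileCap the client supplies."""

    def __init__(self, billing_cap):
        self.billing_cap = billing_cap

    def compile(self, source, output_cap):
        output_cap.write(f"compiled:{source}")
        self.billing_cap.write((self.billing_cap.read() or "") + "charge\n")


def ambient_scenario():
    """Client has no authority over /billing but names it as the output;
    the deputy's ambient authority clobbers the billing record."""
    store = Store()
    store.write("/billing", "")
    deputy = AmbientDeputy(store)
    deputy.compile("prog", "/billing")  # forgeable name: no cap needed
    return store.read("/billing")


def capability_scenario():
    """Client passes the only designator it holds; /billing is untouched."""
    store = Store()
    store.write("/billing", "")
    deputy = CapDeputy(FileCap(store, "/billing"))
    client_output = FileCap(store, "/home/client/out")  # granted to client
    deputy.compile("prog", client_output)
    return store.read("/billing"), client_output.read()


def name_only_request_fails():
    """A bare name is not a designator: the capability deputy cannot act on
    it, so the request fails rather than being confused."""
    store = Store()
    deputy = CapDeputy(FileCap(store, "/billing"))
    try:
        deputy.compile("prog", "/billing")
    except AttributeError:  # str has no .write: no cap, no authority
        return True
    return False


if __name__ == "__main__":
    print("ambient /billing:", repr(ambient_scenario()))
    print("capability (/billing, client out):", capability_scenario())
    print("name-only request rejected:", name_only_request_fails())
```

The point the example makes concrete is the one in the reply: the `FileCap` is unforgeable, only the deputy and the client that was granted one hold it, and the deputy's request cannot succeed without it, so it is authority-bearing. The client can only confuse the deputy into writing somewhere it could already have written itself.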