[cap-talk] "ambient authority" on wiki.erights.org
David-Sarah Hopwood
david-sarah at jacaranda.org
Fri Jun 12 01:14:01 EDT 2009
Karp, Alan H wrote:
> I don't think any of the definitions I've seen so far capture what to me is
> the essential nature of ambient authority, the separation of designation from
> authorization.
I don't think that is essential. Consider a split-capability system, where
permissions are separable from designators, but both need to be included
in a request. Such a system allows unconfusable deputies to be written, and
it does not meet MarkM's definition of an ambient authority system (even
if it is more error-prone than a conventional capability system, and might
be subject to more limited and subtle kinds of confused deputy attacks).
> I think the following captures that point.
>
> "A system in which the submitter of a request does not specify which permissions
> to apply to the request is said to use ambient authorities."
Note that this doesn't require separation of designation from authorization.
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
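As an added illustration of the distinction drawn in the reply above (this is example code written for this page, not code from the cap-talk thread, from E, or from any ERights project), the toy below contrasts a deputy that applies its own ambient authority with a deputy in a split-capability system, where a request must carry a permission alongside the designator. The file paths, the "write" right, and the Permission/Authority/deputy classes are all hypothetical constructions.

```python
# Added example (not from the cap-talk post or any E/ERights code): a toy
# contrast between a deputy that applies its own ambient authority and a
# deputy in a split-capability system, where the caller must supply a
# permission together with the designator in every request.
# Paths, the "write" right and the classes below are hypothetical.
import secrets
from dataclasses import dataclass, field

# Constructed toy "file system": designator (path) -> contents.
INITIAL_FILES = {"/home/alice/out.txt": "", "/etc/billing.db": "accounts"}


class AmbientDeputy:
    """A service (think of a privileged compiler writing a log file) whose
    requests carry only a designator; the permission applied is the deputy's own."""

    def __init__(self, fs, own_writable):
        self.fs = fs
        self.own_writable = set(own_writable)

    def write_log(self, path, text):
        # The check is against the deputy's authority, not the requester's,
        # because the request never said which permission to apply.
        if path not in self.own_writable:
            raise PermissionError(path)
        self.fs[path] = text


@dataclass(frozen=True)
class Permission:
    """An unforgeable right over a set of designators. It is separable from
    any particular designator, but a request is incomplete without one."""
    rights: frozenset
    scope: frozenset
    nonce: bytes = field(default_factory=lambda: secrets.token_bytes(16))


class Authority:
    """Issues permissions and recognises only the ones it actually issued."""

    def __init__(self):
        self._issued = set()

    def grant(self, rights, scope):
        perm = Permission(frozenset(rights), frozenset(scope))
        self._issued.add(perm)
        return perm

    def allows(self, perm, right, designator):
        return (perm in self._issued
                and right in perm.rights
                and designator in perm.scope)


class SplitCapDeputy:
    """Same service, but every request is (designator, permission, payload).
    The deputy applies the permission the requester handed it, never its own,
    so it cannot be talked into exercising authority the requester lacks."""

    def __init__(self, fs, authority):
        self.fs = fs
        self.authority = authority

    def write_log(self, path, perm, text):
        if not self.authority.allows(perm, "write", path):
            raise PermissionError(path)
        self.fs[path] = text


def run_ambient_scenario():
    """A requester entitled only to alice's file designates the billing db."""
    fs = dict(INITIAL_FILES)
    deputy = AmbientDeputy(fs, own_writable=INITIAL_FILES.keys())
    deputy.write_log("/etc/billing.db", "garbage")   # succeeds: confused deputy
    return fs["/etc/billing.db"]


def run_split_cap_scenario():
    """Same attempt, but the request must carry the requester's permission."""
    fs = dict(INITIAL_FILES)
    auth = Authority()
    deputy = SplitCapDeputy(fs, auth)
    auth.grant({"write"}, INITIAL_FILES.keys())   # deputy's own; never consulted for requests
    requester_perm = auth.grant({"write"}, {"/home/alice/out.txt"})
    deputy.write_log("/home/alice/out.txt", requester_perm, "hello")  # legitimate use
    outcomes = []
    for perm in (requester_perm,
                 # A forged Permission with plausible fields but never issued.
                 Permission(frozenset({"write"}), frozenset({"/etc/billing.db"}))):
        try:
            deputy.write_log("/etc/billing.db", perm, "garbage")
            outcomes.append("written")
        except PermissionError:
            outcomes.append("denied")
    return outcomes, fs["/etc/billing.db"], fs["/home/alice/out.txt"]


if __name__ == "__main__":
    print(run_ambient_scenario())      # garbage
    print(run_split_cap_scenario())    # (['denied', 'denied'], 'accounts', 'hello')
```

The ambient deputy is confused because the request carries a designator but no permission, so the only permission available to apply is the deputy's own; the split-capability deputy is not, because the submitter specifies the permission and the deputy applies that one. The residual error-proneness mentioned in the reply is also visible: nothing in this design stops a carelessly written SplitCapDeputy from consulting its own permission instead of the supplied one, whereas with a conventional capability there is no separate permission to apply by mistake.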