[cap-talk] "ambient authority" on wiki.erights.org

Sam Mason sam at samason.me.uk
Fri Jun 19 06:21:12 EDT 2009


On Thu, Jun 18, 2009 at 09:41:54PM +0000, Karp, Alan H wrote:
> Sam Mason wrote:
> > My understanding of ambient authority seems to be predicated on the
> > following:
> >   1) a minimum of three subjects; Ana, Bob and Charlie in this example
> >   2) Ana has a designator D that references an object known to Charlie.
> >      D does not carry authorizing information
> >   3) Ana shares D with Bob
> >   4) Bob asks Charlie to perform some work on the object designated by D
> 
> You have correctly specified the conditions necessary for a confused
> deputy, but that's not the same as defining ambient authorities.
> Confused deputy is a consequence of using ambient authorities, but it
> is not a definition of them.

I remember thinking that I'm having trouble distinguishing between
ambient authority and confused deputies when I was writing it.  I
rationalized it by thinking that the two are very intimately bound
together.  Thinking further, I'm not even sure if it's possible to
usefully distinguish the two.

> >   A system, containing at least three subjects, is said to contain
> >   /Ambient Authority/ when a designator (D) naming an object known to
> >   one subject (C) is shared between two other subjects (A and B) without
> >   accompanying authorizations.
> >
> Here's a counter example to your definition.  Alice runs the following
> program (in no particular language):
> 
>     main(String a, String b){
>        copy(a,b);
>        return;
>     function copy(String outName, String inName){
>        File in = new File(inName,'r');
>        File out = new File(outName,'w');
>        out.write(in.read());}
>     }
> 
> Alice has r/w authority to files a.txt and b.txt.  If Alice invokes
> this program as mycopy("a.txt","b.txt") intending to copy the contents
> of a.txt to b.txt, she's in for a surprise.  Alice does not specify
> which of her authorities are to be used because they are ambient.  I
> would say that Alice is the only party involved, but I won't squawk if
> you insist on counting the OS.  However, there is no way of counting
> that gets to three parties.

I'd analyze this in two ways; either as a bug or as mycopy being a
confused deputy as a direct result of the presence of ambient authority.
Let's consider the ambient authority example first.  Subject count is
three; the subjects being Alice the user, the mycopy program and the OS.
The files are objects within the OS and Alice passes two designations to
the mycopy program.  The mycopy program then asks the OS to do things
with the objects using the "wrong" authority.  If we choose to treat
this as a mistake/bug then the fault is with Alice for not knowing which
way around the parameters should go.

-- 
  Sam  http://samason.me.uk/
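An added example, not written by either poster, that replays Alan's mycopy scenario in Python two ways: once as written, where the program receives only names and opens them with whatever authority Alice holds (ambient), and once where Alice opens the files herself and hands the program the open file objects, so each designator carries exactly the read or write authority she intended. The scratch directory, the file names a.txt and b.txt and their contents are constructed for the example; Python's file objects stand in for capabilities, and the parameter order of the copy routine is kept swapped relative to what Alice expects, exactly as in the quoted program.

```python
import io
import os
import tempfile


def mycopy_ambient(out_name, in_name):
    """Ambient-authority copy, modelled on the quoted program: it is given
    only names and opens them itself, so every file Alice can reach is
    reachable with both read and write authority."""
    with open(in_name, "r") as src, open(out_name, "w") as dst:
        dst.write(src.read())


def mycopy_caps(out_file, in_file):
    """Capability-style copy: the caller opens the files and passes the
    open objects. An object opened for reading cannot be written and
    vice versa, so the routine cannot exercise authority it was not
    handed."""
    out_file.write(in_file.read())


def alice_runs(copy_style):
    """Alice intends to copy a.txt into b.txt and, as in the thread,
    passes the arguments in the order (a, b) although the routine's
    signature is (outName, inName). Returns the final contents of a.txt
    and b.txt and the name of any exception the copy raised."""
    with tempfile.TemporaryDirectory() as d:
        a = os.path.join(d, "a.txt")  # constructed sample files
        b = os.path.join(d, "b.txt")
        with open(a, "w") as f:
            f.write("contents of a\n")
        with open(b, "w") as f:
            f.write("contents of b\n")

        error = None
        if copy_style == "ambient":
            # The program silently uses Alice's write authority on a.txt,
            # which she never meant to hand it: a.txt is clobbered.
            mycopy_ambient(a, b)
        elif copy_style == "caps":
            # Alice opens a.txt read-only and b.txt for writing, the only
            # authorities the task needs, and passes them in the same
            # mistaken order. The routine now tries to read from the
            # write-only object and fails before touching a.txt.
            with open(a, "r") as src, open(b, "w") as dst:
                try:
                    mycopy_caps(src, dst)
                except io.UnsupportedOperation as e:
                    error = type(e).__name__
        else:
            raise ValueError("unknown copy style: %r" % copy_style)

        with open(a) as f:
            a_contents = f.read()
        with open(b) as f:
            b_contents = f.read()
        return a_contents, b_contents, error


if __name__ == "__main__":
    print("ambient:", alice_runs("ambient"))
    print("caps:   ", alice_runs("caps"))
```

In the ambient run a.txt ends up holding b's contents, the surprise Alan describes; in the capability run the same argument mix-up raises io.UnsupportedOperation and a.txt is untouched (b.txt is empty only because Alice herself opened it for writing, which is what she intended). The difference is precisely that in the second version the designator and the authorization travel together, so the program has nothing to be confused about.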

