[cap-talk] "ambient authority" on wiki.erights.org

David-Sarah Hopwood david-sarah at jacaranda.org
Fri Jun 19 13:29:21 EDT 2009


Sam Mason wrote:
> On Wed, Jun 17, 2009 at 01:14:01PM -0400, Sandro Magi wrote:
>> I agree with David-Sarah here: this distinction is not convincing, and
>> global variables are also ambient authorities, though not necessarily
>> harmful ones, i.e. the number 5, the immutable string "foo", etc.
> 
> Yes, it also seems instructive to note that otherwise mundane immutable
> strings can convey authority when they happen to contain things like
> password capabilities.
> 
> My understanding of ambient authority seems to be predicated on the
> following:
> 
>   1) a minimum of three subjects; Ana, Bob and Charlie in this example
> 
>   2) Ana has a designator D that references an object known to Charlie.
>      D does not carry authorizing information
> 
>   3) Ana shares D with Bob
> 
>   4) Bob asks Charlie to perform some work on the object designated by D

Ana is not essential:

1) a minimum of two subjects; Bob and Charlie in this example.

2) Bob has a designator D that references an object known to Charlie.
   D does not carry authorizing information.

3) Bob asks Charlie to perform some work on the object designated by D.
   The system applies Charlie's permissions to these operations.

That is, it doesn't matter where Bob got D; Bob could just as well
have made it up, or got it from Charlie. In the typical case
of a confused deputy attack, D comes from an attacker, but an
attacker is not necessary for the definition of ambient authority.
It is also not necessary in order for Charlie to be an accidentally
confused deputy.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
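The two-subject definition above, as an added worked example that is not part of David-Sarah's message or of anything on wiki.erights.org. It models a deputy "Charlie" that writes files on behalf of a caller "Bob" in two ways: once with ambient authority, where the designator D is a bare path string and the system applies Charlie's permissions, and once with a capability, where D is an object that Bob must first obtain under his own permissions. The principals, the ACL, the paths and the in-memory "filesystem" are all constructed for the illustration; there is no attacker in the scenario, Bob simply makes D up, which is the point the message makes.

```python
"""Ambient authority vs capability passing, modelled in Python.

Constructed example, not code from the cap-talk thread: a toy in-memory
filesystem with per-principal write ACLs, a deputy "charlie" that writes
files for callers, and a caller "bob" who may only write under /home/bob.
The names, paths and ACL entries are all made up for the illustration.
"""
from dataclasses import dataclass


class Denied(Exception):
    pass


# Constructed ACL: principal -> path prefixes that principal may write.
ACL = {
    "charlie": {"/home/", "/billing/"},   # the deputy is trusted with billing
    "bob": {"/home/bob/"},                # bob may write only under his home
}

FS: dict = {}          # constructed in-memory filesystem: path -> contents


def check_write(principal: str, path: str) -> None:
    """The system's permission check: it looks only at who is *acting*."""
    if not any(path.startswith(p) for p in ACL.get(principal, ())):
        raise Denied(f"{principal} may not write {path}")


# Version 1: ambient authority. D is a bare string; Charlie's rights apply.

def deputy_write(path: str, data: str) -> str:
    """Charlie writes wherever `path` points, using Charlie's own authority."""
    check_write("charlie", path)
    FS[path] = data
    return path


def bob_via_ambient_deputy(target: str) -> str:
    """Bob hands Charlie a designator for a file Bob cannot write himself."""
    return deputy_write(target, "bogus billing entry")


# Version 2: capability passing. D becomes an object that *is* the permission.

@dataclass(frozen=True, eq=False)      # identity-hashed, so lookups are by object
class WriteCap:
    path: str


_ISSUED: set = set()   # caps handed out by open_for_write; anything else is forged


def open_for_write(principal: str, path: str) -> WriteCap:
    """Permission is checked against the *caller*, once, when the cap is made."""
    check_write(principal, path)
    cap = WriteCap(path)
    _ISSUED.add(cap)
    return cap


def deputy_write_cap(cap: WriteCap, data: str) -> str:
    """Charlie needs no ACL lookup: possession of a genuine cap is the authority."""
    if cap not in _ISSUED:
        raise Denied("forged capability")
    FS[cap.path] = data
    return cap.path


def bob_via_capability_deputy(target: str) -> str:
    """Bob must obtain the cap with his own authority before delegating it."""
    return deputy_write_cap(open_for_write("bob", target), "bob's output")


def demo() -> dict:
    """Run both designs against the same target and report what happened."""
    out = {}
    out["ambient"] = bob_via_ambient_deputy("/billing/ledger")   # succeeds: confused deputy
    try:
        bob_via_capability_deputy("/billing/ledger")
        out["capability"] = "written"
    except Denied:
        out["capability"] = "denied"
    try:
        deputy_write_cap(WriteCap("/billing/ledger"), "forged")  # Bob makes D up
        out["forged"] = "written"
    except Denied:
        out["forged"] = "denied"
    out["own_file"] = bob_via_capability_deputy("/home/bob/out.txt")
    return out


if __name__ == "__main__":
    print(demo())
```

In the ambient version the only check ever made is `check_write("charlie", ...)`, so whatever string Bob supplies as D is acted on with Charlie's rights; Bob needs no attacker and no third party to get there. In the capability version the check moves to the point where D is created and is made against the principal creating it, and a D that Bob invents (`WriteCap(...)` built directly) is rejected because it was never issued. The `_ISSUED` registry stands in for the unforgeability a real capability system gets from the language or kernel; in plain Python nothing stops a caller from reaching into that set, so treat it as a model of the design, not as an enforcement mechanism.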