<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3199" name=GENERATOR></HEAD>
<BODY><!-- Converted from text/plain format -->
<P>Ross McGinnis wrote:<BR>><BR>> This is the crux of the matter. To
me it appears that *any*<BR>> reference is a cap.<BR><BR>In order to provide
security value, a capability must be unforgeable. Where that is not
possible, we substitute unguessability. A guessable filename cannot be
considered to be unforgeable, making it useless as a capability that is meant to
control even the ability to name the file. <BR><BR>It is quite likely that
I could guess you have a file on your machine named
"/home/ross/Documents/taxnotes.txt". By constructing the name out of whole
cloth, I have obtained the right to name the file without anyone giving it to
me, a violation of capability rules. Hence, a guessable name cannot serve
as a capability, even though knowing the name does give a starting point to
mount an attack.</P>
<P>This discussion is not relevant to your example, where Mallory has the
right to read the letter but not write it. The name of the letter could be
unguessable, but Mallory needs the right to know the name so she can read
it. In an ocap system, a reference to an object conveys the right to use
all the methods of the object. In order to restrict those rights, we set
up a proxy object, a facet, that only forwards a subset of the requests.
In your example, Mallory would only be given the right to name a copy of the
letter that nobody has permission to write, which corresponds to a read-only
facet of a file.</P>
<P>> The difference between the cases is that the failing system<BR>> used
a reference (a document name) instead of the actual<BR>> document, ie:
references are the cause of confusion.</P>
<P>No, the failure is due to the fact that Mallory designated the letter in a
manner that did not convey her authority to it. It is the separation of
designation from authorization that is the root cause of the confused
deputy. The first case that used the actual letter wasn't subject to this
failure because it kept the designation and authorization together.</P>
<P>> References are caps by the general definition of caps.<BR>> (In this
specific case the reference is a document name: it<BR>> is cap because- 1) it
designates an object -ie: the document<BR>> named, 2) it carries an
authorisation due to the fact that<BR>> mere possession of the document-name
allows you to test the<BR>> document in the verifier- this is a definite and
distinct<BR>> derived right! )<BR>><BR>A name plus an intended operation
allows you to test the document in the verifier. The name alone does
not. If an ACL system tells you that the requested operation is
denied, you don't know if it's because you don't have permission or because
there is no file by that name. In this case, the name alone carries no
authority.</P>
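<P>The two points above (a read-only facet that forwards only a subset of an object's methods, and a deputy that becomes confused when a name arrives separately from the authority to act on it) can be shown side by side in a small program. The following is an added example and not code from the original thread or its author; the classes, the file table, the ACL entries and the names <CODE>Letter</CODE>, <CODE>ReadOnlyFacet</CODE>, <CODE>acl_deputy_append</CODE> and <CODE>cap_deputy_append</CODE> are all constructed for illustration.</P>

```python
"""Facet and confused-deputy illustration for an object-capability design.

Added example, not code from the original thread. Letter, ReadOnlyFacet,
the deputies, the file table and the ACL entries are constructed for
illustration only.
"""


class Letter:
    """The object itself. Holding a reference conveys every method."""

    def __init__(self, text):
        self._text = text

    def read(self):
        return self._text

    def write(self, text):
        self._text = text


class ReadOnlyFacet:
    """Proxy that forwards only the read request to the underlying letter."""

    def __init__(self, letter):
        self._letter = letter

    def read(self):
        return self._letter.read()
    # No write(): a holder of the facet cannot reach the letter's write method.


# --- ACL-style deputy: designation (a name) arrives apart from authority ---

# Constructed ACL: the deputy itself holds write rights; Mallory only read.
ACL = {"deputy": {"read", "write"}, "mallory": {"read"}}


def acl_check(principal, op):
    return op in ACL.get(principal, set())


def acl_deputy_append(files, filename, caller, extra):
    """Deputy acting with its OWN authority on a name supplied by the caller.

    It verifies the caller's read right, then writes using its own ambient
    write authority: the confused deputy. Note that a denial here does not
    say whether the caller lacked the right or the file did not exist.
    """
    if not acl_check(caller, "read") or filename not in files:
        raise PermissionError("denied")
    letter = files[filename]              # deputy's own authority resolves the name
    letter.write(letter.read() + extra)   # write happens although caller may only read
    return letter.read()


# --- Capability-style deputy: designation and authority arrive together ---

def cap_deputy_append(letter_ref, extra):
    """Deputy that uses only the authority the passed reference carries."""
    write = getattr(letter_ref, "write", None)
    if write is None:
        raise PermissionError("reference does not carry write authority")
    write(letter_ref.read() + extra)
    return letter_ref.read()


def demo():
    """Run both deputies with Mallory holding read-only rights; return outcomes."""
    # ACL world: Mallory names the letter and the deputy writes it on her behalf.
    files = {"/letters/alice.txt": Letter("Dear Bob, ...")}
    acl_result = acl_deputy_append(files, "/letters/alice.txt", "mallory", " P.S. forged")

    # Cap world: Mallory holds only a read-only facet; the deputy cannot write.
    original = Letter("Dear Bob, ...")
    mallory_ref = ReadOnlyFacet(original)
    try:
        cap_deputy_append(mallory_ref, " P.S. forged")
        cap_outcome = "written"
    except PermissionError:
        cap_outcome = "refused"
    return acl_result, cap_outcome, original.read(), mallory_ref.read()


if __name__ == "__main__":
    print(demo())
```

<P>The ACL deputy succeeds in writing because it resolved a guessable name with its own rights; the capability deputy can do no more than the facet it was handed allows, so the letter stays unchanged.</P>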
<P>________________________<BR>Alan Karp<BR>Principal Scientist<BR>Virus Safe
Computing Initiative<BR>Hewlett-Packard Laboratories<BR>1501 Page Mill
Road<BR>Palo Alto, CA 94304<BR>(650) 857-3967, fax (650) 857-7029<BR><A
href="http://www.hpl.hp.com/personal/Alan_Karp">http://www.hpl.hp.com/personal/Alan_Karp</A><BR> <BR> <BR></P></BODY></HTML>