Confusing The Deputy (was: Split Capabilities: Making Capabilities Scale)
Jonathan S. Shapiro
shap@eros-os.org
Sat, 15 Jul 2000 19:45:57 -0400
> A particular threat occurs for proxies, those deputies that can be
> confused because they have more authority than the client on whose
> behalf they act.
This is one of the compelling examples for why authority should be
designated with each operation. When a proxy has ambient authority, it is
very easy for the application software to become broken over time due to
maintenance errors. Similar effects have been observed with setuid/setruid
in sensitive UNIX applications.
> ...the proxy can maintain a separate key
> ring representing the authority for each client.
This is better than ambient authority, but will still suffer from
maintenance-related failures. Also, note that the cost of proxy just
tripled, as the proxy must now do

    set effective key ring
    perform operations
    set generic key ring

around the proxy operations. It may be that designating the capability in
the first place is in practice more efficient, but I'm not sure of that.
shap
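The three arrangements compared in this message, as an added example (not code from the thread or from EROS): an ambient-authority proxy, a per-client key-ring proxy that brackets each operation with set/perform/restore, and a proxy that requires the client to designate the capability with the request. The `Capability` class, the object names and the client names are assumptions constructed for the illustration.

```python
from contextlib import contextmanager

class Capability:
    """Unforgeable token designating one object; holding it is the authority.
    (Unforgeability is modelled by convention here: clients only use what
    they are handed.)"""
    def __init__(self, name, data):
        self.name, self._data = name, data
    def read(self):
        return self._data

# Constructed sample objects and holdings, not from the original thread.
PUBLIC, SECRET = Capability("public", "hello"), Capability("secret", "payroll")
PROXY_RING = {"public": PUBLIC, "secret": SECRET}   # proxy's own, larger authority
CLIENT_RINGS = {"alice": {"public": PUBLIC}}         # what each client may use

def ambient_fetch(client, name):
    """Style 1: ambient authority. The client's identity is never consulted,
    so any name a client can spell is served with the proxy's full ring."""
    return PROXY_RING[name].read()

class KeyRingProxy:
    """Style 2: per-client key rings, selected by bracketing each operation."""
    def __init__(self):
        self.effective = PROXY_RING          # the "generic" ring between requests

    @contextmanager
    def acting_for(self, client):
        self.effective = CLIENT_RINGS[client]   # set effective key ring
        try:
            yield                                # perform operations
        finally:
            self.effective = PROXY_RING          # set generic key ring

    def fetch(self, client, name):
        with self.acting_for(client):
            return self.effective[name].read()   # KeyError if client lacks it

    def fetch_unbracketed(self, client, name):
        """A later maintenance addition that forgot the bracket: it silently
        runs with the generic ring, reopening the ambient-authority hole."""
        return self.effective[name].read()

def designated_fetch(cap):
    """Style 3: the client designates the capability with the request; the
    proxy holds no ring of its own, so there is no larger authority to confuse."""
    return cap.read()

def is_denied(fn, *args):
    """True if the operation fails for lack of authority (KeyError here)."""
    try:
        fn(*args)
        return False
    except KeyError:
        return True
```

The bracketed `fetch` refuses alice the secret, but `fetch_unbracketed` serves it, which is the maintenance failure the message warns about; `designated_fetch` has no ring to get wrong.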