Hi, Mark-

Mark S. Miller wrote (on 10/13/09 3:08 PM):
Diagrams would be an excellent idea! The previous attempts I am aware of at diagramming confused deputy vulnerabilities and related issues are

* The diagrams at <http://www.erights.org/elib/capability/deputy.html> and <http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf> may help explain the nature of confused deputy but may not be what you're looking for. YMMV.
* Most relevant are the many diagrams in section 8.1 of Fred's thesis <http://www.evoluware.eu/fsp_thesis.pdf>.
* Figures 1 and 2 from Fred Spiessens' "The Oz-E Project: Design Guidelines for a Secure Multiparadigm Programming Language" <http://www.info.ucl.ac.be/%7Efsp/oze.pdf>. (Much of the rest of that paper appears elsewhere in Fred's thesis, but not these diagrams.)
* Ihab's diagrams at <http://www.eros-os.org/pipermail/cap-talk/2009-June/012872.html> illustrating issues with Adam's example (see the enclosing thread).
* Table 2 of Tyler's "ACLs don't" <http://waterken.sourceforge.net/aclsdont/current.pdf>. The issue Tyler raises in that paper, of delaying the access check till after the crucial information has been lost, may well be diagrammable in terms of dynamics of such access matrices.

Once we have good ways of diagramming the general confused deputy issue, we can try illustrating Tyler's CORS counter-example with these diagrams. I wish you great luck with this diagramming effort. Good diagrams for helping illustrate this problem would be great. As you say elsewhere in this thread, it is hard to explain this well in words, especially when communicating between access control paradigms where the words may have subtly different meaning.
I'll see what I can do, starting from these diagrams. No promises on when I will be able to do it, but I will do what I can. I welcome advice or help from anyone interested in this.
Because email arguments have their own rhythm to them, and because the many good responses to my previous messages all deserve careful replies, I need to mention that I'm about to be traveling for two weeks on a family issue, and may be too busy to give this thread the attention it well deserves until I get back. I will try to find time for some responses. But given the stakes I would rather post careful responses after annoying delays (sorry) than to post sloppy responses quickly. If things go well I will be back in time for TPAC.
Understood. I hope things go well for you. Thanks for helping shepherd this discussion.
Regards-
-Doug Schepers
W3C Team Contact, SVG and WebApps WGs
