W3C home > Mailing lists > Public > public-credentials@w3.org > September 2022

Re: Funded Deployments of Verifiable Credentials - framework for meta-credentials

From: Steve Magennis <steve.e.magennis@gmail.com>
Date: Thu, 8 Sep 2022 02:12:31 -0700
Message-ID: <CAHM8=uuuYtjBudBMk_kRk=BVkqLUf969zwOgewstR7u3kzHm0g@mail.gmail.com>
To: David Chadwick <d.w.chadwick@truetrust.co.uk>
Cc: Alan Karp <alanhkarp@gmail.com>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
>> the deputy has capabilities to fill and sign a check and the invoker
only has one of them, but asks the deputy to do both

 I thought the confused deputy template implies that the invoker and deputy
have the same permissions but those of the deputy exceed those of the
invoker. In other words: the invoker is authorized to issue a check up to
$X but the deputy has the ability to authorize a check for $X+ AND nothing
is done to limit the deputy based on the limits of the invoker

On Thu, Sep 8, 2022, 12:10 AM David Chadwick <d.w.chadwick@truetrust.co.uk>

> On 07/09/2022 23:34, Alan Karp wrote:
> On Wed, Sep 7, 2022 at 11:08 AM David Chadwick <
> d.w.chadwick@truetrust.co.uk> wrote:
>> As I understand confused deputy, the deputy is not only using the
>> credential passed to it, but also its own credentials as well, to do
>> whatever was requested of it.
> The essence of the confused deputy is that the invoker designates the
> thing to work on while the deputy uses its own permission for the access.
> So is this not a restatement of what I originally said?
>   In the canonical example, the deputy gets invoked with a string
> designating a file to write.  The deputy then opens the file, which results
> in an open file handle with write permission if the deputy has that
> permission even if the invoker does not.
> So why could this not happen with capabilities? It seems to me as if the
> deputy is using its own capability to open the file, regardless of whether
> the invoker has that privilege or not.
> That's what comes from separating designation from authorization.  Note
> that this attack would fail if the invoker had to provide an open file
> handle, which does combine designation and authorization.
>  Yes we agree on this.
> So this situation could also happen with capabilities if the recipient
>> uses its own capabilities as well as those passed to it, e.g. the deputy is
>> asked to fill and sign a check. The deputy has the capability to fill the
>> check, and is passed the signing capability.
> That's not a confused deputy.
> Its a bad example, I agree. So lets just consider the write to a file
> example. Are you saying that neither party can write to a file without the
> help of the other one or are you are saying that the deputy has all the
> permissions to write to a file regardless of which permission the invoker
> has. In the latter case the check example would be changed to: the deputy
> has capabilities to fill and sign a check and the invoker only has one of
> them, but asks the deputy to do both.
> Kind regards
> David
Received on Thursday, 8 September 2022 09:12:55 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 8 September 2022 09:12:56 UTC