W3C home > Mailing lists > Public > public-credentials@w3.org > September 2022

Re: Funded Deployments of Verifiable Credentials - framework for meta-credentials

From: Alan Karp <alanhkarp@gmail.com>
Date: Thu, 8 Sep 2022 09:30:36 -0700
Message-ID: <CANpA1Z3xNc++yn==-QNndNDqD6Uex_2Lf9rVN78iJNWdWWfZ2Q@mail.gmail.com>
To: David Chadwick <d.w.chadwick@truetrust.co.uk>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
On Thu, Sep 8, 2022 at 12:06 AM David Chadwick <d.w.chadwick@truetrust.co.uk>
wrote:

On 07/09/2022 23:34, Alan Karp wrote:
>
> On Wed, Sep 7, 2022 at 11:08 AM David Chadwick <
> d.w.chadwick@truetrust.co.uk> wrote:
>
>> As I understand confused deputy, the deputy is not only using the
>> credential passed to it, but also its own credentials as well, to do
>> whatever was requested of it.
>>
> The essence of the confused deputy is that the invoker designates the
> thing to work on while the deputy uses its own permission for the access.
>
> So is this not a restatement of what I originally said?
>
Not quite.  You used the word "credential," which implies that it is more
than simply the designation of the resource to be acted on.

>   In the canonical example, the deputy gets invoked with a string
> designating a file to write.  The deputy then opens the file, which results
> in an open file handle with write permission if the deputy has that
> permission even if the invoker does not.
>
> So why could this not happen with capabilities? It seems to me as if the
> deputy is using its own capability to open the file, regardless of whether
> the invoker has that privilege or not.
>
> That is possible, but it is an avoidable error.  The deputy should use the
capability provided by the invoker.  The error is not avoidable without
capabilities; the deputy has no choice but to use its own permissions.

>
>
That's what comes from separating designation from authorization.  Note
> that this attack would fail if the invoker had to provide an open file
> handle, which does combine designation and authorization.
>
>  Yes we agree on this.
>
> So this situation could also happen with capabilities if the recipient
>> uses its own capabilities as well as those passed to it, e.g. the deputy is
>> asked to fill and sign a check. The deputy has the capability to fill the
>> check, and is passed the signing capability.
>>
> That's not a confused deputy.
>
> Its a bad example, I agree. So lets just consider the write to a file
> example. Are you saying that neither party can write to a file without the
> help of the other one or are you are saying that the deputy has all the
> permissions to write to a file regardless of which permission the invoker
> has. In the latter case the check example would be changed to: the deputy
> has capabilities to fill and sign a check and the invoker only has one of
> them, but asks the deputy to do both.
>
 Yes.   Any time the invoker designates something, and the invoked uses its
own permissions you have the potential for a confused deputy.

--------------
Alan Karp


On Thu, Sep 8, 2022 at 12:06 AM David Chadwick <d.w.chadwick@truetrust.co.uk>
wrote:

>
> On 07/09/2022 23:34, Alan Karp wrote:
>
> On Wed, Sep 7, 2022 at 11:08 AM David Chadwick <
> d.w.chadwick@truetrust.co.uk> wrote:
>
>> As I understand confused deputy, the deputy is not only using the
>> credential passed to it, but also its own credentials as well, to do
>> whatever was requested of it.
>>
> The essence of the confused deputy is that the invoker designates the
> thing to work on while the deputy uses its own permission for the access.
>
> So is this not a restatement of what I originally said?
>
>
>   In the canonical example, the deputy gets invoked with a string
> designating a file to write.  The deputy then opens the file, which results
> in an open file handle with write permission if the deputy has that
> permission even if the invoker does not.
>
> So why could this not happen with capabilities? It seems to me as if the
> deputy is using its own capability to open the file, regardless of whether
> the invoker has that privilege or not.
>
>
> That's what comes from separating designation from authorization.  Note
> that this attack would fail if the invoker had to provide an open file
> handle, which does combine designation and authorization.
>
>  Yes we agree on this.
>
> So this situation could also happen with capabilities if the recipient
>> uses its own capabilities as well as those passed to it, e.g. the deputy is
>> asked to fill and sign a check. The deputy has the capability to fill the
>> check, and is passed the signing capability.
>>
> That's not a confused deputy.
>
> Its a bad example, I agree. So lets just consider the write to a file
> example. Are you saying that neither party can write to a file without the
> help of the other one or are you are saying that the deputy has all the
> permissions to write to a file regardless of which permission the invoker
> has. In the latter case the check example would be changed to: the deputy
> has capabilities to fill and sign a check and the invoker only has one of
> them, but asks the deputy to do both.
>
> Kind regards
>
> David
>
Received on Thursday, 8 September 2022 16:31:02 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 8 September 2022 16:31:03 UTC