Re: Open Review of the CORS Specification from Doug Schepers on 2009-10-13 (public-webapps@w3.org from October to December 2009)

From: Doug Schepers <schepers@w3.org>
Date: Tue, 13 Oct 2009 15:28:26 -0400
To: "Mark S. Miller" <erights@google.com>
CC: public-webapps <public-webapps@w3.org>, "General discussions concerning capability systems." <cap-talk@mail.eros-os.org>
Message-ID: <4AD4D4DA.1040307@w3.org>

Hi, Mark-

Mark S. Miller wrote (on 10/13/09 3:08 PM):
>
> Diagrams would be an excellent idea! The previous attempts I am aware
> of at diagramming confused deputy vulnerabilities and related issues
> are
>
> * The diagrams at<http://www.erights.org/elib/capability/deputy.html>
> and<http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf>  may help explain the
> nature of confused deputy but may not be what you're looking for.
> YMMV.
> * Most relevant are the many diagrams in section 8.1 of Fred's thesis
> <http://www.evoluware.eu/fsp_thesis.pdf>.
> * Figures 1 and 2 from Fred Spiessens'  "The Oz-E Project: Design
> Guidelines for a Secure Multiparadigm Programming Language"
> <http://www.info.ucl.ac.be/%7Efsp/oze.pdf>. (Much of the rest of that
> paper appears elsewhere in Fred's thesis, but not these diagrams.)
> * Ihab's diagrams at
> <http://www.eros-os.org/pipermail/cap-talk/2009-June/012872.html>
> illustrating issues with Adam's example (see the enclosing thread).
> * Table 2 of Tyler's "ACLs don't"
> <http://waterken.sourceforge.net/aclsdont/current.pdf>. The issue
> Tyler raises in that paper, of delaying the access check till after
> the crucial information has been lost, may well be diagrammable in
> terms of dynamics of such access matrices.
>
> Once we have good ways of diagramming the general confused deputy
> issue, we can try illustrating Tyler's CORS counter-example with these
> diagrams.
>
> I wish you great luck with this diagramming effort. Good diagrams for
> helping illustrate this problem would be great. As you say elsewhere
> in this thread, it is hard to explain this well in words, especially
> when communicating between access control paradigms where the words
> may have subtly different meaning.

I'll see what I can do, starting from these diagrams.  No promises on 
when I will be able to do it, but I will do what I can.  I welcome 
advice or help from anyone interested in this.


> Because email arguments have their own rhythm to them, and because the
> many good responses to my previous messages all deserve careful
> replies, I need to mention that I'm about to be traveling for two
> weeks on a family issue, and may be too busy to give this thread the
> attention it well deserves until I get back. I will try to find time
> for some responses. But given the stakes I would rather post careful
> responses after annoying delays (sorry) than to post sloppy responses
> quickly. If things go well I will be back in time for TPAC.

Understood.  I hope things go well for you.  Thanks for helping shepherd 
this discussion.

Regards-
-Doug Schepers
W3C Team Contact, SVG and WebApps WGs

Received on Tuesday, 13 October 2009 19:28:31 UTC