Insight gained from reading a paper titled "ACLs don't" that is really obvious in retrospect:
the confused deputy problem happens exactly because authority-based systems care about the authority of whoever directly performs an operation, and that intuition/model breaks when there's a *delegation*, i.e. with deputies.
It would be possible to deal with simple delegation, but it won't work when there are multiple levels of it or when there are complex delegation graphs.
This is beautiful and I've never thought about this before:
the convention we have in Unix to pass pre-opened stdin/stdout/stderr fds is not just a nice way to tell the program where to read its input from and output its result/logs to; it is exactly how capability passing should work in a capability-based system. This also is another reason why accepting an -o option (for "output file") is a bad idea.
OMG! I already knew CSRF is also a Confused Deputy problem, but I didn't realize that CSRF-protection tokens are a way of introducing capability-based secutiry into the play. And again once you realize it it makes so much sense.
Damn, this paper is pure gold.
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!