Giter Site home page Giter Site logo

Comments (4)

tiziano88 avatar tiziano88 commented on August 11, 2024

Thanks, this is useful context. I think modelling the association to a principal via an interface with the extra Identify() method is quite dangerous in Go though, since anything that implements that method implicitly implements the interface. So, for instance, a "malicious" wrapper may not only implement EmitStatement, but also Identify so that it returns some other principal, which would allow it to impersonate something else. The top-level can still override that (and hopefully it does), but it's risky because if it forgets, then the impersonated principal will be used.

I guess another option is to instead use a method that accepts an object that implements EmitStatement, and then an explicit principal as another parameter. Then this method will only be usable by the top-level, so there is no risk of impersonation.

But let me know if there is something else I'm missing.

from transparent-release.

aferr avatar aferr commented on August 11, 2024

I don't actually think any of these choices defend against a malicious wrapper. Even if you just pass a principal as another argument, the text that a malicious wrapper emits in the body could be wrong. The point of separating it this way is to just let the consumer of the wrapper set the names of the principals separately from the bodies for convenience, not to defend against a malicious wrapper (I don't really think that's possible). So since none of these choices are indistinguishable in terms of defending against malicious wrappers, I am inclined to leave it as-is.

from transparent-release.

tiziano88 avatar tiziano88 commented on August 11, 2024

Even if you just pass a principal as another argument, the text that a malicious wrapper emits in the body could be wrong.

Yes, but at least (thanks to authorization logic) it would not affect others that don't already trust that principal, right? That to me seems quite desirable. Then again, of course all of this ends up compiled into a single binary, so it's hard to really say that someone trusts one wrapper and not another, but at least conceptually I think it makes sense.

from transparent-release.

aferr avatar aferr commented on August 11, 2024

Closing because we're not doing this

from transparent-release.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.