On 3/30/23 05:58, Robert Haas wrote:
> On Fri, Mar 24, 2023 at 5:47 PM Jacob Champion <jchamp...@timescale.com>
> wrote:
>> Okay, but this is walking back from the network example you just
>> described upthread. Do you still consider that in scope, or...?
>
> Sorry, I don't know which example you mean.

The symmetrical proxy situation you described, where all the proxies are
mutually trusting. While it's easier to secure that setup than the
asymmetrical ones, it's also not a localhost-only situation anymore, and
the moment you open up to other machines is where I think your
characterization runs into trouble.

> I guess I wouldn't have a problem blaming the DBA here, but you seem
> to be telling me that the security literature has settled on another
> kind of approach, and I'm not in a position to dispute that. It still
> feels weird to me, though.

If it helps, [1] is a paper that helped me wrap my head around some of
it. It's focused on capability systems and an academic audience, but the
"Avoiding Confused Deputy Problems" section starting on page 11 is a good
place to jump to for the purposes of this discussion.

--Jacob

[1] https://srl.cs.jhu.edu/pubs/SRL2003-02.pdf