We recast here the story of The
Confused Deputy into a modern setting.
Suppose that I trust Whit Diffie to write Java code that wields my signing
key.
Diffie’s code:
- reads my secret signing key from disk,
- reads a data base that I write that lists legitimate payees and payment
flow limitations for each,
- updates on stable storage how much has been paid to particular payees,
- reads a batch of checks to be signed,
- signs them,
- writes the signed checks to a place on the disk specified by a less trusted
bill paying application program,
- appends a record of those checks to my historical check journal.
I have Diffie’s public key.
I shall initially ignore questions of:
- protecting my secret key on the disk,
- situating trusted code to ensure that extraordinary checks require individual approval,
- preventing Diffie’s code from exporting my secret key.
The Plan
I arrange that code signed by Diffie’s key can read:
- my secret key, (In a persistent system an instance of Diffie’s code would just know my secret key.)
- the payee data base,
- the cumulative payments,
- the unsigned checks.
The code must be able to write:
- the signed checks,
- the check log.
I think that the Netscape technology supports these narrow authorities.
I arrange that BPS (the Bill Paying Software) be able to invoke an instance of Diffie’s code.
When BPS invokes Diffie’s code, it passes the name of the file where the signed checks are to be written.
When Diffie’s code returns, BPS sends off the signed checks to the payees.
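
In the plan above, Diffie’s code opens a file named by BPS while holding its own write authority over the check log, which is the arrangement of the Confused Deputy story. The model below is an added example, not code from the original page. The principals, file names and ACL are constructed assumptions, and the variant in which BPS passes an already opened handle instead of a name is not part of the plan above.

```python
# Constructed model of the plan; principals, file names and the ACL are assumptions.
ACL = {"diffie": {"outbox/signed.txt", "journal.log"},  # the signer's write authority
       "bps": {"outbox/signed.txt"}}                    # the bill payer's write authority
HISTORY = "paid Alice 10\n"                             # constructed earlier journal entry

def new_disk():
    return {"journal.log": HISTORY, "outbox/signed.txt": ""}

def open_for_write(disk, principal, name):
    """Open by name: authority is checked against the code doing the open."""
    if name not in ACL[principal]:
        raise PermissionError(f"{principal} may not write {name}")
    disk[name] = ""                                     # write-open truncates
    return name                                         # the handle designates one file

def sign(check):
    return f"SIGNED({check})\n"                         # stand-in for a real signature

def signer(disk, checks, out_handle):
    """Shared body: write the signed checks, then append to the journal."""
    for c in checks:
        disk[out_handle] += sign(c)
    disk["journal.log"] += "".join(f"signed {c}\n" for c in checks)

def invoke_with_name(disk, checks, out_name):
    """The plan as written: BPS passes a name, the signer opens it itself."""
    signer(disk, checks, open_for_write(disk, "diffie", out_name))

def invoke_with_handle(disk, checks, out_name):
    """Variant: BPS opens the file under its own authority and passes the handle."""
    signer(disk, checks, open_for_write(disk, "bps", out_name))

def journal_survives(invoke, out_name):
    """Return True if the earlier journal entry is intact after the invocation."""
    disk = new_disk()
    try:
        invoke(disk, ["check-1"], out_name)
    except PermissionError:
        pass                                            # refused before any write
    return disk["journal.log"].startswith(HISTORY)

if __name__ == "__main__":
    for invoke in (invoke_with_name, invoke_with_handle):
        for name in ("outbox/signed.txt", "journal.log"):
            print(invoke.__name__, name, journal_survives(invoke, name))
```
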