author: IkiWiki <ikiwiki.info> 2019-01-26 10:06:17 -0500
committer: Samuel Thibault <samuel.thibault@ens-lyon.org> 2019-01-26 21:41:27 +0100
commit: 56e4ff87fcdcba7208fcd0ac6d04a57088efac61 (patch)
tree: 50c3120e38a23f5d463c837c6de27e3d47fe39f9
parent: 66eff6899fabf929cd057b10777c7801e5602c5e (diff)
I added a concrete example to the capability page.
-rw-r--r-- capability.mdwn 10
1 files changed, 10 insertions, 0 deletions
diff --git a/capability.mdwn b/capability.mdwn
index 0ebe5cd4..32a9b68f 100644
--- a/capability.mdwn
+++ b/capability.mdwn
@@ -28,6 +28,16 @@ sent a string to identify the file to B, the identifier lacks a
than A intended. By ensuring that [[designation]] and [[authorization]] are
always bound together, these problems are avoided.
+If you found the above example a little too abstract, then consider the example
+found on the [[wikipedia|https://en.wikipedia.org/wiki/Confused_deputy_problem]]
+page. Suppose a trusted server runs a compilation process, bills clients for
+using the service, and stores billing information in the "bills.txt" file. The
+compilation server needs clients to provide the name of the input and output
+files to compile the program. Suppose a client calls the compilation server
+and specifies the output file as the "billing.txt" file. The server compiles
+the program, and then overwrites the billing information. Now the server does
+not know who to bill for the use of its services.
+
Capability-based system architectures strive to meet the *principle of least
privilege* ({{$wikipedia_polp}}).
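Review bot: the billing file is named inconsistently within the new paragraph, "bills.txt" where it is introduced and "billing.txt" where the client supplies it as the output file; use one name throughout so the reader can see that the client-chosen output file is the very file the server keeps its records in. The paragraph also stops short of saying why this is a confused deputy: the client only passed a file name (designation), and the server applied its own write permission (authorization) to whatever name it was given, so the two were handled separately. One sentence to that effect after "overwrites the billing information" would tie the example back to the "designation and authorization are always bound together" sentence just above the hunk. Minor: the neighbouring paragraph links to Wikipedia through the `{{$wikipedia_polp}}` template (visible in the trailing context line), so consider the same mechanism instead of the `[[wikipedia|https://...]]` wikilink for consistency.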