## §SELF — miscsubjects portable reference

**Principle:** Self-explaining payload — no external context required. This _self block describes what you are reading and where to look next.

**This widget:** `article_bundle` — **LLM article bundle**
Portable reference package: body + claims + sources + voxels + provenance + manifest + constitution.
- **article slug:** `what-is-confused-deputy`
- **contains:** body, claims, sources, voxels, provenance, question graph, constitution, llm_manifest
- **how to use:** Reference block for Grok/GPT/Gemini. Section §SELF explains the system.
- **read:** https://miscsubjects.com/api/articles/what-is-confused-deputy/bundle?format=markdown

### Logical proof (verify each step)
1. Articles are voxel graphs of tiered claims, not prose blobs. → https://miscsubjects.com/api/articles/constitution
2. Claims link to hash-chained sources via source_ids. → https://miscsubjects.com/api/articles/what-is-confused-deputy/sources
3. Ask reads topology; ingest/claim append to ledger. → https://miscsubjects.com/api/protocol
4. Models queue growth: populate → collaborate → repair → reflex. → https://miscsubjects.com/api/protocol/grow
5. Graph proves its own shape (reflex) and $/claim (yield). → https://miscsubjects.com/graph.html?layer=reflex
6. Full feature index + _explain on every API response. → https://miscsubjects.com/api/articles/system-map

### Related features (explains other parts of the system)
- **topology** — Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER. · https://miscsubjects.com/api/articles/what-is-confused-deputy/topology
- **voxels** — Claims as atoms, sources as edges (supported_by, posted_by). Per-claim provenance. · https://miscsubjects.com/api/articles/what-is-confused-deputy/voxels
- **ask** — Answer only from topology; creates question_node with gaps and ingest_hint. · https://miscsubjects.com/api/articles/what-is-confused-deputy/prompts
- **ingest** — Parse pasted evidence → source ledger + claims + evidence_ingest node.
- **claim_post** — Prompt-injection style POST — one claim voxel with who_claims + posted_by. · https://miscsubjects.com/api/articles/what-is-confused-deputy/voxels
- **llm_manifest** — Machine-readable read/write contract for external LLMs. · https://miscsubjects.com/api/articles/llm-manifest

### Full index
- JSON: https://miscsubjects.com/api/articles/system-map
- Markdown: https://miscsubjects.com/api/articles/system-map?format=markdown

*Not medical advice. Tier-honest. Cite claim/source ids.*

---

# miscsubjects article bundle

> Reference bundle for Grok, GPT, Gemini, or a human reader. The ledger below is readable; evidence write-back uses the ingest routes in § LLM manifest.

## Article
- **slug:** `what-is-confused-deputy`
- **title:** What Is a Confused Deputy
- **url:** https://miscsubjects.com/a/what-is-confused-deputy
- **register:** standard
- **updated:** 2026-07-15T04:20:53.173Z
- **tags:** oip, kimi-import, self-explaining, voxel, concepts, what-is-confused-deputy

## Body

<!-- hierarchy:nav -->
> **Path:** [OIP](https://miscsubjects.com/a/oip) › [Thinker Reference](https://miscsubjects.com/a/oip-thinker-reference) › [Protocol Concepts](https://miscsubjects.com/a/oip-protocol-concepts) › **What Is a Confused Deputy**
>
> **Shelf:** Protocol Concepts · **Traversal:** self-explaining · hierarchical · voxel-ready
> **Machine root:** [OIP tree](https://miscsubjects.com/api/dispatch?map=1&format=markdown) · [Registry](https://miscsubjects.com/api/dispatch?registry=1)

# What Is a Confused Deputy

## §SELF — what-is-confused-deputy

**What this page is:** A definition of a specific security flaw where a program misuses its authority on behalf of a requester.
**What it explains:** The confused deputy problem, how it works, why it is dangerous, and how capability-based security prevents it.
**Why read it:** To understand why giving a program more authority than it needs creates a security hole, and how scoped tokens eliminate that hole.

### What a Confused Deputy Is

A confused deputy is a security flaw. It occurs when a program (the "deputy") holds authority to perform actions that a requester cannot perform directly, and the deputy uses that authority to perform an action on the requester's behalf without verifying whether the requester is allowed to request that action. The deputy is "confused" about whose authority it is exercising — its own, or the requester's.

Butler Lampson named this problem in 1971. The classic example: a compiler runs with system-level privileges (it can write files to any directory). A user asks the compiler to write its compiled output to a protected system file. The compiler, because it has system privileges, overwrites the protected file. The compiler is the confused deputy. It had authority. It used that authority on behalf of a user who should not have had that authority. The compiler did not check.

### Why It Matters

Any system where one component acts on behalf of another is vulnerable. Web servers handle requests for users. APIs call other APIs. AI models invoke tools on behalf of users. In every case, if the deputy component has broader authority than any single request should use, a malicious or mistaken request can exploit that excess authority. The damage ranges from data corruption to unauthorized access to system compromise. The confused deputy problem is one of the most common and least understood security flaws in multi-component systems.

### The Key Idea

The problem is not that the deputy has authority. The problem is that the deputy has *more* authority than the specific task requires. When a deputy holds blanket authority, it cannot distinguish between legitimate requests and illegitimate ones — it lacks the information to do so. The solution is to give the deputy only the specific authority it needs for each task, and no more.

Two approaches exist:

1. **Capability security.** The deputy receives a capability (an unforgeable token) that grants access to only the specific resource needed — for example, a write handle to one directory, not to all files. The deputy cannot be confused because it does not possess excess authority. It physically cannot access resources outside its capability's scope.

2. **Permission checks.** The deputy checks whether the requester has permission before acting. This works but creates coupling: the deputy must know the access control policy, must be updated when the policy changes, and must implement the check correctly every time. Missing one check creates a vulnerability.

### What the Capability Approach Got Right

- **Eliminates the problem by construction.** If the deputy only holds a capability for the output directory, it cannot write to a protected system file. The attack is structurally impossible, not merely checked against.
- **No policy knowledge required.** The deputy does not need to know who the user is, what their permissions are, or what the access control policy says. It simply uses the capability it was given. This decouples the deputy from the authorization system.
- **Scopes are auditable.** A capability lists exactly what authority it conveys. You can inspect it. You know the maximum damage it enables.

### What the Permission-Check Approach Got Wrong

- **Every check is a potential bug.** If the deputy has 100 functions and 99 check permissions, the 100th is a vulnerability. This is how real systems get compromised: a developer forgets one check.
- **Policy coupling.** The deputy must be updated whenever the access control policy changes. This creates maintenance burden and version skew.
- **Confused deputy can still occur inside the check.** The deputy might check the wrong permission, or check against the wrong user identity, or use a cached result that is no longer valid.

### How It Connects to Other Ideas

- **OIP capability tokens.** OIP uses scoped tokens as capabilities. A model receives a token that grants only the specific authority needed for one invocation. The token cannot be reused for a different scope. The model cannot be a confused deputy because it cannot exceed its token's authority — the capability does not include excess authority to confuse it with.
- **Principle of least privilege.** Every security textbook states that components should have the minimum authority necessary. Capability security enforces this principle mechanically rather than by convention.
- **OAuth and scoped tokens.** Modern authorization protocols (OAuth 2.0) use scoped tokens that limit what a client application can do. These are capabilities in practice, even if not named as such.

### Sources

- Lampson, Butler W. "Protection." Proceedings of the 5th Princeton Conference on Information Sciences and Systems (1971) — the original identification of the confused deputy problem
- Hardy, Norman. "The Confused Deputy." ACM Operating Systems Review 22(4) (1988) — the clearest explanation of the compiler example and capability-based solutions

---

## Up the tree

- [OIP root](https://miscsubjects.com/a/oip) — protocol root, zero-context entry
- [Thinker Reference hub](https://miscsubjects.com/a/oip-thinker-reference) — full hierarchy map
- [Protocol Concepts shelf](https://miscsubjects.com/a/oip-protocol-concepts) — siblings on this shelf
- [Voxel graph article](https://miscsubjects.com/a/what-is-voxel-graph) — how pages link as voxels
- [Self-describing protocol](https://miscsubjects.com/a/what-is-self-describing-protocol)

## Related on this shelf

- [What Is Autopoiesis](https://miscsubjects.com/a/what-is-autopoiesis)
- [What Is Capability-Based Security](https://miscsubjects.com/a/what-is-capability-security)
- [What Is a Capability Token](https://miscsubjects.com/a/what-is-capability-token)
- [What Is Context as Cursor](https://miscsubjects.com/a/what-is-context-as-cursor)
- [What Is a Convergence Catalogue](https://miscsubjects.com/a/what-is-convergence-catalogue)
- [What Is a Falsification Surface](https://miscsubjects.com/a/what-is-falsification-surface)
- [What Is HATEOAS](https://miscsubjects.com/a/what-is-hateoas)
- [What Is the History of Link Protocols](https://miscsubjects.com/a/what-is-link-protocol-history)

## Machine surfaces

- Public page: `https://miscsubjects.com/a/what-is-confused-deputy`
- JSON article: `https://miscsubjects.com/api/articles/what-is-confused-deputy`
- OIP ask: `https://miscsubjects.com/api/dispatch?ask=What%20Is%20a%20Confused%20Deputy`


## Claims (0)


## Voxel graph (0 atoms · 0 edges)
- full graph: https://miscsubjects.com/api/articles/what-is-confused-deputy/voxels

## Article constitution

- full: https://miscsubjects.com/api/articles/constitution

## Source ledger (0)
- chain valid: yes · head: `genesis`

## Provenance (1 model passes)
- chain valid: yes · head: `b06392a2f0f4069e`

- write · kimi-agent-import · 2026-07-15T04:20 · hash `b06392a2f0f4`

## Question graph
- questions: 0 · evidence ingests: 0

## LLM manifest — how to communicate with this ledger

- system map: https://miscsubjects.com/api/articles/system-map?format=markdown
- topology (ranked): https://miscsubjects.com/api/articles/what-is-confused-deputy/topology
- ingest: POST https://miscsubjects.com/api/protocol/ingest
- claim: POST https://miscsubjects.com/api/protocol/claim

### Quick actions for this article
- **Read live:** https://miscsubjects.com/api/articles/what-is-confused-deputy/topology
- **Ask (API):** POST https://miscsubjects.com/api/protocol/ask `{"slug":"what-is-confused-deputy","question":"..."}`
- **Ingest your findings:** POST https://miscsubjects.com/api/protocol/ingest or text `ingest what-is-confused-deputy|your evidence`
- **Post one claim:** POST https://miscsubjects.com/api/protocol/claim or text `claim what-is-confused-deputy|tier|assertion`
- **iMessage ask:** `what-is-confused-deputy|your question`
- **System map:** https://miscsubjects.com/api/articles/system-map?format=markdown


---

## §SELF — miscsubjects portable reference

**Principle:** Self-explaining payload — no external context required. This _self block describes what you are reading and where to look next.

**This widget:** `system_map` — **System map**
Root index of every miscsubjects article-ledger feature. Start here if you have zero context.
- **article slug:** `what-is-confused-deputy`
- **contains:** body, claims, sources, voxels, provenance, question graph, constitution, llm_manifest
- **how to use:** Root index of every miscsubjects article-ledger feature. Start here if you have zero context.
- **read:** https://miscsubjects.com/api/articles/system-map

### Logical proof (verify each step)
1. Articles are voxel graphs of tiered claims, not prose blobs. → https://miscsubjects.com/api/articles/constitution
2. Claims link to hash-chained sources via source_ids. → https://miscsubjects.com/api/articles/what-is-confused-deputy/sources
3. Ask reads topology; ingest/claim append to ledger. → https://miscsubjects.com/api/protocol
4. Models queue growth: populate → collaborate → repair → reflex. → https://miscsubjects.com/api/protocol/grow
5. Graph proves its own shape (reflex) and $/claim (yield). → https://miscsubjects.com/graph.html?layer=reflex
6. Full feature index + _explain on every API response. → https://miscsubjects.com/api/articles/system-map

### Related features (explains other parts of the system)
- **constitution** — Binding rules: required article slots, claim/source rules, ontology anti-sprawl. · https://miscsubjects.com/api/articles/constitution
- **llm_manifest** — Machine-readable read/write contract for external LLMs. · https://miscsubjects.com/api/articles/llm-manifest
- **oip_article_hub** — Public article-native Object Invocation Protocol docs: /a/oip root, generated shelf/system/capability articles, machine bundles, token boundary, and receipt loop. · https://miscsubjects.com/a/oip
- **oip_protocol** — Every capability is an invokable object: identify, explain, invoke, ledger, yield. · https://miscsubjects.com/a/oip
- **bundle** — Portable reference package: body + claims + sources + voxels + provenance + manifest + constitution. · https://miscsubjects.com/api/articles/what-is-confused-deputy/bundle?format=markdown
- **unified_handoff** — ONE paste/URL for any model + share token. Same self-explaining pattern as article bundle, but whole build. · https://miscsubjects.com/api/handoff?format=markdown

### Full index
- JSON: https://miscsubjects.com/api/articles/system-map
- Markdown: https://miscsubjects.com/api/articles/system-map?format=markdown

*Not medical advice. Tier-honest. Cite claim/source ids.*