Purpose of bindForRequest


Neil Madden

Nov 12, 2020, 8:02:36 AM
to Macaroons
I’m trying to work out the purpose of the bindForRequest operation described in section IV. B. in the macaroons paper [1]. The paper says:

In particular, an attack is possible if the client accidentally makes a request to a principal other than the original target (perhaps by falling prey to phishing). In this case, this other principal can maliciously re-use any discharge macaroons it receives to discharge third-party caveats embedded in macaroons for itself, thereby authorizing itself using contextual caveat discharges from the client. To prevent such malicious re-use, all discharge macaroons are required to be bound to the authorizing macaroon before being sent along with a request to the target. This binding is carried out by the method M.PrepareForRequest(M), which binds the authorizing macaroon M to each discharge macaroon M′ ...

I’ve always assumed that the caveat root key for a 3rd-party caveat should be freshly generated and so unique to a particular authorizing macaroon. Is there a particular reason why you might want to re-use a caveat root key for different caveats? Or is it that you might want to reuse the same key for the same 3rd-party caveat for different authorizing macaroons? (This sounds unnecessarily risky to me).

It also seems strange not to use normal contextual first-party caveats to bind the discharge macaroons to the request - is there a reason why it needs a special mechanism? For example, why not add a 1st-party caveat like “auth_mac_hash = <hash>” to each discharge macaroon?
Cheers,

Neil
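An added illustration of the scenario quoted from section IV.B above; this is not code from the thread, from the paper, or from any macaroon library. It models a minimal HMAC-chained macaroon with one third-party caveat, a discharge from the third party, and the bindForRequest (PrepareForRequest) step. Assumed simplifications: HMAC-SHA256 throughout, the paper's encryption of the caveat key is modelled as an XOR with an HMAC-derived keystream, the binding is an HMAC under an all-zero key over the two signatures, discharges carry only first-party caveats, and the locations and caveat id are constructed sample values. The demo mints two authorizing macaroons that share one caveat key (the re-use case the paper warns about) and checks that a discharge bound to the first is rejected when presented with the second, whereas the same discharge, left unbound, would be accepted by a verifier that skips the binding check.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Added illustration of the macaroon paper's section IV.B; not the paper's
# construction nor any library's code. Assumptions: HMAC-SHA256 everywhere,
# Enc() modelled as XOR with an HMAC keystream, binding = HMAC(zero key,
# authorizing signature || discharge signature).

ZERO_KEY = bytes(32)  # fixed key used only for the binding step

Predicate = Callable[[bytes], bool]


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _seal(sig: bytes, caveat_key: bytes) -> bytes:
    """Stand-in for Enc(sig, caveat_key): XOR with a keystream derived from sig.
    Only a party that can recompute sig (the target) can recover caveat_key."""
    stream = _mac(sig, b"caveat-key-stream")
    return bytes(a ^ b for a, b in zip(stream, caveat_key))


_unseal = _seal  # XOR with the same keystream is its own inverse


@dataclass
class Macaroon:
    location: str
    identifier: bytes
    # (caveat_id, verification_id); verification_id is None for first-party caveats
    caveats: List[Tuple[bytes, Optional[bytes]]] = field(default_factory=list)
    signature: bytes = b""

    @classmethod
    def mint(cls, location: str, identifier: bytes, root_key: bytes) -> "Macaroon":
        m = cls(location, identifier)
        m.signature = _mac(root_key, identifier)
        return m

    def add_first_party_caveat(self, predicate: bytes) -> None:
        self.caveats.append((predicate, None))
        self.signature = _mac(self.signature, predicate)

    def add_third_party_caveat(self, caveat_key: bytes, caveat_id: bytes) -> None:
        vid = _seal(self.signature, caveat_key)  # caveat key hidden inside the vid
        self.caveats.append((caveat_id, vid))
        self.signature = _mac(self.signature, vid + caveat_id)

    def prepare_for_request(self, discharge: "Macaroon") -> "Macaroon":
        """bindForRequest: tie the discharge's signature to THIS authorizing macaroon."""
        bound = Macaroon(discharge.location, discharge.identifier, list(discharge.caveats))
        bound.signature = _mac(ZERO_KEY, self.signature + discharge.signature)
        return bound


def _discharge_signature(caveat_key: bytes, d: Macaroon, ok: Predicate) -> Optional[bytes]:
    """Recompute the discharge's unbound signature (first-party caveats only)."""
    sig = _mac(caveat_key, d.identifier)
    for cid, vid in d.caveats:
        if vid is not None or not ok(cid):
            return None
        sig = _mac(sig, cid)
    return sig


def verify(root_key: bytes, m: Macaroon, discharges: Dict[bytes, Macaroon],
           ok: Predicate, require_binding: bool = True) -> bool:
    """Target-side check. With require_binding=False the raw (unbound) discharge
    signature is accepted, which is exactly the re-use weakness the paper describes."""
    sig = _mac(root_key, m.identifier)
    for cid, vid in m.caveats:
        if vid is None:
            if not ok(cid):
                return False
            sig = _mac(sig, cid)
            continue
        d = discharges.get(cid)
        if d is None:
            return False
        caveat_key = _unseal(sig, vid)  # target recovers the caveat key from the vid
        raw = _discharge_signature(caveat_key, d, ok)
        if raw is None:
            return False
        expected = _mac(ZERO_KEY, m.signature + raw) if require_binding else raw
        if not hmac.compare_digest(expected, d.signature):
            return False
        sig = _mac(sig, vid + cid)
    return hmac.compare_digest(sig, m.signature)


def demo() -> Dict[str, bool]:
    target_key = secrets.token_bytes(32)
    caveat_key = secrets.token_bytes(32)        # shared by target and third party
    caveat_id = b"auth.example:session-check"   # constructed sample value
    always: Predicate = lambda _p: True

    m = Macaroon.mint("https://target.example", b"user-42", target_key)
    m.add_third_party_caveat(caveat_key, caveat_id)
    d = Macaroon.mint("https://auth.example", caveat_id, caveat_key)  # the discharge
    d.add_first_party_caveat(b"time < 2020-11-13T00:00Z")
    bound = m.prepare_for_request(d)

    # Second authorizing macaroon, another principal, same caveat key and id.
    other = Macaroon.mint("https://target.example", b"other-principal", target_key)
    other.add_third_party_caveat(caveat_key, caveat_id)

    return {
        "legitimate_bound": verify(target_key, m, {caveat_id: bound}, always),
        "reused_bound_rejected": not verify(target_key, other, {caveat_id: bound}, always),
        "reused_unbound_accepted": verify(target_key, other, {caveat_id: d}, always,
                                          require_binding=False),
    }
```

The verifier never trusts the discharge's signature on its own: it recomputes the discharge's signature from the caveat key it recovers out of its own signature chain, then re-derives the binding from the presented authorizing macaroon's signature. That is why a discharge bound to one authorizing macaroon cannot be replayed against another, even when both embed the same caveat key.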