[Openid-specs-authzen] Introduction and few questions / ideas
Gerry Gebel
gerry at strata.io
Wed Jun 25 21:25:36 UTC 2025
Hi Monika
For some reason, your message was not delivered to the email list, so I am
including it below and offering an initial response here.
- The AuthZEN spec is agnostic to whether it's a machine or human
interaction
- There is an open issue, #55, that addresses signing options for the
request/response. We did not have time to discuss it on the call this week
but will be doing that in the near future - please join the working group
calls or add a comment to the issue
- A discovery option is included in the latest working draft and some of
the PDP implementations already support it, as shown in the latest interop
demo. See section 11 - https://openid.github.io/authzen/
Regards,
Gerry
Date: Wed, 25 Jun 2025 18:17:30 +0000
Subject: Introduction and few questions / ideas
Hi,
I am Monika Avalur, working as a product manager in the IAM space at CyberArk. I
have been assigned to this working group and have been going through the
specs for AuthZEN.
- I wanted to understand if this protocol would mostly be an M2M-based
protocol? What if we have a use case for a human identity where we want to
launch a browser to get user consent or perform some user-based actions
on the PEP endpoint?
- Also, from a security perspective, do we plan on defining E2E or
cert-based signing options as well?
- Would we be providing discovery options similar to OIDC/SAML, i.e., how
would the PDP know which PEP endpoint to call?
Thanks & Regards,
Monika