<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Aptos;
panose-1:2 11 0 4 2 2 2 2 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Aptos Mono";
panose-1:2 11 0 9 2 2 2 2 2 4;}
@font-face
{font-family:Roboto;
panose-1:2 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:10.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:10.0pt;
font-family:"Aptos",sans-serif;}
span.gmailsignatureprefix
{mso-style-name:gmail_signature_prefix;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:728723053;
mso-list-type:hybrid;
mso-list-template-ids:-1949674176 67698709 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-number-format:alpha-upper;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1
{mso-list-id:1370228570;
mso-list-type:hybrid;
mso-list-template-ids:2001636376 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:12.0pt">Hi all,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt">The proposal does claim backwards compatibility, but I wonder if there is a case where that might not be the case.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt">Here is an example; please let me know if I’m getting something wrong here:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo1"><span style="font-size:12.0pt">Assume we have a PEP which implements boxcarring but a (legacy?) PDP which does not.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo1"><span style="font-size:12.0pt">When the PDP receives a boxcarred request with an
</span><span style="font-size:12.0pt;font-family:"Aptos Mono"">evaluations</span><span style="font-size:12.0pt"> object, I presume it would ignore that object as an unrecognized key, correct?<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo1"><span style="font-size:12.0pt">The PDP would then interpret any remaining elements (</span><span style="font-size:12.0pt;font-family:"Aptos Mono"">subject</span><span style="font-size:12.0pt">,
</span><span style="font-size:12.0pt;font-family:"Aptos Mono"">context</span><span style="font-size:12.0pt">, etc.), as an actual single-valued evaluation request instead of defaults for boxcarred request, possibly returning a result which doesn’t make sense
to the PEP? This would seem to be a break in backward compatibility.<o:p></o:p></span></li></ol>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt">The converse, where the PEP is legacy and the PDP supports boxcarring should work just fine though.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt">Assuming the above scenario is plausible, it does beg the question of how important backward compatibility is at this point in our spec development cycle. In the past, we’ve assumed that we MUST maintain backward
compatibility. If so, then this would perhaps be an argument for the alternate endpoint approach we’ve discussed
</span><span style="font-size:12.0pt;font-family:"Aptos Mono"">/access/v1/authorization<span style="color:red">s</span></span><span style="font-size:12.0pt"> vs.
</span><span style="font-size:12.0pt;font-family:"Aptos Mono"">/access/v1/authorization</span><span style="font-size:12.0pt">).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt">Thoughts?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt">-Steve<o:p></o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Openid-specs-authzen <openid-specs-authzen-bounces@lists.openid.net> on behalf of Omri Gazitt via Openid-specs-authzen <openid-specs-authzen@lists.openid.net><br>
<b>Date: </b>Wednesday, June 5, 2024 at 22:27<br>
<b>To: </b>AuthZEN Working Group List <openid-specs-authzen@lists.openid.net><br>
<b>Cc: </b>Omri Gazitt <omri@aserto.com><br>
<b>Subject: </b>Re: [Openid-specs-authzen] Boxcarring proposal<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">Thanks Andy, Alex & Granville!<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">I agree with the feedback to use a keyed object instead of an array. I made those changes in the
<a href="https://hackmd.io/ri7odOQkQ6yztBQGlXnnKg?both">hackmd file</a>. I also added a brief section on errors.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">Please feel free to add comments to the hackmd file, or send them on the mailing list. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">We can discuss the proposal at our next meeting on Tuesday.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">Thanks,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">Omri.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">On Mon, Jun 3, 2024 at 5:48</span><span style="font-size:12.0pt;font-family:"Arial",sans-serif"> </span><span style="font-size:12.0pt">AM Granville Schmidt via Openid-specs-authzen <<a href="mailto:openid-specs-authzen@lists.openid.net">openid-specs-authzen@lists.openid.net</a>>
wrote:<o:p></o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">Thank you for writing this first proposal, Omri!<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">I agree with Alex on having the batched response keyed off an identifier. I also have some additional thoughts to share and get feedback on.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">Is it the team's preference to have comments added directly to the HackMD document or continue via email?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">Cheers,<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt"><br clear="all">
<o:p></o:p></span></p>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Granville Schmidt</span></b><span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">CISSP, CCSP, CSSLP, HCISPP, CIPT, GCPCA</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"><a href="https://www.linkedin.com/in/granvilleschmidt/" target="_blank"><span style="color:#1155CC">https://www.linkedin.com/in/granvilleschmidt/</span></a> <br>
+1-740-701-3514</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black;border:solid windowtext 1.0pt;padding:0in"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="_x0000_i1030" src="cid:~WRD0000.jpg" alt="Image removed by sender."></span><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"> <span style="border:solid windowtext 1.0pt;padding:0in"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="_x0000_i1029" src="cid:~WRD0000.jpg" alt="Image removed by sender."></span> <span style="border:solid windowtext 1.0pt;padding:0in"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="_x0000_i1028" src="cid:~WRD0000.jpg" alt="Image removed by sender."></span> <span style="border:solid windowtext 1.0pt;padding:0in"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="_x0000_i1027" src="cid:~WRD0000.jpg" alt="Image removed by sender."></span></span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;border:solid windowtext 1.0pt;padding:0in"><img border="0" width="96" height="96" style="width:1.0in;height:1.0in" id="_x0000_i1026" src="cid:~WRD0000.jpg" alt="Image removed by sender. Certified Information Privacy Technologist (CIPT) | Intellectual Point"></span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">On Mon, Jun 3, 2024 at 3:38</span><span style="font-size:12.0pt;font-family:"Arial",sans-serif"> </span><span style="font-size:12.0pt">AM Alex Olivier via Openid-specs-authzen <<a href="mailto:openid-specs-authzen@lists.openid.net" target="_blank">openid-specs-authzen@lists.openid.net</a>>
wrote:<o:p></o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">This is looking good to me.<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">The one area I have run into with the type-array response approach is around ordering. I am assuming that the response array is required to be the same length and order as the input values. This is implicitly
putting the responsibility of the PDP to fit that contract and so would be called out in the spec explicitly.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">From my own experience, having this batch response being keyed off some identifier (resource ID/action?) passed in the input makes it easier to handle on the client side as you can just 'pluck' the value from
the response rather than have to iterate through the array to find the matching entity (though the SDK layer can do this).<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">On Sat, 1 Jun 2024 at 02:21, Omri Gazitt via Openid-specs-authzen <<a href="mailto:openid-specs-authzen@lists.openid.net" target="_blank">openid-specs-authzen@lists.openid.net</a>> wrote:<o:p></o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">Hi folks!<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">I had a chance to write up the boxcarring proposal that we batted around during Identiverse. It's in
<a href="https://hackmd.io/ri7odOQkQ6yztBQGlXnnKg" target="_blank">HackMD</a>. Comments welcome!<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">The proposal is meant to be backwards-compatible with the current single-decision evaluation API, but could also be bound to the /access/v1/evaluations (note plural) endpoint.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">Thanks,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">Omri.<br clear="all">
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span class="gmailsignatureprefix"><span style="font-size:12.0pt">--
</span></span><span style="font-size:12.0pt"><o:p></o:p></span></p>
<div>
<div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr>
<td valign="top" style="padding:5.0pt 5.0pt 5.0pt 5.0pt;overflow:hidden">
<p style="margin:0in"><span style="font-family:"Tahoma",sans-serif;color:#222222"><a href="http://www.aserto.com/" target="_blank"><span style="color:#222222;text-decoration:none"><span style="color:blue;border:solid windowtext 1.0pt;padding:0in"><img border="0" width="96" height="35" style="width:1.0in;height:.3645in" id="_x0000_i1025" src="cid:~WRD0000.jpg" alt="Image removed by sender."></span></span></a><o:p></o:p></span></p>
</td>
<td style="padding:5.0pt 5.0pt 5.0pt 5.0pt;overflow:hidden">
<p style="margin:0in"><b><span style="font-size:10.0pt;font-family:Roboto;color:black">Omri Gazitt</span></b><span style="font-family:"Arial",sans-serif;color:black">
</span><b><span style="font-size:10.0pt;font-family:Roboto;color:black">| </span>
</b><span style="font-size:10.0pt;font-family:Roboto;color:black">CEO</span><span style="font-family:"Tahoma",sans-serif;color:#222222"><o:p></o:p></span></p>
<p style="margin:0in"><span style="font-size:10.0pt;font-family:Roboto;color:black"><a href="http://www.aserto.com/" target="_blank">Aserto</a> Inc.</span><span style="font-family:"Arial",sans-serif;color:#222222">
</span><b><span style="font-size:10.0pt;font-family:Roboto;color:black">| </span>
</b><span style="font-size:10.0pt;font-family:Roboto;color:black">(425) 765-0079</span><span style="font-family:"Tahoma",sans-serif;color:#222222"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt">-- <br>
Openid-specs-authzen mailing list<br>
<a href="mailto:Openid-specs-authzen@lists.openid.net" target="_blank">Openid-specs-authzen@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-authzen" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-authzen</a><o:p></o:p></span></p>
</blockquote>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt">-- <br>
Openid-specs-authzen mailing list<br>
<a href="mailto:Openid-specs-authzen@lists.openid.net" target="_blank">Openid-specs-authzen@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-authzen" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-authzen</a><o:p></o:p></span></p>
</blockquote>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt">-- <br>
Openid-specs-authzen mailing list<br>
<a href="mailto:Openid-specs-authzen@lists.openid.net" target="_blank">Openid-specs-authzen@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-authzen" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-authzen</a><o:p></o:p></span></p>
</blockquote>
</div>
</div>
</div>
</div>
</body>
</html>