<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Amazon Ember Heavy";
panose-1:2 11 8 3 2 2 4 2 2 4;}
@font-face
{font-family:"Amazon Ember Light";
panose-1:2 11 4 3 2 2 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
font-size:10.0pt;
font-family:"Courier New";}
p.ms-outlook-mobile-reference-message, li.ms-outlook-mobile-reference-message, div.ms-outlook-mobile-reference-message
{mso-style-name:ms-outlook-mobile-reference-message;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:138041522;
mso-list-template-ids:-750490528;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:1634943747;
mso-list-template-ids:-135084090;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style>
</head>
<body lang="FR-CA" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US">FYI<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Amazon Ember Heavy",sans-serif;mso-ligatures:standardcontextual">Jean-François “<span style="color:#E97132">Jeff</span>” Lombardo</span></b><span style="mso-ligatures:standardcontextual"> </span><span style="font-size:10.0pt;font-family:"Amazon Ember Light",sans-serif;mso-ligatures:standardcontextual">|<span style="color:gray">
</span><span style="color:#E97132">Amazon Web Services</span></span><span style="font-size:10.0pt;font-family:"Amazon Ember Light",sans-serif;color:#E97132"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:4.0pt;font-family:"Amazon Ember Light",sans-serif;color:gray;mso-ligatures:standardcontextual"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Amazon Ember Light",sans-serif;color:gray;mso-ligatures:standardcontextual">Architecte Principal de Solutions, Spécialiste de Sécurité<br>
Principal Solution Architect, Security Specialist<br>
Montréal, Canada<br>
<br>
<o:p></o:p></span></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt;font-family:"Amazon Ember Light",sans-serif;color:gray;mso-ligatures:standardcontextual">Commentaires à propos de notre échange?
</span></i><i><span lang="EN-US" style="font-size:10.0pt;font-family:"Amazon Ember Light",sans-serif;color:gray;mso-ligatures:standardcontextual">Exprimez-vous
</span></i><span style="mso-ligatures:standardcontextual"><a href="https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$"><i><span lang="EN-US" style="font-size:10.0pt;font-family:"Amazon Ember Light",sans-serif;color:#467886">ici</span></i></a></span><i><span lang="EN-US" style="font-size:10.0pt;font-family:"Amazon Ember Light",sans-serif;color:gray;mso-ligatures:standardcontextual">.<o:p></o:p></span></i></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:4.0pt;font-family:"Amazon Ember Light",sans-serif;color:gray;mso-ligatures:standardcontextual"><o:p> </o:p></span></p>
<p class="MsoNormal"><i><span lang="EN-US" style="font-size:10.0pt;font-family:"Amazon Ember Light",sans-serif;color:gray;mso-ligatures:standardcontextual">Thoughts on our interaction? Provide feedback
</span></i><span style="mso-ligatures:standardcontextual"><a href="https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$"><i><span lang="EN-US" style="font-size:10.0pt;font-family:"Amazon Ember Light",sans-serif;color:#467886">here</span></i></a></span><i><span lang="EN-US" style="font-size:10.0pt;font-family:"Amazon Ember Light",sans-serif;color:gray;mso-ligatures:standardcontextual">.<o:p></o:p></span></i></p>
</div>
<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Yaron Sheffer <yaronf.ietf@gmail.com>
<br>
<b>Sent:</b> October 19, 2025 5:51 AM<br>
<b>To:</b> LUCIA CABANILLAS RODRIGUEZ <lucia.cabanillasrodriguez@telefonica.com>; wimse@ietf.org<br>
<b>Subject:</b> [EXT] [WIMSE] Re: [Wimse] Authorization - some ideas<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr style="height:15.25pt">
<td width="1123" valign="top" style="width:842.35pt;border:solid #ED7D31 1.5pt;padding:0cm 5.4pt 0cm 5.4pt;height:15.25pt">
<p><strong><span style="font-family:"Aptos",sans-serif;color:black;background:#FFFF99">CAUTION</span></strong><span style="color:black;background:#FFFF99">: This email originated from outside of the organization. Do not click links or open attachments unless
you can confirm the sender and know the content is safe.</span><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr style="height:15.25pt">
<td width="1123" valign="top" style="width:842.35pt;border:solid #ED7D31 1.5pt;padding:0cm 5.4pt 0cm 5.4pt;height:15.25pt">
<p><strong><span style="font-family:"Aptos",sans-serif;color:black;background:#FFFF99">AVERTISSEMENT</span></strong><span style="color:black;background:#FFFF99">: Ce courrier électronique provient d’un expéditeur externe. Ne cliquez sur aucun lien et n’ouvrez
aucune pièce jointe si vous ne pouvez pas confirmer l’identité de l’expéditeur et si vous n’êtes pas certain que le contenu ne présente aucun risque.</span><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="color:black">Hi <span style="background:white">
Lucía</span>,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">Process-wise, this discussion (and diagram) should actually be moved from the s2s draft into the WIMSE Architecture draft.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">And to your point, I think we just wanted to keep options open around authz. In very small deployments there may not be any explicit authz at all - everybody that presents a valid token/signature is trusted. In
such deployments the PEP is trivial and there’s no PDP.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">We have not had deep discussion of authorization at all, and AFAICT David’s message down this thread actually goes into more depth than the WG or the author team has ever had.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">Thanks,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> Yaron<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
</div>
<div id="mail-editor-reference-message-container">
<div style="border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0cm 0cm 0cm;border-color:currentcolor currentcolor">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="color:black">From:
</span></b><span style="color:black">LUCIA CABANILLAS RODRIGUEZ <<a href="mailto:lucia.cabanillasrodriguez@telefonica.com">lucia.cabanillasrodriguez@telefonica.com</a>><br>
<b>Date: </b>Tuesday, 14 October 2025 at 12:20<br>
<b>To: </b><a href="mailto:wimse@ietf.org">wimse@ietf.org</a> <<a href="mailto:wimse@ietf.org">wimse@ietf.org</a>><br>
<b>Subject: </b>[WIMSE] Re: [Wimse] Authorization - some ideas<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">Hello everyone,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">I hope this message finds you well.<o:p></o:p></span></p>
</div>
<p class="ms-outlook-mobile-reference-message"><span style="color:black">I have a question regarding Section 1.2 of draft-ietf-wimse-s2s-protocol-06, where it is stated that the PDP (Policy Decision Point) is optional and may only be deployed when policy management
is centralized.</span><o:p></o:p></p>
<p class="ms-outlook-mobile-reference-message"><span style="color:black">From an architectural and security perspective, I was wondering about the rationale behind making the PDP optional. In most policy-based frameworks, the PDP plays a crucial role in ensuring
that each action or message passing through a PEP is validated against defined policies, for example, checking protocol compliance, enforcing contextual constraints, or verifying trust requirements before any operation proceeds. Even the identity server could
query the PDP beforehand to verify certain conditions or ensure that access or message exchanges comply with established policies.</span><o:p></o:p></p>
<p class="ms-outlook-mobile-reference-message"><span style="color:black">Additionally, I might have missed some earlier discussion on this topic, but I would also like to understand whether a distributed PDP model (rather than a centralized one) has been considered,
as this could preserve policy consistency while maintaining scalability and avoiding single points of failure.</span><o:p></o:p></p>
<p class="ms-outlook-mobile-reference-message"><span style="color:black">Thank you very much for the clarification, and apologies if this has already been discussed in a previous thread.</span><o:p></o:p></p>
<div style="margin-top:12.0pt;margin-bottom:12.0pt">
<p class="MsoNormal"><span style="color:black">Kind regards,<o:p></o:p></span></p>
</div>
<p class="ms-outlook-mobile-reference-message"><span style="color:black">Lucía</span><o:p></o:p></p>
<div id="mail-editor-reference-message-container">
<div style="border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0cm 0cm 0cm;border-color:currentcolor currentcolor">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="color:black">De:
</span></b><span style="color:black">David Brossard <<a href="mailto:david.brossard@gmail.com">david.brossard@gmail.com</a>><br>
<b>Fecha: </b>miércoles, 1 de octubre de 2025, 12:04<br>
<b>Para: </b><a href="mailto:wimse@ietf.org">wimse@ietf.org</a> <<a href="mailto:wimse@ietf.org">wimse@ietf.org</a>><br>
<b>Asunto: </b>[Wimse] Authorization - some ideas<o:p></o:p></span></p>
</div>
<div style="border:solid #9C6500 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt">
<p class="MsoNormal" style="line-height:12.0pt;background:#FFEB9C"><b><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:#9C6500">AVISO/WARNING:</span></b><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:black"> Este correo
electrónico se originó desde fuera de la organización. No haga clic en enlaces ni abra archivos adjuntos a menos que reconozca al remitente y sepa que el contenido es seguro / This email has been originated from outside of the organization. Do not click links
or open attachments unless you recognize the sender and know the content is safe.</span><span style="font-size:10.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Hi everyone,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I saw the recording of the interim meeting last week (<a href="https://www.youtube.com/watch?time_continue=1929&v=BqPBEfhMOUM">video</a>) and wanted to chime in.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">First of all, I think I agree with what Joseph Saloway says on the call. And of course largely with Pieter and Justin: authorization is an orthogonal concern and we shouldn't reinvent the wheel. Let's go get authorization frameworks and
patterns where they live.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Secondly, I think we need to clearly distinguish between different types of access control/authorization. If we do this, it'll help distinguish between an OAuth-based (or biased) approach to authZ vs. an "ABAC" approach to authorization.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In my mind, OAuth is great for access delegation (I grant Twitter the right to post on my wall). UMA is great for user delegation. OAuth RAR is great to scope down what clients can do (e.g. the OpenBanking payment examples). All these approaches
tend to be user-centric (though I suppose they don't have to be) and all these approaches tend to rely on the RP knowing what to do with the tokens/claims/scopes. In other words, authorization is still left in the hands of the app being protected (or workload
in WIMSE).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This is where ABAC comes into play (and granted, comparing OAuth, a standard/technology, to a framework is skewed at best). When I say ABAC, by the way, I'm referring to the NIST 800-162 definition or even the Zero Trust NIST 800-207 definition
i.e.<o:p></o:p></p>
</div>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1">
externalized authorization outside the app and inside a PDP<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1">
runtime authorization: decisions are made at access time, not login, not session, not creation <o:p></o:p></li></ul>
<div>
<p class="MsoNormal">How ABAC is implemented is irrelevant (whether Graph or policies and if so, which policies).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">So my two cents: yes of course WIMSE needs a clean decoupling and that decoupling can only happen IMHO via a PEP/PDP Architecture<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This is in fact very much in line with the current draft that includes the picture below. Perhaps, my comment would be that the PEP could sit in front of workloads, gateway-style (Kong, Istio, you name it - there could be workload-friendly
proxies). And of course, shameless plug, step (4) could be OpenID AuthZEN.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<pre><span style="font-family:Consolas;color:#212529"> +------------+ +------------+<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> | | (1) | |<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> | |<=============>| |<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> | | | |<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> | Workload A | (3) | Workload B |<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> | |==============>| |<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> | | | |<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> | | (5) | +--------+<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> | |<==============| | PEP |<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> +------------+ +---+--------+<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> ^ ^ ^<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> | (2) | |<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> (2) | +----------------------+ | (4)<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> | | |<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> v v v<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> +------------+ +------------+<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> | | | |<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> | Identity | | PDP |<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> | Server | | (optional) |<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> | | | |<o:p></o:p></span></pre>
<pre><span style="font-family:Consolas;color:#212529"> +------------+ +------------+<o:p></o:p></span></pre>
</div>
<div>
<pre><span style="font-family:Consolas;color:#212529"><o:p> </o:p></span></pre>
</div>
<div>
<pre><span style="font-family:Consolas;color:#212529"><o:p> </o:p></span></pre>
</div>
<div>
<pre><span style="font-family:"Arial",sans-serif;color:#222222">So, what does WIMSE need to do? <o:p></o:p></span></pre>
</div>
<pre style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="font-family:Symbol;color:#212529"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="font-family:"Arial",sans-serif;color:#222222">Define use cases: what are the authz requirements we envisage? This will also help clarify the other questions on this mailing list re. identifiers and their granularity.</span><span style="font-family:Consolas;color:#212529"><o:p></o:p></span></pre>
<pre style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="font-family:Symbol;color:#212529"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="font-family:"Arial",sans-serif;color:#222222">Suggest profiles for other standards e..g. the AuthZEN Profile of WIMSE</span><span style="font-family:Consolas;color:#212529"><o:p></o:p></span></pre>
<pre style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="font-family:Symbol;color:#212529"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="font-family:"Arial",sans-serif;color:#222222">Suggest policies: using ALFA, Rego or Cedar, what does a sample policy look like?</span><span style="font-family:Consolas;color:#212529"><o:p></o:p></span></pre>
<div>
<pre><span style="font-family:"Arial",sans-serif">All of these need NOT be in the core spec but rather in a profile so long as the architecture is in the core spec (which it currently is).<o:p></o:p></span></pre>
</div>
<div>
<pre><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></pre>
</div>
<div>
<pre><span style="font-family:"Arial",sans-serif">Yaron also draws a parallel with MCP and even more so A2A. I've started seeing those use cases. The MCP use cases are not much different from traditional entreprise access control use cases (an employee can view data in their branch - typical mandatory access control).<o:p></o:p></span></pre>
</div>
<div>
<pre><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></pre>
</div>
<div>
<pre><span style="font-family:"Arial",sans-serif">A2A (and I think WIMSE as well) brings about another type of use case which blends both the mandatory type of access control and the access delegation type of access control. For instance, can agent A book travel using agent B on behalf of Bob the end user? Bob had previously delegated authority/access to agent A so it can book a trip up to $2,000 and only within the EU.<o:p></o:p></span></pre>
</div>
<div>
<pre><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></pre>
</div>
<div>
<pre><span style="font-family:"Arial",sans-serif">Will we see similar use cases here?<o:p></o:p></span></pre>
</div>
<div>
<pre><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></pre>
</div>
<div>
<pre><span style="font-family:"Arial",sans-serif">To summarize, I'd suggest the WIMSE spec follow an architecture that aligns well with ABAC if only for the sake of "zero trust". I am excited to see authorization is a hot topic so I'll strive to attend the regular calls.<o:p></o:p></span></pre>
</div>
<div>
<pre><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></pre>
</div>
<div>
<pre><span style="font-family:"Arial",sans-serif">Thanks,<o:p></o:p></span></pre>
</div>
<div>
<pre><span style="font-family:"Arial",sans-serif">David<o:p></o:p></span></pre>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<div>
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:gray"><br>
Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la
lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.<br>
<br>
The information contained in this transmission is confidential and privileged information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.<br>
<br>
Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a
leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</body>
</html>