From andrewhughes at pingidentity.com Mon Jun 19 00:04:44 2023
From: andrewhughes at pingidentity.com (Andrew Hughes)
Date: Sun, 18 Jun 2023 17:04:44 -0700
Subject: [policy-charter] Admin Policy Push Group
In-Reply-To:
References: <2b04cf85-8758-a100-579f-f2dd53eb01d4@umbrella.associates>
Message-ID:

I prefer the most narrow scope possible. Otherwise we will never finish.

Other people will work on the other parts.

On Sun, Jun 18, 2023 at 4:00 PM Omri Gazitt via policy-charter <policy-charter at lists.openid.net> wrote:

> One thing I'd like to put out there...
>
> In a world where both policy and data are important parts of a decision,
> we should consider expanding the scope of what we believe should be pushed
> from an administration point to a decision point. Specifically, with a
> ReBAC model (or a hybrid policy-as-code / policy-as-data model), changes in
> relationships between subjects and objects are as critical to communicate
> as policy changes.
>
> If folks agree, then perhaps the name of the workstream should be
> generalized to "PAP-PDP group".
>
> Additionally, there are two possible models to consider - Pull and Push.
> For example, OPA defines a pull model for a PDP to obtain policy updates
> from a policy bundle service. In practice, a push model seems critical for
> real-world scenarios.
>
> On Sun, Jun 18, 2023 at 2:54 PM Roland Baum via policy-charter <policy-charter at lists.openid.net> wrote:
>
>> me too! :-D
>> On 15.06.23 at 20:51, Omri Gazitt via policy-charter wrote:
>>
>> Me too
>>
>> On Thu, Jun 15, 2023 at 10:35 AM Atul Tulshibagwale via policy-charter <policy-charter at lists.openid.net> wrote:
>>
>>> I'm in
>>>
>>> On Thu, Jun 15, 2023 at 10:34 AM Vittorio Bertocci via policy-charter <policy-charter at lists.openid.net> wrote:
>>>
>>>> Would love to be on it!
>>>>
>>>> On Thu, Jun 15, 2023 at 10:33 David Brossard via policy-charter <policy-charter at lists.openid.net> wrote:
>>>>
>>>>> Count me in too
>>>>>
>>>>> On Thu, Jun 15, 2023, 10:30 AM Shayne Miel (smiel) via policy-charter <policy-charter at lists.openid.net> wrote:
>>>>>
>>>>>> Please count me in for the Admin Policy Push group.
>>>>>>
>>>>>> Thanks!
>>>>>> Shayne Miel
>>>>>>
>>>>>> Shayne Miel / Principal Engineer (he, him, his)
>>>>>> smiel at cisco.com
>>>>>> (919) 923-6230
>>>>>> cisco.com
>>>>>>
>>>>>> ------------------------------
>>>>>> From: policy-charter on behalf of Gerry Gebel via policy-charter <policy-charter at lists.openid.net>
>>>>>> Sent: Thursday, June 15, 2023 10:53 AM
>>>>>> To: Policy Charter Mail List
>>>>>> Cc: Gerry Gebel
>>>>>> Subject: [policy-charter] Admin Policy Push Group
>>>>>>
>>>>>> Hi all -
>>>>>>
>>>>>> Thanks to Andrew Hughes for leading the PEP-PDP Group and those that
>>>>>> have expressed interest in pursuing that effort.
>>>>>>
>>>>>> How about the Admin Policy Push work stream? Who is interested in
>>>>>> participating?
>>>>>> Thanks,
>>>>>> Gerry
>>>>>> --
>>>>>> policy-charter mailing list
>>>>>> policy-charter at lists.openid.net
>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>> --
>> Omri Gazitt | CEO
>> Aserto Inc. | (425) 765-0079

--
Andrew Hughes
Director, Identity Standards
Ping Identity
Signal/Mobile: +12508889474

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.


From pieter.kasselman at microsoft.com Mon Jun 19 11:30:33 2023
From: pieter.kasselman at microsoft.com (Pieter Kasselman)
Date: Mon, 19 Jun 2023 11:30:33 +0000
Subject: [policy-charter] Link to PDP-PEP Interop WG Charter draft document
In-Reply-To: <50843d0b-b16c-4e40-abe0-a03c2c1f81c9@Canary>
References: <50843d0b-b16c-4e40-abe0-a03c2c1f81c9@Canary>
Message-ID:

My perspective is that we should have one Work Group focused on authorization with multiple deliverables (e.g. OpenID Connect and SSF for example have multiple deliverables) to start with. This way everyone interested in the authorization topic has visibility into the different work items and we get the benefit of wider participation and review.

Agreed that something with Authorization in the name would make sense, something like AuthZEN Framework (AuthoriZation ExchaNge Framework) or AuthIT/AuthZIT Framework (Authorization Interoperability Technology Framework)...

From: policy-charter On Behalf Of Allan Foster via policy-charter
Sent: Friday, June 16, 2023 10:46 PM
To: Policy Charter Mail List
Cc: Allan Foster
Subject: Re: [policy-charter] Link to PDP-PEP Interop WG Charter draft document

So, I wonder if we should do two different WGs, or one WG with two different standards... (At least, for now?)

I am inclined to think the WG should be AuthZ something... and have two separate streams... (or standards?)

Thoughts
Allan

On Friday, Jun 16, 2023 at 14:02, Alex Babeanu via policy-charter wrote:

Thanks Andrew! Added a first comment in there... The season's open!

./\.

On Fri, Jun 16, 2023 at 11:50 AM Andrew Hughes via policy-charter wrote:

Here is the document I have started - the link puts you into "suggest" mode. Please add text with self-attribution. Be respectful of others' contributions.

https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true

Andrew Hughes
Director - Identity Standards
andrewhughes at pingidentity.com

--
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments hereto, is for the sole use of the intended recipient(s) and may contain confidential and/or proprietary information.


From gerry at strata.io Mon Jun 19 15:12:27 2023
From: gerry at strata.io (Gerry Gebel)
Date: Mon, 19 Jun 2023 08:12:27 -0700
Subject: [policy-charter] Admin Policy Push Group
In-Reply-To:
References: <2b04cf85-8758-a100-579f-f2dd53eb01d4@umbrella.associates>
Message-ID:

@Omri - I agree with Andrew here that we should keep the scope more narrowly defined.

Some of what you describe (push vs. pull) will be specific to the target environment and not easily generalized.

That said, a separate work stream can be started if that is appropriate

Gerry

On Sun, Jun 18, 2023 at 5:05 PM Andrew Hughes via policy-charter <policy-charter at lists.openid.net> wrote:

> I prefer the most narrow scope possible. Otherwise we will never finish.
>
> Other people will work on the other parts.
>
> On Sun, Jun 18, 2023 at 4:00 PM Omri Gazitt via policy-charter <policy-charter at lists.openid.net> wrote:
>
>> [...]
URL: From alex at 3edges.com Mon Jun 19 15:29:37 2023 From: alex at 3edges.com (Alex Babeanu) Date: Mon, 19 Jun 2023 08:29:37 -0700 Subject: [policy-charter] Admin Policy Push Group In-Reply-To: References: <2b04cf85-8758-a100-579f-f2dd53eb01d4@umbrella.associates> Message-ID: On the ReBAC front, and to keep it simple, no matter what language/system we come up with, "relationships" should be prime citizens, and optional. Note also that relationships, like any other entities, can hold properties (for those of us using labelled property graphs). This should cater to all cases I think, and be simple enough. Don't need it? don't use it... Also Re: Naming, does it have to be an acronym ? Cheers, ./\. On Mon, Jun 19, 2023 at 8:12?AM Gerry Gebel via policy-charter < policy-charter at lists.openid.net> wrote: > @Omri - I agree with Andrew here that we should keep the scope more > narrowly defined. > > Some of what you describe (push vs. pull) will be specific to the target > environment and not easily generalized. > > That said, a separate work stream can be started if that is appropriate > > Gerry > > On Sun, Jun 18, 2023 at 5:05?PM Andrew Hughes via policy-charter < > policy-charter at lists.openid.net> wrote: > >> I prefer the most narrow scope possible. Otherwise we will never finish. >> >> Other people will work with n the other parts. >> >> On Sun, Jun 18, 2023 at 4:00 PM Omri Gazitt via policy-charter < >> policy-charter at lists.openid.net> wrote: >> >>> One thing I'd like to put out there... >>> >>> In a world where both policy and data are important parts of a decision, >>> we should consider expanding the scope of what we believe should be pushed >>> from an administration point to a decision point. Specifically, with a >>> ReBAC model (or a hybrid policy-as-code / policy-as-data model), changes in >>> relationships between subjects and objects are as critical to communicate >>> as policy changes. 
>>> >>> If folks agree, then perhaps the name of the workstream should be >>> generalized to "PAP-PDP group". >>> >>> Additionally, there are two possible models to consider - Pull and Push. >>> For example, OPA defines a pull model >>> for a >>> PDP to obtain policy updates from a policy bundle service. In practice, a >>> push model seems critical for real-world scenarios. >>> >>> On Sun, Jun 18, 2023 at 2:54?PM Roland Baum via policy-charter < >>> policy-charter at lists.openid.net> wrote: >>> >>>> me too! :-D >>>> Am 15.06.23 um 20:51 schrieb Omri Gazitt via policy-charter: >>>> >>>> Me too >>>> >>>> On Thu, Jun 15, 2023 at 10:35 AM Atul Tulshibagwale via policy-charter < >>>> policy-charter at lists.openid.net> wrote: >>>> >>>>> Im in >>>>> >>>>> On Thu, Jun 15, 2023 at 10:34?AM Vittorio Bertocci via policy-charter < >>>>> policy-charter at lists.openid.net> wrote: >>>>> >>>>>> Would love to be on it! >>>>>> >>>>>> On Thu, Jun 15, 2023 at 10:33 David Brossard via policy-charter < >>>>>> policy-charter at lists.openid.net> wrote: >>>>>> >>>>>>> *This message originated outside your organization.* >>>>>>> >>>>>>> ------------------------------ >>>>>>> >>>>>>> Count me in too >>>>>>> >>>>>>> On Thu, Jun 15, 2023, 10:30 AM Shayne Miel (smiel) via >>>>>>> policy-charter wrote: >>>>>>> >>>>>>>> Please count me in for the Admin Policy Push group. >>>>>>>> >>>>>>>> Thanks! 
>>>>>>>> Shayne Miel >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> *Shayne Miel* >>>>>>>> / Principal Engineer (he, him, his) >>>>>>>> >>>>>>>> smiel at cisco.com >>>>>>>> >>>>>>>> (919) 923-6230 >>>>>>>> >>>>>>>> cisco.com >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> ------------------------------ >>>>>>>> *From:* policy-charter >>>>>>>> on behalf of Gerry Gebel via policy-charter < >>>>>>>> policy-charter at lists.openid.net> >>>>>>>> *Sent:* Thursday, June 15, 2023 10:53 AM >>>>>>>> *To:* Policy Charter Mail List >>>>>>>> *Cc:* Gerry Gebel >>>>>>>> *Subject:* [policy-charter] Admin Policy Push Group >>>>>>>> >>>>>>>> Hi all - >>>>>>>> >>>>>>>> Thanks to Andrew Hughes for leading the PEP-PDP Group and those >>>>>>>> that have expressed interest in pursuing that effort. >>>>>>>> >>>>>>>> How about the Admin Policy Push work stream? Who is interested in >>>>>>>> participating? >>>>>>>> Thanks, >>>>>>>> Gerry >>>>>>>> -- >>>>>>>> policy-charter mailing list >>>>>>>> policy-charter at lists.openid.net >>>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter >>>>>>>> >>>>>>>> >>>>>>> -- >>>>>>> policy-charter mailing list >>>>>>> policy-charter at lists.openid.net >>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter >>>>>>> >>>>>> -- >>>>>> policy-charter mailing list >>>>>> policy-charter at lists.openid.net >>>>>> https://lists.openid.net/mailman/listinfo/policy-charter >>>>>> >>>>> -- >>>>> policy-charter mailing list >>>>> policy-charter at lists.openid.net >>>>> https://lists.openid.net/mailman/listinfo/policy-charter >>>>> >>>> -- >>>> >>>> >>>> >>>> Omri Gazitt | CEO >>>> >>>> Aserto Inc. 
| (425) 765-0079 >>>> >>>> -- >>>> policy-charter mailing list >>>> policy-charter at lists.openid.net >>>> https://lists.openid.net/mailman/listinfo/policy-charter >>>> >>> -- >>> policy-charter mailing list >>> policy-charter at lists.openid.net >>> https://lists.openid.net/mailman/listinfo/policy-charter >>> >> -- >> Andrew Hughes >> Director, Identity Standards >> Ping Identity >> Signal/Mobile: +12508889474 >> >> *CONFIDENTIALITY NOTICE: This email may contain confidential and >> privileged material for the sole use of the intended recipient(s). Any >> review, use, distribution or disclosure by others is strictly prohibited. >> If you have received this communication in error, please notify the sender >> immediately by e-mail and delete the message and any file attachments from >> your computer. Thank you.*-- >> policy-charter mailing list >> policy-charter at lists.openid.net >> https://lists.openid.net/mailman/listinfo/policy-charter >> > -- > policy-charter mailing list > policy-charter at lists.openid.net > https://lists.openid.net/mailman/listinfo/policy-charter > -- [image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com. Their phone number is +1 604 728 8130.] -- CONFIDENTIALITY NOTICE: This e-mail message, including any attachments hereto, is for the sole use of the intended recipient(s) and may contain confidential and/or proprietary information. -------------- next part -------------- An HTML attachment was scrubbed... URL: From pieter.kasselman at microsoft.com Mon Jun 19 18:17:06 2023 From: pieter.kasselman at microsoft.com (Pieter Kasselman) Date: Mon, 19 Jun 2023 18:17:06 +0000 Subject: [policy-charter] Admin Policy Push Group In-Reply-To: References: <2b04cf85-8758-a100-579f-f2dd53eb01d4@umbrella.associates> Message-ID: Agreed that breaking the work down into smaller scoped packages gives us the best chance of making forward motion. 
Taking a Lego approach of having building blocks where one spec can build or extend another has worked well in helping progress work (as long as we keep the narrative of how they fit together crisp). For example, we can define message formats/protocols, separate from transports (perhaps this is how we differentiate between push and pull as well) and so forth. From: policy-charter On Behalf Of Gerry Gebel via policy-charter Sent: Monday, June 19, 2023 4:12 PM To: Policy Charter Mail List Cc: Gerry Gebel Subject: Re: [policy-charter] Admin Policy Push Group @Omri - I agree with Andrew here that we should keep the scope more narrowly defined. Some of what you describe (push vs. pull) will be specific to the target environment and not easily generalized. That said, a separate work stream can be started if that is appropriate Gerry On Sun, Jun 18, 2023 at 5:05?PM Andrew Hughes via policy-charter > wrote: I prefer the most narrow scope possible. Otherwise we will never finish. Other people will work with n the other parts. On Sun, Jun 18, 2023 at 4:00 PM Omri Gazitt via policy-charter > wrote: One thing I'd like to put out there... In a world where both policy and data are important parts of a decision, we should consider expanding the scope of what we believe should be pushed from an administration point to a decision point. Specifically, with a ReBAC model (or a hybrid policy-as-code / policy-as-data model), changes in relationships between subjects and objects are as critical to communicate as policy changes. If folks agree, then perhaps the name of the workstream should be generalized to "PAP-PDP group". Additionally, there are two possible models to consider - Pull and Push. For example, OPA defines a pull model for a PDP to obtain policy updates from a policy bundle service. In practice, a push model seems critical for real-world scenarios. On Sun, Jun 18, 2023 at 2:54?PM Roland Baum via policy-charter > wrote: me too! 
:-D Am 15.06.23 um 20:51 schrieb Omri Gazitt via policy-charter: Me too On Thu, Jun 15, 2023 at 10:35 AM Atul Tulshibagwale via policy-charter > wrote: Im in On Thu, Jun 15, 2023 at 10:34?AM Vittorio Bertocci via policy-charter > wrote: Would love to be on it! On Thu, Jun 15, 2023 at 10:33 David Brossard via policy-charter > wrote: This message originated outside your organization. ________________________________ Count me in too On Thu, Jun 15, 2023, 10:30 AM Shayne Miel (smiel) via policy-charter > wrote: Please count me in for the Admin Policy Push group. Thanks! Shayne Miel [https://duo.com/assets/img/email/spacer.gif] Shayne Miel / Principal Engineer (he, him, his) smiel at cisco.com (919) 923-6230 cisco.com ________________________________ From: policy-charter > on behalf of Gerry Gebel via policy-charter > Sent: Thursday, June 15, 2023 10:53 AM To: Policy Charter Mail List > Cc: Gerry Gebel > Subject: [policy-charter] Admin Policy Push Group Hi all - Thanks to Andrew Hughes for leading the PEP-PDP Group and those that have expressed interest in pursuing that effort. How about the Admin Policy Push work stream? Who is interested in participating? Thanks, Gerry -- policy-charter mailing list policy-charter at lists.openid.net https://lists.openid.net/mailman/listinfo/policy-charter -- policy-charter mailing list policy-charter at lists.openid.net https://lists.openid.net/mailman/listinfo/policy-charter -- policy-charter mailing list policy-charter at lists.openid.net https://lists.openid.net/mailman/listinfo/policy-charter -- policy-charter mailing list policy-charter at lists.openid.net https://lists.openid.net/mailman/listinfo/policy-charter -- [https://raw.githubusercontent.com/aserto-dev/artwork/main/logo/horizontal/color/aserto-horizontal-color.png] Omri Gazitt | CEO Aserto Inc. 
| (425) 765-0079 -- policy-charter mailing list policy-charter at lists.openid.net https://lists.openid.net/mailman/listinfo/policy-charter -- policy-charter mailing list policy-charter at lists.openid.net https://lists.openid.net/mailman/listinfo/policy-charter -- Andrew Hughes Director, Identity Standards Ping Identity Signal/Mobile: +12508889474 CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.-- policy-charter mailing list policy-charter at lists.openid.net https://lists.openid.net/mailman/listinfo/policy-charter -------------- next part -------------- An HTML attachment was scrubbed... URL: From pieter.kasselman at microsoft.com Mon Jun 19 18:33:39 2023 From: pieter.kasselman at microsoft.com (Pieter Kasselman) Date: Mon, 19 Jun 2023 18:33:39 +0000 Subject: [policy-charter] A rose by any other name ... or how to pick a working group name Message-ID: The topic of naming will come up as part of creating a charter for any working group. We won't have to decide for a while, but wanted to propose some criteria as we work through the process of chartering and eventually settling on a name that we can use to make a decision in the future: 1. Descriptive: It should be descriptive enough to allow people to quickly understand the working groups purpose 2. Brief and Simple: The name should be concise and easy to remember, pronounce and spell. 3. Unique: The name should be unique and not easily confused with other working groups or standards 4. Flexible/Scalable: The name should be broad enough to allow the working group to take on additional work as we understand the problem space better. 5. 
Positive Emotional Response: The name should create a positive emotional reaction and reflect the values/resonate with the target audience. Cheers Pieter -------------- next part -------------- An HTML attachment was scrubbed... URL: From andrewhughes at pingidentity.com Mon Jun 19 18:41:56 2023 From: andrewhughes at pingidentity.com (Andrew Hughes) Date: Mon, 19 Jun 2023 11:41:56 -0700 Subject: [policy-charter] A rose by any other name ... or how to pick a working group name In-Reply-To: References: Message-ID: So.... ROC-STAR WG? Radical Organizational Connectivity - Simple Transactional Authorization Realization WG? :-D Andrew Hughes Director - Identity Standards andrewhughes at pingidentity.com Mobile/Signal: +1 250 888 9474 On Mon, Jun 19, 2023 at 11:33?AM Pieter Kasselman via policy-charter < policy-charter at lists.openid.net> wrote: > The topic of naming will come up as part of creating a charter for any > working group. We won?t have to decide for a while, but wanted to propose > some criteria as we work through the process of chartering and eventually > settling on a name that we can use to make a decision in the future: > > > > 1. *Descriptive*: It should be descriptive enough to allow people to > quickly understand the working groups purpose > 2. *Brief and Simple*: The name should be concise and easy to > remember, pronounce and spell. > 3. *Unique*: The name should be unique and not easily confused with > other working groups or standards > 4. *Flexible/Scalable*: The name should be broad enough to allow the > working group to take on additional work as we understand the problem space > better. > 5. *Positive Emotional Response*: The name should create a positive > emotional reaction and reflect the values/resonate with the target audience. 
> > > Cheers > > > > Pieter > -- > policy-charter mailing list > policy-charter at lists.openid.net > https://lists.openid.net/mailman/listinfo/policy-charter > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.? If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ -------------- next part -------------- An HTML attachment was scrubbed... URL: From omri at aserto.com Mon Jun 19 21:48:50 2023 From: omri at aserto.com (Omri Gazitt) Date: Mon, 19 Jun 2023 14:48:50 -0700 Subject: [policy-charter] Admin Policy Push Group In-Reply-To: References: <2b04cf85-8758-a100-579f-f2dd53eb01d4@umbrella.associates> Message-ID: @Gerry Gebel in principle I am very much on board with keeping scope narrow and avoid boiling the ocean. I'm mostly reacting to the fact that this workstream has been termed "Admin Policy Push Group". Do we want to only limit to "push"? As you said - push vs pull may be specific to the target environment. Perhaps we want to define what goes in the message and not how it's sent (transport)? If so, do we really want to use the term "push" in the title of the workstream? On Mon, Jun 19, 2023 at 8:12?AM Gerry Gebel via policy-charter < policy-charter at lists.openid.net> wrote: > @Omri - I agree with Andrew here that we should keep the scope more > narrowly defined. > > Some of what you describe (push vs. pull) will be specific to the target > environment and not easily generalized. > > That said, a separate work stream can be started if that is appropriate > > Gerry > > On Sun, Jun 18, 2023 at 5:05?PM Andrew Hughes via policy-charter < > policy-charter at lists.openid.net> wrote: > >> I prefer the most narrow scope possible. Otherwise we will never finish. 
From omri at aserto.com Mon Jun 19 21:51:28 2023
From: omri at aserto.com (Omri Gazitt)
Date: Mon, 19 Jun 2023 14:51:28 -0700
Subject: [policy-charter] Admin Policy Push Group
References: <2b04cf85-8758-a100-579f-f2dd53eb01d4@umbrella.associates>

@Alex I think you and I are making an assumption that communicating relationships (data) changes between an administration point and a decision point is just as important as communicating policy changes. But that is not (yet) agreed upon.

On Mon, Jun 19, 2023 at 8:29 AM Alex Babeanu via policy-charter <policy-charter at lists.openid.net> wrote:

> On the ReBAC front, and to keep it simple, no matter what language/system we come up with, "relationships" should be prime citizens, and optional.
> Note also that relationships, like any other entities, can hold properties (for those of us using labelled property graphs). This should cater to all cases I think, and be simple enough. Don't need it? Don't use it...
>
> Also Re: Naming, does it have to be an acronym?
>
> Cheers,
>
> ./\.
>
> On Mon, Jun 19, 2023 at 8:12 AM Gerry Gebel via policy-charter <policy-charter at lists.openid.net> wrote:
>
>> @Omri - I agree with Andrew here that we should keep the scope more narrowly defined.
>>
>> Some of what you describe (push vs. pull) will be specific to the target environment and not easily generalized.
>>
>> That said, a separate work stream can be started if that is appropriate.
>>
>> Gerry
>
> --
> Alexandre Babeanu | alex at 3edges.com | +1 604 728 8130
>
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments hereto, is for the sole use of the intended recipient(s) and may contain confidential and/or proprietary information.

From alex at 3edges.com Mon Jun 19 22:55:34 2023
From: alex at 3edges.com (Alex Babeanu)
Date: Mon, 19 Jun 2023 15:55:34 -0700
Subject: [policy-charter] Admin Policy Push Group
References: <2b04cf85-8758-a100-579f-f2dd53eb01d4@umbrella.associates>

@Omri well actually, I think we'll need relationships to define policies, I wasn't actually talking about data... and again, suggesting they be optional, but supported.

Cheers,

./\.

On Mon, Jun 19, 2023 at 2:51 PM Omri Gazitt wrote:

> @Alex I think you and I are making an assumption that communicating relationships (data) changes between an administration point and a decision point is just as important as communicating policy changes. But that is not (yet) agreed upon.
--
Alexandre Babeanu | alex at 3edges.com | +1 604 728 8130

From pieter.kasselman at microsoft.com Tue Jun 20 11:24:36 2023
From: pieter.kasselman at microsoft.com (Pieter Kasselman)
Date: Tue, 20 Jun 2023 11:24:36 +0000
Subject: [policy-charter] Authorization Use Cases

Hi folks, when we met at Identiverse, one of the topics that came up was the collection of use cases, in addition to PEP/PDP and Admin Policy Push. Is there an existing document we can use as a starting point for use cases from last year, or do we need to start collecting them afresh? The use cases may help us with scoping and expressing the customer problem as we create working group and work product charters/scopes.

Cheers

Pieter
From debbie.bucci at equideum.com Tue Jun 20 14:37:17 2023
From: debbie.bucci at equideum.com (Debbie Bucci)
Date: Tue, 20 Jun 2023 14:37:17 +0000
Subject: [policy-charter] Admin Policy Push Group
References: <2b04cf85-8758-a100-579f-f2dd53eb01d4@umbrella.associates>

Scope seems to be all over the place - I kind of need to do my own research (or perhaps it's part of the charter) to better understand what the similarities and differences and/or pros and cons between current implementations are - compared to what my own organization's needs are for exchanging policies generated at multiple levels - organization and individual choice (which kind of implies the need for roles to me).

Authorization at the Org most likely not enough - Ultimately the data holder is liable and will make that final decision.

Certainly the "sausage making" for tool of choice is out of scope but what is exchanged is most important. Perhaps I am missing something.

This seems to be the short list from the original thread: XACML, Open Policy Agent, Amazon Verified Permissions and other implementations. Are there others? GraphQL?

From: policy-charter on behalf of Omri Gazitt via policy-charter
Date: Monday, June 19, 2023 at 5:51 PM
To: Policy Charter Mail List
Cc: Omri Gazitt
Subject: Re: [policy-charter] Admin Policy Push Group

@Alex I think you and I are making an assumption that communicating relationships (data) changes between an administration point and a decision point is just as important as communicating policy changes. But that is not (yet) agreed upon.

From debbie.bucci at equideum.com Tue Jun 20 14:40:24 2023
From: debbie.bucci at equideum.com (Debbie Bucci)
Date: Tue, 20 Jun 2023 14:40:24 +0000
Subject: [policy-charter] Authorization Use Cases

+1

From: policy-charter on behalf of Pieter Kasselman via policy-charter
Date: Tuesday, June 20, 2023 at 7:24 AM
To: policy-charter at lists.openid.net
Cc: Pieter Kasselman
Subject: [policy-charter] Authorization Use Cases

Hi folks, when we met at Identiverse, one of the topics that came up was the collection of use cases, in addition to PEP/PDP and Admin Policy Push. Is there an existing document we can use as a starting point for use cases from last year, or do we need to start collecting them afresh? The use cases may help us with scoping and expressing the customer problem as we create working group and work product charters/scopes.

Cheers

Pieter
From alex at 3edges.com Tue Jun 20 16:08:23 2023
From: alex at 3edges.com (Alex Babeanu)
Date: Tue, 20 Jun 2023 09:08:23 -0700
Subject: [policy-charter] Authorization Use Cases

I did start one indeed... Will try to complete it by end of day and share it on GDrive....

regards,

./\.

On Tue, Jun 20, 2023 at 4:24 AM Pieter Kasselman via policy-charter <policy-charter at lists.openid.net> wrote:

> Hi folks, when we met at Identiverse, one of the topics that came up was the collection of use cases, in addition to PEP/PDP and Admin Policy Push. Is there an existing document we can use as a starting point for use cases from last year, or do we need to start collecting them afresh? The use cases may help us with scoping and expressing the customer problem as we create working group and work product charters/scopes.
>
> Cheers
>
> Pieter

--
Alexandre Babeanu | alex at 3edges.com | +1 604 728 8130

From david.brossard at gmail.com Thu Jun 22 18:26:22 2023
From: david.brossard at gmail.com (David Brossard)
Date: Thu, 22 Jun 2023 11:26:22 -0700
Subject: [policy-charter] Authorization Use Cases

I am looking at my notes from the past 15 years (yikes, that old) and I see customers and use cases across nearly every vertical. Financial services, Government (especially sensitive areas), and regulated industries (healthcare & insurance but also export-controlled companies) are all verticals that need authorization.

In terms of use cases, it ranges from:

- Developer efficiency
  - Rather than implement basic checks in code, let the "rules engine" decide
- Business drivers
  - Business use cases: a health insurance agent can see an insurance claim in the region they are assigned to
- Legal & Compliance
  - Legal use cases: no one can see a customer's SSN except for the customer
  - Export control: it would be worth checking out the XACML Export Control profile. We can reach out to the authors too (2 of them, John Tolbert and Richard Hill, now work at Kuppinger Cole and might be interested in helping)
  - Compliance:
    - Four-eyes principle, e.g. 2 individuals needed to approve a PO above $X
    - Segregation of duty: an approver cannot approve a PO they created/submitted
- Governance simplification
  - Move away from RBAC-driven authZ (and all it implies) to policy-driven ABAC

One recurring question is where authz use cases start and stop. I remember a banking customer telling me the following story: *we run a credit card company and we want to send paper bills every billing cycle (30-45 days). We want to let customers choose to go paperless but if they miss a payment, we want to override the preference and still send a paper copy. Should that be an authorization use case/rule?*

My general answer has always been: if security/compliance/legal care(s) then YES. Otherwise, up to you but don't overdo it. That example, unless the paper bill is mandated by law (e.g. a credit card piece of legislation), is NOT an authorization use case in my mind.

I've added some of the use cases to this doc and made it read-only. Feel free to ask for edit rights.

David

On Tue, Jun 20, 2023 at 9:09 AM Alex Babeanu via policy-charter <policy-charter at lists.openid.net> wrote:

> I did start one indeed... Will try to complete it by end of day and share it on GDrive....
> regards,
>
> ./\.

--
---
David Brossard
http://www.linkedin.com/in/davidbrossard
http://twitter.com/davidjbrossard
http://about.me/brossard
---
Stay safe on the Internet: http://www.ic3.gov/preventiontips.aspx
Take precautions on the Internet: http://www.securite-informatique.gouv.fr/gp_rubrique34.html

From wesleydunnington at pingidentity.com Thu Jun 22 18:32:16 2023
From: wesleydunnington at pingidentity.com (Wesley Dunnington)
Date: Thu, 22 Jun 2023 14:32:16 -0400
Subject: [policy-charter] Authorization Use Cases

You bring up a good point as to when authorization stops and business logic begins.
Most fully featured authorization systems are pretty decent decision engines, but if people start asking for us to include approvals via email or text in the protocols, then we will know we have stepped way over the line. Wes Dunnington On Thu, Jun 22, 2023 at 2:26?PM David Brossard via policy-charter < policy-charter at lists.openid.net> wrote: > I am looking at my notes from the past 15 years (yikes, that old) and I > see customers and use cases across nearly every vertical. Financial > services, Government (especially sensitive areas), and regulated industries > (healthcare & insurance but also export-controlled companies) are all > verticals that need authorization. > > In terms of use cases, it ranges from: > > - Developer efficiency > - Rather than implement basic checks in code, let the "rules > engine" decide > - Business drivers > - business use cases: a health insurance agent can see an insurance > claim in the region they are assigned to > - Legal & Compliance > - legal use cases: No one can see a customer's SSN except for the > customer > - export control: it would be worth checking out the XACML Export > Control profile > . > We can reach out to the authors too (2 of them, John Tolbert and Richard > Hill now work at Kuppinger Cole and might be interested in helping) > - compliance: > - four-eyes principle e.g. 2 individuals needed to approve a PO > above $X > - Segregation of duty: an approver cannot approve a PO they > created/submitted > - Governance simplification > - Move away from RBAC-driven authZ (and all it implies) to > policy-driven ABAC > > One recurring question is where authz use cases start and stop. I remember > a banking customer telling me the following story: *we run a credit card > company and we want to send paper bills every billing cycle (30-45 days). > We want to let customers choose to go paperless but if they miss a payment, > we want to override the preference and still send a paper copy. 
> Should that be an authorization use case/rule?*
>
> My general answer has always been: if security/compliance/legal care(s)
> then YES. Otherwise, up to you but don't overdo it. That example, unless
> the paper bill is mandated by law (e.g. a credit card piece of
> legislation), is NOT an authorization use case in my mind.
>
> I've added some of the use cases to this doc and made it read-only.
> Feel free to ask for edit rights.
>
> David
>
> On Tue, Jun 20, 2023 at 9:09 AM Alex Babeanu via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> I did start one indeed... Will try to complete it by end of day and share
>> it on GDrive....
>> regards,
>>
>> ./\.
>

-- 
Wesley Dunnington
VP Architecture, Chief Architect
wesleydunnington at pingidentity.com
c: 508-254-5475

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
material for the sole use of the intended recipient(s). Any review, use,
distribution or disclosure by others is strictly prohibited. If you have
received this communication in error, please notify the sender immediately
by e-mail and delete the message and any file attachments from your
computer. Thank you.

From david.brossard at gmail.com Thu Jun 22 18:47:11 2023
From: david.brossard at gmail.com (David Brossard)
Date: Thu, 22 Jun 2023 11:47:11 -0700
Subject: [policy-charter] Admin Policy Push Group
In-Reply-To:
References: <2b04cf85-8758-a100-579f-f2dd53eb01d4@umbrella.associates>
Message-ID:

Hi all, Debbie,

I think we might need to remove "push" from the name, I agree with Omri.
But to Pieter's point, what's in a name?

As for the scope... XACML purposely defined:

- an architecture (borrowed from older standards - PAP, PEP, PDP are not
  new in XACML. PIP might be but the concept definitely isn't). It's the
  same architecture defined in NIST ABAC and Wikipedia (FWIW)
- a policy language
- a request/response "format" i.e. how to create a request and get a
  response. BUT the actual transportation is unspecified in the "core"
  specification. OASIS has a notion of profiles where you can tack on
  additional specs to a core spec. In the case of XACML, 3 later profiles
  define a transport for XACML requests/responses
  - The XACML SAML Profile Version 2.0: this old profile posited that
    because there was a SAML-SOAP binding already defined, why not
    piggy-back on that and use SAML to carry XACML requests and responses
    back and forth rather than define a SOAP binding of XACML. Not a great
    idea and seldom seen in the wild.
  - The JSON Profile of XACML 3.0 Version 1.0 - this defines a JSON
    notation for XACML requests and responses rather than XML to make it
    more developer-friendly. It's the pre-requisite for the following
    profile
  - The REST Profile of XACML v3.0 Version 1.0 - this defines a basic way
    to POST a request and get a response back either in XML XACML (core
    spec) or in JSON (the aforementioned)

XACML's core didn't really focus on transport. Most vendors in the early
days (think Axiomatics, Nexlabs, Oracle, Bitkoo) all used some kind of SOAP
that was 99% the same (after all you were just wrapping a standard XACML
request in a SOAP message. Other than the method name, what else would be
different?)

What might be interesting is understanding the other ways of querying for
an authorization decision. All I've written so far is what I'd call a
binary request/response e.g.:

- Can Alice do X?
- Yes she can.

But what about open-ended requests? For instance "What can Alice do?" or
"What can a manager do?". This is something Axiomatics, as a vendor, calls
reverse querying (based on partial evaluation). I believe OPA calls it
partial evaluation as well. See Torin's blog post here.

IMHO, from what I have seen, Cedar, OPA, and XACML/ALFA are 99% the same.
Sure, there are differences. For instance XACML has obligations & advice.
But the bottom line is: maybe we should try to standardize between these 2
models as a starting point.

And then @Alex Babeanu mentions that there could be a different way
altogether to signal authorizations via events. So that's a different
pattern worth considering.

Lastly, let's look at sibling standards? How do rich authorization
requests fit in?

Debbie, to your point on building a list of approaches, I think Alex put a
doc together that he'll be sharing shortly that attempts to do this. From
the top of my mind I roughly see:

- policy-driven approaches: OPA, Cedar, XACML, ALFA are all great examples
- graph: 3Edges, NGAC, others?
- ACL-based: Zanzibar, OpenFGA, others?

Thanks

On Tue, Jun 20, 2023 at 7:37 AM Debbie Bucci via policy-charter <
policy-charter at lists.openid.net> wrote:

> Scope seems to be all over the place - I kind of need to do my own
> research (or perhaps it's part of charter) to better understand what the
> similarities and differences and/or pro cons between current
> implementations - compared to what my own organization needs are for
> exchanging policies generated at multiple levels - organization and
> individual choice (which kind of implies the need of roles to me).
> Authorization at the Org most likely not enough - Ultimately the data holder
> is liable and will make that final decision. Certainly the "sausage
> making" for tool of choice is out of scope but what is exchanged is most
> important. Perhaps I am missing something.
>
> This seems to be the short list from the original thread. XACML, Open
> Policy Agent, Amazon Verified Permissions and other implementations. Are
> there others? Graph GL?
>
> *From: *policy-charter on behalf of Omri Gazitt via policy-charter
> *Date: *Monday, June 19, 2023 at 5:51 PM
> *To: *Policy Charter Mail List
> *Cc: *Omri Gazitt
> *Subject: *Re: [policy-charter] Admin Policy Push Group
>
> @Alex I think you and I are making an assumption that communicating
> relationships (data) changes between an administration point and a decision
> point is just as important as communicating policy changes. But that is not
> (yet) agreed upon.
>
> On Mon, Jun 19, 2023 at 8:29 AM Alex Babeanu via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
> On the ReBAC front, and to keep it simple, no matter what language/system
> we come up with, "relationships" should be prime citizens, and optional.
> Note also that relationships, like any other entities, can hold properties
> (for those of us using labelled property graphs). This should cater to all
> cases I think, and be simple enough. Don't need it? don't use it...
>
> Also Re: Naming, does it have to be an acronym ?
>
> Cheers,
>
> ./\.
>
> On Mon, Jun 19, 2023 at 8:12 AM Gerry Gebel via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
> @Omri - I agree with Andrew here that we should keep the scope more
> narrowly defined.
>
> Some of what you describe (push vs. pull) will be specific to the target
> environment and not easily generalized.
>
> That said, a separate work stream can be started if that is appropriate
>
> Gerry
>
> On Sun, Jun 18, 2023 at 5:05 PM Andrew Hughes via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
> I prefer the most narrow scope possible. Otherwise we will never finish.
>
> Other people will work on the other parts.
From david.brossard at gmail.com Thu Jun 22 18:48:44 2023
From: david.brossard at gmail.com (David Brossard)
Date: Thu, 22 Jun 2023 11:48:44 -0700
Subject: [policy-charter] Authorization Use Cases
In-Reply-To:
References:
Message-ID:

Excellent comment! I forgot to add that, to me, authorization is stateless.
In other words, assuming time is not of the essence, asking a PDP time and
time again whether Alice can get access to X and assuming none of the
underlying data changes, then the answer should always be YES. A PDP does
not include state. A PDP does not modify state. This is a fundamental
design choice.
On Thu, Jun 22, 2023 at 11:32 AM Wesley Dunnington <
wesleydunnington at pingidentity.com> wrote:

> You bring up a good point as to when authorization stops and business
> logic begins. Most fully featured authorization systems are pretty decent
> decision engines, but if people start asking for us to include approvals
> via email or text in the protocols, then we will know we have stepped way
> over the line.
>
> Wes Dunnington
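As an added illustration of David's points above (the binary "can Alice do X?" request/response, the open-ended "what can Alice do?" reverse query, and a PDP that is a pure function of its inputs), here is a toy decision point in Python. It is not XACML or any vendor's code: the request and response documents borrow the JSON Profile's shorthand category names, the rules encode the use cases from David's list with constructed attribute ids and sample data, and the reverse query brute-forces a candidate set instead of doing real partial evaluation.

```python
"""Toy stateless PDP for the use cases and query styles discussed in this thread.

Added example, not XACML or any vendor's code. Request and response documents
borrow the JSON Profile of XACML's shorthand category names (AccessSubject,
Action, Resource; a Response array carrying a Decision); the rule encoding,
attribute ids and sample data are constructed for this illustration.
"""
from typing import Callable, Dict, List, NamedTuple, Tuple

Attrs = Dict[str, object]
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
FOUR_EYES_THRESHOLD = 10_000  # constructed: POs above this need two approvals


class Rule(NamedTuple):
    name: str
    effect: str                                     # PERMIT or DENY
    applies: Callable[[Attrs, Attrs, Attrs], bool]  # (subject, action, resource)


def flatten(category: Dict) -> Attrs:
    """{"Attribute": [{"AttributeId": k, "Value": v}, ...]} -> {k: v}"""
    return {a["AttributeId"]: a["Value"] for a in category.get("Attribute", [])}


def parse_request(doc: Dict) -> Tuple[Attrs, Attrs, Attrs]:
    req = doc["Request"]
    subj, act, res = (flatten(req.get(c, {})) for c in ("AccessSubject", "Action", "Resource"))
    return subj, act, res


def make_request(subject: Attrs, action: str, resource: Attrs) -> Dict:
    """Build a JSON-Profile-shaped request document from flat attribute maps."""
    def cat(d: Attrs) -> Dict:
        return {"Attribute": [{"AttributeId": k, "Value": v} for k, v in d.items()]}
    return {"Request": {"AccessSubject": cat(subject), "Action": cat({"id": action}),
                        "Resource": cat(resource)}}


# The use cases from David's list as rules. Every fact a rule needs arrives as a
# request attribute (supplied by the PEP or a PIP); the PDP itself keeps no state.
POLICY: List[Rule] = [
    # legal: no one can see a customer's SSN except the customer
    Rule("ssn-non-owner", DENY, lambda s, a, r:
         r.get("type") == "ssn" and r.get("owner") != s.get("id")),
    Rule("ssn-owner", PERMIT, lambda s, a, r:
         a.get("id") == "view" and r.get("type") == "ssn" and r.get("owner") == s.get("id")),
    # business: an agent can see a claim in the region they are assigned to
    Rule("claim-in-region", PERMIT, lambda s, a, r:
         a.get("id") == "view" and r.get("type") == "claim"
         and s.get("role") == "agent" and s.get("region") == r.get("region")),
    # compliance: segregation of duty, nobody approves a PO they submitted
    Rule("po-sod", DENY, lambda s, a, r:
         a.get("id") == "approve" and r.get("type") == "po" and r.get("submitter") == s.get("id")),
    Rule("po-approve", PERMIT, lambda s, a, r:
         a.get("id") == "approve" and r.get("type") == "po" and s.get("role") == "approver"),
    # compliance: four-eyes, a large PO is released only once two approvals exist.
    # The approval count is an input; the PDP never counts or remembers approvals.
    Rule("po-four-eyes", DENY, lambda s, a, r:
         a.get("id") == "release" and r.get("type") == "po"
         and r.get("amount", 0) > FOUR_EYES_THRESHOLD and r.get("approvals", 0) < 2),
    Rule("po-release", PERMIT, lambda s, a, r:
         a.get("id") == "release" and r.get("type") == "po" and s.get("role") == "approver"),
]


def evaluate(subject: Attrs, action: Attrs, resource: Attrs) -> Tuple[str, List[str]]:
    """Deny-overrides combining: a matching Deny wins, then Permit, else NotApplicable.
    A pure function of its three inputs, which is the 'stateless PDP' property."""
    matched = [r for r in POLICY if r.applies(subject, action, resource)]
    for effect in (DENY, PERMIT):
        hits = [r.name for r in matched if r.effect == effect]
        if hits:
            return effect, hits
    return NOT_APPLICABLE, []


def decide(doc: Dict) -> Dict:
    """Binary request/response: 'Can Alice do X?' answered with a Response document."""
    decision, _ = evaluate(*parse_request(doc))
    return {"Response": [{"Decision": decision}]}


def reverse_query(subject: Attrs, candidates: List[Tuple[str, Attrs]]) -> List[Tuple[str, str]]:
    """Open-ended query 'What can this subject do?'. A finite candidate set is run
    through the same policy; real partial evaluation would return a residual
    condition instead, but the question asked of the policy is the same."""
    return [(action, res["id"]) for action, res in candidates
            if evaluate(subject, {"id": action}, res)[0] == PERMIT]


# Constructed sample data.
ALICE = {"id": "alice", "role": "agent", "region": "west"}
BOB = {"id": "bob", "role": "approver"}
CLAIM_WEST = {"id": "claim-1", "type": "claim", "region": "west"}
CLAIM_EAST = {"id": "claim-2", "type": "claim", "region": "east"}
SSN_ALICE = {"id": "ssn-alice", "type": "ssn", "owner": "alice"}
PO_BY_BOB = {"id": "po-7", "type": "po", "submitter": "bob", "amount": 25_000, "approvals": 1}
PO_BY_CAROL = {"id": "po-8", "type": "po", "submitter": "carol", "amount": 25_000, "approvals": 1}

if __name__ == "__main__":
    print(decide(make_request(ALICE, "view", CLAIM_WEST)))  # Permit
    print(decide(make_request(BOB, "approve", PO_BY_BOB)))  # Deny: po-sod overrides po-approve
    print(decide(make_request(ALICE, "view", CLAIM_EAST)))  # NotApplicable: a PEP should fail closed
    print(reverse_query(ALICE, [("view", CLAIM_WEST), ("view", CLAIM_EAST),
                                ("view", SSN_ALICE), ("approve", PO_BY_CAROL)]))
```

Note that the four-eyes rule only works because the PEP hands the PDP the current approval count; the moment the PDP starts tracking approvals itself, it has crossed the line Wes describes into workflow.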
From david.brossard at gmail.com Thu Jun 22 18:51:50 2023
From: david.brossard at gmail.com (David Brossard)
Date: Thu, 22 Jun 2023 11:51:50 -0700
Subject: [policy-charter] A rose by any other name ... or how to pick a working group name
In-Reply-To:
References:
Message-ID:

Vegas: verified externalized general authorization system

On Mon, Jun 19, 2023 at 11:42 AM Andrew Hughes via policy-charter <
policy-charter at lists.openid.net> wrote:

> So....
>
> ROC-STAR WG?
>
> Radical Organizational Connectivity - Simple Transactional Authorization
> Realization WG?
>
> :-D
>
> Andrew Hughes
> Director - Identity Standards
> andrewhughes at pingidentity.com
> Mobile/Signal: +1 250 888 9474
>
> On Mon, Jun 19, 2023 at 11:33 AM Pieter Kasselman via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> The topic of naming will come up as part of creating a charter for any
>> working group. We won't have to decide for a while, but wanted to propose
>> some criteria as we work through the process of chartering and eventually
>> settling on a name that we can use to make a decision in the future:
>>
>> 1. *Descriptive*: It should be descriptive enough to allow people to
>>    quickly understand the working group's purpose
>> 2. *Brief and Simple*: The name should be concise and easy to
>>    remember, pronounce and spell.
>> 3. *Unique*: The name should be unique and not easily confused with
>>    other working groups or standards
>> 4. *Flexible/Scalable*: The name should be broad enough to allow the
>>    working group to take on additional work as we understand the problem
>>    space better.
>> 5. *Positive Emotional Response*: The name should create a positive
>>    emotional reaction and reflect the values/resonate with the target
>>    audience.
>>
>> Cheers
>>
>> Pieter

From alex at 3edges.com Thu Jun 22 20:01:35 2023
From: alex at 3edges.com (Alex Babeanu)
Date: Thu, 22 Jun 2023 13:01:35 -0700
Subject: [policy-charter] Admin Policy Push Group
In-Reply-To:
References: <2b04cf85-8758-a100-579f-f2dd53eb01d4@umbrella.associates>
Message-ID:

Thanks David...!

So to follow-up on this note, I had started the doc you refer to a few days
ago, not sure if we should consolidate both into one or not, but here goes,
everybody should have commenter access to it:
https://docs.google.com/document/d/1xf5H2hLSJVa-iRTenwlAlD48dntbL8uuItDQlCIonUI/edit?usp=sharing

*Notes*:

- These patterns are a compilation of what I've seen in the field over 10
  years of IAM consulting (in all verticals - including IoT -, and public,
  private and higher ed too)... That said, I may be missing stuff or be
  plainly wrong, please feel free to comment in those cases!
- It seems to me that these design patterns *are the main reason* we
  haven't seen more adoption of external AuthZ yet, and why the skeptics are
  skeptical. Even though vendors (and standards) sell "one-size-fits-all"
  solutions, as you can see, it's not the case at all in the wild!
- If we start from the top down, from use-cases, then we'll end up with the
  same problem imho. Every single use case can include several of these
  patterns, so we're back to square 1. Rather, starting at a lower level, at
  the pattern level, may give us a better way to scope and frame the problem
  and solutions. Just my $0.02...
- Finally, given the varied possible patterns, one possibility is indeed to
  exchange messages, rather than forcing a language or an API scheme on all.
  We could then just focus on the formats of requests/responses (which would
  include open ended ones, thanks @David). That is indeed just an idea, but
  one with legs given the efforts of our friends in the SSF workgroup.

Thoughts?

./\.
From alex at 3edges.com Fri Jun 23 16:05:22 2023
From: alex at 3edges.com (Alex Babeanu)
Date: Fri, 23 Jun 2023 09:05:22 -0700
Subject: [policy-charter] Admin Policy Push Group
In-Reply-To:
References: <2b04cf85-8758-a100-579f-f2dd53eb01d4@umbrella.associates>
Message-ID:

Thanks Gerry for the comments! I made the suggested changes. Which led me to realize I can't possibly sustain this if there are a lot of comments... So instead you now all have full access, please feel free to make your own updates in the doc, but as suggestions, so we can easily track it...

Full access link: https://docs.google.com/document/d/1xf5H2hLSJVa-iRTenwlAlD48dntbL8uuItDQlCIonUI/edit?usp=sharing

And feel free to add your name to the contributors list too if you are contributing.

(also if you think this approach doesn't help in the discussion, it would be good to know that too).

Cheers,
./\.

On Thu, Jun 22, 2023 at 1:01 PM Alex Babeanu wrote:
> Thanks David...!
>
> So to follow up on this note, I had started the doc you refer to a few days ago, not sure if we should consolidate both into one or not, but here goes, everybody should have commenter access to it:
>
> https://docs.google.com/document/d/1xf5H2hLSJVa-iRTenwlAlD48dntbL8uuItDQlCIonUI/edit?usp=sharing
>
> *Notes*:
> - These patterns are a compilation of what I've seen in the field over 10 years of IAM consulting (in all verticals, including IoT, and public, private and higher ed too)... That said, I may be missing stuff or be plainly wrong, please feel free to comment in those cases!
>
> - It seems to me that these design patterns *are the main reason* we haven't seen more adoption of external AuthZ yet, and why the skeptics are skeptical. Even though vendors (and standards) sell "one-size-fits-all" solutions, as you can see, it's not the case at all in the wild!
>
> - If we start from the top down, from use-cases, then we'll end up with the same pb imho. Every single use case can include several of these patterns, so we're back to square 1. Rather, starting at a lower level, at the pattern level, may give us a better way to scope and frame the pb and solutions. Just my $0.02...
>
> - Finally, given the varied possible patterns, one possibility is indeed to exchange messages, rather than forcing a language or an API scheme on all. We could then just focus on the formats of requests/responses (which would include open ended ones, thanks @David). That is indeed just an idea, but one with legs given the efforts of our friends in the SSF workgroup.
>
> Thoughts?
>
> ./\.
>
> On Thu, Jun 22, 2023 at 11:47 AM David Brossard wrote:
>> Hi all, Debbie,
>>
>> I think we might need to remove "push" from the name, I agree with Omri. But to Pieter's point, what's in a name?
>>
>> As for the scope... XACML purposely defined:
>>
>> - an architecture (borrowed from older standards - PAP, PEP, PDP are not new in XACML. PIP might be but the concept definitely isn't). It's the same architecture defined in NIST ABAC and Wikipedia (FWIW)
>> - a policy language
>> - a request/response "format" i.e. how to create a request and get a response. BUT the actual transportation is unspecified in the "core" specification. OASIS has a notion of profiles where you can tack on additional specs to a core spec. In the case of XACML, 3 later profiles define a transport for XACML requests/responses:
>>   - The XACML SAML Profile Version 2.0: this old profile posited that because there was a SAML-SOAP binding already defined, why not piggy-back on that and use SAML to carry XACML requests and responses back and forth rather than define a SOAP binding of XACML. Not a great idea and seldom seen in the wild.
>>   - The JSON Profile of XACML 3.0 Version 1.0 - this defines a JSON notation for XACML requests and responses rather than XML to make it more developer-friendly. It's the prerequisite for the following profile.
>>   - The REST Profile of XACML v3.0 Version 1.0 - this defines a basic way to POST a request and get a response back either in XML XACML (core spec) or in JSON (the aforementioned)
>>
>> XACML's core didn't really focus on transport. Most vendors in the early days (think Axiomatics, Nexlabs, Oracle, Bitkoo) all used some kind of SOAP that was 99% the same (after all you were just wrapping a standard XACML request in a SOAP message. Other than the method name, what else would be different?)
>>
>> What might be interesting is understanding the other ways of querying for an authorization decision. All I've written so far is what I'd call a binary request/response e.g.:
>>
>> - Can Alice do X?
>> - Yes she can.
>>
>> But what about open-ended requests? For instance "What can Alice do?" or "What can a manager do?". This is something Axiomatics, as a vendor, calls reverse querying (based on partial evaluation). I believe OPA calls it partial evaluation as well. See Torin's blog post here.
>>
>> IMHO, from what I have seen, Cedar, OPA, and XACML/ALFA are 99% the same. Sure, there are differences. For instance XACML has obligations & advice. But the bottom line is: maybe we should try to standardize between these 2 models as a starting point.
>>
>> And then @Alex Babeanu mentions that there could be a different way altogether to signal authorizations via events. So that's a different pattern worth considering.
>>
>> Lastly, let's look at sibling standards? How do rich authorization requests fit in?
>>
>> Debbie, to your point on building a list of approaches, I think Alex put a doc together that he'll be sharing shortly that attempts to do this. From the top of my mind I roughly see:
>>
>> - policy-driven approaches: OPA, Cedar, XACML, ALFA are all great examples
>> - graph: 3Edges, NGAC, others?
>> - ACL-based: Zanzibar, OpenFGA, others?
>>
>> Thanks
>>
>> On Tue, Jun 20, 2023 at 7:37 AM Debbie Bucci via policy-charter <policy-charter at lists.openid.net> wrote:
>>> Scope seems to be all over the place. I kind of need to do my own research (or perhaps it's part of charter) to better understand what the similarities and differences and/or pros and cons are between current implementations - compared to what my own organization's needs are for exchanging policies generated at multiple levels - organization and individual choice (which kind of implies the need of roles to me). Authorization at the Org most likely not enough. Ultimately the data holder is liable and will make that final decision. Certainly the "sausage making" for tool of choice is out of scope but what is exchanged is most important. Perhaps I am missing something.
>>>
>>> This seems to be the short list from the original thread. XACML, Open Policy Agent, Amazon Verified Permissions and other implementations. Are there others? Graph GL?
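The two query styles David Brossard's quoted message contrasts, a binary "Can Alice do X?" decision and an open-ended "What can Alice do?" answered by partial evaluation over the same rules, worked through as an added example that is not code from any list participant, vendor or standard; the rule shapes, attribute names, subjects and resource catalog are all constructed for illustration.

```python
"""Toy PDP: a binary decision beside an open-ended query answered by partial
evaluation over the same rules. Constructed illustration, not XACML, ALFA,
OPA or Cedar; rule shapes, attribute names, subjects and catalog are invented."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List

Attrs = Dict[str, str]


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str                                    # "Permit" or "Deny"
    actions: FrozenSet[str]
    subject_cond: Callable[[Attrs], bool]          # depends on the subject only
    resource_cond: Callable[[Attrs, Attrs], bool]  # (subject, resource)
    residual: str  # resource-side condition as text; {id} is the subject's id


@dataclass
class Residual:
    """A rule whose subject part is already decided; what remains is a
    predicate over the not-yet-known resource."""
    effect: str
    text: str
    test: Callable[[Attrs], bool]


# Constructed policy set; combining algorithm is deny-overrides, as in XACML.
POLICY: List[Rule] = [
    Rule("read-non-secret", "Permit", frozenset({"read"}),
         lambda s: s.get("role") in {"employee", "manager"},
         lambda s, r: r.get("classification") in {"public", "internal"},
         "resource.classification in {{public, internal}}"),
    Rule("manager-approves-others", "Permit", frozenset({"approve"}),
         lambda s: s.get("role") == "manager",
         lambda s, r: r.get("owner") != s["id"],
         "resource.owner != '{id}'"),
    Rule("no-self-approval", "Deny", frozenset({"approve"}),
         lambda s: True,
         lambda s, r: r.get("owner") == s["id"],
         "resource.owner == '{id}'"),
    Rule("owner-edits", "Permit", frozenset({"edit"}),
         lambda s: True,
         lambda s, r: r.get("owner") == s["id"],
         "resource.owner == '{id}'"),
]

# Constructed subjects and a small resource catalog (what a PIP would hold).
ALICE: Attrs = {"id": "alice", "role": "manager"}
BOB: Attrs = {"id": "bob", "role": "employee"}
CATALOG: Dict[str, Attrs] = {
    "doc1": {"owner": "alice", "classification": "internal"},
    "doc2": {"owner": "bob", "classification": "public"},
    "doc3": {"owner": "bob", "classification": "secret"},
}


def combine(effects: Iterable[str]) -> str:
    """Deny-overrides: any Deny wins, else any Permit, else NotApplicable."""
    seen = set(effects)
    return "Deny" if "Deny" in seen else "Permit" if "Permit" in seen else "NotApplicable"


def decide(subject: Attrs, action: str, resource: Attrs,
           policy: List[Rule] = POLICY) -> str:
    """Binary query: 'Can <subject> do <action> on <resource>?'"""
    return combine(r.effect for r in policy
                   if action in r.actions
                   and r.subject_cond(subject)
                   and r.resource_cond(subject, resource))


def partial_eval(subject: Attrs,
                 policy: List[Rule] = POLICY) -> Dict[str, List[Residual]]:
    """Open-ended query: 'What can <subject> do?'. The subject is bound, so each
    rule's subject part is evaluated now; rules that can never apply to this
    subject are dropped, the rest come back per action as residual conditions
    on the still-unknown resource."""
    residuals: Dict[str, List[Residual]] = {}
    for rule in policy:
        if not rule.subject_cond(subject):
            continue
        res = Residual(rule.effect, rule.residual.format(**subject),
                       lambda r, rule=rule: rule.resource_cond(subject, r))
        for action in sorted(rule.actions):
            residuals.setdefault(action, []).append(res)
    return residuals


def reverse_query(subject: Attrs, action: str, catalog: Dict[str, Attrs],
                  policy: List[Rule] = POLICY) -> List[str]:
    """Run one action's residual over a resource catalog and list the resources
    the subject may act on (the 'list what Alice can approve' style of call)."""
    residual = partial_eval(subject, policy).get(action, [])
    return sorted(rid for rid, attrs in catalog.items()
                  if combine(r.effect for r in residual if r.test(attrs)) == "Permit")
```

The residual returned by `partial_eval` is what a PEP can cache or turn into a data-layer filter, while `decide` answers the same policy one resource at a time; both must agree for every resource in the catalog.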
From pharding at pingidentity.com Fri Jun 23 16:38:45 2023
From: pharding at pingidentity.com (Patrick Harding)
Date: Fri, 23 Jun 2023 12:38:45 -0400
Subject: [policy-charter] Admin Policy Push Group
In-Reply-To:
References: <2b04cf85-8758-a100-579f-f2dd53eb01d4@umbrella.associates>
Message-ID:

'Push' should not be in the name. I think I introduced that term in Vegas - in an attempt to be descriptive of a common way that an org could implement a centralised Policy Service with SaaS applications. But to me this is more of a distributed policy management problem - the underlying communication mechanisms could be push, pull, whatever.

On Thu, Jun 22, 2023 at 2:47 PM David Brossard via policy-charter <policy-charter at lists.openid.net> wrote:
> Hi all, Debbie,
>
> I think we might need to remove "push" from the name, I agree with Omri. But to Pieter's point, what's in a name?

From andrewhughes at pingidentity.com Fri Jun 23 16:59:57 2023
From: andrewhughes at pingidentity.com (Andrew Hughes)
Date: Fri, 23 Jun 2023 09:59:57 -0700
Subject: [policy-charter] Link to PDP-PEP Interop WG Charter draft document
In-Reply-To:
References: <50843d0b-b16c-4e40-abe0-a03c2c1f81c9@Canary>
Message-ID:

Anyone else want to weigh in on this?
I'm onboard with Pieter's suggestion that the attached document describes a deliverable of a larger work group - if so, I'd like to get closure on the description quickly. I hope it's a simple and non-controversial deliverable...

Andrew Hughes
Director - Identity Standards
andrewhughes at pingidentity.com
Mobile/Signal: +1 250 888 9474

On Mon, Jun 19, 2023 at 4:30 AM Pieter Kasselman via policy-charter <
policy-charter at lists.openid.net> wrote:

> My perspective is that we should have one Work Group focused on
> authorization with multiple deliverables (e.g. OpenID Connect and SSF, for
> example, have multiple deliverables) to start with. This way everyone
> interested in the authorization topic has visibility into the different
> work items and we get the benefit of wider participation and review.
>
> Agreed that something with Authorization in the name would make sense,
> something like AuthZEN Framework (AuthoriZation ExchaNge Framework) or
> AuthIT/AuthZIT Framework (Authorization Interoperability Technology
> Framework)...
>
> From: policy-charter On Behalf Of Allan Foster via policy-charter
> Sent: Friday, June 16, 2023 10:46 PM
> To: Policy Charter Mail List
> Cc: Allan Foster
> Subject: Re: [policy-charter] Link to PDP-PEP Interop WG Charter draft document
>
> So, I wonder if we should do two different WGs, or one WG with two
> different standards... (At least, for now?)
>
> I am inclined to think the WG should be AuthZ something... and have two
> separate streams... (or standards?)
>
> Thoughts
>
> Allan
>
> On Friday, Jun 16, 2023 at 14:02, Alex Babeanu via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
> Thanks Andrew!
>
> Added a first comment in there... The season's open!
>
> ./\.
>
> On Fri, Jun 16, 2023 at 11:50 AM Andrew Hughes via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
> Here is the document I have started - the link puts you into "suggest"
> mode. Please add text with self-attribution. Be respectful of others'
> contributions.
>
> https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true
>
> Andrew Hughes
> Director - Identity Standards
> andrewhughes at pingidentity.com