From SHutchinson at us.mufg.jp  Mon Jun 26 13:58:31 2023
From: SHutchinson at us.mufg.jp (Stephen Hutchinson)
Date: Mon, 26 Jun 2023 13:58:31 +0000
Subject: [policy-charter] [External] Re: Link to PDP-PEP Interop WG
 Charter draft document
In-Reply-To: <CALS-csUin3YwkP5ZeJqAU5ETkovJMJrh0hQ8mUYMmO=dKxmEhw@mail.gmail.com>
References: <CALS-csXsKbFVDC0uKa-qWgO_C0bVE2UkSoGpzZB84+Wv=B-NKw@mail.gmail.com>
 <CAOFyxEOwS-rziMMq2fgymbyC4Hn-oRVVp7cay6Fx5sMiZke_0Q@mail.gmail.com>
 <50843d0b-b16c-4e40-abe0-a03c2c1f81c9@Canary>
 <DBAPR83MB0422A6DEA28F60F4A14CCE52915FA@DBAPR83MB0422.EURPRD83.prod.outlook.com>
 <CALS-csUin3YwkP5ZeJqAU5ETkovJMJrh0hQ8mUYMmO=dKxmEhw@mail.gmail.com>
Message-ID: <MN2PR15MB334177C0A9739EE44EF3165F9B26A@MN2PR15MB3341.namprd15.prod.outlook.com>

As long as we don?t lose the policy synchronization/push/whatever piece that started this whole effort last year, I?m fine with it being under a larger ?authorization? umbrella.

Selfishly, I have far less concerns about a variety of PEPs being able to interact with different PDPs than I do with how does one keep the policy that resides in a multitude of PDPs somewhat in sync. From the trench I work in, my difficulties all spring from lack of PAP-PDP Interop much more so than PDP-PEP.


Steve ?Hutch? Hutchinson
Director, Security Architecture
MUFG Americas HQA Architecture

Remote: Richmond, VA
T:+1-804-245-4172
shutchinson at us.mufg.jp<mailto:shutchinson at us.mufg.jp>
@IdentityHutch
[Description: MUFG]

From: policy-charter <policy-charter-bounces at lists.openid.net> On Behalf Of Andrew Hughes via policy-charter
Sent: Friday, June 23, 2023 1:00 PM
To: Policy Charter Mail List <policy-charter at lists.openid.net>
Cc: Andrew Hughes <andrewhughes at pingidentity.com>
Subject: [External] Re: [policy-charter] Link to PDP-PEP Interop WG Charter draft document

*** External email: Please be careful when opening attachments or clicking links. ***

Anyone else want to weigh in on this?

I'm onboard with Pieter's suggestion that the attached document describes a deliverable of a larger work group - if so, I'd like to get closure on the description quickly

I hope it's a simple and non-controversial deliverable...

Andrew Hughes
Director - Identity Standards
andrewhughes at pingidentity.com<mailto:andrewhughes at pingidentity.com>
Mobile/Signal: +1 250 888 9474



On Mon, Jun 19, 2023 at 4:30?AM Pieter Kasselman via policy-charter <policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>> wrote:
My perspective is that we should have one Work Group focused on authorization with multiple deliverables (e.g. OpenID Connect and SSF for example has multiple deliverables) to start with. This way everyone interested in the authorization topic has visibility into the different work items and we get the benefit of wider participation and review.

Agreed that something with Authorization in the name would make sense, something like AuthZEN Framework (AuthoriZation ExchaNge Framework) or AuthIT/AuthZIT Framework (Authorization Interoperability Technology Framework)?.

From: policy-charter <policy-charter-bounces at lists.openid.net<mailto:policy-charter-bounces at lists.openid.net>> On Behalf Of Allan Foster via policy-charter
Sent: Friday, June 16, 2023 10:46 PM
To: Policy Charter Mail List <policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>>
Cc: Allan Foster <allan at macguru.com<mailto:allan at macguru.com>>
Subject: Re: [policy-charter] Link to PDP-PEP Interop WG Charter draft document


So,  I wonder if we should do two different WGs,  or one WG with two different standards?. (At least,  for now?)

I am inclined to think the WG should be AuthZ something??.   and have two separate streams?. (or standards?)

Thoughts

Allan



On Friday, Jun 16, 2023 at 14:02, Alex Babeanu via policy-charter <policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>> wrote:
Thanks Andrew!
Added a first comment in there... The season's open!

./\.

On Fri, Jun 16, 2023 at 11:50?AM Andrew Hughes via policy-charter <policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>> wrote:
Here is the document I have started - the link puts you into "suggest" mode. Please add text with self-attribution. Be respectful of others' contributions.


https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true<https://urldefense.com/v3/__https:/docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true__;!!LAhfwj6O_psYQhU!Cm-GGFSI3gGdVxvqggPk8ulu3YvcNBU6QGa8BqfVjobWZFiyitrPXnGd-YGvCgUljXJ-iV4jmPxP23UpIfwvZu7d_VNu05Vxhrg$>


[Ping Identity]<https://urldefense.com/v3/__https:/www.pingidentity.com/__;!!LAhfwj6O_psYQhU!Cm-GGFSI3gGdVxvqggPk8ulu3YvcNBU6QGa8BqfVjobWZFiyitrPXnGd-YGvCgUljXJ-iV4jmPxP23UpIfwvZu7d_VNu-3CM0KE$>
Andrew Hughes
Director - Identity Standards
andrewhughes at pingidentity.com<mailto:andrewhughes at pingidentity.com>
Connect with us:
[Glassdoor logo]<https://urldefense.com/v3/__https:/www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm__;!!LAhfwj6O_psYQhU!Cm-GGFSI3gGdVxvqggPk8ulu3YvcNBU6QGa8BqfVjobWZFiyitrPXnGd-YGvCgUljXJ-iV4jmPxP23UpIfwvZu7d_VNu8I8gjIo$>[LinkedIn logo]<https://urldefense.com/v3/__https:/www.linkedin.com/company/21870__;!!LAhfwj6O_psYQhU!Cm-GGFSI3gGdVxvqggPk8ulu3YvcNBU6QGa8BqfVjobWZFiyitrPXnGd-YGvCgUljXJ-iV4jmPxP23UpIfwvZu7d_VNuHlHsIFQ$>[twitter logo]<https://urldefense.com/v3/__https:/twitter.com/pingidentity__;!!LAhfwj6O_psYQhU!Cm-GGFSI3gGdVxvqggPk8ulu3YvcNBU6QGa8BqfVjobWZFiyitrPXnGd-YGvCgUljXJ-iV4jmPxP23UpIfwvZu7d_VNu88LDFt0$>[facebook logo]<https://urldefense.com/v3/__https:/www.facebook.com/pingidentitypage__;!!LAhfwj6O_psYQhU!Cm-GGFSI3gGdVxvqggPk8ulu3YvcNBU6QGa8BqfVjobWZFiyitrPXnGd-YGvCgUljXJ-iV4jmPxP23UpIfwvZu7d_VNujLuzPjs$>[youtube logo]<https://urldefense.com/v3/__https:/www.youtube.com/user/PingIdentityTV__;!!LAhfwj6O_psYQhU!Cm-GGFSI3gGdVxvqggPk8ulu3YvcNBU6QGa8BqfVjobWZFiyitrPXnGd-YGvCgUljXJ-iV4jmPxP23UpIfwvZu7d_VNuVTludL8$>[Blog logo]<https://urldefense.com/v3/__https:/www.pingidentity.com/en/blog.html__;!!LAhfwj6O_psYQhU!Cm-GGFSI3gGdVxvqggPk8ulu3YvcNBU6QGa8BqfVjobWZFiyitrPXnGd-YGvCgUljXJ-iV4jmPxP23UpIfwvZu7d_VNuJXFYawA$>
[https://www.pingidentity.com/content/dam/picr/img/em/2022-PrideMonth-426x106.png]<https://urldefense.com/v3/__https:/www.pingidentity.com/en/company/championing-every-identity/dei.html?utm_source=direct*20to*20website&utm_medium=emailsig__;JSU!!LAhfwj6O_psYQhU!Cm-GGFSI3gGdVxvqggPk8ulu3YvcNBU6QGa8BqfVjobWZFiyitrPXnGd-YGvCgUljXJ-iV4jmPxP23UpIfwvZu7d_VNuD4JxRbY$>


CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.--
policy-charter mailing list
policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>
https://lists.openid.net/mailman/listinfo/policy-charter<https://urldefense.com/v3/__https:/lists.openid.net/mailman/listinfo/policy-charter__;!!LAhfwj6O_psYQhU!Cm-GGFSI3gGdVxvqggPk8ulu3YvcNBU6QGa8BqfVjobWZFiyitrPXnGd-YGvCgUljXJ-iV4jmPxP23UpIfwvZu7d_VNuttXZPDQ$>


--
[This is Alexandre Babeanu's card. Their email is alex at 3edges.com. Their phone number is +1 604 728 8130.]<https://urldefense.com/v3/__https:/hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!LAhfwj6O_psYQhU!Cm-GGFSI3gGdVxvqggPk8ulu3YvcNBU6QGa8BqfVjobWZFiyitrPXnGd-YGvCgUljXJ-iV4jmPxP23UpIfwvZu7d_VNu5i8gH_A$>

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments hereto, is for the sole use of the intended recipient(s) and may contain confidential and/or proprietary information.
--
policy-charter mailing list
policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>
https://lists.openid.net/mailman/listinfo/policy-charter<https://urldefense.com/v3/__https:/lists.openid.net/mailman/listinfo/policy-charter__;!!LAhfwj6O_psYQhU!Cm-GGFSI3gGdVxvqggPk8ulu3YvcNBU6QGa8BqfVjobWZFiyitrPXnGd-YGvCgUljXJ-iV4jmPxP23UpIfwvZu7d_VNuttXZPDQ$>
--
policy-charter mailing list
policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>
https://lists.openid.net/mailman/listinfo/policy-charter<https://urldefense.com/v3/__https:/lists.openid.net/mailman/listinfo/policy-charter__;!!LAhfwj6O_psYQhU!Cm-GGFSI3gGdVxvqggPk8ulu3YvcNBU6QGa8BqfVjobWZFiyitrPXnGd-YGvCgUljXJ-iV4jmPxP23UpIfwvZu7d_VNuttXZPDQ$>

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

======================================================================
This email is confidential, and your receipt of it is subject to the recipient terms appearing at: https://www.mufgamericas.com/emailrecipientterms . If you have received this email in error, please inform us by email reply and then delete the message. Any use of this email inconsistent with those terms is strictly prohibited.  Additionally, for information on cybersecurity and Corporate & Investment Banking, please click here.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230626/e842106e/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 7138 bytes
Desc: image001.png
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230626/e842106e/attachment-0001.png>

From alex at 3edges.com  Mon Jun 26 15:42:12 2023
From: alex at 3edges.com (Alex Babeanu)
Date: Mon, 26 Jun 2023 08:42:12 -0700
Subject: [policy-charter] Link to PDP-PEP Interop WG Charter draft
 document
In-Reply-To: <CALS-csUin3YwkP5ZeJqAU5ETkovJMJrh0hQ8mUYMmO=dKxmEhw@mail.gmail.com>
References: <CALS-csXsKbFVDC0uKa-qWgO_C0bVE2UkSoGpzZB84+Wv=B-NKw@mail.gmail.com>
 <CAOFyxEOwS-rziMMq2fgymbyC4Hn-oRVVp7cay6Fx5sMiZke_0Q@mail.gmail.com>
 <50843d0b-b16c-4e40-abe0-a03c2c1f81c9@Canary>
 <DBAPR83MB0422A6DEA28F60F4A14CCE52915FA@DBAPR83MB0422.EURPRD83.prod.outlook.com>
 <CALS-csUin3YwkP5ZeJqAU5ETkovJMJrh0hQ8mUYMmO=dKxmEhw@mail.gmail.com>
Message-ID: <CAOFyxEMFpv-o5x8Q0_K6-FX2UD1gXtMT7R-Asqw0y0dxaShc0g@mail.gmail.com>

Sounds good to me too.
Thanks,

./\.

On Fri, Jun 23, 2023 at 10:00?AM Andrew Hughes via policy-charter <
policy-charter at lists.openid.net> wrote:

> Anyone else want to weigh in on this?
>
> I'm onboard with Pieter's suggestion that the attached document describes
> a deliverable of a larger work group - if so, I'd like to get closure on
> the description quickly
>
> I hope it's a simple and non-controversial deliverable...
>
> Andrew Hughes
> Director - Identity Standards
> andrewhughes at pingidentity.com
> Mobile/Signal: +1 250 888 9474
>
>
>
> On Mon, Jun 19, 2023 at 4:30?AM Pieter Kasselman via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> My perspective is that we should have one Work Group focused on
>> authorization with multiple deliverables (e.g. OpenID Connect and SSF for
>> example has multiple deliverables) to start with. This way everyone
>> interested in the authorization topic has visibility into the different
>> work items and we get the benefit of wider participation and review.
>>
>>
>>
>> Agreed that something with Authorization in the name would make sense,
>> something like AuthZEN Framework (AuthoriZation ExchaNge Framework) or
>> AuthIT/AuthZIT Framework (Authorization Interoperability Technology
>> Framework)?.
>>
>>
>>
>> *From:* policy-charter <policy-charter-bounces at lists.openid.net> *On
>> Behalf Of *Allan Foster via policy-charter
>> *Sent:* Friday, June 16, 2023 10:46 PM
>> *To:* Policy Charter Mail List <policy-charter at lists.openid.net>
>> *Cc:* Allan Foster <allan at macguru.com>
>> *Subject:* Re: [policy-charter] Link to PDP-PEP Interop WG Charter draft
>> document
>>
>>
>>
>> So,  I wonder if we should do two different WGs,  or one WG with two
>> different standards?. (At least,  for now?)
>>
>>
>>
>> I am inclined to think the WG should be AuthZ something??.   and have two
>> separate streams?. (or standards?)
>>
>>
>>
>> Thoughts
>>
>>
>>
>> Allan
>>
>>
>>
>>
>>
>>
>>
>> On Friday, Jun 16, 2023 at 14:02, Alex Babeanu via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>> Thanks Andrew!
>>
>> Added a first comment in there... The season's open!
>>
>>
>>
>> ./\.
>>
>>
>>
>> On Fri, Jun 16, 2023 at 11:50?AM Andrew Hughes via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>> Here is the document I have started - the link puts you into "suggest"
>> mode. Please add text with self-attribution. Be respectful of others'
>> contributions.
>>
>>
>>
>>
>>
>>
>> https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true
>>
>>
>>
>>
>> [image: Ping Identity] <https://www.pingidentity.com/>
>>
>> *Andrew Hughes*
>> Director - Identity Standards
>> andrewhughes at pingidentity.com
>>
>> *Connect with us: *
>>
>> [image: Glassdoor logo]
>> <https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm>[image:
>> LinkedIn logo] <https://www.linkedin.com/company/21870>[image: twitter
>> logo] <https://twitter.com/pingidentity>[image: facebook logo]
>> <https://www.facebook.com/pingidentitypage>[image: youtube logo]
>> <https://www.youtube.com/user/PingIdentityTV>[image: Blog logo]
>> <https://www.pingidentity.com/en/blog.html>
>>
>>
>> <https://www.pingidentity.com/en/company/championing-every-identity/dei.html?utm_source=direct%20to%20website&utm_medium=emailsig>
>>
>>
>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*--
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>>
>>
>>
>> --
>>
>> [image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
>> Their phone number is +1 604 728 8130.]
>> <https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>
>>
>>
>> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
>> hereto, is for the sole use of the intended recipient(s) and may contain
>> confidential and/or proprietary information.
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*--
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>


-- 
[image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
Their phone number is +1 604 728 8130.]
<https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>

-- 
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments 
hereto, is for the sole use of the intended recipient(s) and may contain 
confidential and/or proprietary information.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230626/5e7b6958/attachment-0001.html>

From david.brossard at gmail.com  Tue Jun 27 15:09:26 2023
From: david.brossard at gmail.com (David Brossard)
Date: Tue, 27 Jun 2023 08:09:26 -0700
Subject: [policy-charter] Link to PDP-PEP Interop WG Charter draft
 document
In-Reply-To: <CAOFyxEMFpv-o5x8Q0_K6-FX2UD1gXtMT7R-Asqw0y0dxaShc0g@mail.gmail.com>
References: <CALS-csXsKbFVDC0uKa-qWgO_C0bVE2UkSoGpzZB84+Wv=B-NKw@mail.gmail.com>
 <CAOFyxEOwS-rziMMq2fgymbyC4Hn-oRVVp7cay6Fx5sMiZke_0Q@mail.gmail.com>
 <50843d0b-b16c-4e40-abe0-a03c2c1f81c9@Canary>
 <DBAPR83MB0422A6DEA28F60F4A14CCE52915FA@DBAPR83MB0422.EURPRD83.prod.outlook.com>
 <CALS-csUin3YwkP5ZeJqAU5ETkovJMJrh0hQ8mUYMmO=dKxmEhw@mail.gmail.com>
 <CAOFyxEMFpv-o5x8Q0_K6-FX2UD1gXtMT7R-Asqw0y0dxaShc0g@mail.gmail.com>
Message-ID: <CAJO7GQ-wtJf+yp0QWnN951v9aiKaseUAHU9B1uGXf53Lys8BMQ@mail.gmail.com>

I added notes and comments in the Google Doc
<https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?pli=1>.
I think it is worth highlighting we're not after yet another standard
<https://xkcd.com/927/>. We want to:

   1. increase interoperability between existing standards. In my mind, the
   four horsemen of the ap-authz-calypse are ALFA, Cedar, OPA, and IDQL.
      1. interop from a policy management perspective
      2. interop from a runtime request/response perspective
   2. increase awareness of externalized authz so that software
   developers/owners/SaaS never rebuild their own
      1. Be the OAuth/SAML of authZ
      2. Define and propose standard authZ patterns
         1. use cases
         2. integration patterns


On Mon, Jun 26, 2023 at 8:42?AM Alex Babeanu via policy-charter <
policy-charter at lists.openid.net> wrote:

> Sounds good to me too.
> Thanks,
>
> ./\.
>
> On Fri, Jun 23, 2023 at 10:00?AM Andrew Hughes via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> Anyone else want to weigh in on this?
>>
>> I'm onboard with Pieter's suggestion that the attached document describes
>> a deliverable of a larger work group - if so, I'd like to get closure on
>> the description quickly
>>
>> I hope it's a simple and non-controversial deliverable...
>>
>> Andrew Hughes
>> Director - Identity Standards
>> andrewhughes at pingidentity.com
>> Mobile/Signal: +1 250 888 9474
>>
>>
>>
>> On Mon, Jun 19, 2023 at 4:30?AM Pieter Kasselman via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>>> My perspective is that we should have one Work Group focused on
>>> authorization with multiple deliverables (e.g. OpenID Connect and SSF for
>>> example has multiple deliverables) to start with. This way everyone
>>> interested in the authorization topic has visibility into the different
>>> work items and we get the benefit of wider participation and review.
>>>
>>>
>>>
>>> Agreed that something with Authorization in the name would make sense,
>>> something like AuthZEN Framework (AuthoriZation ExchaNge Framework) or
>>> AuthIT/AuthZIT Framework (Authorization Interoperability Technology
>>> Framework)?.
>>>
>>>
>>>
>>> *From:* policy-charter <policy-charter-bounces at lists.openid.net> *On
>>> Behalf Of *Allan Foster via policy-charter
>>> *Sent:* Friday, June 16, 2023 10:46 PM
>>> *To:* Policy Charter Mail List <policy-charter at lists.openid.net>
>>> *Cc:* Allan Foster <allan at macguru.com>
>>> *Subject:* Re: [policy-charter] Link to PDP-PEP Interop WG Charter
>>> draft document
>>>
>>>
>>>
>>> So,  I wonder if we should do two different WGs,  or one WG with two
>>> different standards?. (At least,  for now?)
>>>
>>>
>>>
>>> I am inclined to think the WG should be AuthZ something??.   and have
>>> two separate streams?. (or standards?)
>>>
>>>
>>>
>>> Thoughts
>>>
>>>
>>>
>>> Allan
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Friday, Jun 16, 2023 at 14:02, Alex Babeanu via policy-charter <
>>> policy-charter at lists.openid.net> wrote:
>>>
>>> Thanks Andrew!
>>>
>>> Added a first comment in there... The season's open!
>>>
>>>
>>>
>>> ./\.
>>>
>>>
>>>
>>> On Fri, Jun 16, 2023 at 11:50?AM Andrew Hughes via policy-charter <
>>> policy-charter at lists.openid.net> wrote:
>>>
>>> Here is the document I have started - the link puts you into "suggest"
>>> mode. Please add text with self-attribution. Be respectful of others'
>>> contributions.
>>>
>>>
>>>
>>>
>>>
>>>
>>> https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true
>>>
>>>
>>>
>>>
>>> [image: Ping Identity] <https://www.pingidentity.com/>
>>>
>>> *Andrew Hughes*
>>> Director - Identity Standards
>>> andrewhughes at pingidentity.com
>>>
>>> *Connect with us: *
>>>
>>> [image: Glassdoor logo]
>>> <https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm>[image:
>>> LinkedIn logo] <https://www.linkedin.com/company/21870>[image: twitter
>>> logo] <https://twitter.com/pingidentity>[image: facebook logo]
>>> <https://www.facebook.com/pingidentitypage>[image: youtube logo]
>>> <https://www.youtube.com/user/PingIdentityTV>[image: Blog logo]
>>> <https://www.pingidentity.com/en/blog.html>
>>>
>>>
>>> <https://www.pingidentity.com/en/company/championing-every-identity/dei.html?utm_source=direct%20to%20website&utm_medium=emailsig>
>>>
>>>
>>>
>>>
>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>> privileged material for the sole use of the intended recipient(s). Any
>>> review, use, distribution or disclosure by others is strictly prohibited.
>>> If you have received this communication in error, please notify the sender
>>> immediately by e-mail and delete the message and any file attachments from
>>> your computer. Thank you.*--
>>> policy-charter mailing list
>>> policy-charter at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>
>>>
>>>
>>>
>>> --
>>>
>>> [image: This is Alexandre Babeanu's card. Their email is
>>> alex at 3edges.com. Their phone number is +1 604 728 8130.]
>>> <https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>
>>>
>>>
>>> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
>>> hereto, is for the sole use of the intended recipient(s) and may contain
>>> confidential and/or proprietary information.
>>> --
>>> policy-charter mailing list
>>> policy-charter at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>
>>> --
>>> policy-charter mailing list
>>> policy-charter at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*--
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>
>
> --
> [image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
> Their phone number is +1 604 728 8130.]
> <https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>
>
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
> hereto, is for the sole use of the intended recipient(s) and may contain
> confidential and/or proprietary information.
> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>


-- 
---
David Brossard
http://www.linkedin.com/in/davidbrossard
http://twitter.com/davidjbrossard
http://about.me/brossard
---
Stay safe on the Internet: http://www.ic3.gov/preventiontips.aspx
Prenez vos pr?cautions sur Internet:
http://www.securite-informatique.gouv.fr/gp_rubrique34.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230627/78784bd1/attachment-0001.html>

From david.brossard at gmail.com  Tue Jun 27 15:16:35 2023
From: david.brossard at gmail.com (David Brossard)
Date: Tue, 27 Jun 2023 08:16:35 -0700
Subject: [policy-charter] PEP-PDP Group
In-Reply-To: <2a5c3d88-c433-453a-8085-c3e2834ea9c2@Canary>
References: <CALkJ7sWdDSMHo1d5xJY7xZWsfhDfYjk06ePR3zDAnMC3GhPdXw@mail.gmail.com>
 <CAJO7GQ_tQDOcm4FwiZE72rz56-jRscPafL9+1MiQAhCwjJmNnQ@mail.gmail.com>
 <6df4307c-f221-1068-3a3f-5c1672a9eaaf@umbrella.associates>
 <CALkJ7sUMNM8_56i7RvFTcf3EQpnSwdH7rkt=XLcJFprJ8CJUsA@mail.gmail.com>
 <DM8P220MB06530D44226E548E051CC70AF755A@DM8P220MB0653.NAMP220.PROD.OUTLOOK.COM>
 <CAOFyxENvzJ=+DU4vHjVB2ai0MC6MzzfNqxL5jF0Rw1MnQkq_dQ@mail.gmail.com>
 <2a5c3d88-c433-453a-8085-c3e2834ea9c2@Canary>
Message-ID: <CAJO7GQ_HHvuxS17v1KKJJsPOfg__0bZ-spgP=XfuxmjR9vUX4A@mail.gmail.com>

I agree with Allan. There's another aspect to runtime authZ: it eliminates
the need to define entitlements up front. It eliminates the need for role,
permissions, and entitlements engineering, and consequently provisioning
and de-provisioning.

This makes me think another area of investigation for this WG is bridging
the runtime authz world (XACML, OPA...) with the non-runtime authz world
(OAuth scopes & claims, SCIM entitlements...) AuthZ frameworks should be
capable of generating dynamic claims that are fed into a token. CAEP could
be used to update/revoke/enrich such tokens.

This means we need different ways to query a policy. And perhaps different
ways to write policies. Let's assume a business authz policy:


   - *Policy*: Claims processors can approve a claim in their region if the
   amount claimed is less than the approver's limit.
   - *Direct request*: Can Alice approve claim #123? (in the background,
   attribute retrieval is run to figure out who Alice is and what claim 123's
   region and amount are)
      - Answer: Permit/Deny + obligations
   - *Indirect request*: tell me what Alice can do on claims
      - Answer: approve + claim amount < $500 + region = Moose Jaw.



On Wed, Jun 14, 2023 at 8:15?AM Allan Foster via policy-charter <
policy-charter at lists.openid.net> wrote:

>
> Alex,  I am not sure I fully agree with your statement!
>
> Although you might not use a PEP to protect those resources,  There is
> still a reasonable use case to treat the spec as the API and transport for
> those resources to call out to a centralized AuthZ server.
>
> I think there are at least two use cases for standardization (as we
> discussed at IDentiverse)
>
> 1.  A standardized interface between PEPs  or agents and the PDP.  This
> would allow de-weaponization of agents, and interoperability at the agent
> level?.
> 2.  A standardization athe policy level so that IF the PDP cannot be
> centralized, the interop would be at the Policy level.  Enabling the Policy
> Management to be centralized.
>
> A SaaS might not be willing to call out to a central PDP for AuthZ (and
> all the performance problems that brings) but might well be willing to
> accept the Policy definition into its own AuthZ system
>
> I see these as complimentary.
>
> On another note, We want to ensure that whatever we do at the PEP/PDP
> level,  we allow for real time decisions.  AuthZ decisions are not
> necessarily entitlements, and the decision may well depend on environmental
> issues at the time of the request.
>
> Allan
>
>
>
> On Tuesday, Jun 13, 2023 at 11:45, Alex Babeanu <alex at 3edges.com> wrote:
> This is a good discussion, that said a PEP is actually *not* mandated in
> all cases. For example you would *not* use a PEP to secure GraphQL APIs
> nor COTS software.
>
> I'm going to share soon a doc, to all contribute on, that lists common
> authorization design patterns. I think it would be a good basis for
> discussion, and at least to scope what we're trying to do...
>
> Thanks,
> ./\lex.
>
> On Tue, Jun 13, 2023 at 11:30?AM Allan Foster via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> So I am thinking we also want to set some scope of what we want to
>> cover?
>>
>>
>>
>> Off the top of my head?.   I can put some more context around these if
>> they aren?t clear
>>
>>
>>
>> The Transport layer
>>
>> The Envelope Layer
>>
>> The request/response transaction layer
>>
>> How meta-data is handled?  (both request and response)
>>
>> Extension mechanisms
>>
>> Exception mechanism
>>
>>
>>
>> Allan
>>
>>
>>
>>
>>
>>
>>
>> *From: *policy-charter <policy-charter-bounces at lists.openid.net> on
>> behalf of Omri Gazitt via policy-charter <policy-charter at lists.openid.net
>> >
>> *Date: *Tuesday, June 13, 2023 at 10:54
>> *To: *Policy Charter Mail List <policy-charter at lists.openid.net>
>> *Cc: *Omri Gazitt <omri at aserto.com>
>> *Subject: *Re: [policy-charter] PEP-PDP Group
>>
>> I agree with David that looking at existing systems is a good place to
>> start. If the idea is that PDPs can add a "standard" API that PEPs can
>> call, then it would be good if the API supports the existing message
>> exchange patterns (and doesn't mandate things that aren't supported).
>>
>>
>>
>> Here are three examples, to get us started:
>>
>>    - OPA is interesting in the sense that its primary REST API is very
>>    document-oriented - you have a set of rules that are defined in a
>>    JSON-style hierarchy and you issue a GET or POST on that resource in the
>>    hierarchy to evaluate the rule that is rooted there. This seems like a
>>    special case. OPA does have a generic query
>>    <https://www.openpolicyagent.org/docs/latest/rest-api/#execute-an-ad-hoc-query>
>>    API, which allows you to pass input and evaluate a rego query based on the
>>    loaded policy document and the input.
>>    - Auth0 FGA (one of the zanzibar implementations) has a check
>>    <https://www.openpolicyagent.org/docs/latest/rest-api/#execute-an-ad-hoc-query> API
>>    that takes a JSON payload containing a user key, relation name, and object
>>    key, and returns an allowed decision (true or false). Most zanzibar
>>    implementations seem to do something similar - e.g. SpiceDB has a
>>    check
>>    <https://www.postman.com/authzed/workspace/spicedb/documentation/21043612-9786e5f3-2014-4b31-86c1-39335236c0e2?entity=request-c58c40ff-9fc7-4c3e-9cca-f017160ba5b8>
>>    API that takes a resource, permission, and subject.
>>    - Topaz (Aserto's OSS authorizer) has a query
>>    <https://aserto.readme.io/reference/authorizerquery-1> API that takes
>>    an identity and policy (rule/decisions to evaluate), and optionally a
>>    resource context and additional input, and returns what OPA would return.
>>    It also has a simpler is
>>    <https://aserto.readme.io/reference/authorizeris-1> API that
>>    evaluates a policy (rule/decisions) with an identity and resource context.
>>
>>
>>
>>
>>
>> On Tue, Jun 13, 2023 at 1:54?AM Roland Baum via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>> I'm in as well :-D
>>
>>
>>
>> Roland Baum
>> umbrella.associates GmbH
>>
>>
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>
>
> --
> [image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
> Their phone number is +1 604 728 8130.]
> <https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>
>
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
> hereto, is for the sole use of the intended recipient(s) and may contain
> confidential and/or proprietary information.
>
> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>


-- 
---
David Brossard
http://www.linkedin.com/in/davidbrossard
http://twitter.com/davidjbrossard
http://about.me/brossard
---
Stay safe on the Internet: http://www.ic3.gov/preventiontips.aspx
Prenez vos pr?cautions sur Internet:
http://www.securite-informatique.gouv.fr/gp_rubrique34.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230627/caa9ddcd/attachment.html>

From andres.aguiar at okta.com  Tue Jun 27 15:25:22 2023
From: andres.aguiar at okta.com (Andres Aguiar)
Date: Tue, 27 Jun 2023 12:25:22 -0300
Subject: [policy-charter] Link to PDP-PEP Interop WG Charter draft
 document
In-Reply-To: <CAJO7GQ-wtJf+yp0QWnN951v9aiKaseUAHU9B1uGXf53Lys8BMQ@mail.gmail.com>
References: <CALS-csXsKbFVDC0uKa-qWgO_C0bVE2UkSoGpzZB84+Wv=B-NKw@mail.gmail.com>
 <CAOFyxEOwS-rziMMq2fgymbyC4Hn-oRVVp7cay6Fx5sMiZke_0Q@mail.gmail.com>
 <50843d0b-b16c-4e40-abe0-a03c2c1f81c9@Canary>
 <DBAPR83MB0422A6DEA28F60F4A14CCE52915FA@DBAPR83MB0422.EURPRD83.prod.outlook.com>
 <CALS-csUin3YwkP5ZeJqAU5ETkovJMJrh0hQ8mUYMmO=dKxmEhw@mail.gmail.com>
 <CAOFyxEMFpv-o5x8Q0_K6-FX2UD1gXtMT7R-Asqw0y0dxaShc0g@mail.gmail.com>
 <CAJO7GQ-wtJf+yp0QWnN951v9aiKaseUAHU9B1uGXf53Lys8BMQ@mail.gmail.com>
Message-ID: <CALVhW9P2e-VtErszdjCZVwgFEL9qWN-+PhdoGjDuy1e7EOYQGg@mail.gmail.com>

Hi all!

Any reason not to include Google Zanzibar-inspired AuthZ implementations
(e.g. OpenFGA, Topaz, SpiceDB, Permify, etc) as part of the scope of this
effort?

Regards,

Andres


On Tue, Jun 27, 2023 at 12:09?PM David Brossard via policy-charter <
policy-charter at lists.openid.net> wrote:

> *This message originated outside your organization.*
>
> ------------------------------
>
> I added notes and comments in the Google Doc
> <https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?pli=1>.
> I think it is worth highlighting we're not after yet another standard
> <https://urldefense.com/v3/__https://xkcd.com/927/__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzOe8cLp8$>.
> We want to:
>
>    1. increase interoperability between existing standards. In my mind,
>    the four horsemen of the ap-authz-calypse are ALFA, Cedar, OPA, and IDQL.
>       1. interop from a policy management perspective
>       2. interop from a runtime request/response perspective
>    2. increase awareness of externalized authz so that software
>    developers/owners/SaaS never rebuild their own
>       1. Be the OAuth/SAML of authZ
>       2. Define and propose standard authZ patterns
>          1. use cases
>          2. integration patterns
>
>
> On Mon, Jun 26, 2023 at 8:42?AM Alex Babeanu via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> Sounds good to me too.
>> Thanks,
>>
>> ./\.
>>
>> On Fri, Jun 23, 2023 at 10:00?AM Andrew Hughes via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>>> Anyone else want to weigh in on this?
>>>
>>> I'm onboard with Pieter's suggestion that the attached document
>>> describes a deliverable of a larger work group - if so, I'd like to get
>>> closure on the description quickly
>>>
>>> I hope it's a simple and non-controversial deliverable...
>>>
>>> Andrew Hughes
>>> Director - Identity Standards
>>> andrewhughes at pingidentity.com
>>> Mobile/Signal: +1 250 888 9474
>>>
>>>
>>>
>>> On Mon, Jun 19, 2023 at 4:30?AM Pieter Kasselman via policy-charter <
>>> policy-charter at lists.openid.net> wrote:
>>>
>>>> My perspective is that we should have one Work Group focused on
>>>> authorization with multiple deliverables (e.g. OpenID Connect and SSF for
>>>> example has multiple deliverables) to start with. This way everyone
>>>> interested in the authorization topic has visibility into the different
>>>> work items and we get the benefit of wider participation and review.
>>>>
>>>>
>>>>
>>>> Agreed that something with Authorization in the name would make sense,
>>>> something like AuthZEN Framework (AuthoriZation ExchaNge Framework) or
>>>> AuthIT/AuthZIT Framework (Authorization Interoperability Technology
>>>> Framework)?.
>>>>
>>>>
>>>>
>>>> *From:* policy-charter <policy-charter-bounces at lists.openid.net> *On
>>>> Behalf Of *Allan Foster via policy-charter
>>>> *Sent:* Friday, June 16, 2023 10:46 PM
>>>> *To:* Policy Charter Mail List <policy-charter at lists.openid.net>
>>>> *Cc:* Allan Foster <allan at macguru.com>
>>>> *Subject:* Re: [policy-charter] Link to PDP-PEP Interop WG Charter
>>>> draft document
>>>>
>>>>
>>>>
>>>> So,  I wonder if we should do two different WGs,  or one WG with two
>>>> different standards?. (At least,  for now?)
>>>>
>>>>
>>>>
>>>> I am inclined to think the WG should be AuthZ something??.   and have
>>>> two separate streams?. (or standards?)
>>>>
>>>>
>>>>
>>>> Thoughts
>>>>
>>>>
>>>>
>>>> Allan
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Friday, Jun 16, 2023 at 14:02, Alex Babeanu via policy-charter <
>>>> policy-charter at lists.openid.net> wrote:
>>>>
>>>> Thanks Andrew!
>>>>
>>>> Added a first comment in there... The season's open!
>>>>
>>>>
>>>>
>>>> ./\.
>>>>
>>>>
>>>>
>>>> On Fri, Jun 16, 2023 at 11:50?AM Andrew Hughes via policy-charter <
>>>> policy-charter at lists.openid.net> wrote:
>>>>
>>>> Here is the document I have started - the link puts you into "suggest"
>>>> mode. Please add text with self-attribution. Be respectful of others'
>>>> contributions.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true
>>>>
>>>>
>>>>
>>>>
>>>> [image: Ping Identity]
>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzcNeP4vs$>
>>>>
>>>> *Andrew Hughes*
>>>> Director - Identity Standards
>>>> andrewhughes at pingidentity.com
>>>>
>>>> *Connect with us: *
>>>>
>>>> [image: Glassdoor logo]
>>>> <https://urldefense.com/v3/__https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzWdCjpz4$>[image:
>>>> LinkedIn logo] <https://www.linkedin.com/company/21870>[image: twitter
>>>> logo]
>>>> <https://urldefense.com/v3/__https://twitter.com/pingidentity__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzDUeSi2c$>[image:
>>>> facebook logo]
>>>> <https://urldefense.com/v3/__https://www.facebook.com/pingidentitypage__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzqt_Q5uo$>[image:
>>>> youtube logo]
>>>> <https://urldefense.com/v3/__https://www.youtube.com/user/PingIdentityTV__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzayZ0G60$>[image:
>>>> Blog logo]
>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/en/blog.html__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzBZ_t8is$>
>>>>
>>>>
>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/en/company/championing-every-identity/dei.html?utm_source=direct*20to*20website&utm_medium=emailsig__;JSU!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzIokbF3o$>
>>>>
>>>>
>>>>
>>>>
>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>> privileged material for the sole use of the intended recipient(s). Any
>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>> If you have received this communication in error, please notify the sender
>>>> immediately by e-mail and delete the message and any file attachments from
>>>> your computer. Thank you.*--
>>>> policy-charter mailing list
>>>> policy-charter at lists.openid.net
>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> [image: This is Alexandre Babeanu's card. Their email is
>>>> alex at 3edges.com. Their phone number is +1 604 728 8130.]
>>>> <https://urldefense.com/v3/__https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzhrCCuoA$>
>>>>
>>>>
>>>> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
>>>> hereto, is for the sole use of the intended recipient(s) and may contain
>>>> confidential and/or proprietary information.
>>>> --
>>>> policy-charter mailing list
>>>> policy-charter at lists.openid.net
>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>
>>>> --
>>>> policy-charter mailing list
>>>> policy-charter at lists.openid.net
>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>
>>>
>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>> privileged material for the sole use of the intended recipient(s). Any
>>> review, use, distribution or disclosure by others is strictly prohibited.
>>> If you have received this communication in error, please notify the sender
>>> immediately by e-mail and delete the message and any file attachments from
>>> your computer. Thank you.*--
>>> policy-charter mailing list
>>> policy-charter at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>
>>
>>
>> --
>> [image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
>> Their phone number is +1 604 728 8130.]
>> <https://urldefense.com/v3/__https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzhrCCuoA$>
>>
>> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
>> hereto, is for the sole use of the intended recipient(s) and may contain
>> confidential and/or proprietary information.
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>
>
>
> --
> ---
> David Brossard
> http://www.linkedin.com/in/davidbrossard
> http://twitter.com/davidjbrossard
> <https://urldefense.com/v3/__http://twitter.com/davidjbrossard__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzQRlFaRU$>
> http://about.me/brossard
> <https://urldefense.com/v3/__http://about.me/brossard__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzQqI8AE8$>
> ---
> Stay safe on the Internet: http://www.ic3.gov/preventiontips.aspx
> <https://urldefense.com/v3/__http://www.ic3.gov/preventiontips.aspx__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzljfWGu0$>
> Prenez vos pr?cautions sur Internet:
> http://www.securite-informatique.gouv.fr/gp_rubrique34.html
> <https://urldefense.com/v3/__http://www.securite-informatique.gouv.fr/gp_rubrique34.html__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzo5yrZAg$>
> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230627/eaff9577/attachment-0001.html>

From david.brossard at gmail.com  Tue Jun 27 15:39:47 2023
From: david.brossard at gmail.com (David Brossard)
Date: Tue, 27 Jun 2023 08:39:47 -0700
Subject: [policy-charter] Link to PDP-PEP Interop WG Charter draft
 document
In-Reply-To: <CALVhW9P2e-VtErszdjCZVwgFEL9qWN-+PhdoGjDuy1e7EOYQGg@mail.gmail.com>
References: <CALS-csXsKbFVDC0uKa-qWgO_C0bVE2UkSoGpzZB84+Wv=B-NKw@mail.gmail.com>
 <CAOFyxEOwS-rziMMq2fgymbyC4Hn-oRVVp7cay6Fx5sMiZke_0Q@mail.gmail.com>
 <50843d0b-b16c-4e40-abe0-a03c2c1f81c9@Canary>
 <DBAPR83MB0422A6DEA28F60F4A14CCE52915FA@DBAPR83MB0422.EURPRD83.prod.outlook.com>
 <CALS-csUin3YwkP5ZeJqAU5ETkovJMJrh0hQ8mUYMmO=dKxmEhw@mail.gmail.com>
 <CAOFyxEMFpv-o5x8Q0_K6-FX2UD1gXtMT7R-Asqw0y0dxaShc0g@mail.gmail.com>
 <CAJO7GQ-wtJf+yp0QWnN951v9aiKaseUAHU9B1uGXf53Lys8BMQ@mail.gmail.com>
 <CALVhW9P2e-VtErszdjCZVwgFEL9qWN-+PhdoGjDuy1e7EOYQGg@mail.gmail.com>
Message-ID: <CAJO7GQ_Y5Nu1aR4BEw+DgS5cwjYGOd58ZM_wcxiOELr1uoL8YA@mail.gmail.com>

We totally should! It is an oversight on my part because I am so policy
biased. Sorry!

On Tue, Jun 27, 2023, 8:25 AM Andres Aguiar <andres.aguiar at okta.com> wrote:

> Hi all!
>
> Any reason not to include Google Zanzibar-inspired AuthZ implementations
> (e.g. OpenFGA, Topaz, SpiceDB, Permify, etc) as part of the scope of this
> effort?
>
> Regards,
>
> Andres
>
>
> On Tue, Jun 27, 2023 at 12:09?PM David Brossard via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> *This message originated outside your organization.*
>>
>> ------------------------------
>>
>> I added notes and comments in the Google Doc
>> <https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?pli=1>.
>> I think it is worth highlighting we're not after yet another standard
>> <https://urldefense.com/v3/__https://xkcd.com/927/__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzOe8cLp8$>.
>> We want to:
>>
>>    1. increase interoperability between existing standards. In my mind,
>>    the four horsemen of the ap-authz-calypse are ALFA, Cedar, OPA, and IDQL.
>>       1. interop from a policy management perspective
>>       2. interop from a runtime request/response perspective
>>    2. increase awareness of externalized authz so that software
>>    developers/owners/SaaS never rebuild their own
>>       1. Be the OAuth/SAML of authZ
>>       2. Define and propose standard authZ patterns
>>          1. use cases
>>          2. integration patterns
>>
>>
>> On Mon, Jun 26, 2023 at 8:42?AM Alex Babeanu via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>>> Sounds good to me too.
>>> Thanks,
>>>
>>> ./\.
>>>
>>> On Fri, Jun 23, 2023 at 10:00?AM Andrew Hughes via policy-charter <
>>> policy-charter at lists.openid.net> wrote:
>>>
>>>> Anyone else want to weigh in on this?
>>>>
>>>> I'm onboard with Pieter's suggestion that the attached document
>>>> describes a deliverable of a larger work group - if so, I'd like to get
>>>> closure on the description quickly
>>>>
>>>> I hope it's a simple and non-controversial deliverable...
>>>>
>>>> Andrew Hughes
>>>> Director - Identity Standards
>>>> andrewhughes at pingidentity.com
>>>> Mobile/Signal: +1 250 888 9474
>>>>
>>>>
>>>>
>>>> On Mon, Jun 19, 2023 at 4:30?AM Pieter Kasselman via policy-charter <
>>>> policy-charter at lists.openid.net> wrote:
>>>>
>>>>> My perspective is that we should have one Work Group focused on
>>>>> authorization with multiple deliverables (e.g. OpenID Connect and SSF for
>>>>> example has multiple deliverables) to start with. This way everyone
>>>>> interested in the authorization topic has visibility into the different
>>>>> work items and we get the benefit of wider participation and review.
>>>>>
>>>>>
>>>>>
>>>>> Agreed that something with Authorization in the name would make sense,
>>>>> something like AuthZEN Framework (AuthoriZation ExchaNge Framework) or
>>>>> AuthIT/AuthZIT Framework (Authorization Interoperability Technology
>>>>> Framework)?.
>>>>>
>>>>>
>>>>>
>>>>> *From:* policy-charter <policy-charter-bounces at lists.openid.net> *On
>>>>> Behalf Of *Allan Foster via policy-charter
>>>>> *Sent:* Friday, June 16, 2023 10:46 PM
>>>>> *To:* Policy Charter Mail List <policy-charter at lists.openid.net>
>>>>> *Cc:* Allan Foster <allan at macguru.com>
>>>>> *Subject:* Re: [policy-charter] Link to PDP-PEP Interop WG Charter
>>>>> draft document
>>>>>
>>>>>
>>>>>
>>>>> So,  I wonder if we should do two different WGs,  or one WG with two
>>>>> different standards?. (At least,  for now?)
>>>>>
>>>>>
>>>>>
>>>>> I am inclined to think the WG should be AuthZ something??.   and have
>>>>> two separate streams?. (or standards?)
>>>>>
>>>>>
>>>>>
>>>>> Thoughts
>>>>>
>>>>>
>>>>>
>>>>> Allan
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Friday, Jun 16, 2023 at 14:02, Alex Babeanu via policy-charter <
>>>>> policy-charter at lists.openid.net> wrote:
>>>>>
>>>>> Thanks Andrew!
>>>>>
>>>>> Added a first comment in there... The season's open!
>>>>>
>>>>>
>>>>>
>>>>> ./\.
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jun 16, 2023 at 11:50?AM Andrew Hughes via policy-charter <
>>>>> policy-charter at lists.openid.net> wrote:
>>>>>
>>>>> Here is the document I have started - the link puts you into "suggest"
>>>>> mode. Please add text with self-attribution. Be respectful of others'
>>>>> contributions.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> [image: Ping Identity]
>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzcNeP4vs$>
>>>>>
>>>>> *Andrew Hughes*
>>>>> Director - Identity Standards
>>>>> andrewhughes at pingidentity.com
>>>>>
>>>>> *Connect with us: *
>>>>>
>>>>> [image: Glassdoor logo]
>>>>> <https://urldefense.com/v3/__https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzWdCjpz4$>[image:
>>>>> LinkedIn logo] <https://www.linkedin.com/company/21870>[image:
>>>>> twitter logo]
>>>>> <https://urldefense.com/v3/__https://twitter.com/pingidentity__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzDUeSi2c$>[image:
>>>>> facebook logo]
>>>>> <https://urldefense.com/v3/__https://www.facebook.com/pingidentitypage__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzqt_Q5uo$>[image:
>>>>> youtube logo]
>>>>> <https://urldefense.com/v3/__https://www.youtube.com/user/PingIdentityTV__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzayZ0G60$>[image:
>>>>> Blog logo]
>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/en/blog.html__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzBZ_t8is$>
>>>>>
>>>>>
>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/en/company/championing-every-identity/dei.html?utm_source=direct*20to*20website&utm_medium=emailsig__;JSU!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzIokbF3o$>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>>> If you have received this communication in error, please notify the sender
>>>>> immediately by e-mail and delete the message and any file attachments from
>>>>> your computer. Thank you.*--
>>>>> policy-charter mailing list
>>>>> policy-charter at lists.openid.net
>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> [image: This is Alexandre Babeanu's card. Their email is
>>>>> alex at 3edges.com. Their phone number is +1 604 728 8130.]
>>>>> <https://urldefense.com/v3/__https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzhrCCuoA$>
>>>>>
>>>>>
>>>>> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
>>>>> hereto, is for the sole use of the intended recipient(s) and may contain
>>>>> confidential and/or proprietary information.
>>>>> --
>>>>> policy-charter mailing list
>>>>> policy-charter at lists.openid.net
>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>
>>>>> --
>>>>> policy-charter mailing list
>>>>> policy-charter at lists.openid.net
>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>
>>>>
>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>> privileged material for the sole use of the intended recipient(s). Any
>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>> If you have received this communication in error, please notify the sender
>>>> immediately by e-mail and delete the message and any file attachments from
>>>> your computer. Thank you.*--
>>>> policy-charter mailing list
>>>> policy-charter at lists.openid.net
>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>
>>>
>>>
>>> --
>>> [image: This is Alexandre Babeanu's card. Their email is
>>> alex at 3edges.com. Their phone number is +1 604 728 8130.]
>>> <https://urldefense.com/v3/__https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzhrCCuoA$>
>>>
>>> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
>>> hereto, is for the sole use of the intended recipient(s) and may contain
>>> confidential and/or proprietary information.
>>> --
>>> policy-charter mailing list
>>> policy-charter at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>
>>
>>
>> --
>> ---
>> David Brossard
>> http://www.linkedin.com/in/davidbrossard
>> http://twitter.com/davidjbrossard
>> <https://urldefense.com/v3/__http://twitter.com/davidjbrossard__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzQRlFaRU$>
>> http://about.me/brossard
>> <https://urldefense.com/v3/__http://about.me/brossard__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzQqI8AE8$>
>> ---
>> Stay safe on the Internet: http://www.ic3.gov/preventiontips.aspx
>> <https://urldefense.com/v3/__http://www.ic3.gov/preventiontips.aspx__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzljfWGu0$>
>> Prenez vos pr?cautions sur Internet:
>> http://www.securite-informatique.gouv.fr/gp_rubrique34.html
>> <https://urldefense.com/v3/__http://www.securite-informatique.gouv.fr/gp_rubrique34.html__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzo5yrZAg$>
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230627/cb3d8e28/attachment-0001.html>

From alex at 3edges.com  Tue Jun 27 15:42:27 2023
From: alex at 3edges.com (Alex Babeanu)
Date: Tue, 27 Jun 2023 08:42:27 -0700
Subject: [policy-charter] Link to PDP-PEP Interop WG Charter draft
 document
In-Reply-To: <CAJO7GQ_Y5Nu1aR4BEw+DgS5cwjYGOd58ZM_wcxiOELr1uoL8YA@mail.gmail.com>
References: <CALS-csXsKbFVDC0uKa-qWgO_C0bVE2UkSoGpzZB84+Wv=B-NKw@mail.gmail.com>
 <CAOFyxEOwS-rziMMq2fgymbyC4Hn-oRVVp7cay6Fx5sMiZke_0Q@mail.gmail.com>
 <50843d0b-b16c-4e40-abe0-a03c2c1f81c9@Canary>
 <DBAPR83MB0422A6DEA28F60F4A14CCE52915FA@DBAPR83MB0422.EURPRD83.prod.outlook.com>
 <CALS-csUin3YwkP5ZeJqAU5ETkovJMJrh0hQ8mUYMmO=dKxmEhw@mail.gmail.com>
 <CAOFyxEMFpv-o5x8Q0_K6-FX2UD1gXtMT7R-Asqw0y0dxaShc0g@mail.gmail.com>
 <CAJO7GQ-wtJf+yp0QWnN951v9aiKaseUAHU9B1uGXf53Lys8BMQ@mail.gmail.com>
 <CALVhW9P2e-VtErszdjCZVwgFEL9qWN-+PhdoGjDuy1e7EOYQGg@mail.gmail.com>
 <CAJO7GQ_Y5Nu1aR4BEw+DgS5cwjYGOd58ZM_wcxiOELr1uoL8YA@mail.gmail.com>
Message-ID: <CAOFyxEO9efOCFaARB7GcAga43+E6BQzN9LSJas+HtCemHkF8Sw@mail.gmail.com>

Also, are we deciding to completely ignore NGAC?  I think that should be
considered as well, considering it's the latest standard for authorization
out there...
https://standards.incits.org/apps/group_public/project/details.php?project_id=2328

./\.

On Tue, Jun 27, 2023 at 8:40?AM David Brossard via policy-charter <
policy-charter at lists.openid.net> wrote:

> We totally should! It is an oversight on my part because I am so policy
> biased. Sorry!
>
> On Tue, Jun 27, 2023, 8:25 AM Andres Aguiar <andres.aguiar at okta.com>
> wrote:
>
>> Hi all!
>>
>> Any reason not to include Google Zanzibar-inspired AuthZ implementations
>> (e.g. OpenFGA, Topaz, SpiceDB, Permify, etc) as part of the scope of this
>> effort?
>>
>> Regards,
>>
>> Andres
>>
>>
>> On Tue, Jun 27, 2023 at 12:09?PM David Brossard via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>>> *This message originated outside your organization.*
>>>
>>> ------------------------------
>>>
>>> I added notes and comments in the Google Doc
>>> <https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?pli=1>.
>>> I think it is worth highlighting we're not after yet another standard
>>> <https://urldefense.com/v3/__https://xkcd.com/927/__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzOe8cLp8$>.
>>> We want to:
>>>
>>>    1. increase interoperability between existing standards. In my mind,
>>>    the four horsemen of the ap-authz-calypse are ALFA, Cedar, OPA, and IDQL.
>>>       1. interop from a policy management perspective
>>>       2. interop from a runtime request/response perspective
>>>    2. increase awareness of externalized authz so that software
>>>    developers/owners/SaaS never rebuild their own
>>>       1. Be the OAuth/SAML of authZ
>>>       2. Define and propose standard authZ patterns
>>>          1. use cases
>>>          2. integration patterns
>>>
>>>
>>> On Mon, Jun 26, 2023 at 8:42?AM Alex Babeanu via policy-charter <
>>> policy-charter at lists.openid.net> wrote:
>>>
>>>> Sounds good to me too.
>>>> Thanks,
>>>>
>>>> ./\.
>>>>
>>>> On Fri, Jun 23, 2023 at 10:00?AM Andrew Hughes via policy-charter <
>>>> policy-charter at lists.openid.net> wrote:
>>>>
>>>>> Anyone else want to weigh in on this?
>>>>>
>>>>> I'm onboard with Pieter's suggestion that the attached document
>>>>> describes a deliverable of a larger work group - if so, I'd like to get
>>>>> closure on the description quickly
>>>>>
>>>>> I hope it's a simple and non-controversial deliverable...
>>>>>
>>>>> Andrew Hughes
>>>>> Director - Identity Standards
>>>>> andrewhughes at pingidentity.com
>>>>> Mobile/Signal: +1 250 888 9474
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Jun 19, 2023 at 4:30?AM Pieter Kasselman via policy-charter <
>>>>> policy-charter at lists.openid.net> wrote:
>>>>>
>>>>>> My perspective is that we should have one Work Group focused on
>>>>>> authorization with multiple deliverables (e.g. OpenID Connect and SSF for
>>>>>> example has multiple deliverables) to start with. This way everyone
>>>>>> interested in the authorization topic has visibility into the different
>>>>>> work items and we get the benefit of wider participation and review.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Agreed that something with Authorization in the name would make
>>>>>> sense, something like AuthZEN Framework (AuthoriZation ExchaNge Framework)
>>>>>> or AuthIT/AuthZIT Framework (Authorization Interoperability Technology
>>>>>> Framework)?.
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* policy-charter <policy-charter-bounces at lists.openid.net> *On
>>>>>> Behalf Of *Allan Foster via policy-charter
>>>>>> *Sent:* Friday, June 16, 2023 10:46 PM
>>>>>> *To:* Policy Charter Mail List <policy-charter at lists.openid.net>
>>>>>> *Cc:* Allan Foster <allan at macguru.com>
>>>>>> *Subject:* Re: [policy-charter] Link to PDP-PEP Interop WG Charter
>>>>>> draft document
>>>>>>
>>>>>>
>>>>>>
>>>>>> So,  I wonder if we should do two different WGs,  or one WG with two
>>>>>> different standards?. (At least,  for now?)
>>>>>>
>>>>>>
>>>>>>
>>>>>> I am inclined to think the WG should be AuthZ something??.   and have
>>>>>> two separate streams?. (or standards?)
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thoughts
>>>>>>
>>>>>>
>>>>>>
>>>>>> Allan
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Friday, Jun 16, 2023 at 14:02, Alex Babeanu via policy-charter <
>>>>>> policy-charter at lists.openid.net> wrote:
>>>>>>
>>>>>> Thanks Andrew!
>>>>>>
>>>>>> Added a first comment in there... The season's open!
>>>>>>
>>>>>>
>>>>>>
>>>>>> ./\.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Jun 16, 2023 at 11:50?AM Andrew Hughes via policy-charter <
>>>>>> policy-charter at lists.openid.net> wrote:
>>>>>>
>>>>>> Here is the document I have started - the link puts you into
>>>>>> "suggest" mode. Please add text with self-attribution. Be respectful of
>>>>>> others' contributions.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> [image: Ping Identity]
>>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzcNeP4vs$>
>>>>>>
>>>>>> *Andrew Hughes*
>>>>>> Director - Identity Standards
>>>>>> andrewhughes at pingidentity.com
>>>>>>
>>>>>> *Connect with us: *
>>>>>>
>>>>>> [image: Glassdoor logo]
>>>>>> <https://urldefense.com/v3/__https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzWdCjpz4$>[image:
>>>>>> LinkedIn logo] <https://www.linkedin.com/company/21870>[image:
>>>>>> twitter logo]
>>>>>> <https://urldefense.com/v3/__https://twitter.com/pingidentity__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzDUeSi2c$>[image:
>>>>>> facebook logo]
>>>>>> <https://urldefense.com/v3/__https://www.facebook.com/pingidentitypage__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzqt_Q5uo$>[image:
>>>>>> youtube logo]
>>>>>> <https://urldefense.com/v3/__https://www.youtube.com/user/PingIdentityTV__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzayZ0G60$>[image:
>>>>>> Blog logo]
>>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/en/blog.html__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzBZ_t8is$>
>>>>>>
>>>>>>
>>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/en/company/championing-every-identity/dei.html?utm_source=direct*20to*20website&utm_medium=emailsig__;JSU!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzIokbF3o$>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>>>> If you have received this communication in error, please notify the sender
>>>>>> immediately by e-mail and delete the message and any file attachments from
>>>>>> your computer. Thank you.*--
>>>>>> policy-charter mailing list
>>>>>> policy-charter at lists.openid.net
>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> [image: This is Alexandre Babeanu's card. Their email is
>>>>>> alex at 3edges.com. Their phone number is +1 604 728 8130.]
>>>>>> <https://urldefense.com/v3/__https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzhrCCuoA$>
>>>>>>
>>>>>>
>>>>>> CONFIDENTIALITY NOTICE: This e-mail message, including any
>>>>>> attachments hereto, is for the sole use of the intended recipient(s) and
>>>>>> may contain confidential and/or proprietary information.
>>>>>> --
>>>>>> policy-charter mailing list
>>>>>> policy-charter at lists.openid.net
>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>
>>>>>> --
>>>>>> policy-charter mailing list
>>>>>> policy-charter at lists.openid.net
>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>
>>>>>
>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>>> If you have received this communication in error, please notify the sender
>>>>> immediately by e-mail and delete the message and any file attachments from
>>>>> your computer. Thank you.*--
>>>>> policy-charter mailing list
>>>>> policy-charter at lists.openid.net
>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>
>>>>
>>>>
>>>> --
>>>> [image: This is Alexandre Babeanu's card. Their email is
>>>> alex at 3edges.com. Their phone number is +1 604 728 8130.]
>>>> <https://urldefense.com/v3/__https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzhrCCuoA$>
>>>>
>>>> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
>>>> hereto, is for the sole use of the intended recipient(s) and may contain
>>>> confidential and/or proprietary information.
>>>> --
>>>> policy-charter mailing list
>>>> policy-charter at lists.openid.net
>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>
>>>
>>>
>>> --
>>> ---
>>> David Brossard
>>> http://www.linkedin.com/in/davidbrossard
>>> http://twitter.com/davidjbrossard
>>> <https://urldefense.com/v3/__http://twitter.com/davidjbrossard__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzQRlFaRU$>
>>> http://about.me/brossard
>>> <https://urldefense.com/v3/__http://about.me/brossard__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzQqI8AE8$>
>>> ---
>>> Stay safe on the Internet: http://www.ic3.gov/preventiontips.aspx
>>> <https://urldefense.com/v3/__http://www.ic3.gov/preventiontips.aspx__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzljfWGu0$>
>>> Prenez vos pr?cautions sur Internet:
>>> http://www.securite-informatique.gouv.fr/gp_rubrique34.html
>>> <https://urldefense.com/v3/__http://www.securite-informatique.gouv.fr/gp_rubrique34.html__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzo5yrZAg$>
>>> --
>>> policy-charter mailing list
>>> policy-charter at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>
>> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>


-- 
[image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
Their phone number is +1 604 728 8130.]
<https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>

-- 
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments 
hereto, is for the sole use of the intended recipient(s) and may contain 
confidential and/or proprietary information.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230627/477cd11e/attachment-0001.html>

From andrewhughes at pingidentity.com  Tue Jun 27 15:53:10 2023
From: andrewhughes at pingidentity.com (Andrew Hughes)
Date: Tue, 27 Jun 2023 08:53:10 -0700
Subject: [policy-charter] Link to PDP-PEP Interop WG Charter draft
 document
In-Reply-To: <CAOFyxEO9efOCFaARB7GcAga43+E6BQzN9LSJas+HtCemHkF8Sw@mail.gmail.com>
References: <CALS-csXsKbFVDC0uKa-qWgO_C0bVE2UkSoGpzZB84+Wv=B-NKw@mail.gmail.com>
 <CAOFyxEOwS-rziMMq2fgymbyC4Hn-oRVVp7cay6Fx5sMiZke_0Q@mail.gmail.com>
 <50843d0b-b16c-4e40-abe0-a03c2c1f81c9@Canary>
 <DBAPR83MB0422A6DEA28F60F4A14CCE52915FA@DBAPR83MB0422.EURPRD83.prod.outlook.com>
 <CALS-csUin3YwkP5ZeJqAU5ETkovJMJrh0hQ8mUYMmO=dKxmEhw@mail.gmail.com>
 <CAOFyxEMFpv-o5x8Q0_K6-FX2UD1gXtMT7R-Asqw0y0dxaShc0g@mail.gmail.com>
 <CAJO7GQ-wtJf+yp0QWnN951v9aiKaseUAHU9B1uGXf53Lys8BMQ@mail.gmail.com>
 <CALVhW9P2e-VtErszdjCZVwgFEL9qWN-+PhdoGjDuy1e7EOYQGg@mail.gmail.com>
 <CAJO7GQ_Y5Nu1aR4BEw+DgS5cwjYGOd58ZM_wcxiOELr1uoL8YA@mail.gmail.com>
 <CAOFyxEO9efOCFaARB7GcAga43+E6BQzN9LSJas+HtCemHkF8Sw@mail.gmail.com>
Message-ID: <CALS-csVRP8AVMc8ksB=4-hp81UpAzM+mRzp4ZHQng0vVag5j3w@mail.gmail.com>

C'mon everyone - we are almost at 14 specs! You can do it! only a few more
to go before we need a 15th one!
;-)

[Ref: xkcd comic # something]

Andrew Hughes
Director - Identity Standards
andrewhughes at pingidentity.com
Mobile/Signal: +1 250 888 9474



On Tue, Jun 27, 2023 at 8:42?AM Alex Babeanu via policy-charter <
policy-charter at lists.openid.net> wrote:

> Also, are we deciding to completely ignore NGAC?  I think that should be
> considered as well, considering it's the latest standard for authorization
> out there...
>
> https://standards.incits.org/apps/group_public/project/details.php?project_id=2328
>
> ./\.
>
> On Tue, Jun 27, 2023 at 8:40?AM David Brossard via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> We totally should! It is an oversight on my part because I am so policy
>> biased. Sorry!
>>
>> On Tue, Jun 27, 2023, 8:25 AM Andres Aguiar <andres.aguiar at okta.com>
>> wrote:
>>
>>> Hi all!
>>>
>>> Any reason not to include Google Zanzibar-inspired AuthZ implementations
>>> (e.g. OpenFGA, Topaz, SpiceDB, Permify, etc) as part of the scope of this
>>> effort?
>>>
>>> Regards,
>>>
>>> Andres
>>>
>>>
>>> On Tue, Jun 27, 2023 at 12:09?PM David Brossard via policy-charter <
>>> policy-charter at lists.openid.net> wrote:
>>>
>>>> *This message originated outside your organization.*
>>>>
>>>> ------------------------------
>>>>
>>>> I added notes and comments in the Google Doc
>>>> <https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?pli=1>.
>>>> I think it is worth highlighting we're not after yet another standard
>>>> <https://urldefense.com/v3/__https://xkcd.com/927/__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzOe8cLp8$>.
>>>> We want to:
>>>>
>>>>    1. increase interoperability between existing standards. In my
>>>>    mind, the four horsemen of the ap-authz-calypse are ALFA, Cedar, OPA, and
>>>>    IDQL.
>>>>       1. interop from a policy management perspective
>>>>       2. interop from a runtime request/response perspective
>>>>    2. increase awareness of externalized authz so that software
>>>>    developers/owners/SaaS never rebuild their own
>>>>       1. Be the OAuth/SAML of authZ
>>>>       2. Define and propose standard authZ patterns
>>>>          1. use cases
>>>>          2. integration patterns
>>>>
>>>>
>>>> On Mon, Jun 26, 2023 at 8:42?AM Alex Babeanu via policy-charter <
>>>> policy-charter at lists.openid.net> wrote:
>>>>
>>>>> Sounds good to me too.
>>>>> Thanks,
>>>>>
>>>>> ./\.
>>>>>
>>>>> On Fri, Jun 23, 2023 at 10:00?AM Andrew Hughes via policy-charter <
>>>>> policy-charter at lists.openid.net> wrote:
>>>>>
>>>>>> Anyone else want to weigh in on this?
>>>>>>
>>>>>> I'm onboard with Pieter's suggestion that the attached document
>>>>>> describes a deliverable of a larger work group - if so, I'd like to get
>>>>>> closure on the description quickly
>>>>>>
>>>>>> I hope it's a simple and non-controversial deliverable...
>>>>>>
>>>>>> Andrew Hughes
>>>>>> Director - Identity Standards
>>>>>> andrewhughes at pingidentity.com
>>>>>> Mobile/Signal: +1 250 888 9474
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Jun 19, 2023 at 4:30?AM Pieter Kasselman via policy-charter <
>>>>>> policy-charter at lists.openid.net> wrote:
>>>>>>
>>>>>>> My perspective is that we should have one Work Group focused on
>>>>>>> authorization with multiple deliverables (e.g. OpenID Connect and SSF for
>>>>>>> example has multiple deliverables) to start with. This way everyone
>>>>>>> interested in the authorization topic has visibility into the different
>>>>>>> work items and we get the benefit of wider participation and review.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Agreed that something with Authorization in the name would make
>>>>>>> sense, something like AuthZEN Framework (AuthoriZation ExchaNge Framework)
>>>>>>> or AuthIT/AuthZIT Framework (Authorization Interoperability Technology
>>>>>>> Framework)?.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *From:* policy-charter <policy-charter-bounces at lists.openid.net> *On
>>>>>>> Behalf Of *Allan Foster via policy-charter
>>>>>>> *Sent:* Friday, June 16, 2023 10:46 PM
>>>>>>> *To:* Policy Charter Mail List <policy-charter at lists.openid.net>
>>>>>>> *Cc:* Allan Foster <allan at macguru.com>
>>>>>>> *Subject:* Re: [policy-charter] Link to PDP-PEP Interop WG Charter
>>>>>>> draft document
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> So,  I wonder if we should do two different WGs,  or one WG with two
>>>>>>> different standards?. (At least,  for now?)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I am inclined to think the WG should be AuthZ something??.   and
>>>>>>> have two separate streams?. (or standards?)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thoughts
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Allan
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Friday, Jun 16, 2023 at 14:02, Alex Babeanu via policy-charter <
>>>>>>> policy-charter at lists.openid.net> wrote:
>>>>>>>
>>>>>>> Thanks Andrew!
>>>>>>>
>>>>>>> Added a first comment in there... The season's open!
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ./\.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Jun 16, 2023 at 11:50?AM Andrew Hughes via policy-charter <
>>>>>>> policy-charter at lists.openid.net> wrote:
>>>>>>>
>>>>>>> Here is the document I have started - the link puts you into
>>>>>>> "suggest" mode. Please add text with self-attribution. Be respectful of
>>>>>>> others' contributions.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> [image: Ping Identity]
>>>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzcNeP4vs$>
>>>>>>>
>>>>>>> *Andrew Hughes*
>>>>>>> Director - Identity Standards
>>>>>>> andrewhughes at pingidentity.com
>>>>>>>
>>>>>>> *Connect with us: *
>>>>>>>
>>>>>>> [image: Glassdoor logo]
>>>>>>> <https://urldefense.com/v3/__https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzWdCjpz4$>[image:
>>>>>>> LinkedIn logo] <https://www.linkedin.com/company/21870>[image:
>>>>>>> twitter logo]
>>>>>>> <https://urldefense.com/v3/__https://twitter.com/pingidentity__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzDUeSi2c$>[image:
>>>>>>> facebook logo]
>>>>>>> <https://urldefense.com/v3/__https://www.facebook.com/pingidentitypage__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzqt_Q5uo$>[image:
>>>>>>> youtube logo]
>>>>>>> <https://urldefense.com/v3/__https://www.youtube.com/user/PingIdentityTV__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzayZ0G60$>[image:
>>>>>>> Blog logo]
>>>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/en/blog.html__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzBZ_t8is$>
>>>>>>>
>>>>>>>
>>>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/en/company/championing-every-identity/dei.html?utm_source=direct*20to*20website&utm_medium=emailsig__;JSU!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzIokbF3o$>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>>>>> If you have received this communication in error, please notify the sender
>>>>>>> immediately by e-mail and delete the message and any file attachments from
>>>>>>> your computer. Thank you.*--
>>>>>>> policy-charter mailing list
>>>>>>> policy-charter at lists.openid.net
>>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> [image: This is Alexandre Babeanu's card. Their email is
>>>>>>> alex at 3edges.com. Their phone number is +1 604 728 8130.]
>>>>>>> <https://urldefense.com/v3/__https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzhrCCuoA$>
>>>>>>>
>>>>>>>
>>>>>>> CONFIDENTIALITY NOTICE: This e-mail message, including any
>>>>>>> attachments hereto, is for the sole use of the intended recipient(s) and
>>>>>>> may contain confidential and/or proprietary information.
>>>>>>> --
>>>>>>> policy-charter mailing list
>>>>>>> policy-charter at lists.openid.net
>>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>>
>>>>>>> --
>>>>>>> policy-charter mailing list
>>>>>>> policy-charter at lists.openid.net
>>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>>
>>>>>>
>>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>>>> If you have received this communication in error, please notify the sender
>>>>>> immediately by e-mail and delete the message and any file attachments from
>>>>>> your computer. Thank you.*--
>>>>>> policy-charter mailing list
>>>>>> policy-charter at lists.openid.net
>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> [image: This is Alexandre Babeanu's card. Their email is
>>>>> alex at 3edges.com. Their phone number is +1 604 728 8130.]
>>>>> <https://urldefense.com/v3/__https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzhrCCuoA$>
>>>>>
>>>>> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
>>>>> hereto, is for the sole use of the intended recipient(s) and may contain
>>>>> confidential and/or proprietary information.
>>>>> --
>>>>> policy-charter mailing list
>>>>> policy-charter at lists.openid.net
>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>
>>>>
>>>>
>>>> --
>>>> ---
>>>> David Brossard
>>>> http://www.linkedin.com/in/davidbrossard
>>>> http://twitter.com/davidjbrossard
>>>> <https://urldefense.com/v3/__http://twitter.com/davidjbrossard__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzQRlFaRU$>
>>>> http://about.me/brossard
>>>> <https://urldefense.com/v3/__http://about.me/brossard__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzQqI8AE8$>
>>>> ---
>>>> Stay safe on the Internet: http://www.ic3.gov/preventiontips.aspx
>>>> <https://urldefense.com/v3/__http://www.ic3.gov/preventiontips.aspx__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzljfWGu0$>
>>>> Prenez vos pr?cautions sur Internet:
>>>> http://www.securite-informatique.gouv.fr/gp_rubrique34.html
>>>> <https://urldefense.com/v3/__http://www.securite-informatique.gouv.fr/gp_rubrique34.html__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzo5yrZAg$>
>>>> --
>>>> policy-charter mailing list
>>>> policy-charter at lists.openid.net
>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>
>>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>
>
> --
> [image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
> Their phone number is +1 604 728 8130.]
> <https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>
>
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
> hereto, is for the sole use of the intended recipient(s) and may contain
> confidential and/or proprietary information.
> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.? If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230627/ac83fdef/attachment-0001.html>

From sehutchinson at gmail.com  Tue Jun 27 16:16:24 2023
From: sehutchinson at gmail.com (Steve Hutchinson)
Date: Tue, 27 Jun 2023 12:16:24 -0400
Subject: [policy-charter] Link to PDP-PEP Interop WG Charter draft
 document
In-Reply-To: <CALS-csVRP8AVMc8ksB=4-hp81UpAzM+mRzp4ZHQng0vVag5j3w@mail.gmail.com>
References: <CALS-csXsKbFVDC0uKa-qWgO_C0bVE2UkSoGpzZB84+Wv=B-NKw@mail.gmail.com>
 <CAOFyxEOwS-rziMMq2fgymbyC4Hn-oRVVp7cay6Fx5sMiZke_0Q@mail.gmail.com>
 <50843d0b-b16c-4e40-abe0-a03c2c1f81c9@Canary>
 <DBAPR83MB0422A6DEA28F60F4A14CCE52915FA@DBAPR83MB0422.EURPRD83.prod.outlook.com>
 <CALS-csUin3YwkP5ZeJqAU5ETkovJMJrh0hQ8mUYMmO=dKxmEhw@mail.gmail.com>
 <CAOFyxEMFpv-o5x8Q0_K6-FX2UD1gXtMT7R-Asqw0y0dxaShc0g@mail.gmail.com>
 <CAJO7GQ-wtJf+yp0QWnN951v9aiKaseUAHU9B1uGXf53Lys8BMQ@mail.gmail.com>
 <CALVhW9P2e-VtErszdjCZVwgFEL9qWN-+PhdoGjDuy1e7EOYQGg@mail.gmail.com>
 <CAJO7GQ_Y5Nu1aR4BEw+DgS5cwjYGOd58ZM_wcxiOELr1uoL8YA@mail.gmail.com>
 <CAOFyxEO9efOCFaARB7GcAga43+E6BQzN9LSJas+HtCemHkF8Sw@mail.gmail.com>
 <CALS-csVRP8AVMc8ksB=4-hp81UpAzM+mRzp4ZHQng0vVag5j3w@mail.gmail.com>
Message-ID: <CANG1RPkrp+s7QjxWNpv1NMVH1whdzsrvLUaq+yiY2Xx4KGP0UQ@mail.gmail.com>

I thought we were building the 15th one ;-)



On Tue, Jun 27, 2023 at 11:53?AM Andrew Hughes via policy-charter <
policy-charter at lists.openid.net> wrote:

> C'mon everyone - we are almost at 14 specs! You can do it! only a few more
> to go before we need a 15th one!
> ;-)
>
> [Ref: xkcd comic # something]
>
> Andrew Hughes
> Director - Identity Standards
> andrewhughes at pingidentity.com
> Mobile/Signal: +1 250 888 9474
>
>
>
> On Tue, Jun 27, 2023 at 8:42?AM Alex Babeanu via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> Also, are we deciding to completely ignore NGAC?  I think that should be
>> considered as well, considering it's the latest standard for authorization
>> out there...
>>
>> https://standards.incits.org/apps/group_public/project/details.php?project_id=2328
>>
>> ./\.
>>
>> On Tue, Jun 27, 2023 at 8:40?AM David Brossard via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>>> We totally should! It is an oversight on my part because I am so policy
>>> biased. Sorry!
>>>
>>> On Tue, Jun 27, 2023, 8:25 AM Andres Aguiar <andres.aguiar at okta.com>
>>> wrote:
>>>
>>>> Hi all!
>>>>
>>>> Any reason not to include Google Zanzibar-inspired AuthZ
>>>> implementations (e.g. OpenFGA, Topaz, SpiceDB, Permify, etc) as part of the
>>>> scope of this effort?
>>>>
>>>> Regards,
>>>>
>>>> Andres
>>>>
>>>>
>>>> On Tue, Jun 27, 2023 at 12:09?PM David Brossard via policy-charter <
>>>> policy-charter at lists.openid.net> wrote:
>>>>
>>>>> *This message originated outside your organization.*
>>>>>
>>>>> ------------------------------
>>>>>
>>>>> I added notes and comments in the Google Doc
>>>>> <https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?pli=1>.
>>>>> I think it is worth highlighting we're not after yet another standard
>>>>> <https://urldefense.com/v3/__https://xkcd.com/927/__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzOe8cLp8$>.
>>>>> We want to:
>>>>>
>>>>>    1. increase interoperability between existing standards. In my
>>>>>    mind, the four horsemen of the ap-authz-calypse are ALFA, Cedar, OPA, and
>>>>>    IDQL.
>>>>>       1. interop from a policy management perspective
>>>>>       2. interop from a runtime request/response perspective
>>>>>    2. increase awareness of externalized authz so that software
>>>>>    developers/owners/SaaS never rebuild their own
>>>>>       1. Be the OAuth/SAML of authZ
>>>>>       2. Define and propose standard authZ patterns
>>>>>          1. use cases
>>>>>          2. integration patterns
>>>>>
>>>>>
>>>>> On Mon, Jun 26, 2023 at 8:42?AM Alex Babeanu via policy-charter <
>>>>> policy-charter at lists.openid.net> wrote:
>>>>>
>>>>>> Sounds good to me too.
>>>>>> Thanks,
>>>>>>
>>>>>> ./\.
>>>>>>
>>>>>> On Fri, Jun 23, 2023 at 10:00?AM Andrew Hughes via policy-charter <
>>>>>> policy-charter at lists.openid.net> wrote:
>>>>>>
>>>>>>> Anyone else want to weigh in on this?
>>>>>>>
>>>>>>> I'm onboard with Pieter's suggestion that the attached document
>>>>>>> describes a deliverable of a larger work group - if so, I'd like to get
>>>>>>> closure on the description quickly
>>>>>>>
>>>>>>> I hope it's a simple and non-controversial deliverable...
>>>>>>>
>>>>>>> Andrew Hughes
>>>>>>> Director - Identity Standards
>>>>>>> andrewhughes at pingidentity.com
>>>>>>> Mobile/Signal: +1 250 888 9474
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Jun 19, 2023 at 4:30?AM Pieter Kasselman via policy-charter <
>>>>>>> policy-charter at lists.openid.net> wrote:
>>>>>>>
>>>>>>>> My perspective is that we should have one Work Group focused on
>>>>>>>> authorization with multiple deliverables (e.g. OpenID Connect and SSF for
>>>>>>>> example has multiple deliverables) to start with. This way everyone
>>>>>>>> interested in the authorization topic has visibility into the different
>>>>>>>> work items and we get the benefit of wider participation and review.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Agreed that something with Authorization in the name would make
>>>>>>>> sense, something like AuthZEN Framework (AuthoriZation ExchaNge Framework)
>>>>>>>> or AuthIT/AuthZIT Framework (Authorization Interoperability Technology
>>>>>>>> Framework)?.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> *From:* policy-charter <policy-charter-bounces at lists.openid.net> *On
>>>>>>>> Behalf Of *Allan Foster via policy-charter
>>>>>>>> *Sent:* Friday, June 16, 2023 10:46 PM
>>>>>>>> *To:* Policy Charter Mail List <policy-charter at lists.openid.net>
>>>>>>>> *Cc:* Allan Foster <allan at macguru.com>
>>>>>>>> *Subject:* Re: [policy-charter] Link to PDP-PEP Interop WG Charter
>>>>>>>> draft document
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> So,  I wonder if we should do two different WGs,  or one WG with
>>>>>>>> two different standards?. (At least,  for now?)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I am inclined to think the WG should be AuthZ something??.   and
>>>>>>>> have two separate streams?. (or standards?)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Thoughts
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Allan
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Friday, Jun 16, 2023 at 14:02, Alex Babeanu via policy-charter <
>>>>>>>> policy-charter at lists.openid.net> wrote:
>>>>>>>>
>>>>>>>> Thanks Andrew!
>>>>>>>>
>>>>>>>> Added a first comment in there... The season's open!
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ./\.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Jun 16, 2023 at 11:50?AM Andrew Hughes via policy-charter <
>>>>>>>> policy-charter at lists.openid.net> wrote:
>>>>>>>>
>>>>>>>> Here is the document I have started - the link puts you into
>>>>>>>> "suggest" mode. Please add text with self-attribution. Be respectful of
>>>>>>>> others' contributions.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> [image: Ping Identity]
>>>>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzcNeP4vs$>
>>>>>>>>
>>>>>>>> *Andrew Hughes*
>>>>>>>> Director - Identity Standards
>>>>>>>> andrewhughes at pingidentity.com
>>>>>>>>
>>>>>>>> *Connect with us: *
>>>>>>>>
>>>>>>>> [image: Glassdoor logo]
>>>>>>>> <https://urldefense.com/v3/__https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzWdCjpz4$>[image:
>>>>>>>> LinkedIn logo] <https://www.linkedin.com/company/21870>[image:
>>>>>>>> twitter logo]
>>>>>>>> <https://urldefense.com/v3/__https://twitter.com/pingidentity__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzDUeSi2c$>[image:
>>>>>>>> facebook logo]
>>>>>>>> <https://urldefense.com/v3/__https://www.facebook.com/pingidentitypage__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzqt_Q5uo$>[image:
>>>>>>>> youtube logo]
>>>>>>>> <https://urldefense.com/v3/__https://www.youtube.com/user/PingIdentityTV__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzayZ0G60$>[image:
>>>>>>>> Blog logo]
>>>>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/en/blog.html__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzBZ_t8is$>
>>>>>>>>
>>>>>>>>
>>>>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/en/company/championing-every-identity/dei.html?utm_source=direct*20to*20website&utm_medium=emailsig__;JSU!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzIokbF3o$>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>>>>>> If you have received this communication in error, please notify the sender
>>>>>>>> immediately by e-mail and delete the message and any file attachments from
>>>>>>>> your computer. Thank you.*--
>>>>>>>> policy-charter mailing list
>>>>>>>> policy-charter at lists.openid.net
>>>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> [image: This is Alexandre Babeanu's card. Their email is
>>>>>>>> alex at 3edges.com. Their phone number is +1 604 728 8130.]
>>>>>>>> <https://urldefense.com/v3/__https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzhrCCuoA$>
>>>>>>>>
>>>>>>>>
>>>>>>>> CONFIDENTIALITY NOTICE: This e-mail message, including any
>>>>>>>> attachments hereto, is for the sole use of the intended recipient(s) and
>>>>>>>> may contain confidential and/or proprietary information.
>>>>>>>> --
>>>>>>>> policy-charter mailing list
>>>>>>>> policy-charter at lists.openid.net
>>>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>>>
>>>>>>>> --
>>>>>>>> policy-charter mailing list
>>>>>>>> policy-charter at lists.openid.net
>>>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>>>
>>>>>>>
>>>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>>>>> If you have received this communication in error, please notify the sender
>>>>>>> immediately by e-mail and delete the message and any file attachments from
>>>>>>> your computer. Thank you.*--
>>>>>>> policy-charter mailing list
>>>>>>> policy-charter at lists.openid.net
>>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> [image: This is Alexandre Babeanu's card. Their email is
>>>>>> alex at 3edges.com. Their phone number is +1 604 728 8130.]
>>>>>> <https://urldefense.com/v3/__https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzhrCCuoA$>
>>>>>>
>>>>>> CONFIDENTIALITY NOTICE: This e-mail message, including any
>>>>>> attachments hereto, is for the sole use of the intended recipient(s) and
>>>>>> may contain confidential and/or proprietary information.
>>>>>> --
>>>>>> policy-charter mailing list
>>>>>> policy-charter at lists.openid.net
>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> ---
>>>>> David Brossard
>>>>> http://www.linkedin.com/in/davidbrossard
>>>>> http://twitter.com/davidjbrossard
>>>>> <https://urldefense.com/v3/__http://twitter.com/davidjbrossard__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzQRlFaRU$>
>>>>> http://about.me/brossard
>>>>> <https://urldefense.com/v3/__http://about.me/brossard__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzQqI8AE8$>
>>>>> ---
>>>>> Stay safe on the Internet: http://www.ic3.gov/preventiontips.aspx
>>>>> <https://urldefense.com/v3/__http://www.ic3.gov/preventiontips.aspx__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzljfWGu0$>
>>>>> Prenez vos pr?cautions sur Internet:
>>>>> http://www.securite-informatique.gouv.fr/gp_rubrique34.html
>>>>> <https://urldefense.com/v3/__http://www.securite-informatique.gouv.fr/gp_rubrique34.html__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzo5yrZAg$>
>>>>> --
>>>>> policy-charter mailing list
>>>>> policy-charter at lists.openid.net
>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>
>>>> --
>>> policy-charter mailing list
>>> policy-charter at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>
>>
>>
>> --
>> [image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
>> Their phone number is +1 604 728 8130.]
>> <https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>
>>
>> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
>> hereto, is for the sole use of the intended recipient(s) and may contain
>> confidential and/or proprietary information.
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*--
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230627/6142b5d4/attachment-0001.html>

From pieter.kasselman at microsoft.com  Tue Jun 27 18:43:41 2023
From: pieter.kasselman at microsoft.com (Pieter Kasselman)
Date: Tue, 27 Jun 2023 18:43:41 +0000
Subject: [policy-charter] PEP-PDP Group
In-Reply-To: <CAJO7GQ_HHvuxS17v1KKJJsPOfg__0bZ-spgP=XfuxmjR9vUX4A@mail.gmail.com>
References: <CALkJ7sWdDSMHo1d5xJY7xZWsfhDfYjk06ePR3zDAnMC3GhPdXw@mail.gmail.com>
 <CAJO7GQ_tQDOcm4FwiZE72rz56-jRscPafL9+1MiQAhCwjJmNnQ@mail.gmail.com>
 <6df4307c-f221-1068-3a3f-5c1672a9eaaf@umbrella.associates>
 <CALkJ7sUMNM8_56i7RvFTcf3EQpnSwdH7rkt=XLcJFprJ8CJUsA@mail.gmail.com>
 <DM8P220MB06530D44226E548E051CC70AF755A@DM8P220MB0653.NAMP220.PROD.OUTLOOK.COM>
 <CAOFyxENvzJ=+DU4vHjVB2ai0MC6MzzfNqxL5jF0Rw1MnQkq_dQ@mail.gmail.com>
 <2a5c3d88-c433-453a-8085-c3e2834ea9c2@Canary>
 <CAJO7GQ_HHvuxS17v1KKJJsPOfg__0bZ-spgP=XfuxmjR9vUX4A@mail.gmail.com>
Message-ID: <DBAPR83MB04229645779376B7769E20AC9127A@DBAPR83MB0422.EURPRD83.prod.outlook.com>

Hi David, the difference between the direct and indirect requests are interesting. The Direct request feels like a  request for a decision while the indirect request feels like policy retrieval (with some parameters to scope retrieval of policies as it relate to Alice and claims). Can you describe the use cases for when the direct vs when the indirect approach is used?

From: policy-charter <policy-charter-bounces at lists.openid.net> On Behalf Of David Brossard via policy-charter
Sent: Tuesday, June 27, 2023 4:17 PM
To: Policy Charter Mail List <policy-charter at lists.openid.net>
Cc: David Brossard <david.brossard at gmail.com>
Subject: Re: [policy-charter] PEP-PDP Group

I agree with Allan. There's another aspect to runtime authZ: it eliminates the need to define entitlements up front. It eliminates the need for role, permissions, and entitlements engineering, and consequently provisioning and de-provisioning.

This makes me think another area of investigation for this WG is bridging the runtime authz world (XACML, OPA...) with the non-runtime authz world (OAuth scopes & claims, SCIM entitlements...) AuthZ frameworks should be capable of generating dynamic claims that are fed into a token. CAEP could be used to update/revoke/enrich such tokens.

This means we need different ways to query a policy. And perhaps different ways to write policies. Let's assume a business authz policy:


  *   Policy: Claims processors can approve a claim in their region if the amount claimed is less than the approver's limit.
  *   Direct request: Can Alice approve claim #123? (in the background, attribute retrieval is run to figure out who Alice is and what claim 123's region and amount are)

     *   Answer: Permit/Deny + obligations

  *   Indirect request: tell me what Alice can do on claims

     *   Answer: approve + claim amount < $500 + region = Moose Jaw.


On Wed, Jun 14, 2023 at 8:15?AM Allan Foster via policy-charter <policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>> wrote:


Alex,  I am not sure I fully agree with your statement!

Although you might not use a PEP to protect those resources,  There is still a reasonable use case to treat the spec as the API and transport for those resources to call out to a centralized AuthZ server.

I think there are at least two use cases for standardization (as we discussed at IDentiverse)

1.  A standardized interface between PEPs  or agents and the PDP.  This would allow de-weaponization of agents, and interoperability at the agent level?.
2.  A standardization athe policy level so that IF the PDP cannot be centralized, the interop would be at the Policy level.  Enabling the Policy Management to be centralized.

A SaaS might not be willing to call out to a central PDP for AuthZ (and all the performance problems that brings) but might well be willing to accept the Policy definition into its own AuthZ system

I see these as complimentary.

On another note, We want to ensure that whatever we do at the PEP/PDP level,  we allow for real time decisions.  AuthZ decisions are not necessarily entitlements, and the decision may well depend on environmental issues at the time of the request.

Allan



On Tuesday, Jun 13, 2023 at 11:45, Alex Babeanu <alex at 3edges.com<mailto:alex at 3edges.com>> wrote:
This is a good discussion, that said a PEP is actually not mandated in all cases. For example you would not use a PEP to secure GraphQL APIs nor COTS software.

I'm going to share soon a doc, to all contribute on, that lists common authorization design patterns. I think it would be a good basis for discussion, and at least to scope what we're trying to do...

Thanks,
./\lex.

On Tue, Jun 13, 2023 at 11:30?AM Allan Foster via policy-charter <policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>> wrote:
So I am thinking we also want to set some scope of what we want to cover?

Off the top of my head?.   I can put some more context around these if they aren?t clear

The Transport layer
The Envelope Layer
The request/response transaction layer
How meta-data is handled?  (both request and response)
Extension mechanisms
Exception mechanism

Allan



From: policy-charter <policy-charter-bounces at lists.openid.net<mailto:policy-charter-bounces at lists.openid.net>> on behalf of Omri Gazitt via policy-charter <policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>>
Date: Tuesday, June 13, 2023 at 10:54
To: Policy Charter Mail List <policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>>
Cc: Omri Gazitt <omri at aserto.com<mailto:omri at aserto.com>>
Subject: Re: [policy-charter] PEP-PDP Group
I agree with David that looking at existing systems is a good place to start. If the idea is that PDPs can add a "standard" API that PEPs can call, then it would be good if the API supports the existing message exchange patterns (and doesn't mandate things that aren't supported).

Here are three examples, to get us started:

  *   OPA is interesting in the sense that its primary REST API is very document-oriented - you have a set of rules that are defined in a JSON-style hierarchy and you issue a GET or POST on that resource in the hierarchy to evaluate the rule that is rooted there. This seems like a special case. OPA does have a generic query<https://www.openpolicyagent.org/docs/latest/rest-api/#execute-an-ad-hoc-query> API, which allows you to pass input and evaluate a rego query based on the loaded policy document and the input.
  *   Auth0 FGA (one of the zanzibar implementations) has a check<https://www.openpolicyagent.org/docs/latest/rest-api/#execute-an-ad-hoc-query> API that takes a JSON payload containing a user key, relation name, and object key, and returns an allowed decision (true or false). Most zanzibar implementations seem to do something similar - e.g. SpiceDB has a check<https://www.postman.com/authzed/workspace/spicedb/documentation/21043612-9786e5f3-2014-4b31-86c1-39335236c0e2?entity=request-c58c40ff-9fc7-4c3e-9cca-f017160ba5b8> API that takes a resource, permission, and subject.
  *   Topaz (Aserto's OSS authorizer) has a query<https://aserto.readme.io/reference/authorizerquery-1> API that takes an identity and policy (rule/decisions to evaluate), and optionally a resource context and additional input, and returns what OPA would return. It also has a simpler is<https://aserto.readme.io/reference/authorizeris-1> API that evaluates a policy (rule/decisions) with an identity and resource context.


On Tue, Jun 13, 2023 at 1:54?AM Roland Baum via policy-charter <policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>> wrote:
I'm in as well :-D



Roland Baum
umbrella.associates GmbH


--
policy-charter mailing list
policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>
https://lists.openid.net/mailman/listinfo/policy-charter
--
policy-charter mailing list
policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>
https://lists.openid.net/mailman/listinfo/policy-charter


--
[This is Alexandre Babeanu's card. Their email is alex at 3edges.com. Their phone number is +1 604 728 8130.]<https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments hereto, is for the sole use of the intended recipient(s) and may contain confidential and/or proprietary information.
--
policy-charter mailing list
policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>
https://lists.openid.net/mailman/listinfo/policy-charter


--
---
David Brossard
http://www.linkedin.com/in/davidbrossard
http://twitter.com/davidjbrossard
http://about.me/brossard
---
Stay safe on the Internet: http://www.ic3.gov/preventiontips.aspx
Prenez vos pr?cautions sur Internet: http://www.securite-informatique.gouv.fr/gp_rubrique34.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230627/0a8c44b3/attachment-0001.html>

From atul at sgnl.ai  Tue Jun 27 23:37:58 2023
From: atul at sgnl.ai (Atul Tulshibagwale)
Date: Tue, 27 Jun 2023 16:37:58 -0700
Subject: [policy-charter] Authorization API Proposal
Message-ID: <CANtBS9fNYA-cPsrWNAVNQL0wOzsp=osZrPExcx7goqQ28eOpmw@mail.gmail.com>

Hi all,

Here's a proposal of an Authorization API that we would like to contribute
to this group (in its current form or if / when we find a home in a
standards body). This is similar to at least a few vendors' current
offerings, so I hope everyone finds this helpful, and we can accelerate our
standardization efforts as a result.

You can read the proposal in HTML format here:
https://sgnl-ai.github.io/authzapi/

The sources (under the MIT License) are here:
https://github.com/SGNL-ai/authzapi

- Atul Tulshibagwale, Erik Gustavson and Marc Jordan

-- 

<https://sgnl.ai>

Atul Tulshibagwale

CTO

<https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
<atul at sgnl.ai>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230627/9a202a39/attachment.html>

From omri at aserto.com  Wed Jun 28 01:57:31 2023
From: omri at aserto.com (Omri Gazitt)
Date: Tue, 27 Jun 2023 18:57:31 -0700
Subject: [policy-charter] Link to PDP-PEP Interop WG Charter draft
 document
In-Reply-To: <CAJO7GQ_Y5Nu1aR4BEw+DgS5cwjYGOd58ZM_wcxiOELr1uoL8YA@mail.gmail.com>
References: <CALS-csXsKbFVDC0uKa-qWgO_C0bVE2UkSoGpzZB84+Wv=B-NKw@mail.gmail.com>
 <CAOFyxEOwS-rziMMq2fgymbyC4Hn-oRVVp7cay6Fx5sMiZke_0Q@mail.gmail.com>
 <50843d0b-b16c-4e40-abe0-a03c2c1f81c9@Canary>
 <DBAPR83MB0422A6DEA28F60F4A14CCE52915FA@DBAPR83MB0422.EURPRD83.prod.outlook.com>
 <CALS-csUin3YwkP5ZeJqAU5ETkovJMJrh0hQ8mUYMmO=dKxmEhw@mail.gmail.com>
 <CAOFyxEMFpv-o5x8Q0_K6-FX2UD1gXtMT7R-Asqw0y0dxaShc0g@mail.gmail.com>
 <CAJO7GQ-wtJf+yp0QWnN951v9aiKaseUAHU9B1uGXf53Lys8BMQ@mail.gmail.com>
 <CALVhW9P2e-VtErszdjCZVwgFEL9qWN-+PhdoGjDuy1e7EOYQGg@mail.gmail.com>
 <CAJO7GQ_Y5Nu1aR4BEw+DgS5cwjYGOd58ZM_wcxiOELr1uoL8YA@mail.gmail.com>
Message-ID: <CALkJ7sXYXrU3LTjsC86n1kTpPiV8=Hpg_GDZn_9WcbreLxZGuA@mail.gmail.com>

Cool - and I completely agree that the scope ought to include systems that
support a relationship (and/or graph) model.

So perhaps more horsemen :)

Is there a new charter document that includes this as a requirement?

On Tue, Jun 27, 2023 at 8:40?AM David Brossard via policy-charter <
policy-charter at lists.openid.net> wrote:

> We totally should! It is an oversight on my part because I am so policy
> biased. Sorry!
>
> On Tue, Jun 27, 2023, 8:25 AM Andres Aguiar <andres.aguiar at okta.com>
> wrote:
>
>> Hi all!
>>
>> Any reason not to include Google Zanzibar-inspired AuthZ implementations
>> (e.g. OpenFGA, Topaz, SpiceDB, Permify, etc) as part of the scope of this
>> effort?
>>
>> Regards,
>>
>> Andres
>>
>>
>> On Tue, Jun 27, 2023 at 12:09?PM David Brossard via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>>> *This message originated outside your organization.*
>>>
>>> ------------------------------
>>>
>>> I added notes and comments in the Google Doc
>>> <https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?pli=1>.
>>> I think it is worth highlighting we're not after yet another standard
>>> <https://urldefense.com/v3/__https://xkcd.com/927/__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzOe8cLp8$>.
>>> We want to:
>>>
>>>    1. increase interoperability between existing standards. In my mind,
>>>    the four horsemen of the ap-authz-calypse are ALFA, Cedar, OPA, and IDQL.
>>>       1. interop from a policy management perspective
>>>       2. interop from a runtime request/response perspective
>>>    2. increase awareness of externalized authz so that software
>>>    developers/owners/SaaS never rebuild their own
>>>       1. Be the OAuth/SAML of authZ
>>>       2. Define and propose standard authZ patterns
>>>          1. use cases
>>>          2. integration patterns
>>>
>>>
>>> On Mon, Jun 26, 2023 at 8:42?AM Alex Babeanu via policy-charter <
>>> policy-charter at lists.openid.net> wrote:
>>>
>>>> Sounds good to me too.
>>>> Thanks,
>>>>
>>>> ./\.
>>>>
>>>> On Fri, Jun 23, 2023 at 10:00?AM Andrew Hughes via policy-charter <
>>>> policy-charter at lists.openid.net> wrote:
>>>>
>>>>> Anyone else want to weigh in on this?
>>>>>
>>>>> I'm onboard with Pieter's suggestion that the attached document
>>>>> describes a deliverable of a larger work group - if so, I'd like to get
>>>>> closure on the description quickly
>>>>>
>>>>> I hope it's a simple and non-controversial deliverable...
>>>>>
>>>>> Andrew Hughes
>>>>> Director - Identity Standards
>>>>> andrewhughes at pingidentity.com
>>>>> Mobile/Signal: +1 250 888 9474
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Jun 19, 2023 at 4:30?AM Pieter Kasselman via policy-charter <
>>>>> policy-charter at lists.openid.net> wrote:
>>>>>
>>>>>> My perspective is that we should have one Work Group focused on
>>>>>> authorization with multiple deliverables (e.g. OpenID Connect and SSF for
>>>>>> example has multiple deliverables) to start with. This way everyone
>>>>>> interested in the authorization topic has visibility into the different
>>>>>> work items and we get the benefit of wider participation and review.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Agreed that something with Authorization in the name would make
>>>>>> sense, something like AuthZEN Framework (AuthoriZation ExchaNge Framework)
>>>>>> or AuthIT/AuthZIT Framework (Authorization Interoperability Technology
>>>>>> Framework)?.
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* policy-charter <policy-charter-bounces at lists.openid.net> *On
>>>>>> Behalf Of *Allan Foster via policy-charter
>>>>>> *Sent:* Friday, June 16, 2023 10:46 PM
>>>>>> *To:* Policy Charter Mail List <policy-charter at lists.openid.net>
>>>>>> *Cc:* Allan Foster <allan at macguru.com>
>>>>>> *Subject:* Re: [policy-charter] Link to PDP-PEP Interop WG Charter
>>>>>> draft document
>>>>>>
>>>>>>
>>>>>>
>>>>>> So,  I wonder if we should do two different WGs,  or one WG with two
>>>>>> different standards?. (At least,  for now?)
>>>>>>
>>>>>>
>>>>>>
>>>>>> I am inclined to think the WG should be AuthZ something??.   and have
>>>>>> two separate streams?. (or standards?)
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thoughts
>>>>>>
>>>>>>
>>>>>>
>>>>>> Allan
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Friday, Jun 16, 2023 at 14:02, Alex Babeanu via policy-charter <
>>>>>> policy-charter at lists.openid.net> wrote:
>>>>>>
>>>>>> Thanks Andrew!
>>>>>>
>>>>>> Added a first comment in there... The season's open!
>>>>>>
>>>>>>
>>>>>>
>>>>>> ./\.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Jun 16, 2023 at 11:50?AM Andrew Hughes via policy-charter <
>>>>>> policy-charter at lists.openid.net> wrote:
>>>>>>
>>>>>> Here is the document I have started - the link puts you into
>>>>>> "suggest" mode. Please add text with self-attribution. Be respectful of
>>>>>> others' contributions.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> [image: Ping Identity]
>>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzcNeP4vs$>
>>>>>>
>>>>>> *Andrew Hughes*
>>>>>> Director - Identity Standards
>>>>>> andrewhughes at pingidentity.com
>>>>>>
>>>>>> *Connect with us: *
>>>>>>
>>>>>> [image: Glassdoor logo]
>>>>>> <https://urldefense.com/v3/__https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzWdCjpz4$>[image:
>>>>>> LinkedIn logo] <https://www.linkedin.com/company/21870>[image:
>>>>>> twitter logo]
>>>>>> <https://urldefense.com/v3/__https://twitter.com/pingidentity__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzDUeSi2c$>[image:
>>>>>> facebook logo]
>>>>>> <https://urldefense.com/v3/__https://www.facebook.com/pingidentitypage__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzqt_Q5uo$>[image:
>>>>>> youtube logo]
>>>>>> <https://urldefense.com/v3/__https://www.youtube.com/user/PingIdentityTV__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzayZ0G60$>[image:
>>>>>> Blog logo]
>>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/en/blog.html__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzBZ_t8is$>
>>>>>>
>>>>>>
>>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/en/company/championing-every-identity/dei.html?utm_source=direct*20to*20website&utm_medium=emailsig__;JSU!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzIokbF3o$>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>>>> If you have received this communication in error, please notify the sender
>>>>>> immediately by e-mail and delete the message and any file attachments from
>>>>>> your computer. Thank you.*--
>>>>>> policy-charter mailing list
>>>>>> policy-charter at lists.openid.net
>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> [image: This is Alexandre Babeanu's card. Their email is
>>>>>> alex at 3edges.com. Their phone number is +1 604 728 8130.]
>>>>>> <https://urldefense.com/v3/__https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzhrCCuoA$>
>>>>>>
>>>>>>
>>>>>> CONFIDENTIALITY NOTICE: This e-mail message, including any
>>>>>> attachments hereto, is for the sole use of the intended recipient(s) and
>>>>>> may contain confidential and/or proprietary information.
>>>>>> --
>>>>>> policy-charter mailing list
>>>>>> policy-charter at lists.openid.net
>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>
>>>>>> --
>>>>>> policy-charter mailing list
>>>>>> policy-charter at lists.openid.net
>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>
>>>>>
>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>>> If you have received this communication in error, please notify the sender
>>>>> immediately by e-mail and delete the message and any file attachments from
>>>>> your computer. Thank you.*--
>>>>> policy-charter mailing list
>>>>> policy-charter at lists.openid.net
>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>
>>>>
>>>>
>>>> --
>>>> [image: This is Alexandre Babeanu's card. Their email is
>>>> alex at 3edges.com. Their phone number is +1 604 728 8130.]
>>>> <https://urldefense.com/v3/__https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzhrCCuoA$>
>>>>
>>>> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
>>>> hereto, is for the sole use of the intended recipient(s) and may contain
>>>> confidential and/or proprietary information.
>>>> --
>>>> policy-charter mailing list
>>>> policy-charter at lists.openid.net
>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>
>>>
>>>
>>> --
>>> ---
>>> David Brossard
>>> http://www.linkedin.com/in/davidbrossard
>>> http://twitter.com/davidjbrossard
>>> <https://urldefense.com/v3/__http://twitter.com/davidjbrossard__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzQRlFaRU$>
>>> http://about.me/brossard
>>> <https://urldefense.com/v3/__http://about.me/brossard__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzQqI8AE8$>
>>> ---
>>> Stay safe on the Internet: http://www.ic3.gov/preventiontips.aspx
>>> <https://urldefense.com/v3/__http://www.ic3.gov/preventiontips.aspx__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzljfWGu0$>
>>> Prenez vos pr?cautions sur Internet:
>>> http://www.securite-informatique.gouv.fr/gp_rubrique34.html
>>> <https://urldefense.com/v3/__http://www.securite-informatique.gouv.fr/gp_rubrique34.html__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzo5yrZAg$>
>>> --
>>> policy-charter mailing list
>>> policy-charter at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>
>> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230627/9dd25e40/attachment-0001.html>

From omri at aserto.com  Wed Jun 28 02:07:34 2023
From: omri at aserto.com (Omri Gazitt)
Date: Tue, 27 Jun 2023 19:07:34 -0700
Subject: [policy-charter] PEP-PDP Group
In-Reply-To: <DBAPR83MB04229645779376B7769E20AC9127A@DBAPR83MB0422.EURPRD83.prod.outlook.com>
References: <CALkJ7sWdDSMHo1d5xJY7xZWsfhDfYjk06ePR3zDAnMC3GhPdXw@mail.gmail.com>
 <CAJO7GQ_tQDOcm4FwiZE72rz56-jRscPafL9+1MiQAhCwjJmNnQ@mail.gmail.com>
 <6df4307c-f221-1068-3a3f-5c1672a9eaaf@umbrella.associates>
 <CALkJ7sUMNM8_56i7RvFTcf3EQpnSwdH7rkt=XLcJFprJ8CJUsA@mail.gmail.com>
 <DM8P220MB06530D44226E548E051CC70AF755A@DM8P220MB0653.NAMP220.PROD.OUTLOOK.COM>
 <CAOFyxENvzJ=+DU4vHjVB2ai0MC6MzzfNqxL5jF0Rw1MnQkq_dQ@mail.gmail.com>
 <2a5c3d88-c433-453a-8085-c3e2834ea9c2@Canary>
 <CAJO7GQ_HHvuxS17v1KKJJsPOfg__0bZ-spgP=XfuxmjR9vUX4A@mail.gmail.com>
 <DBAPR83MB04229645779376B7769E20AC9127A@DBAPR83MB0422.EURPRD83.prod.outlook.com>
Message-ID: <CALkJ7sXtgv5=G96pDZj=wDT8jJgDpb4XHMEYnqsKc8riwcfzuw@mail.gmail.com>

In my experience, what you call "direct request" is used for making
authorization decisions which are fully specified (subject,
action/relationship/permission, object).

An "indirect request" can be used to filter results, which is a very
adjacent scenario to authorization.

   - In OPA, this can be accomplished by issuing a partial query and
   parsing the resulting AST to construct a restriction clause for the
   resource/data service (e.g. a SQL WHERE clause)
   - In Zanzibar-inspired systems, this can be accomplished by using an
   "expand" API to return all the objects of a certain type which have a
   relationship to the subject, which (again) can be used as a restriction
   clause

Atul's document covers both scenarios (evaluation API and search API).


On Tue, Jun 27, 2023 at 11:43?AM Pieter Kasselman via policy-charter <
policy-charter at lists.openid.net> wrote:

> Hi David, the difference between the direct and indirect requests are
> interesting. The Direct request feels like a  request for a decision while
> the indirect request feels like policy retrieval (with some parameters to
> scope retrieval of policies as it relate to Alice and claims). Can you
> describe the use cases for when the direct vs when the indirect approach is
> used?
>
>
>
> *From:* policy-charter <policy-charter-bounces at lists.openid.net> *On
> Behalf Of *David Brossard via policy-charter
> *Sent:* Tuesday, June 27, 2023 4:17 PM
> *To:* Policy Charter Mail List <policy-charter at lists.openid.net>
> *Cc:* David Brossard <david.brossard at gmail.com>
> *Subject:* Re: [policy-charter] PEP-PDP Group
>
>
>
> I agree with Allan. There's another aspect to runtime authZ: it eliminates
> the need to define entitlements up front. It eliminates the need for role,
> permissions, and entitlements engineering, and consequently provisioning
> and de-provisioning.
>
>
>
> This makes me think another area of investigation for this WG is bridging
> the runtime authz world (XACML, OPA...) with the non-runtime authz world
> (OAuth scopes & claims, SCIM entitlements...) AuthZ frameworks should be
> capable of generating dynamic claims that are fed into a token. CAEP could
> be used to update/revoke/enrich such tokens.
>
>
>
> This means we need different ways to query a policy. And perhaps different
> ways to write policies. Let's assume a business authz policy:
>
>
>
>    - *Policy*: Claims processors can approve a claim in their region if
>    the amount claimed is less than the approver's limit.
>    - *Direct request*: Can Alice approve claim #123? (in the background,
>    attribute retrieval is run to figure out who Alice is and what claim 123's
>    region and amount are)
>
>
>    - Answer: Permit/Deny + obligations
>
>
>    - *Indirect request*: tell me what Alice can do on claims
>
>
>    - Answer: approve + claim amount < $500 + region = Moose Jaw.
>
>
>
>
>
> On Wed, Jun 14, 2023 at 8:15?AM Allan Foster via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>
>
> Alex,  I am not sure I fully agree with your statement!
>
>
>
> Although you might not use a PEP to protect those resources,  There is
> still a reasonable use case to treat the spec as the API and transport for
> those resources to call out to a centralized AuthZ server.
>
>
>
> I think there are at least two use cases for standardization (as we
> discussed at IDentiverse)
>
>
>
> 1.  A standardized interface between PEPs  or agents and the PDP.  This
> would allow de-weaponization of agents, and interoperability at the agent
> level?.
>
> 2.  A standardization athe policy level so that IF the PDP cannot be
> centralized, the interop would be at the Policy level.  Enabling the Policy
> Management to be centralized.
>
>
>
> A SaaS might not be willing to call out to a central PDP for AuthZ (and
> all the performance problems that brings) but might well be willing to
> accept the Policy definition into its own AuthZ system
>
>
>
> I see these as complimentary.
>
>
>
> On another note, We want to ensure that whatever we do at the PEP/PDP
> level,  we allow for real time decisions.  AuthZ decisions are not
> necessarily entitlements, and the decision may well depend on environmental
> issues at the time of the request.
>
>
>
> Allan
>
>
>
>
>
>
>
> On Tuesday, Jun 13, 2023 at 11:45, Alex Babeanu <alex at 3edges.com> wrote:
>
> This is a good discussion, that said a PEP is actually *not* mandated in
> all cases. For example you would *not* use a PEP to secure GraphQL APIs
> nor COTS software.
>
> I'm going to share soon a doc, to all contribute on, that lists common
> authorization design patterns. I think it would be a good basis for
> discussion, and at least to scope what we're trying to do...
>
>
>
> Thanks,
>
> ./\lex.
>
>
>
> On Tue, Jun 13, 2023 at 11:30?AM Allan Foster via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
> So I am thinking we also want to set some scope of what we want to cover?
>
>
>
> Off the top of my head?.   I can put some more context around these if
> they aren?t clear
>
>
>
> The Transport layer
>
> The Envelope Layer
>
> The request/response transaction layer
>
> How meta-data is handled?  (both request and response)
>
> Extension mechanisms
>
> Exception mechanism
>
>
>
> Allan
>
>
>
>
>
>
>
> *From: *policy-charter <policy-charter-bounces at lists.openid.net> on
> behalf of Omri Gazitt via policy-charter <policy-charter at lists.openid.net>
> *Date: *Tuesday, June 13, 2023 at 10:54
> *To: *Policy Charter Mail List <policy-charter at lists.openid.net>
> *Cc: *Omri Gazitt <omri at aserto.com>
> *Subject: *Re: [policy-charter] PEP-PDP Group
>
> I agree with David that looking at existing systems is a good place to
> start. If the idea is that PDPs can add a "standard" API that PEPs can
> call, then it would be good if the API supports the existing message
> exchange patterns (and doesn't mandate things that aren't supported).
>
>
>
> Here are three examples, to get us started:
>
>    - OPA is interesting in the sense that its primary REST API is very
>    document-oriented - you have a set of rules that are defined in a
>    JSON-style hierarchy and you issue a GET or POST on that resource in the
>    hierarchy to evaluate the rule that is rooted there. This seems like a
>    special case. OPA does have a generic query
>    <https://www.openpolicyagent.org/docs/latest/rest-api/#execute-an-ad-hoc-query>
>    API, which allows you to pass input and evaluate a rego query based on the
>    loaded policy document and the input.
>    - Auth0 FGA (one of the zanzibar implementations) has a check
>    <https://www.openpolicyagent.org/docs/latest/rest-api/#execute-an-ad-hoc-query> API
>    that takes a JSON payload containing a user key, relation name, and object
>    key, and returns an allowed decision (true or false). Most zanzibar
>    implementations seem to do something similar - e.g. SpiceDB has a check
>    <https://www.postman.com/authzed/workspace/spicedb/documentation/21043612-9786e5f3-2014-4b31-86c1-39335236c0e2?entity=request-c58c40ff-9fc7-4c3e-9cca-f017160ba5b8>
>    API that takes a resource, permission, and subject.
>    - Topaz (Aserto's OSS authorizer) has a query
>    <https://aserto.readme.io/reference/authorizerquery-1> API that takes
>    an identity and policy (rule/decisions to evaluate), and optionally a
>    resource context and additional input, and returns what OPA would return.
>    It also has a simpler is
>    <https://aserto.readme.io/reference/authorizeris-1> API that evaluates
>    a policy (rule/decisions) with an identity and resource context.
>
>
>
>
>
> On Tue, Jun 13, 2023 at 1:54?AM Roland Baum via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
> I'm in as well :-D
>
>
>
> Roland Baum
> umbrella.associates GmbH
>
>
> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>
> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>
>
>
>
> --
>
> [image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
> Their phone number is +1 604 728 8130.]
> <https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>
>
>
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
> hereto, is for the sole use of the intended recipient(s) and may contain
> confidential and/or proprietary information.
>
> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>
>
>
>
> --
>
> ---
> David Brossard
> http://www.linkedin.com/in/davidbrossard
> http://twitter.com/davidjbrossard
> http://about.me/brossard
> ---
> Stay safe on the Internet: http://www.ic3.gov/preventiontips.aspx
> Prenez vos pr?cautions sur Internet:
> http://www.securite-informatique.gouv.fr/gp_rubrique34.html
> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230627/d29cbfb6/attachment-0001.html>

From andrewhughes at pingidentity.com  Wed Jun 28 02:46:39 2023
From: andrewhughes at pingidentity.com (Andrew Hughes)
Date: Tue, 27 Jun 2023 19:46:39 -0700
Subject: [policy-charter] Link to PDP-PEP Interop WG Charter draft
 document
In-Reply-To: <CALkJ7sXYXrU3LTjsC86n1kTpPiV8=Hpg_GDZn_9WcbreLxZGuA@mail.gmail.com>
References: <CALS-csXsKbFVDC0uKa-qWgO_C0bVE2UkSoGpzZB84+Wv=B-NKw@mail.gmail.com>
 <CAOFyxEOwS-rziMMq2fgymbyC4Hn-oRVVp7cay6Fx5sMiZke_0Q@mail.gmail.com>
 <50843d0b-b16c-4e40-abe0-a03c2c1f81c9@Canary>
 <DBAPR83MB0422A6DEA28F60F4A14CCE52915FA@DBAPR83MB0422.EURPRD83.prod.outlook.com>
 <CALS-csUin3YwkP5ZeJqAU5ETkovJMJrh0hQ8mUYMmO=dKxmEhw@mail.gmail.com>
 <CAOFyxEMFpv-o5x8Q0_K6-FX2UD1gXtMT7R-Asqw0y0dxaShc0g@mail.gmail.com>
 <CAJO7GQ-wtJf+yp0QWnN951v9aiKaseUAHU9B1uGXf53Lys8BMQ@mail.gmail.com>
 <CALVhW9P2e-VtErszdjCZVwgFEL9qWN-+PhdoGjDuy1e7EOYQGg@mail.gmail.com>
 <CAJO7GQ_Y5Nu1aR4BEw+DgS5cwjYGOd58ZM_wcxiOELr1uoL8YA@mail.gmail.com>
 <CALkJ7sXYXrU3LTjsC86n1kTpPiV8=Hpg_GDZn_9WcbreLxZGuA@mail.gmail.com>
Message-ID: <CALS-csWdcLrp+CaLAXV0xSuPnjFcXhP0PFsvctxQ21mXbDfHmg@mail.gmail.com>

Add your comments to the existing document if it?s for the pep PDP
deliverable

On Tue, Jun 27, 2023 at 6:57 PM Omri Gazitt via policy-charter <
policy-charter at lists.openid.net> wrote:

> Cool - and I completely agree that the scope ought to include systems that
> support a relationship (and/or graph) model.
>
> So perhaps more horsemen :)
>
> Is there a new charter document that includes this as a requirement?
>
> On Tue, Jun 27, 2023 at 8:40?AM David Brossard via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> We totally should! It is an oversight on my part because I am so policy
>> biased. Sorry!
>>
>> On Tue, Jun 27, 2023, 8:25 AM Andres Aguiar <andres.aguiar at okta.com>
>> wrote:
>>
>>> Hi all!
>>>
>>> Any reason not to include Google Zanzibar-inspired AuthZ implementations
>>> (e.g. OpenFGA, Topaz, SpiceDB, Permify, etc) as part of the scope of this
>>> effort?
>>>
>>> Regards,
>>>
>>> Andres
>>>
>>>
>>> On Tue, Jun 27, 2023 at 12:09?PM David Brossard via policy-charter <
>>> policy-charter at lists.openid.net> wrote:
>>>
>>>> *This message originated outside your organization.*
>>>>
>>>> ------------------------------
>>>>
>>>> I added notes and comments in the Google Doc
>>>> <https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?pli=1>.
>>>> I think it is worth highlighting we're not after yet another standard
>>>> <https://urldefense.com/v3/__https://xkcd.com/927/__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzOe8cLp8$>.
>>>> We want to:
>>>>
>>>>    1. increase interoperability between existing standards. In my
>>>>    mind, the four horsemen of the ap-authz-calypse are ALFA, Cedar, OPA, and
>>>>    IDQL.
>>>>       1. interop from a policy management perspective
>>>>       2. interop from a runtime request/response perspective
>>>>    2. increase awareness of externalized authz so that software
>>>>    developers/owners/SaaS never rebuild their own
>>>>       1. Be the OAuth/SAML of authZ
>>>>       2. Define and propose standard authZ patterns
>>>>          1. use cases
>>>>          2. integration patterns
>>>>
>>>>
>>>> On Mon, Jun 26, 2023 at 8:42?AM Alex Babeanu via policy-charter <
>>>> policy-charter at lists.openid.net> wrote:
>>>>
>>>>> Sounds good to me too.
>>>>> Thanks,
>>>>>
>>>>> ./\.
>>>>>
>>>>> On Fri, Jun 23, 2023 at 10:00?AM Andrew Hughes via policy-charter <
>>>>> policy-charter at lists.openid.net> wrote:
>>>>>
>>>>>> Anyone else want to weigh in on this?
>>>>>>
>>>>>> I'm onboard with Pieter's suggestion that the attached document
>>>>>> describes a deliverable of a larger work group - if so, I'd like to get
>>>>>> closure on the description quickly
>>>>>>
>>>>>> I hope it's a simple and non-controversial deliverable...
>>>>>>
>>>>>> Andrew Hughes
>>>>>> Director - Identity Standards
>>>>>> andrewhughes at pingidentity.com
>>>>>> Mobile/Signal: +1 250 888 9474
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Jun 19, 2023 at 4:30?AM Pieter Kasselman via policy-charter <
>>>>>> policy-charter at lists.openid.net> wrote:
>>>>>>
>>>>>>> My perspective is that we should have one Work Group focused on
>>>>>>> authorization with multiple deliverables (e.g. OpenID Connect and SSF for
>>>>>>> example has multiple deliverables) to start with. This way everyone
>>>>>>> interested in the authorization topic has visibility into the different
>>>>>>> work items and we get the benefit of wider participation and review.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Agreed that something with Authorization in the name would make
>>>>>>> sense, something like AuthZEN Framework (AuthoriZation ExchaNge Framework)
>>>>>>> or AuthIT/AuthZIT Framework (Authorization Interoperability Technology
>>>>>>> Framework)?.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *From:* policy-charter <policy-charter-bounces at lists.openid.net> *On
>>>>>>> Behalf Of *Allan Foster via policy-charter
>>>>>>> *Sent:* Friday, June 16, 2023 10:46 PM
>>>>>>> *To:* Policy Charter Mail List <policy-charter at lists.openid.net>
>>>>>>> *Cc:* Allan Foster <allan at macguru.com>
>>>>>>> *Subject:* Re: [policy-charter] Link to PDP-PEP Interop WG Charter
>>>>>>> draft document
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> So,  I wonder if we should do two different WGs,  or one WG with two
>>>>>>> different standards?. (At least,  for now?)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I am inclined to think the WG should be AuthZ something??.   and
>>>>>>> have two separate streams?. (or standards?)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thoughts
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Allan
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Friday, Jun 16, 2023 at 14:02, Alex Babeanu via policy-charter <
>>>>>>> policy-charter at lists.openid.net> wrote:
>>>>>>>
>>>>>>> Thanks Andrew!
>>>>>>>
>>>>>>> Added a first comment in there... The season's open!
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ./\.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Jun 16, 2023 at 11:50?AM Andrew Hughes via policy-charter <
>>>>>>> policy-charter at lists.openid.net> wrote:
>>>>>>>
>>>>>>> Here is the document I have started - the link puts you into
>>>>>>> "suggest" mode. Please add text with self-attribution. Be respectful of
>>>>>>> others' contributions.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> [image: Ping Identity]
>>>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzcNeP4vs$>
>>>>>>>
>>>>>>> *Andrew Hughes*
>>>>>>> Director - Identity Standards
>>>>>>> andrewhughes at pingidentity.com
>>>>>>>
>>>>>>> *Connect with us: *
>>>>>>>
>>>>>>> [image: Glassdoor logo]
>>>>>>> <https://urldefense.com/v3/__https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzWdCjpz4$>[image:
>>>>>>> LinkedIn logo] <https://www.linkedin.com/company/21870>[image:
>>>>>>> twitter logo]
>>>>>>> <https://urldefense.com/v3/__https://twitter.com/pingidentity__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzDUeSi2c$>[image:
>>>>>>> facebook logo]
>>>>>>> <https://urldefense.com/v3/__https://www.facebook.com/pingidentitypage__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzqt_Q5uo$>[image:
>>>>>>> youtube logo]
>>>>>>> <https://urldefense.com/v3/__https://www.youtube.com/user/PingIdentityTV__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzayZ0G60$>[image:
>>>>>>> Blog logo]
>>>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/en/blog.html__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzBZ_t8is$>
>>>>>>>
>>>>>>>
>>>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/en/company/championing-every-identity/dei.html?utm_source=direct*20to*20website&utm_medium=emailsig__;JSU!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzIokbF3o$>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>>>>> If you have received this communication in error, please notify the sender
>>>>>>> immediately by e-mail and delete the message and any file attachments from
>>>>>>> your computer. Thank you.*--
>>>>>>> policy-charter mailing list
>>>>>>> policy-charter at lists.openid.net
>>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> [image: This is Alexandre Babeanu's card. Their email is
>>>>>>> alex at 3edges.com. Their phone number is +1 604 728 8130.]
>>>>>>> <https://urldefense.com/v3/__https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzhrCCuoA$>
>>>>>>>
>>>>>>>
>>>>>>> CONFIDENTIALITY NOTICE: This e-mail message, including any
>>>>>>> attachments hereto, is for the sole use of the intended recipient(s) and
>>>>>>> may contain confidential and/or proprietary information.
>>>>>>> --
>>>>>>> policy-charter mailing list
>>>>>>> policy-charter at lists.openid.net
>>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>>
>>>>>>> --
>>>>>>> policy-charter mailing list
>>>>>>> policy-charter at lists.openid.net
>>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>>
>>>>>>
>>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>>>> If you have received this communication in error, please notify the sender
>>>>>> immediately by e-mail and delete the message and any file attachments from
>>>>>> your computer. Thank you.*--
>>>>>> policy-charter mailing list
>>>>>> policy-charter at lists.openid.net
>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> [image: This is Alexandre Babeanu's card. Their email is
>>>>> alex at 3edges.com. Their phone number is +1 604 728 8130.]
>>>>> <https://urldefense.com/v3/__https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzhrCCuoA$>
>>>>>
>>>>> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
>>>>> hereto, is for the sole use of the intended recipient(s) and may contain
>>>>> confidential and/or proprietary information.
>>>>> --
>>>>> policy-charter mailing list
>>>>> policy-charter at lists.openid.net
>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>
>>>>
>>>>
>>>> --
>>>> ---
>>>> David Brossard
>>>> http://www.linkedin.com/in/davidbrossard
>>>> http://twitter.com/davidjbrossard
>>>> <https://urldefense.com/v3/__http://twitter.com/davidjbrossard__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzQRlFaRU$>
>>>> http://about.me/brossard
>>>> <https://urldefense.com/v3/__http://about.me/brossard__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzQqI8AE8$>
>>>> ---
>>>> Stay safe on the Internet: http://www.ic3.gov/preventiontips.aspx
>>>> <https://urldefense.com/v3/__http://www.ic3.gov/preventiontips.aspx__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzljfWGu0$>
>>>> Prenez vos pr?cautions sur Internet:
>>>> http://www.securite-informatique.gouv.fr/gp_rubrique34.html
>>>> <https://urldefense.com/v3/__http://www.securite-informatique.gouv.fr/gp_rubrique34.html__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzo5yrZAg$>
>>>> --
>>>> policy-charter mailing list
>>>> policy-charter at lists.openid.net
>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>
>>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>
-- 
Andrew Hughes
Director, Identity Standards
Ping Identity
Signal/Mobile: +12508889474

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.? If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230627/71a86758/attachment-0001.html>

From david.brossard at gmail.com  Wed Jun 28 05:04:41 2023
From: david.brossard at gmail.com (David Brossard)
Date: Tue, 27 Jun 2023 22:04:41 -0700
Subject: [policy-charter] PEP-PDP Group
In-Reply-To: <DBAPR83MB04229645779376B7769E20AC9127A@DBAPR83MB0422.EURPRD83.prod.outlook.com>
References: <CALkJ7sWdDSMHo1d5xJY7xZWsfhDfYjk06ePR3zDAnMC3GhPdXw@mail.gmail.com>
 <CAJO7GQ_tQDOcm4FwiZE72rz56-jRscPafL9+1MiQAhCwjJmNnQ@mail.gmail.com>
 <6df4307c-f221-1068-3a3f-5c1672a9eaaf@umbrella.associates>
 <CALkJ7sUMNM8_56i7RvFTcf3EQpnSwdH7rkt=XLcJFprJ8CJUsA@mail.gmail.com>
 <DM8P220MB06530D44226E548E051CC70AF755A@DM8P220MB0653.NAMP220.PROD.OUTLOOK.COM>
 <CAOFyxENvzJ=+DU4vHjVB2ai0MC6MzzfNqxL5jF0Rw1MnQkq_dQ@mail.gmail.com>
 <2a5c3d88-c433-453a-8085-c3e2834ea9c2@Canary>
 <CAJO7GQ_HHvuxS17v1KKJJsPOfg__0bZ-spgP=XfuxmjR9vUX4A@mail.gmail.com>
 <DBAPR83MB04229645779376B7769E20AC9127A@DBAPR83MB0422.EURPRD83.prod.outlook.com>
Message-ID: <CAJO7GQ_ZkiXN1sbQyBOqGGLF=xFVRdYsx8BjGENKripE5Fzn4Q@mail.gmail.com>

Omri's email is pretty much on point. Here's my experience.

At Axiomatics, we realized over time that authorization could be grouped
into (at least) 3 buckets:

   - functional: can a given user print (as a whole)? This is useful when
   building UIs, basic entitlements, or possibly even claims inside a token
   - transactional: can a given user do a given action on a given item?
   E.g. can Alice view transaction #123?
   - data-centric: this one is a variant of the transactional case but at
   scale. Essentially, which transactions can Alice view? You want to address
   this type of question for data filtering.

The XACML core spec doesn't address the latter type which is why we came up
with partial evaluation and an API called "reverse query". It's identical
in spirit to what Omri states OPA contains. I'm guessing it's also similar
to the "expand API" in Zanzibar.

And then you realize reverse querying/partial evaluation is not just about
data filtering. It can be for testing, access review, policy reports, gap
analyses... You can ask broader to narrower questions e.g.

   - What can happen?
   - What can Alice do?
   - What can Alice view?
   - What can Alice view in the sales department on a Monday?

You get the point.

I think we need to document this type of API because it's fundamental to
being able to deploy a successful authorization framework. While the
traditional permit/deny API is easy to understand and implement, it's not
enough to address filtering, access reviews, etc...

Additionally, there are 2 types of policies we may want to consider:

   - business policies: they reflect exactly what you want to do e.g.
   "managers can edit documents in their department if the status is draft".
   This is the sort of policy XACML/ALFA were born to tackle.
   - entitlements policies: they are here to grant entitlements to users
   e.g. "managers in the sales department can have the claim editDoc". Those
   are not my cup of tea and should only be written when you're dealing with a
   system that cannot handle the richness of ABAC policies

@Omri Gazitt <omri at aserto.com> , can you share a link to @Atul Tulshibagwale
<atul at sgnl.ai>'s document? Thanks!

David

On Tue, Jun 27, 2023 at 11:43?AM Pieter Kasselman <
pieter.kasselman at microsoft.com> wrote:

> Hi David, the difference between the direct and indirect requests are
> interesting. The Direct request feels like a  request for a decision while
> the indirect request feels like policy retrieval (with some parameters to
> scope retrieval of policies as it relate to Alice and claims). Can you
> describe the use cases for when the direct vs when the indirect approach is
> used?
>
>
>
> *From:* policy-charter <policy-charter-bounces at lists.openid.net> *On
> Behalf Of *David Brossard via policy-charter
> *Sent:* Tuesday, June 27, 2023 4:17 PM
> *To:* Policy Charter Mail List <policy-charter at lists.openid.net>
> *Cc:* David Brossard <david.brossard at gmail.com>
> *Subject:* Re: [policy-charter] PEP-PDP Group
>
>
>
> I agree with Allan. There's another aspect to runtime authZ: it eliminates
> the need to define entitlements up front. It eliminates the need for role,
> permissions, and entitlements engineering, and consequently provisioning
> and de-provisioning.
>
>
>
> This makes me think another area of investigation for this WG is bridging
> the runtime authz world (XACML, OPA...) with the non-runtime authz world
> (OAuth scopes & claims, SCIM entitlements...) AuthZ frameworks should be
> capable of generating dynamic claims that are fed into a token. CAEP could
> be used to update/revoke/enrich such tokens.
>
>
>
> This means we need different ways to query a policy. And perhaps different
> ways to write policies. Let's assume a business authz policy:
>
>
>
>    - *Policy*: Claims processors can approve a claim in their region if
>    the amount claimed is less than the approver's limit.
>    - *Direct request*: Can Alice approve claim #123? (in the background,
>    attribute retrieval is run to figure out who Alice is and what claim 123's
>    region and amount are)
>
>
>    - Answer: Permit/Deny + obligations
>
>
>    - *Indirect request*: tell me what Alice can do on claims
>
>
>    - Answer: approve + claim amount < $500 + region = Moose Jaw.
>
>
>
>
>
> On Wed, Jun 14, 2023 at 8:15?AM Allan Foster via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>
>
> Alex,  I am not sure I fully agree with your statement!
>
>
>
> Although you might not use a PEP to protect those resources,  There is
> still a reasonable use case to treat the spec as the API and transport for
> those resources to call out to a centralized AuthZ server.
>
>
>
> I think there are at least two use cases for standardization (as we
> discussed at IDentiverse)
>
>
>
> 1.  A standardized interface between PEPs  or agents and the PDP.  This
> would allow de-weaponization of agents, and interoperability at the agent
> level?.
>
> 2.  A standardization athe policy level so that IF the PDP cannot be
> centralized, the interop would be at the Policy level.  Enabling the Policy
> Management to be centralized.
>
>
>
> A SaaS might not be willing to call out to a central PDP for AuthZ (and
> all the performance problems that brings) but might well be willing to
> accept the Policy definition into its own AuthZ system
>
>
>
> I see these as complimentary.
>
>
>
> On another note, We want to ensure that whatever we do at the PEP/PDP
> level,  we allow for real time decisions.  AuthZ decisions are not
> necessarily entitlements, and the decision may well depend on environmental
> issues at the time of the request.
>
>
>
> Allan
>
>
>
>
>
>
>
> On Tuesday, Jun 13, 2023 at 11:45, Alex Babeanu <alex at 3edges.com> wrote:
>
> This is a good discussion, that said a PEP is actually *not* mandated in
> all cases. For example you would *not* use a PEP to secure GraphQL APIs
> nor COTS software.
>
> I'm going to share soon a doc, to all contribute on, that lists common
> authorization design patterns. I think it would be a good basis for
> discussion, and at least to scope what we're trying to do...
>
>
>
> Thanks,
>
> ./\lex.
>
>
>
> On Tue, Jun 13, 2023 at 11:30?AM Allan Foster via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
> So I am thinking we also want to set some scope of what we want to cover?
>
>
>
> Off the top of my head?.   I can put some more context around these if
> they aren?t clear
>
>
>
> The Transport layer
>
> The Envelope Layer
>
> The request/response transaction layer
>
> How meta-data is handled?  (both request and response)
>
> Extension mechanisms
>
> Exception mechanism
>
>
>
> Allan
>
>
>
>
>
>
>
> *From: *policy-charter <policy-charter-bounces at lists.openid.net> on
> behalf of Omri Gazitt via policy-charter <policy-charter at lists.openid.net>
> *Date: *Tuesday, June 13, 2023 at 10:54
> *To: *Policy Charter Mail List <policy-charter at lists.openid.net>
> *Cc: *Omri Gazitt <omri at aserto.com>
> *Subject: *Re: [policy-charter] PEP-PDP Group
>
> I agree with David that looking at existing systems is a good place to
> start. If the idea is that PDPs can add a "standard" API that PEPs can
> call, then it would be good if the API supports the existing message
> exchange patterns (and doesn't mandate things that aren't supported).
>
>
>
> Here are three examples, to get us started:
>
>    - OPA is interesting in the sense that its primary REST API is very
>    document-oriented - you have a set of rules that are defined in a
>    JSON-style hierarchy and you issue a GET or POST on that resource in the
>    hierarchy to evaluate the rule that is rooted there. This seems like a
>    special case. OPA does have a generic query
>    <https://www.openpolicyagent.org/docs/latest/rest-api/#execute-an-ad-hoc-query>
>    API, which allows you to pass input and evaluate a rego query based on the
>    loaded policy document and the input.
>    - Auth0 FGA (one of the zanzibar implementations) has a check
>    <https://www.openpolicyagent.org/docs/latest/rest-api/#execute-an-ad-hoc-query> API
>    that takes a JSON payload containing a user key, relation name, and object
>    key, and returns an allowed decision (true or false). Most zanzibar
>    implementations seem to do something similar - e.g. SpiceDB has a check
>    <https://www.postman.com/authzed/workspace/spicedb/documentation/21043612-9786e5f3-2014-4b31-86c1-39335236c0e2?entity=request-c58c40ff-9fc7-4c3e-9cca-f017160ba5b8>
>    API that takes a resource, permission, and subject.
>    - Topaz (Aserto's OSS authorizer) has a query
>    <https://aserto.readme.io/reference/authorizerquery-1> API that takes
>    an identity and policy (rule/decisions to evaluate), and optionally a
>    resource context and additional input, and returns what OPA would return.
>    It also has a simpler is
>    <https://aserto.readme.io/reference/authorizeris-1> API that evaluates
>    a policy (rule/decisions) with an identity and resource context.
>
>
>
>
>
> On Tue, Jun 13, 2023 at 1:54?AM Roland Baum via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
> I'm in as well :-D
>
>
>
> Roland Baum
> umbrella.associates GmbH
>
>
> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>
> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>
>
>
>
> --
>
> [image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
> Their phone number is +1 604 728 8130.]
> <https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>
>
>
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
> hereto, is for the sole use of the intended recipient(s) and may contain
> confidential and/or proprietary information.
>
> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>
>
>
>
> --
>
> ---
> David Brossard
> http://www.linkedin.com/in/davidbrossard
> http://twitter.com/davidjbrossard
> http://about.me/brossard
> ---
> Stay safe on the Internet: http://www.ic3.gov/preventiontips.aspx
> Prenez vos pr?cautions sur Internet:
> http://www.securite-informatique.gouv.fr/gp_rubrique34.html
>


-- 
---
David Brossard
http://www.linkedin.com/in/davidbrossard
http://twitter.com/davidjbrossard
http://about.me/brossard
---
Stay safe on the Internet: IC3 Prevention Tips
<https://www.capefearnetworks.com/wp-content/uploads/2017/05/Internet-Fraud-Prevention-Tips-IC3.pdf>
Prenez vos pr?cautions sur Internet:
http://www.securite-informatique.gouv.fr/gp_rubrique34.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230627/5d8a26c2/attachment-0001.html>

From omri at aserto.com  Wed Jun 28 05:47:46 2023
From: omri at aserto.com (Omri Gazitt)
Date: Tue, 27 Jun 2023 22:47:46 -0700
Subject: [policy-charter] Authorization API Proposal
In-Reply-To: <CANtBS9fNYA-cPsrWNAVNQL0wOzsp=osZrPExcx7goqQ28eOpmw@mail.gmail.com>
References: <CANtBS9fNYA-cPsrWNAVNQL0wOzsp=osZrPExcx7goqQ28eOpmw@mail.gmail.com>
Message-ID: <CALkJ7sV7npFzxA5Z0AwQ8ProzQCwFkax5U2VnqvpcoeyrHNuhQ@mail.gmail.com>

Thanks Atul - it's clear you and the SGNL team put some thought into this.

I'm still looking through this but I like that you're specifying both a
"check" function (Access Evaluation) and an "expand" function (Search
API).  Both are important, but perhaps only the Access Evaluation API ought
to be required.

I'm not sure what is the best way to provide feedback. Github issues? PRs?
put it in a google doc and use comments?

Here are some thoughts (sorry, no particular order):

> Policy Distribution Point
Nit - this should be "Policy Decision Point" (which you name correctly in
other places in the doc)

> The Authorization API is itself authorized using OAuth 2.0 ([RFC6749
<https://sgnl-ai.github.io/authzapi/#RFC6749>])
I think this is overspecified. I can certainly see clients that call an
Authorization API using an API key.

> Terminology
A bit of a quibble, but perhaps we tip the hat to XACML and use the terms
"subject" and "resource" instead of "principal" and "asset". I'm not
religious about these terms, but "asset" in particular seems less common
than "object" or "resource".

> Principals
In many systems, subjects will be extracted from a JWT "sub" claim, which
is a string. I'm not sure that specifying that this must be a JSON
structure, and further specifying two optional fields (ipAddress and
deviceId) is necessary, and feels overspecified.

> Assets
Having a type and id makes sense, but could these be specified in a single
string?  For example, zanzibar defines these as type:id

I do like having the ability to pass in properties in addition to the
object identifier - but it seems like this should be a json object
(key:value pairs), not just an array of attribute names.

> Actions
It's not clear to me that separating actions into "standard" and "custom"
is useful. I think the types of actions you list (CRUD) are common examples
but should not be normative.

I do think it's possible to use the generic concept of "Action" to
encompass permissions and relations.

> Queries (as array)
I think that allowing a set of decisions to be requested at once is
valuable, but IMO the spec should not mandate that implementations must
support more than one query at a time. Some PDPs don't support that
semantic and it should be considered optional.




On Tue, Jun 27, 2023 at 4:38?PM Atul Tulshibagwale via policy-charter <
policy-charter at lists.openid.net> wrote:

> Hi all,
>
> Here's a proposal of an Authorization API that we would like to contribute
> to this group (in its current form or if / when we find a home in a
> standards body). This is similar to at least a few vendors' current
> offerings, so I hope everyone finds this helpful, and we can accelerate our
> standardization efforts as a result.
>
> You can read the proposal in HTML format here:
> https://sgnl-ai.github.io/authzapi/
>
> The sources (under the MIT License) are here:
> https://github.com/SGNL-ai/authzapi
>
> - Atul Tulshibagwale, Erik Gustavson and Marc Jordan
>
> --
>
> <https://sgnl.ai>
>
> Atul Tulshibagwale
>
> CTO
>
> <https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
> <atul at sgnl.ai>
> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230627/a682fe0d/attachment.html>

From omri at aserto.com  Wed Jun 28 05:49:10 2023
From: omri at aserto.com (Omri Gazitt)
Date: Tue, 27 Jun 2023 22:49:10 -0700
Subject: [policy-charter] PEP-PDP Group
In-Reply-To: <CAJO7GQ_ZkiXN1sbQyBOqGGLF=xFVRdYsx8BjGENKripE5Fzn4Q@mail.gmail.com>
References: <CALkJ7sWdDSMHo1d5xJY7xZWsfhDfYjk06ePR3zDAnMC3GhPdXw@mail.gmail.com>
 <CAJO7GQ_tQDOcm4FwiZE72rz56-jRscPafL9+1MiQAhCwjJmNnQ@mail.gmail.com>
 <6df4307c-f221-1068-3a3f-5c1672a9eaaf@umbrella.associates>
 <CALkJ7sUMNM8_56i7RvFTcf3EQpnSwdH7rkt=XLcJFprJ8CJUsA@mail.gmail.com>
 <DM8P220MB06530D44226E548E051CC70AF755A@DM8P220MB0653.NAMP220.PROD.OUTLOOK.COM>
 <CAOFyxENvzJ=+DU4vHjVB2ai0MC6MzzfNqxL5jF0Rw1MnQkq_dQ@mail.gmail.com>
 <2a5c3d88-c433-453a-8085-c3e2834ea9c2@Canary>
 <CAJO7GQ_HHvuxS17v1KKJJsPOfg__0bZ-spgP=XfuxmjR9vUX4A@mail.gmail.com>
 <DBAPR83MB04229645779376B7769E20AC9127A@DBAPR83MB0422.EURPRD83.prod.outlook.com>
 <CAJO7GQ_ZkiXN1sbQyBOqGGLF=xFVRdYsx8BjGENKripE5Fzn4Q@mail.gmail.com>
Message-ID: <CALkJ7sUZRK=B9Y75PoWR+8HYw+VQ0F+KmtZJsv2cABYSXGqK+Q@mail.gmail.com>

It's on another thread on policy-charter

https://sgnl-ai.github.io/authzapi/


On Tue, Jun 27, 2023 at 10:04?PM David Brossard <david.brossard at gmail.com>
wrote:

> Omri's email is pretty much on point. Here's my experience.
>
> At Axiomatics, we realized over time that authorization could be grouped
> into (at least) 3 buckets:
>
>    - functional: can a given user print (as a whole)? This is useful when
>    building UIs, basic entitlements, or possibly even claims inside a token
>    - transactional: can a given user do a given action on a given item?
>    E.g. can Alice view transaction #123?
>    - data-centric: this one is a variant of the transactional case but at
>    scale. Essentially, which transactions can Alice view? You want to address
>    this type of question for data filtering.
>
> The XACML core spec doesn't address the latter type which is why we came
> up with partial evaluation and an API called "reverse query". It's
> identical in spirit to what Omri states OPA contains. I'm guessing it's
> also similar to the "expand API" in Zanzibar.
>
> And then you realize reverse querying/partial evaluation is not just about
> data filtering. It can be for testing, access review, policy reports, gap
> analyses... You can ask broader to narrower questions e.g.
>
>    - What can happen?
>    - What can Alice do?
>    - What can Alice view?
>    - What can Alice view in the sales department on a Monday?
>
> You get the point.
>
> I think we need to document this type of API because it's fundamental to
> being able to deploy a successful authorization framework. While the
> traditional permit/deny API is easy to understand and implement, it's not
> enough to address filtering, access reviews, etc...
>
> Additionally, there are 2 types of policies we may want to consider:
>
>    - business policies: they reflect exactly what you want to do e.g.
>    "managers can edit documents in their department if the status is draft".
>    This is the sort of policy XACML/ALFA were born to tackle.
>    - entitlements policies: they are here to grant entitlements to users
>    e.g. "managers in the sales department can have the claim editDoc". Those
>    are not my cup of tea and should only be written when you're dealing with a
>    system that cannot handle the richness of ABAC policies
>
> @Omri Gazitt <omri at aserto.com> , can you share a link to @Atul
> Tulshibagwale <atul at sgnl.ai>'s document? Thanks!
>
> David
>
> On Tue, Jun 27, 2023 at 11:43?AM Pieter Kasselman <
> pieter.kasselman at microsoft.com> wrote:
>
>> Hi David, the difference between the direct and indirect requests are
>> interesting. The Direct request feels like a  request for a decision while
>> the indirect request feels like policy retrieval (with some parameters to
>> scope retrieval of policies as it relate to Alice and claims). Can you
>> describe the use cases for when the direct vs when the indirect approach is
>> used?
>>
>>
>>
>> *From:* policy-charter <policy-charter-bounces at lists.openid.net> *On
>> Behalf Of *David Brossard via policy-charter
>> *Sent:* Tuesday, June 27, 2023 4:17 PM
>> *To:* Policy Charter Mail List <policy-charter at lists.openid.net>
>> *Cc:* David Brossard <david.brossard at gmail.com>
>> *Subject:* Re: [policy-charter] PEP-PDP Group
>>
>>
>>
>> I agree with Allan. There's another aspect to runtime authZ: it
>> eliminates the need to define entitlements up front. It eliminates the need
>> for role, permissions, and entitlements engineering, and consequently
>> provisioning and de-provisioning.
>>
>>
>>
>> This makes me think another area of investigation for this WG is bridging
>> the runtime authz world (XACML, OPA...) with the non-runtime authz world
>> (OAuth scopes & claims, SCIM entitlements...) AuthZ frameworks should be
>> capable of generating dynamic claims that are fed into a token. CAEP could
>> be used to update/revoke/enrich such tokens.
>>
>>
>>
>> This means we need different ways to query a policy. And perhaps
>> different ways to write policies. Let's assume a business authz policy:
>>
>>
>>
>>    - *Policy*: Claims processors can approve a claim in their region if
>>    the amount claimed is less than the approver's limit.
>>    - *Direct request*: Can Alice approve claim #123? (in the background,
>>    attribute retrieval is run to figure out who Alice is and what claim 123's
>>    region and amount are)
>>
>>
>>    - Answer: Permit/Deny + obligations
>>
>>
>>    - *Indirect request*: tell me what Alice can do on claims
>>
>>
>>    - Answer: approve + claim amount < $500 + region = Moose Jaw.
>>
>>
>>
>>
>>
>> On Wed, Jun 14, 2023 at 8:15?AM Allan Foster via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>>
>>
>> Alex,  I am not sure I fully agree with your statement!
>>
>>
>>
>> Although you might not use a PEP to protect those resources,  There is
>> still a reasonable use case to treat the spec as the API and transport for
>> those resources to call out to a centralized AuthZ server.
>>
>>
>>
>> I think there are at least two use cases for standardization (as we
>> discussed at IDentiverse)
>>
>>
>>
>> 1.  A standardized interface between PEPs  or agents and the PDP.  This
>> would allow de-weaponization of agents, and interoperability at the agent
>> level?.
>>
>> 2.  A standardization athe policy level so that IF the PDP cannot be
>> centralized, the interop would be at the Policy level.  Enabling the Policy
>> Management to be centralized.
>>
>>
>>
>> A SaaS might not be willing to call out to a central PDP for AuthZ (and
>> all the performance problems that brings) but might well be willing to
>> accept the Policy definition into its own AuthZ system
>>
>>
>>
>> I see these as complimentary.
>>
>>
>>
>> On another note, We want to ensure that whatever we do at the PEP/PDP
>> level,  we allow for real time decisions.  AuthZ decisions are not
>> necessarily entitlements, and the decision may well depend on environmental
>> issues at the time of the request.
>>
>>
>>
>> Allan
>>
>>
>>
>>
>>
>>
>>
>> On Tuesday, Jun 13, 2023 at 11:45, Alex Babeanu <alex at 3edges.com> wrote:
>>
>> This is a good discussion, that said a PEP is actually *not* mandated in
>> all cases. For example you would *not* use a PEP to secure GraphQL APIs
>> nor COTS software.
>>
>> I'm going to share soon a doc, to all contribute on, that lists common
>> authorization design patterns. I think it would be a good basis for
>> discussion, and at least to scope what we're trying to do...
>>
>>
>>
>> Thanks,
>>
>> ./\lex.
>>
>>
>>
>> On Tue, Jun 13, 2023 at 11:30?AM Allan Foster via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>> So I am thinking we also want to set some scope of what we want to
>> cover?
>>
>>
>>
>> Off the top of my head?.   I can put some more context around these if
>> they aren?t clear
>>
>>
>>
>> The Transport layer
>>
>> The Envelope Layer
>>
>> The request/response transaction layer
>>
>> How meta-data is handled?  (both request and response)
>>
>> Extension mechanisms
>>
>> Exception mechanism
>>
>>
>>
>> Allan
>>
>>
>>
>>
>>
>>
>>
>> *From: *policy-charter <policy-charter-bounces at lists.openid.net> on
>> behalf of Omri Gazitt via policy-charter <policy-charter at lists.openid.net
>> >
>> *Date: *Tuesday, June 13, 2023 at 10:54
>> *To: *Policy Charter Mail List <policy-charter at lists.openid.net>
>> *Cc: *Omri Gazitt <omri at aserto.com>
>> *Subject: *Re: [policy-charter] PEP-PDP Group
>>
>> I agree with David that looking at existing systems is a good place to
>> start. If the idea is that PDPs can add a "standard" API that PEPs can
>> call, then it would be good if the API supports the existing message
>> exchange patterns (and doesn't mandate things that aren't supported).
>>
>>
>>
>> Here are three examples, to get us started:
>>
>>    - OPA is interesting in the sense that its primary REST API is very
>>    document-oriented - you have a set of rules that are defined in a
>>    JSON-style hierarchy and you issue a GET or POST on that resource in the
>>    hierarchy to evaluate the rule that is rooted there. This seems like a
>>    special case. OPA does have a generic query
>>    <https://www.openpolicyagent.org/docs/latest/rest-api/#execute-an-ad-hoc-query>
>>    API, which allows you to pass input and evaluate a rego query based on the
>>    loaded policy document and the input.
>>    - Auth0 FGA (one of the zanzibar implementations) has a check
>>    <https://www.openpolicyagent.org/docs/latest/rest-api/#execute-an-ad-hoc-query> API
>>    that takes a JSON payload containing a user key, relation name, and object
>>    key, and returns an allowed decision (true or false). Most zanzibar
>>    implementations seem to do something similar - e.g. SpiceDB has a
>>    check
>>    <https://www.postman.com/authzed/workspace/spicedb/documentation/21043612-9786e5f3-2014-4b31-86c1-39335236c0e2?entity=request-c58c40ff-9fc7-4c3e-9cca-f017160ba5b8>
>>    API that takes a resource, permission, and subject.
>>    - Topaz (Aserto's OSS authorizer) has a query
>>    <https://aserto.readme.io/reference/authorizerquery-1> API that takes
>>    an identity and policy (rule/decisions to evaluate), and optionally a
>>    resource context and additional input, and returns what OPA would return.
>>    It also has a simpler is
>>    <https://aserto.readme.io/reference/authorizeris-1> API that
>>    evaluates a policy (rule/decisions) with an identity and resource context.
>>
>>
>>
>>
>>
>> On Tue, Jun 13, 2023 at 1:54?AM Roland Baum via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>> I'm in as well :-D
>>
>>
>>
>> Roland Baum
>> umbrella.associates GmbH
>>
>>
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>>
>>
>>
>> --
>>
>> [image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
>> Their phone number is +1 604 728 8130.]
>> <https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>
>>
>>
>> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
>> hereto, is for the sole use of the intended recipient(s) and may contain
>> confidential and/or proprietary information.
>>
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>>
>>
>>
>> --
>>
>> ---
>> David Brossard
>> http://www.linkedin.com/in/davidbrossard
>> http://twitter.com/davidjbrossard
>> http://about.me/brossard
>> ---
>> Stay safe on the Internet: http://www.ic3.gov/preventiontips.aspx
>> Prenez vos pr?cautions sur Internet:
>> http://www.securite-informatique.gouv.fr/gp_rubrique34.html
>>
>
>
> --
> ---
> David Brossard
> http://www.linkedin.com/in/davidbrossard
> http://twitter.com/davidjbrossard
> http://about.me/brossard
> ---
> Stay safe on the Internet: IC3 Prevention Tips
> <https://www.capefearnetworks.com/wp-content/uploads/2017/05/Internet-Fraud-Prevention-Tips-IC3.pdf>
> Prenez vos pr?cautions sur Internet:
> http://www.securite-informatique.gouv.fr/gp_rubrique34.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230627/2716a154/attachment-0001.html>

From atul at sgnl.ai  Wed Jun 28 16:49:53 2023
From: atul at sgnl.ai (Atul Tulshibagwale)
Date: Wed, 28 Jun 2023 09:49:53 -0700
Subject: [policy-charter] Authorization API Proposal
In-Reply-To: <CALkJ7sV7npFzxA5Z0AwQ8ProzQCwFkax5U2VnqvpcoeyrHNuhQ@mail.gmail.com>
References: <CANtBS9fNYA-cPsrWNAVNQL0wOzsp=osZrPExcx7goqQ28eOpmw@mail.gmail.com>
 <CALkJ7sV7npFzxA5Z0AwQ8ProzQCwFkax5U2VnqvpcoeyrHNuhQ@mail.gmail.com>
Message-ID: <CANtBS9eG9OFvRs6LdJviNVFGXdQGLLHfib3CK2ZY_q8f5Hu1YQ@mail.gmail.com>

Hi Omri,
Thanks for your feedback here. I think GitHub issues are a good way to
provide feedback. I'll be happy to add you as a collaborator in the repo
(and anyone else who would like to collaborate in updating / editing the
draft). Please send me your GitHub ID.

Thanks,
Atul

On Tue, Jun 27, 2023 at 10:47?PM Omri Gazitt <omri at aserto.com> wrote:

> Thanks Atul - it's clear you and the SGNL team put some thought into this.
>
> I'm still looking through this but I like that you're specifying both a
> "check" function (Access Evaluation) and an "expand" function (Search
> API).  Both are important, but perhaps only the Access Evaluation API ought
> to be required.
>
> I'm not sure what is the best way to provide feedback. Github issues? PRs?
> put it in a google doc and use comments?
>
> Here are some thoughts (sorry, no particular order):
>
> > Policy Distribution Point
> Nit - this should be "Policy Decision Point" (which you name correctly in
> other places in the doc)
>
> > The Authorization API is itself authorized using OAuth 2.0 ([RFC6749
> <https://sgnl-ai.github.io/authzapi/#RFC6749>])
> I think this is overspecified. I can certainly see clients that call an
> Authorization API using an API key.
>
> > Terminology
> A bit of a quibble, but perhaps we tip the hat to XACML and use the terms
> "subject" and "resource" instead of "principal" and "asset". I'm not
> religious about these terms, but "asset" in particular seems less common
> than "object" or "resource".
>
> > Principals
> In many systems, subjects will be extracted from a JWT "sub" claim, which
> is a string. I'm not sure that specifying that this must be a JSON
> structure, and further specifying two optional fields (ipAddress and
> deviceId) is necessary, and feels overspecified.
>
> > Assets
> Having a type and id makes sense, but could these be specified in a single
> string?  For example, zanzibar defines these as type:id
>
> I do like having the ability to pass in properties in addition to the
> object identifier - but it seems like this should be a json object
> (key:value pairs), not just an array of attribute names.
>
> > Actions
> It's not clear to me that separating actions into "standard" and "custom"
> is useful. I think the types of actions you list (CRUD) are common examples
> but should not be normative.
>
> I do think it's possible to use the generic concept of "Action" to
> encompass permissions and relations.
>
> > Queries (as array)
> I think that allowing a set of decisions to be requested at once is
> valuable, but IMO the spec should not mandate that implementations must
> support more than one query at a time. Some PDPs don't support that
> semantic and it should be considered optional.
>
>
>
>
> On Tue, Jun 27, 2023 at 4:38?PM Atul Tulshibagwale via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> Hi all,
>>
>> Here's a proposal of an Authorization API that we would like to
>> contribute to this group (in its current form or if / when we find a home
>> in a standards body). This is similar to at least a few vendors' current
>> offerings, so I hope everyone finds this helpful, and we can accelerate our
>> standardization efforts as a result.
>>
>> You can read the proposal in HTML format here:
>> https://sgnl-ai.github.io/authzapi/
>>
>> The sources (under the MIT License) are here:
>> https://github.com/SGNL-ai/authzapi
>>
>> - Atul Tulshibagwale, Erik Gustavson and Marc Jordan
>>
>> --
>>
>> <https://sgnl.ai>
>>
>> Atul Tulshibagwale
>>
>> CTO
>>
>> <https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
>> <atul at sgnl.ai>
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230628/3d91d3bb/attachment.html>

From alex at 3edges.com  Wed Jun 28 16:51:49 2023
From: alex at 3edges.com (Alex Babeanu)
Date: Wed, 28 Jun 2023 09:51:49 -0700
Subject: [policy-charter] Authorization API Proposal
In-Reply-To: <CANtBS9eG9OFvRs6LdJviNVFGXdQGLLHfib3CK2ZY_q8f5Hu1YQ@mail.gmail.com>
References: <CANtBS9fNYA-cPsrWNAVNQL0wOzsp=osZrPExcx7goqQ28eOpmw@mail.gmail.com>
 <CALkJ7sV7npFzxA5Z0AwQ8ProzQCwFkax5U2VnqvpcoeyrHNuhQ@mail.gmail.com>
 <CANtBS9eG9OFvRs6LdJviNVFGXdQGLLHfib3CK2ZY_q8f5Hu1YQ@mail.gmail.com>
Message-ID: <CAOFyxEMwBfVo4XU9eRtZMRKgxmx8BFLC9DmqDr-4jzGihogY6A@mail.gmail.com>

Hi Atul, I'm crafting some feedback on this now, please add me too: GitHub
ID = "baboulebou"

Many thanks,

./\.

On Wed, Jun 28, 2023 at 9:50?AM Atul Tulshibagwale via policy-charter <
policy-charter at lists.openid.net> wrote:

> Hi Omri,
> Thanks for your feedback here. I think GitHub issues are a good way to
> provide feedback. I'll be happy to add you as a collaborator in the repo
> (and anyone else who would like to collaborate in updating / editing the
> draft). Please send me your GitHub ID.
>
> Thanks,
> Atul
>
> On Tue, Jun 27, 2023 at 10:47?PM Omri Gazitt <omri at aserto.com> wrote:
>
>> Thanks Atul - it's clear you and the SGNL team put some thought into this.
>>
>> I'm still looking through this but I like that you're specifying both a
>> "check" function (Access Evaluation) and an "expand" function (Search
>> API).  Both are important, but perhaps only the Access Evaluation API ought
>> to be required.
>>
>> I'm not sure what is the best way to provide feedback. Github issues?
>> PRs? put it in a google doc and use comments?
>>
>> Here are some thoughts (sorry, no particular order):
>>
>> > Policy Distribution Point
>> Nit - this should be "Policy Decision Point" (which you name correctly in
>> other places in the doc)
>>
>> > The Authorization API is itself authorized using OAuth 2.0 ([RFC6749
>> <https://sgnl-ai.github.io/authzapi/#RFC6749>])
>> I think this is overspecified. I can certainly see clients that call an
>> Authorization API using an API key.
>>
>> > Terminology
>> A bit of a quibble, but perhaps we tip the hat to XACML and use the terms
>> "subject" and "resource" instead of "principal" and "asset". I'm not
>> religious about these terms, but "asset" in particular seems less common
>> than "object" or "resource".
>>
>> > Principals
>> In many systems, subjects will be extracted from a JWT "sub" claim, which
>> is a string. I'm not sure that specifying that this must be a JSON
>> structure, and further specifying two optional fields (ipAddress and
>> deviceId) is necessary, and feels overspecified.
>>
>> > Assets
>> Having a type and id makes sense, but could these be specified in a
>> single string?  For example, zanzibar defines these as type:id
>>
>> I do like having the ability to pass in properties in addition to the
>> object identifier - but it seems like this should be a json object
>> (key:value pairs), not just an array of attribute names.
>>
>> > Actions
>> It's not clear to me that separating actions into "standard" and "custom"
>> is useful. I think the types of actions you list (CRUD) are common examples
>> but should not be normative.
>>
>> I do think it's possible to use the generic concept of "Action" to
>> encompass permissions and relations.
>>
>> > Queries (as array)
>> I think that allowing a set of decisions to be requested at once is
>> valuable, but IMO the spec should not mandate that implementations must
>> support more than one query at a time. Some PDPs don't support that
>> semantic and it should be considered optional.
>>
>>
>>
>>
>> On Tue, Jun 27, 2023 at 4:38?PM Atul Tulshibagwale via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>>> Hi all,
>>>
>>> Here's a proposal of an Authorization API that we would like to
>>> contribute to this group (in its current form or if / when we find a home
>>> in a standards body). This is similar to at least a few vendors' current
>>> offerings, so I hope everyone finds this helpful, and we can accelerate our
>>> standardization efforts as a result.
>>>
>>> You can read the proposal in HTML format here:
>>> https://sgnl-ai.github.io/authzapi/
>>>
>>> The sources (under the MIT License) are here:
>>> https://github.com/SGNL-ai/authzapi
>>>
>>> - Atul Tulshibagwale, Erik Gustavson and Marc Jordan
>>>
>>> --
>>>
>>> <https://sgnl.ai>
>>>
>>> Atul Tulshibagwale
>>>
>>> CTO
>>>
>>> <https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
>>> <atul at sgnl.ai>
>>> --
>>> policy-charter mailing list
>>> policy-charter at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>
>> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>


-- 
[image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
Their phone number is +1 604 728 8130.]
<https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>

-- 
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments 
hereto, is for the sole use of the intended recipient(s) and may contain 
confidential and/or proprietary information.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230628/2850f067/attachment-0001.html>

From pieter.kasselman at microsoft.com  Wed Jun 28 17:32:10 2023
From: pieter.kasselman at microsoft.com (Pieter Kasselman)
Date: Wed, 28 Jun 2023 17:32:10 +0000
Subject: [policy-charter] Authorization API Proposal
In-Reply-To: <CAOFyxEMwBfVo4XU9eRtZMRKgxmx8BFLC9DmqDr-4jzGihogY6A@mail.gmail.com>
References: <CANtBS9fNYA-cPsrWNAVNQL0wOzsp=osZrPExcx7goqQ28eOpmw@mail.gmail.com>
 <CALkJ7sV7npFzxA5Z0AwQ8ProzQCwFkax5U2VnqvpcoeyrHNuhQ@mail.gmail.com>
 <CANtBS9eG9OFvRs6LdJviNVFGXdQGLLHfib3CK2ZY_q8f5Hu1YQ@mail.gmail.com>
 <CAOFyxEMwBfVo4XU9eRtZMRKgxmx8BFLC9DmqDr-4jzGihogY6A@mail.gmail.com>
Message-ID: <DBAPR83MB0422E6FEB8E4B5835766DD319124A@DBAPR83MB0422.EURPRD83.prod.outlook.com>

Thanks for sharing this Atul. If you add me to the repository I will open issues there.

One question I had was whether the Search API could also return a policy in a ?native? format. I.e. instead of returning the detailed ?decisions? array, could it return an array containing policies expressed in a format the PEP already understands?

Cheers

Pieter

From: policy-charter <policy-charter-bounces at lists.openid.net> On Behalf Of Alex Babeanu via policy-charter
Sent: Wednesday, June 28, 2023 5:52 PM
To: Policy Charter Mail List <policy-charter at lists.openid.net>
Cc: Alex Babeanu <alex at 3edges.com>; Erik Gustavson <erik at sgnl.ai>; Marc Jordan <marc at sgnl.ai>; Gert Drapers <gert at aserto.com>
Subject: Re: [policy-charter] Authorization API Proposal

Hi Atul, I'm crafting some feedback on this now, please add me too: GitHub ID = "baboulebou"

Many thanks,

./\.

On Wed, Jun 28, 2023 at 9:50?AM Atul Tulshibagwale via policy-charter <policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>> wrote:
Hi Omri,
Thanks for your feedback here. I think GitHub issues are a good way to provide feedback. I'll be happy to add you as a collaborator in the repo (and anyone else who would like to collaborate in updating / editing the draft). Please send me your GitHub ID.

Thanks,
Atul

On Tue, Jun 27, 2023 at 10:47?PM Omri Gazitt <omri at aserto.com<mailto:omri at aserto.com>> wrote:
Thanks Atul - it's clear you and the SGNL team put some thought into this.

I'm still looking through this but I like that you're specifying both a "check" function (Access Evaluation) and an "expand" function (Search API).  Both are important, but perhaps only the Access Evaluation API ought to be required.

I'm not sure what is the best way to provide feedback. Github issues? PRs? put it in a google doc and use comments?

Here are some thoughts (sorry, no particular order):

> Policy Distribution Point
Nit - this should be "Policy Decision Point" (which you name correctly in other places in the doc)

> The Authorization API is itself authorized using OAuth 2.0 ([RFC6749<https://sgnl-ai.github.io/authzapi/#RFC6749>])
I think this is overspecified. I can certainly see clients that call an Authorization API using an API key.

> Terminology
A bit of a quibble, but perhaps we tip the hat to XACML and use the terms "subject" and "resource" instead of "principal" and "asset". I'm not religious about these terms, but "asset" in particular seems less common than "object" or "resource".

> Principals
In many systems, subjects will be extracted from a JWT "sub" claim, which is a string. I'm not sure that specifying that this must be a JSON structure, and further specifying two optional fields (ipAddress and deviceId) is necessary, and feels overspecified.

> Assets
Having a type and id makes sense, but could these be specified in a single string?  For example, zanzibar defines these as type:id

I do like having the ability to pass in properties in addition to the object identifier - but it seems like this should be a json object (key:value pairs), not just an array of attribute names.

> Actions
It's not clear to me that separating actions into "standard" and "custom" is useful. I think the types of actions you list (CRUD) are common examples but should not be normative.

I do think it's possible to use the generic concept of "Action" to encompass permissions and relations.

> Queries (as array)
I think that allowing a set of decisions to be requested at once is valuable, but IMO the spec should not mandate that implementations must support more than one query at a time. Some PDPs don't support that semantic and it should be considered optional.




On Tue, Jun 27, 2023 at 4:38?PM Atul Tulshibagwale via policy-charter <policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>> wrote:
Hi all,

Here's a proposal of an Authorization API that we would like to contribute to this group (in its current form or if / when we find a home in a standards body). This is similar to at least a few vendors' current offerings, so I hope everyone finds this helpful, and we can accelerate our standardization efforts as a result.

You can read the proposal in HTML format here: https://sgnl-ai.github.io/authzapi/

The sources (under the MIT License) are here: https://github.com/SGNL-ai/authzapi

- Atul Tulshibagwale, Erik Gustavson and Marc Jordan

--

[Image removed by sender.]<https://sgnl.ai/>

Atul Tulshibagwale

CTO

[Image removed by sender.]<https://linkedin.com/in/tulshi>[Image removed by sender.]<https://twitter.com/zirotrust>[Image removed by sender.]<mailto:atul at sgnl.ai>
--
policy-charter mailing list
policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>
https://lists.openid.net/mailman/listinfo/policy-charter
--
policy-charter mailing list
policy-charter at lists.openid.net<mailto:policy-charter at lists.openid.net>
https://lists.openid.net/mailman/listinfo/policy-charter


--
[Image removed by sender. This is Alexandre Babeanu's card. Their email is alex at 3edges.com. Their phone number is +1 604 728 8130.]<https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>


CONFIDENTIALITY NOTICE: This e-mail message, including any attachments hereto, is for the sole use of the intended recipient(s) and may contain confidential and/or proprietary information.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230628/42e178b0/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ~WRD0180.jpg
Type: image/jpeg
Size: 823 bytes
Desc: ~WRD0180.jpg
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230628/42e178b0/attachment-0001.jpg>

From alex at 3edges.com  Wed Jun 28 17:50:51 2023
From: alex at 3edges.com (Alex Babeanu)
Date: Wed, 28 Jun 2023 10:50:51 -0700
Subject: [policy-charter] Authorization API Proposal
In-Reply-To: <CALkJ7sV7npFzxA5Z0AwQ8ProzQCwFkax5U2VnqvpcoeyrHNuhQ@mail.gmail.com>
References: <CANtBS9fNYA-cPsrWNAVNQL0wOzsp=osZrPExcx7goqQ28eOpmw@mail.gmail.com>
 <CALkJ7sV7npFzxA5Z0AwQ8ProzQCwFkax5U2VnqvpcoeyrHNuhQ@mail.gmail.com>
Message-ID: <CAOFyxEPx1mhyj1+qzFWZ4jNDymoYVZQTqSXEqODP=uFZSFVoHQ@mail.gmail.com>

Thanks for sharing this Atul,

Some additional comments:

> Re: Oauth2, I agree with Omri: I think this spec should just state that
authentication is required, but out of scope of the doc. We could suggest
Oauth2 that being said...

> I would also prefer to stick to "Subject" and "Resource"

3.5 - Principals ("Subjects")
> An ID should indeed suffice. Now it's probably a good idea to also
*optionally* add some Subject claims here that the PDP can use (thinking
JWT claims coming into the PEP, or environmental values for example). But
in that case it should not be just "IP" and "DeviceID", but rather an array
of "key"="Value" claim pairs, which may be completely custom and
use-case-specific.

> It would be good to also have a Subject Type - make it optional if not
needed (but we would need it for example).

3.6 - Assets
> ID should be mandatory I think.

3.7 - Actions
--> Omri, if "Action" is enough to represent relationships in your world,
it isn't in mine. Just think of "HAS_FRIEND" relationships for example...
Anyway, there's probably no point in adding any graph-modelling to this
doc...

3.12.2 - Evaluation response
> I don't think we need an `exp` value: we can't "predict" how long an
access rule would be true for: that's a business decision! Besides, in the
spirit of Zero Trust, a decision is just made at 1 point in time, the next
access request may yield a completely different response. Up to the PDP to
do caching or whatever to speed-up processing.

> I don't think it's a good idea to reply with all language strings, this
could be a huge response and it would probably slow-down the PDP too.
Instead, have the client PEP request the language it wants its responses
in, and just return that 1 reason string.

3.13 - Search API
> We also need the reverse query, i.e., who can access this given Resource ?
> Again, I don't think we need `exp` here.

Regards,

./\.

On Tue, Jun 27, 2023 at 10:48?PM Omri Gazitt via policy-charter <
policy-charter at lists.openid.net> wrote:

> Thanks Atul - it's clear you and the SGNL team put some thought into this.
>
> I'm still looking through this but I like that you're specifying both a
> "check" function (Access Evaluation) and an "expand" function (Search
> API).  Both are important, but perhaps only the Access Evaluation API ought
> to be required.
>
> I'm not sure what is the best way to provide feedback. Github issues? PRs?
> put it in a google doc and use comments?
>
> Here are some thoughts (sorry, no particular order):
>
> > Policy Distribution Point
> Nit - this should be "Policy Decision Point" (which you name correctly in
> other places in the doc)
>
> > The Authorization API is itself authorized using OAuth 2.0 ([RFC6749
> <https://sgnl-ai.github.io/authzapi/#RFC6749>])
> I think this is overspecified. I can certainly see clients that call an
> Authorization API using an API key.
>
> > Terminology
> A bit of a quibble, but perhaps we tip the hat to XACML and use the terms
> "subject" and "resource" instead of "principal" and "asset". I'm not
> religious about these terms, but "asset" in particular seems less common
> than "object" or "resource".
>
> > Principals
> In many systems, subjects will be extracted from a JWT "sub" claim, which
> is a string. I'm not sure that specifying that this must be a JSON
> structure, and further specifying two optional fields (ipAddress and
> deviceId) is necessary, and feels overspecified.
>
> > Assets
> Having a type and id makes sense, but could these be specified in a single
> string?  For example, zanzibar defines these as type:id
>
> I do like having the ability to pass in properties in addition to the
> object identifier - but it seems like this should be a json object
> (key:value pairs), not just an array of attribute names.
>
> > Actions
> It's not clear to me that separating actions into "standard" and "custom"
> is useful. I think the types of actions you list (CRUD) are common examples
> but should not be normative.
>
> I do think it's possible to use the generic concept of "Action" to
> encompass permissions and relations.
>
> > Queries (as array)
> I think that allowing a set of decisions to be requested at once is
> valuable, but IMO the spec should not mandate that implementations must
> support more than one query at a time. Some PDPs don't support that
> semantic and it should be considered optional.
>
>
>
>
> On Tue, Jun 27, 2023 at 4:38?PM Atul Tulshibagwale via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> Hi all,
>>
>> Here's a proposal of an Authorization API that we would like to
>> contribute to this group (in its current form or if / when we find a home
>> in a standards body). This is similar to at least a few vendors' current
>> offerings, so I hope everyone finds this helpful, and we can accelerate our
>> standardization efforts as a result.
>>
>> You can read the proposal in HTML format here:
>> https://sgnl-ai.github.io/authzapi/
>>
>> The sources (under the MIT License) are here:
>> https://github.com/SGNL-ai/authzapi
>>
>> - Atul Tulshibagwale, Erik Gustavson and Marc Jordan
>>
>> --
>>
>> <https://sgnl.ai>
>>
>> Atul Tulshibagwale
>>
>> CTO
>>
>> <https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
>> <atul at sgnl.ai>
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>


-- 
[image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
Their phone number is +1 604 728 8130.]
<https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>

-- 
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments 
hereto, is for the sole use of the intended recipient(s) and may contain 
confidential and/or proprietary information.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230628/5ed70995/attachment.html>

From atul at sgnl.ai  Wed Jun 28 18:19:38 2023
From: atul at sgnl.ai (Atul Tulshibagwale)
Date: Wed, 28 Jun 2023 11:19:38 -0700
Subject: [policy-charter] Authorization API Proposal
In-Reply-To: <CAOFyxEPx1mhyj1+qzFWZ4jNDymoYVZQTqSXEqODP=uFZSFVoHQ@mail.gmail.com>
References: <CANtBS9fNYA-cPsrWNAVNQL0wOzsp=osZrPExcx7goqQ28eOpmw@mail.gmail.com>
 <CALkJ7sV7npFzxA5Z0AwQ8ProzQCwFkax5U2VnqvpcoeyrHNuhQ@mail.gmail.com>
 <CAOFyxEPx1mhyj1+qzFWZ4jNDymoYVZQTqSXEqODP=uFZSFVoHQ@mail.gmail.com>
Message-ID: <CANtBS9fjX5+dteJnsCSHxpgm872tKgFnxtJQVQy6TS8rSV99Fg@mail.gmail.com>

Thanks all for your feedback and willingness to contribute. I've added
Gert, Alex and Pieter as collaborators (based on the requests so far).

On Wed, Jun 28, 2023 at 10:51?AM Alex Babeanu via policy-charter <
policy-charter at lists.openid.net> wrote:

> Thanks for sharing this Atul,
>
> Some additional comments:
>
> > Re: Oauth2, I agree with Omri: I think this spec should just state that
> authentication is required, but out of scope of the doc. We could suggest
> Oauth2 that being said...
>
> > I would also prefer to stick to "Subject" and "Resource"
>
> 3.5 - Principals ("Subjects")
> > An ID should indeed suffice. Now it's probably a good idea to also
> *optionally* add some Subject claims here that the PDP can use (thinking
> JWT claims coming into the PEP, or environmental values for example). But
> in that case it should not be just "IP" and "DeviceID", but rather an array
> of "key"="Value" claim pairs, which may be completely custom and
> use-case-specific.
>
> > It would be good to also have a Subject Type - make it optional if not
> needed (but we would need it for example).
>
> 3.6 - Assets
> > ID should be mandatory I think.
>
> 3.7 - Actions
> --> Omri, if "Action" is enough to represent relationships in your world,
> it isn't in mine. Just think of "HAS_FRIEND" relationships for example...
> Anyway, there's probably no point in adding any graph-modelling to this
> doc...
>
> 3.12.2 - Evaluation response
> > I don't think we need an `exp` value: we can't "predict" how long an
> access rule would be true for: that's a business decision! Besides, in the
> spirit of Zero Trust, a decision is just made at 1 point in time, the next
> access request may yield a completely different response. Up to the PDP to
> do caching or whatever to speed-up processing.
>
> > I don't think it's a good idea to reply with all language strings, this
> could be a huge response and it would probably slow-down the PDP too.
> Instead, have the client PEP request the language it wants its responses
> in, and just return that 1 reason string.
>
> 3.13 - Search API
> > We also need the reverse query, i.e., who can access this given Resource
> ?
> > Again, I don't think we need `exp` here.
>
> Regards,
>
> ./\.
>
> On Tue, Jun 27, 2023 at 10:48?PM Omri Gazitt via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> Thanks Atul - it's clear you and the SGNL team put some thought into this.
>>
>> I'm still looking through this but I like that you're specifying both a
>> "check" function (Access Evaluation) and an "expand" function (Search
>> API).  Both are important, but perhaps only the Access Evaluation API ought
>> to be required.
>>
>> I'm not sure what is the best way to provide feedback. Github issues?
>> PRs? put it in a google doc and use comments?
>>
>> Here are some thoughts (sorry, no particular order):
>>
>> > Policy Distribution Point
>> Nit - this should be "Policy Decision Point" (which you name correctly in
>> other places in the doc)
>>
>> > The Authorization API is itself authorized using OAuth 2.0 ([RFC6749
>> <https://sgnl-ai.github.io/authzapi/#RFC6749>])
>> I think this is overspecified. I can certainly see clients that call an
>> Authorization API using an API key.
>>
>> > Terminology
>> A bit of a quibble, but perhaps we tip the hat to XACML and use the terms
>> "subject" and "resource" instead of "principal" and "asset". I'm not
>> religious about these terms, but "asset" in particular seems less common
>> than "object" or "resource".
>>
>> > Principals
>> In many systems, subjects will be extracted from a JWT "sub" claim, which
>> is a string. I'm not sure that specifying that this must be a JSON
>> structure, and further specifying two optional fields (ipAddress and
>> deviceId) is necessary, and feels overspecified.
>>
>> > Assets
>> Having a type and id makes sense, but could these be specified in a
>> single string?  For example, zanzibar defines these as type:id
>>
>> I do like having the ability to pass in properties in addition to the
>> object identifier - but it seems like this should be a json object
>> (key:value pairs), not just an array of attribute names.
>>
>> > Actions
>> It's not clear to me that separating actions into "standard" and "custom"
>> is useful. I think the types of actions you list (CRUD) are common examples
>> but should not be normative.
>>
>> I do think it's possible to use the generic concept of "Action" to
>> encompass permissions and relations.
>>
>> > Queries (as array)
>> I think that allowing a set of decisions to be requested at once is
>> valuable, but IMO the spec should not mandate that implementations must
>> support more than one query at a time. Some PDPs don't support that
>> semantic and it should be considered optional.
>>
>>
>>
>>
>> On Tue, Jun 27, 2023 at 4:38?PM Atul Tulshibagwale via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>>> Hi all,
>>>
>>> Here's a proposal of an Authorization API that we would like to
>>> contribute to this group (in its current form or if / when we find a home
>>> in a standards body). This is similar to at least a few vendors' current
>>> offerings, so I hope everyone finds this helpful, and we can accelerate our
>>> standardization efforts as a result.
>>>
>>> You can read the proposal in HTML format here:
>>> https://sgnl-ai.github.io/authzapi/
>>>
>>> The sources (under the MIT License) are here:
>>> https://github.com/SGNL-ai/authzapi
>>>
>>> - Atul Tulshibagwale, Erik Gustavson and Marc Jordan
>>>
>>> --
>>>
>>> <https://sgnl.ai>
>>>
>>> Atul Tulshibagwale
>>>
>>> CTO
>>>
>>> <https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
>>> <atul at sgnl.ai>
>>> --
>>> policy-charter mailing list
>>> policy-charter at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>
>
> --
> [image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
> Their phone number is +1 604 728 8130.]
> <https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>
>
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
> hereto, is for the sole use of the intended recipient(s) and may contain
> confidential and/or proprietary information.
> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230628/dc5ce44f/attachment-0001.html>

From alex at 3edges.com  Wed Jun 28 18:33:43 2023
From: alex at 3edges.com (Alex Babeanu)
Date: Wed, 28 Jun 2023 11:33:43 -0700
Subject: [policy-charter] Authorization API Proposal
In-Reply-To: <CANtBS9fjX5+dteJnsCSHxpgm872tKgFnxtJQVQy6TS8rSV99Fg@mail.gmail.com>
References: <CANtBS9fNYA-cPsrWNAVNQL0wOzsp=osZrPExcx7goqQ28eOpmw@mail.gmail.com>
 <CALkJ7sV7npFzxA5Z0AwQ8ProzQCwFkax5U2VnqvpcoeyrHNuhQ@mail.gmail.com>
 <CAOFyxEPx1mhyj1+qzFWZ4jNDymoYVZQTqSXEqODP=uFZSFVoHQ@mail.gmail.com>
 <CANtBS9fjX5+dteJnsCSHxpgm872tKgFnxtJQVQy6TS8rSV99Fg@mail.gmail.com>
Message-ID: <CAOFyxEMW4midqncutH4Cdv8jEEV4K+ha=2BOVH73jK5FAjBs5A@mail.gmail.com>

So Atul, what's the process there?All comments become "Issues" in BitBucket?
Or create branches with suggested edits?
Or... ?

Cheers,

./\.

On Wed, Jun 28, 2023 at 11:19?AM Atul Tulshibagwale <atul at sgnl.ai> wrote:

> Thanks all for your feedback and willingness to contribute. I've added
> Gert, Alex and Pieter as collaborators (based on the requests so far).
>
> On Wed, Jun 28, 2023 at 10:51?AM Alex Babeanu via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> Thanks for sharing this Atul,
>>
>> Some additional comments:
>>
>> > Re: Oauth2, I agree with Omri: I think this spec should just state that
>> authentication is required, but out of scope of the doc. We could suggest
>> Oauth2 that being said...
>>
>> > I would also prefer to stick to "Subject" and "Resource"
>>
>> 3.5 - Principals ("Subjects")
>> > An ID should indeed suffice. Now it's probably a good idea to also
>> *optionally* add some Subject claims here that the PDP can use (thinking
>> JWT claims coming into the PEP, or environmental values for example). But
>> in that case it should not be just "IP" and "DeviceID", but rather an array
>> of "key"="Value" claim pairs, which may be completely custom and
>> use-case-specific.
>>
>> > It would be good to also have a Subject Type - make it optional if not
>> needed (but we would need it for example).
>>
>> 3.6 - Assets
>> > ID should be mandatory I think.
>>
>> 3.7 - Actions
>> --> Omri, if "Action" is enough to represent relationships in your world,
>> it isn't in mine. Just think of "HAS_FRIEND" relationships for example...
>> Anyway, there's probably no point in adding any graph-modelling to this
>> doc...
>>
>> 3.12.2 - Evaluation response
>> > I don't think we need an `exp` value: we can't "predict" how long an
>> access rule would be true for: that's a business decision! Besides, in the
>> spirit of Zero Trust, a decision is just made at 1 point in time, the next
>> access request may yield a completely different response. Up to the PDP to
>> do caching or whatever to speed-up processing.
>>
>> > I don't think it's a good idea to reply with all language strings, this
>> could be a huge response and it would probably slow-down the PDP too.
>> Instead, have the client PEP request the language it wants its responses
>> in, and just return that 1 reason string.
>>
>> 3.13 - Search API
>> > We also need the reverse query, i.e., who can access this given
>> Resource ?
>> > Again, I don't think we need `exp` here.
>>
>> Regards,
>>
>> ./\.
>>
>> On Tue, Jun 27, 2023 at 10:48?PM Omri Gazitt via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>>> Thanks Atul - it's clear you and the SGNL team put some thought into
>>> this.
>>>
>>> I'm still looking through this but I like that you're specifying both a
>>> "check" function (Access Evaluation) and an "expand" function (Search
>>> API).  Both are important, but perhaps only the Access Evaluation API ought
>>> to be required.
>>>
>>> I'm not sure what is the best way to provide feedback. Github issues?
>>> PRs? put it in a google doc and use comments?
>>>
>>> Here are some thoughts (sorry, no particular order):
>>>
>>> > Policy Distribution Point
>>> Nit - this should be "Policy Decision Point" (which you name correctly
>>> in other places in the doc)
>>>
>>> > The Authorization API is itself authorized using OAuth 2.0 ([RFC6749
>>> <https://sgnl-ai.github.io/authzapi/#RFC6749>])
>>> I think this is overspecified. I can certainly see clients that call an
>>> Authorization API using an API key.
>>>
>>> > Terminology
>>> A bit of a quibble, but perhaps we tip the hat to XACML and use the
>>> terms "subject" and "resource" instead of "principal" and "asset". I'm not
>>> religious about these terms, but "asset" in particular seems less common
>>> than "object" or "resource".
>>>
>>> > Principals
>>> In many systems, subjects will be extracted from a JWT "sub" claim,
>>> which is a string. I'm not sure that specifying that this must be a JSON
>>> structure, and further specifying two optional fields (ipAddress and
>>> deviceId) is necessary, and feels overspecified.
>>>
>>> > Assets
>>> Having a type and id makes sense, but could these be specified in a
>>> single string?  For example, zanzibar defines these as type:id
>>>
>>> I do like having the ability to pass in properties in addition to the
>>> object identifier - but it seems like this should be a json object
>>> (key:value pairs), not just an array of attribute names.
>>>
>>> > Actions
>>> It's not clear to me that separating actions into "standard" and
>>> "custom" is useful. I think the types of actions you list (CRUD) are common
>>> examples but should not be normative.
>>>
>>> I do think it's possible to use the generic concept of "Action" to
>>> encompass permissions and relations.
>>>
>>> > Queries (as array)
>>> I think that allowing a set of decisions to be requested at once is
>>> valuable, but IMO the spec should not mandate that implementations must
>>> support more than one query at a time. Some PDPs don't support that
>>> semantic and it should be considered optional.
>>>
>>>
>>>
>>>
>>> On Tue, Jun 27, 2023 at 4:38?PM Atul Tulshibagwale via policy-charter <
>>> policy-charter at lists.openid.net> wrote:
>>>
>>>> Hi all,
>>>>
>>>> Here's a proposal of an Authorization API that we would like to
>>>> contribute to this group (in its current form or if / when we find a home
>>>> in a standards body). This is similar to at least a few vendors' current
>>>> offerings, so I hope everyone finds this helpful, and we can accelerate our
>>>> standardization efforts as a result.
>>>>
>>>> You can read the proposal in HTML format here:
>>>> https://sgnl-ai.github.io/authzapi/
>>>>
>>>> The sources (under the MIT License) are here:
>>>> https://github.com/SGNL-ai/authzapi
>>>>
>>>> - Atul Tulshibagwale, Erik Gustavson and Marc Jordan
>>>>
>>>> --
>>>>
>>>> <https://sgnl.ai>
>>>>
>>>> Atul Tulshibagwale
>>>>
>>>> CTO
>>>>
>>>> <https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
>>>> <atul at sgnl.ai>
>>>> --
>>>> policy-charter mailing list
>>>> policy-charter at lists.openid.net
>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>
>>> --
>>> policy-charter mailing list
>>> policy-charter at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>
>>
>>
>> --
>> [image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
>> Their phone number is +1 604 728 8130.]
>> <https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>
>>
>> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
>> hereto, is for the sole use of the intended recipient(s) and may contain
>> confidential and/or proprietary information.
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>

-- 
[image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
Their phone number is +1 604 728 8130.]
<https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>

-- 
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments 
hereto, is for the sole use of the intended recipient(s) and may contain 
confidential and/or proprietary information.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230628/a22ee884/attachment.html>

From atul at sgnl.ai  Wed Jun 28 18:39:05 2023
From: atul at sgnl.ai (Atul Tulshibagwale)
Date: Wed, 28 Jun 2023 11:39:05 -0700
Subject: [policy-charter] Authorization API Proposal
In-Reply-To: <CAOFyxEMW4midqncutH4Cdv8jEEV4K+ha=2BOVH73jK5FAjBs5A@mail.gmail.com>
References: <CANtBS9fNYA-cPsrWNAVNQL0wOzsp=osZrPExcx7goqQ28eOpmw@mail.gmail.com>
 <CALkJ7sV7npFzxA5Z0AwQ8ProzQCwFkax5U2VnqvpcoeyrHNuhQ@mail.gmail.com>
 <CAOFyxEPx1mhyj1+qzFWZ4jNDymoYVZQTqSXEqODP=uFZSFVoHQ@mail.gmail.com>
 <CANtBS9fjX5+dteJnsCSHxpgm872tKgFnxtJQVQy6TS8rSV99Fg@mail.gmail.com>
 <CAOFyxEMW4midqncutH4Cdv8jEEV4K+ha=2BOVH73jK5FAjBs5A@mail.gmail.com>
Message-ID: <CANtBS9dogjLPMEt20Aa1ypwWK-050OaUXP=8bdK7PscqWVnp1A@mail.gmail.com>

Hi Alex,
When you select a line in the file, three dots (ellipses) appear in a
column to the left of the line numbers. If you click there, you see a
"Reference this line in a new issue". You can use that to reference code in
a new issue you create, or you can just create a new issue by going to the
"issues" tab.

Atul

On Wed, Jun 28, 2023 at 11:33?AM Alex Babeanu <alex at 3edges.com> wrote:

> So Atul, what's the process there?All comments become "Issues" in
> BitBucket?
> Or create branches with suggested edits?
> Or... ?
>
> Cheers,
>
> ./\.
>
> On Wed, Jun 28, 2023 at 11:19?AM Atul Tulshibagwale <atul at sgnl.ai> wrote:
>
>> Thanks all for your feedback and willingness to contribute. I've added
>> Gert, Alex and Pieter as collaborators (based on the requests so far).
>>
>> On Wed, Jun 28, 2023 at 10:51?AM Alex Babeanu via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>>> Thanks for sharing this Atul,
>>>
>>> Some additional comments:
>>>
>>> > Re: Oauth2, I agree with Omri: I think this spec should just state
>>> that authentication is required, but out of scope of the doc. We could
>>> suggest Oauth2 that being said...
>>>
>>> > I would also prefer to stick to "Subject" and "Resource"
>>>
>>> 3.5 - Principals ("Subjects")
>>> > An ID should indeed suffice. Now it's probably a good idea to also
>>> *optionally* add some Subject claims here that the PDP can use
>>> (thinking JWT claims coming into the PEP, or environmental values for
>>> example). But in that case it should not be just "IP" and "DeviceID", but
>>> rather an array of "key"="Value" claim pairs, which may be
>>> completely custom and use-case-specific.
>>>
>>> > It would be good to also have a Subject Type - make it optional if not
>>> needed (but we would need it for example).
>>>
>>> 3.6 - Assets
>>> > ID should be mandatory I think.
>>>
>>> 3.7 - Actions
>>> --> Omri, if "Action" is enough to represent relationships in your
>>> world, it isn't in mine. Just think of "HAS_FRIEND" relationships for
>>> example... Anyway, there's probably no point in adding any graph-modelling
>>> to this doc...
>>>
>>> 3.12.2 - Evaluation response
>>> > I don't think we need an `exp` value: we can't "predict" how long an
>>> access rule would be true for: that's a business decision! Besides, in the
>>> spirit of Zero Trust, a decision is just made at 1 point in time, the next
>>> access request may yield a completely different response. Up to the PDP to
>>> do caching or whatever to speed-up processing.
>>>
>>> > I don't think it's a good idea to reply with all language strings,
>>> this could be a huge response and it would probably slow-down the PDP too.
>>> Instead, have the client PEP request the language it wants its responses
>>> in, and just return that 1 reason string.
>>>
>>> 3.13 - Search API
>>> > We also need the reverse query, i.e., who can access this given
>>> Resource ?
>>> > Again, I don't think we need `exp` here.
>>>
>>> Regards,
>>>
>>> ./\.
>>>
>>> On Tue, Jun 27, 2023 at 10:48?PM Omri Gazitt via policy-charter <
>>> policy-charter at lists.openid.net> wrote:
>>>
>>>> Thanks Atul - it's clear you and the SGNL team put some thought into
>>>> this.
>>>>
>>>> I'm still looking through this but I like that you're specifying both a
>>>> "check" function (Access Evaluation) and an "expand" function (Search
>>>> API).  Both are important, but perhaps only the Access Evaluation API ought
>>>> to be required.
>>>>
>>>> I'm not sure what is the best way to provide feedback. Github issues?
>>>> PRs? put it in a google doc and use comments?
>>>>
>>>> Here are some thoughts (sorry, no particular order):
>>>>
>>>> > Policy Distribution Point
>>>> Nit - this should be "Policy Decision Point" (which you name correctly
>>>> in other places in the doc)
>>>>
>>>> > The Authorization API is itself authorized using OAuth 2.0 ([RFC6749
>>>> <https://sgnl-ai.github.io/authzapi/#RFC6749>])
>>>> I think this is overspecified. I can certainly see clients that call
>>>> an Authorization API using an API key.
>>>>
>>>> > Terminology
>>>> A bit of a quibble, but perhaps we tip the hat to XACML and use the
>>>> terms "subject" and "resource" instead of "principal" and "asset". I'm not
>>>> religious about these terms, but "asset" in particular seems less common
>>>> than "object" or "resource".
>>>>
>>>> > Principals
>>>> In many systems, subjects will be extracted from a JWT "sub" claim,
>>>> which is a string. I'm not sure that specifying that this must be a JSON
>>>> structure, and further specifying two optional fields (ipAddress and
>>>> deviceId) is necessary, and feels overspecified.
>>>>
>>>> > Assets
>>>> Having a type and id makes sense, but could these be specified in a
>>>> single string?  For example, zanzibar defines these as type:id
>>>>
>>>> I do like having the ability to pass in properties in addition to the
>>>> object identifier - but it seems like this should be a json object
>>>> (key:value pairs), not just an array of attribute names.
>>>>
>>>> > Actions
>>>> It's not clear to me that separating actions into "standard" and
>>>> "custom" is useful. I think the types of actions you list (CRUD) are common
>>>> examples but should not be normative.
>>>>
>>>> I do think it's possible to use the generic concept of "Action" to
>>>> encompass permissions and relations.
>>>>
>>>> > Queries (as array)
>>>> I think that allowing a set of decisions to be requested at once is
>>>> valuable, but IMO the spec should not mandate that implementations must
>>>> support more than one query at a time. Some PDPs don't support that
>>>> semantic and it should be considered optional.
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Jun 27, 2023 at 4:38?PM Atul Tulshibagwale via policy-charter <
>>>> policy-charter at lists.openid.net> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> Here's a proposal of an Authorization API that we would like to
>>>>> contribute to this group (in its current form or if / when we find a home
>>>>> in a standards body). This is similar to at least a few vendors' current
>>>>> offerings, so I hope everyone finds this helpful, and we can accelerate our
>>>>> standardization efforts as a result.
>>>>>
>>>>> You can read the proposal in HTML format here:
>>>>> https://sgnl-ai.github.io/authzapi/
>>>>>
>>>>> The sources (under the MIT License) are here:
>>>>> https://github.com/SGNL-ai/authzapi
>>>>>
>>>>> - Atul Tulshibagwale, Erik Gustavson and Marc Jordan
>>>>>
>>>>> --
>>>>>
>>>>> <https://sgnl.ai>
>>>>>
>>>>> Atul Tulshibagwale
>>>>>
>>>>> CTO
>>>>>
>>>>> <https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
>>>>> <atul at sgnl.ai>
>>>>> --
>>>>> policy-charter mailing list
>>>>> policy-charter at lists.openid.net
>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>
>>>> --
>>>> policy-charter mailing list
>>>> policy-charter at lists.openid.net
>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>
>>>
>>>
>>> --
>>> [image: This is Alexandre Babeanu's card. Their email is
>>> alex at 3edges.com. Their phone number is +1 604 728 8130.]
>>> <https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>
>>>
>>> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
>>> hereto, is for the sole use of the intended recipient(s) and may contain
>>> confidential and/or proprietary information.
>>> --
>>> policy-charter mailing list
>>> policy-charter at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>
>>
>
> --
> [image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
> Their phone number is +1 604 728 8130.]
> <https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>
>
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
> hereto, is for the sole use of the intended recipient(s) and may contain
> confidential and/or proprietary information.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230628/34e018e4/attachment-0001.html>

From atul at sgnl.ai  Wed Jun 28 18:39:47 2023
From: atul at sgnl.ai (Atul Tulshibagwale)
Date: Wed, 28 Jun 2023 11:39:47 -0700
Subject: [policy-charter] Authorization API Proposal
In-Reply-To: <CANtBS9dogjLPMEt20Aa1ypwWK-050OaUXP=8bdK7PscqWVnp1A@mail.gmail.com>
References: <CANtBS9fNYA-cPsrWNAVNQL0wOzsp=osZrPExcx7goqQ28eOpmw@mail.gmail.com>
 <CALkJ7sV7npFzxA5Z0AwQ8ProzQCwFkax5U2VnqvpcoeyrHNuhQ@mail.gmail.com>
 <CAOFyxEPx1mhyj1+qzFWZ4jNDymoYVZQTqSXEqODP=uFZSFVoHQ@mail.gmail.com>
 <CANtBS9fjX5+dteJnsCSHxpgm872tKgFnxtJQVQy6TS8rSV99Fg@mail.gmail.com>
 <CAOFyxEMW4midqncutH4Cdv8jEEV4K+ha=2BOVH73jK5FAjBs5A@mail.gmail.com>
 <CANtBS9dogjLPMEt20Aa1ypwWK-050OaUXP=8bdK7PscqWVnp1A@mail.gmail.com>
Message-ID: <CANtBS9eagwwCTCGc+L=ZvY9d6w=yMf=aF2ejX=Nah1X-AAA=2g@mail.gmail.com>

You can also use the "discussion" feature if you just want to discuss
something, and not call it an issue (yet)

On Wed, Jun 28, 2023 at 11:39?AM Atul Tulshibagwale <atul at sgnl.ai> wrote:

> Hi Alex,
> When you select a line in the file, three dots (ellipses) appear in a
> column to the left of the line numbers. If you click there, you see a
> "Reference this line in a new issue". You can use that to reference code in
> a new issue you create, or you can just create a new issue by going to the
> "issues" tab.
>
> Atul
>
> On Wed, Jun 28, 2023 at 11:33?AM Alex Babeanu <alex at 3edges.com> wrote:
>
>> So Atul, what's the process there?All comments become "Issues" in
>> BitBucket?
>> Or create branches with suggested edits?
>> Or... ?
>>
>> Cheers,
>>
>> ./\.
>>
>> On Wed, Jun 28, 2023 at 11:19?AM Atul Tulshibagwale <atul at sgnl.ai> wrote:
>>
>>> Thanks all for your feedback and willingness to contribute. I've added
>>> Gert, Alex and Pieter as collaborators (based on the requests so far).
>>>
>>> On Wed, Jun 28, 2023 at 10:51?AM Alex Babeanu via policy-charter <
>>> policy-charter at lists.openid.net> wrote:
>>>
>>>> Thanks for sharing this Atul,
>>>>
>>>> Some additional comments:
>>>>
>>>> > Re: Oauth2, I agree with Omri: I think this spec should just state
>>>> that authentication is required, but out of scope of the doc. We could
>>>> suggest Oauth2 that being said...
>>>>
>>>> > I would also prefer to stick to "Subject" and "Resource"
>>>>
>>>> 3.5 - Principals ("Subjects")
>>>> > An ID should indeed suffice. Now it's probably a good idea to also
>>>> *optionally* add some Subject claims here that the PDP can use
>>>> (thinking JWT claims coming into the PEP, or environmental values for
>>>> example). But in that case it should not be just "IP" and "DeviceID", but
>>>> rather an array of "key"="Value" claim pairs, which may be
>>>> completely custom and use-case-specific.
>>>>
>>>> > It would be good to also have a Subject Type - make it optional if
>>>> not needed (but we would need it for example).
>>>>
>>>> 3.6 - Assets
>>>> > ID should be mandatory I think.
>>>>
>>>> 3.7 - Actions
>>>> --> Omri, if "Action" is enough to represent relationships in your
>>>> world, it isn't in mine. Just think of "HAS_FRIEND" relationships for
>>>> example... Anyway, there's probably no point in adding any graph-modelling
>>>> to this doc...
>>>>
>>>> 3.12.2 - Evaluation response
>>>> > I don't think we need an `exp` value: we can't "predict" how long an
>>>> access rule would be true for: that's a business decision! Besides, in the
>>>> spirit of Zero Trust, a decision is just made at 1 point in time, the next
>>>> access request may yield a completely different response. Up to the PDP to
>>>> do caching or whatever to speed-up processing.
>>>>
>>>> > I don't think it's a good idea to reply with all language strings,
>>>> this could be a huge response and it would probably slow-down the PDP too.
>>>> Instead, have the client PEP request the language it wants its responses
>>>> in, and just return that 1 reason string.
>>>>
>>>> 3.13 - Search API
>>>> > We also need the reverse query, i.e., who can access this given
>>>> Resource ?
>>>> > Again, I don't think we need `exp` here.
>>>>
>>>> Regards,
>>>>
>>>> ./\.
>>>>
>>>> On Tue, Jun 27, 2023 at 10:48?PM Omri Gazitt via policy-charter <
>>>> policy-charter at lists.openid.net> wrote:
>>>>
>>>>> Thanks Atul - it's clear you and the SGNL team put some thought into
>>>>> this.
>>>>>
>>>>> I'm still looking through this but I like that you're specifying both
>>>>> a "check" function (Access Evaluation) and an "expand" function (Search
>>>>> API).  Both are important, but perhaps only the Access Evaluation API ought
>>>>> to be required.
>>>>>
>>>>> I'm not sure what is the best way to provide feedback. Github issues?
>>>>> PRs? put it in a google doc and use comments?
>>>>>
>>>>> Here are some thoughts (sorry, no particular order):
>>>>>
>>>>> > Policy Distribution Point
>>>>> Nit - this should be "Policy Decision Point" (which you name correctly
>>>>> in other places in the doc)
>>>>>
>>>>> > The Authorization API is itself authorized using OAuth 2.0 ([RFC6749
>>>>> <https://sgnl-ai.github.io/authzapi/#RFC6749>])
>>>>> I think this is overspecified. I can certainly see clients that call
>>>>> an Authorization API using an API key.
>>>>>
>>>>> > Terminology
>>>>> A bit of a quibble, but perhaps we tip the hat to XACML and use the
>>>>> terms "subject" and "resource" instead of "principal" and "asset". I'm not
>>>>> religious about these terms, but "asset" in particular seems less common
>>>>> than "object" or "resource".
>>>>>
>>>>> > Principals
>>>>> In many systems, subjects will be extracted from a JWT "sub" claim,
>>>>> which is a string. I'm not sure that specifying that this must be a JSON
>>>>> structure, and further specifying two optional fields (ipAddress and
>>>>> deviceId) is necessary, and feels overspecified.
>>>>>
>>>>> > Assets
>>>>> Having a type and id makes sense, but could these be specified in a
>>>>> single string?  For example, zanzibar defines these as type:id
>>>>>
>>>>> I do like having the ability to pass in properties in addition to the
>>>>> object identifier - but it seems like this should be a json object
>>>>> (key:value pairs), not just an array of attribute names.
>>>>>
>>>>> > Actions
>>>>> It's not clear to me that separating actions into "standard" and
>>>>> "custom" is useful. I think the types of actions you list (CRUD) are common
>>>>> examples but should not be normative.
>>>>>
>>>>> I do think it's possible to use the generic concept of "Action" to
>>>>> encompass permissions and relations.
>>>>>
>>>>> > Queries (as array)
>>>>> I think that allowing a set of decisions to be requested at once is
>>>>> valuable, but IMO the spec should not mandate that implementations must
>>>>> support more than one query at a time. Some PDPs don't support that
>>>>> semantic and it should be considered optional.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Jun 27, 2023 at 4:38?PM Atul Tulshibagwale via policy-charter <
>>>>> policy-charter at lists.openid.net> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> Here's a proposal of an Authorization API that we would like to
>>>>>> contribute to this group (in its current form or if / when we find a home
>>>>>> in a standards body). This is similar to at least a few vendors' current
>>>>>> offerings, so I hope everyone finds this helpful, and we can accelerate our
>>>>>> standardization efforts as a result.
>>>>>>
>>>>>> You can read the proposal in HTML format here:
>>>>>> https://sgnl-ai.github.io/authzapi/
>>>>>>
>>>>>> The sources (under the MIT License) are here:
>>>>>> https://github.com/SGNL-ai/authzapi
>>>>>>
>>>>>> - Atul Tulshibagwale, Erik Gustavson and Marc Jordan
>>>>>>
>>>>>> --
>>>>>>
>>>>>> <https://sgnl.ai>
>>>>>>
>>>>>> Atul Tulshibagwale
>>>>>>
>>>>>> CTO
>>>>>>
>>>>>> <https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
>>>>>> <atul at sgnl.ai>
>>>>>> --
>>>>>> policy-charter mailing list
>>>>>> policy-charter at lists.openid.net
>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>>
>>>>> --
>>>>> policy-charter mailing list
>>>>> policy-charter at lists.openid.net
>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>
>>>>
>>>>
>>>> --
>>>> [image: This is Alexandre Babeanu's card. Their email is
>>>> alex at 3edges.com. Their phone number is +1 604 728 8130.]
>>>> <https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>
>>>>
>>>> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
>>>> hereto, is for the sole use of the intended recipient(s) and may contain
>>>> confidential and/or proprietary information.
>>>> --
>>>> policy-charter mailing list
>>>> policy-charter at lists.openid.net
>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>
>>>
>>
>> --
>> [image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
>> Their phone number is +1 604 728 8130.]
>> <https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>
>>
>> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
>> hereto, is for the sole use of the intended recipient(s) and may contain
>> confidential and/or proprietary information.
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230628/fd680ba0/attachment-0001.html>

From david.brossard at gmail.com  Wed Jun 28 18:40:05 2023
From: david.brossard at gmail.com (David Brossard)
Date: Wed, 28 Jun 2023 11:40:05 -0700
Subject: [policy-charter] Authorization API Proposal
In-Reply-To: <CAOFyxEPx1mhyj1+qzFWZ4jNDymoYVZQTqSXEqODP=uFZSFVoHQ@mail.gmail.com>
References: <CANtBS9fNYA-cPsrWNAVNQL0wOzsp=osZrPExcx7goqQ28eOpmw@mail.gmail.com>
 <CALkJ7sV7npFzxA5Z0AwQ8ProzQCwFkax5U2VnqvpcoeyrHNuhQ@mail.gmail.com>
 <CAOFyxEPx1mhyj1+qzFWZ4jNDymoYVZQTqSXEqODP=uFZSFVoHQ@mail.gmail.com>
Message-ID: <CAJO7GQ-PZcwtcZ2cPY7RzatMvEBFDxhnzSPDVQcC0NknSZgyaQ@mail.gmail.com>

Please add me to the repository as well: davidjbrossard

Good feedback overall. I would argue that everything can be described in
terms of attributes. Historically, in XACML an attribute has a type,
identifier, category, and optionally issuer. For instance, userRole of type
string and category subject.

In retrospect, we realize that specifying the category is overkill.
Oftentimes the identifier will convey the grammatical meaning of the
attribute therefore nulling the need for a category.

Also the original core spec allows for something like 15 plus datatypes
including URI email and so on. In reality most deployments use string,
boolean, number, and date/time. The rest is too much.

I would steer away from terms like principal. In my mind it makes the spec
harder to understand because we do not all agree on what principal is. This
maps nicely to XACML categories.

Alex, I did not see hasFriend as an action but an attribute of the user.

Regarding API authentication, I think it is totally orthogonal to this
spec. If the customer wants to allow anonymous access, let them be. If they
want to use OAuth, so be it...

More to come

On Wed, Jun 28, 2023, 10:51 AM Alex Babeanu via policy-charter <
policy-charter at lists.openid.net> wrote:

> Thanks for sharing this Atul,
>
> Some additional comments:
>
> > Re: Oauth2, I agree with Omri: I think this spec should just state that
> authentication is required, but out of scope of the doc. We could suggest
> Oauth2 that being said...
>
> > I would also prefer to stick to "Subject" and "Resource"
>
> 3.5 - Principals ("Subjects")
> > An ID should indeed suffice. Now it's probably a good idea to also
> *optionally* add some Subject claims here that the PDP can use (thinking
> JWT claims coming into the PEP, or environmental values for example). But
> in that case it should not be just "IP" and "DeviceID", but rather an array
> of "key"="Value" claim pairs, which may be completely custom and
> use-case-specific.
>
> > It would be good to also have a Subject Type - make it optional if not
> needed (but we would need it for example).
>
> 3.6 - Assets
> > ID should be mandatory I think.
>
> 3.7 - Actions
> --> Omri, if "Action" is enough to represent relationships in your world,
> it isn't in mine. Just think of "HAS_FRIEND" relationships for example...
> Anyway, there's probably no point in adding any graph-modelling to this
> doc...
>
> 3.12.2 - Evaluation response
> > I don't think we need an `exp` value: we can't "predict" how long an
> access rule would be true for: that's a business decision! Besides, in the
> spirit of Zero Trust, a decision is just made at 1 point in time, the next
> access request may yield a completely different response. Up to the PDP to
> do caching or whatever to speed-up processing.
>
> > I don't think it's a good idea to reply with all language strings, this
> could be a huge response and it would probably slow-down the PDP too.
> Instead, have the client PEP request the language it wants its responses
> in, and just return that 1 reason string.
>
> 3.13 - Search API
> > We also need the reverse query, i.e., who can access this given Resource
> ?
> > Again, I don't think we need `exp` here.
>
> Regards,
>
> ./\.
>
> On Tue, Jun 27, 2023 at 10:48?PM Omri Gazitt via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> Thanks Atul - it's clear you and the SGNL team put some thought into this.
>>
>> I'm still looking through this but I like that you're specifying both a
>> "check" function (Access Evaluation) and an "expand" function (Search
>> API).  Both are important, but perhaps only the Access Evaluation API ought
>> to be required.
>>
>> I'm not sure what is the best way to provide feedback. Github issues?
>> PRs? put it in a google doc and use comments?
>>
>> Here are some thoughts (sorry, no particular order):
>>
>> > Policy Distribution Point
>> Nit - this should be "Policy Decision Point" (which you name correctly in
>> other places in the doc)
>>
>> > The Authorization API is itself authorized using OAuth 2.0 ([RFC6749
>> <https://sgnl-ai.github.io/authzapi/#RFC6749>])
>> I think this is overspecified. I can certainly see clients that call an
>> Authorization API using an API key.
>>
>> > Terminology
>> A bit of a quibble, but perhaps we tip the hat to XACML and use the terms
>> "subject" and "resource" instead of "principal" and "asset". I'm not
>> religious about these terms, but "asset" in particular seems less common
>> than "object" or "resource".
>>
>> > Principals
>> In many systems, subjects will be extracted from a JWT "sub" claim, which
>> is a string. I'm not sure that specifying that this must be a JSON
>> structure, and further specifying two optional fields (ipAddress and
>> deviceId) is necessary, and feels overspecified.
>>
>> > Assets
>> Having a type and id makes sense, but could these be specified in a
>> single string?  For example, zanzibar defines these as type:id
>>
>> I do like having the ability to pass in properties in addition to the
>> object identifier - but it seems like this should be a json object
>> (key:value pairs), not just an array of attribute names.
>>
>> > Actions
>> It's not clear to me that separating actions into "standard" and "custom"
>> is useful. I think the types of actions you list (CRUD) are common examples
>> but should not be normative.
>>
>> I do think it's possible to use the generic concept of "Action" to
>> encompass permissions and relations.
>>
>> > Queries (as array)
>> I think that allowing a set of decisions to be requested at once is
>> valuable, but IMO the spec should not mandate that implementations must
>> support more than one query at a time. Some PDPs don't support that
>> semantic and it should be considered optional.
>>
>>
>>
>>
>> On Tue, Jun 27, 2023 at 4:38?PM Atul Tulshibagwale via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>>> Hi all,
>>>
>>> Here's a proposal of an Authorization API that we would like to
>>> contribute to this group (in its current form or if / when we find a home
>>> in a standards body). This is similar to at least a few vendors' current
>>> offerings, so I hope everyone finds this helpful, and we can accelerate our
>>> standardization efforts as a result.
>>>
>>> You can read the proposal in HTML format here:
>>> https://sgnl-ai.github.io/authzapi/
>>>
>>> The sources (under the MIT License) are here:
>>> https://github.com/SGNL-ai/authzapi
>>>
>>> - Atul Tulshibagwale, Erik Gustavson and Marc Jordan
>>>
>>> --
>>>
>>> <https://sgnl.ai>
>>>
>>> Atul Tulshibagwale
>>>
>>> CTO
>>>
>>> <https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
>>> <atul at sgnl.ai>
>>> --
>>> policy-charter mailing list
>>> policy-charter at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>
>
> --
> [image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
> Their phone number is +1 604 728 8130.]
> <https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>
>
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
> hereto, is for the sole use of the intended recipient(s) and may contain
> confidential and/or proprietary information.
> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230628/1dfbb564/attachment.html>

From atul at sgnl.ai  Wed Jun 28 18:43:09 2023
From: atul at sgnl.ai (Atul Tulshibagwale)
Date: Wed, 28 Jun 2023 11:43:09 -0700
Subject: [policy-charter] Autoposting to this mailing list from GitHub
Message-ID: <CANtBS9cetNWKHGdfsZgZS_SNaPN79q99ENgWLHAefmMuBdZyJA@mail.gmail.com>

Hi all,
I'd like to auto-post issues / PRs / merges from the GitHub repo for AuthZ
API <https://github.com/SGNL-ai/authzapi> into this mailing list. If folks
feel this will be too noisy, I can create a separate mailing list. However,
this could be the right forum, since everyone here is interested in
developing a standard for the PDP / PEP communication.

Unless I hear otherwise, I will configure GitHub to post to this mailing
list at the end of my day.

Thanks,
Atul

-- 

<https://sgnl.ai>

Atul Tulshibagwale

CTO

<https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
<atul at sgnl.ai>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230628/1ce4ac16/attachment-0001.html>

From andrewhughes at pingidentity.com  Wed Jun 28 18:45:57 2023
From: andrewhughes at pingidentity.com (Andrew Hughes)
Date: Wed, 28 Jun 2023 11:45:57 -0700
Subject: [policy-charter] Autoposting to this mailing list from GitHub
In-Reply-To: <CANtBS9cetNWKHGdfsZgZS_SNaPN79q99ENgWLHAefmMuBdZyJA@mail.gmail.com>
References: <CANtBS9cetNWKHGdfsZgZS_SNaPN79q99ENgWLHAefmMuBdZyJA@mail.gmail.com>
Message-ID: <CALS-csXyMGtYAb0-E_Ewb-h-NSH7c4e4N38XkZeT0Y=Te6989Q@mail.gmail.com>

Please don?t.
I understand why it seems good but right now we need more conversations not
repo updates. Other OIDF lists that include repo updates are very hard to
follow

On Wed, Jun 28, 2023 at 11:43 AM Atul Tulshibagwale via policy-charter <
policy-charter at lists.openid.net> wrote:

> Hi all,
> I'd like to auto-post issues / PRs / merges from the GitHub repo for
> AuthZ API <https://github.com/SGNL-ai/authzapi> into this mailing list.
> If folks feel this will be too noisy, I can create a separate mailing list.
> However, this could be the right forum, since everyone here is interested
> in developing a standard for the PDP / PEP communication.
>
> Unless I hear otherwise, I will configure GitHub to post to this mailing
> list at the end of my day.
>
> Thanks,
> Atul
>
> --
>
> <https://sgnl.ai>
>
> Atul Tulshibagwale
>
> CTO
>
> <https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
> <atul at sgnl.ai>
> --
> policy-charter mailing list
> policy-charter at lists.openid.net
> https://lists.openid.net/mailman/listinfo/policy-charter
>
-- 
Andrew Hughes
Director, Identity Standards
Ping Identity
Signal/Mobile: +12508889474

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.? If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230628/20ee9ae5/attachment.html>

From andrewhughes at pingidentity.com  Wed Jun 28 18:47:23 2023
From: andrewhughes at pingidentity.com (Andrew Hughes)
Date: Wed, 28 Jun 2023 11:47:23 -0700
Subject: [policy-charter] Autoposting to this mailing list from GitHub
In-Reply-To: <CALS-csXyMGtYAb0-E_Ewb-h-NSH7c4e4N38XkZeT0Y=Te6989Q@mail.gmail.com>
References: <CANtBS9cetNWKHGdfsZgZS_SNaPN79q99ENgWLHAefmMuBdZyJA@mail.gmail.com>
 <CALS-csXyMGtYAb0-E_Ewb-h-NSH7c4e4N38XkZeT0Y=Te6989Q@mail.gmail.com>
Message-ID: <CALS-csWqMDeds+fxWD34rHa043y2CpG3bRxo_vhFjGXdu3=KgQ@mail.gmail.com>

Or, perhaps if it can be a daily digest it could serve well. People active
in the repo can get their own notifications. People not tracking the repo
don?t want/need the volume

On Wed, Jun 28, 2023 at 11:45 AM Andrew Hughes <
andrewhughes at pingidentity.com> wrote:

> Please don?t.
> I understand why it seems good but right now we need more conversations
> not repo updates. Other OIDF lists that include repo updates are very hard
> to follow
>
> On Wed, Jun 28, 2023 at 11:43 AM Atul Tulshibagwale via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> Hi all,
>> I'd like to auto-post issues / PRs / merges from the GitHub repo for
>> AuthZ API <https://github.com/SGNL-ai/authzapi> into this mailing list.
>> If folks feel this will be too noisy, I can create a separate mailing list.
>> However, this could be the right forum, since everyone here is interested
>> in developing a standard for the PDP / PEP communication.
>>
>> Unless I hear otherwise, I will configure GitHub to post to this mailing
>> list at the end of my day.
>>
>> Thanks,
>> Atul
>>
>> --
>>
>> <https://sgnl.ai>
>>
>> Atul Tulshibagwale
>>
>> CTO
>>
>> <https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
>> <atul at sgnl.ai>
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
> --
> Andrew Hughes
> Director, Identity Standards
> Ping Identity
> Signal/Mobile: +12508889474
>
-- 
Andrew Hughes
Director, Identity Standards
Ping Identity
Signal/Mobile: +12508889474

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.? If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230628/de276063/attachment.html>

From atul at sgnl.ai  Wed Jun 28 19:04:26 2023
From: atul at sgnl.ai (Atul Tulshibagwale)
Date: Wed, 28 Jun 2023 12:04:26 -0700
Subject: [policy-charter] Autoposting to this mailing list from GitHub
In-Reply-To: <CALS-csWqMDeds+fxWD34rHa043y2CpG3bRxo_vhFjGXdu3=KgQ@mail.gmail.com>
References: <CANtBS9cetNWKHGdfsZgZS_SNaPN79q99ENgWLHAefmMuBdZyJA@mail.gmail.com>
 <CALS-csXyMGtYAb0-E_Ewb-h-NSH7c4e4N38XkZeT0Y=Te6989Q@mail.gmail.com>
 <CALS-csWqMDeds+fxWD34rHa043y2CpG3bRxo_vhFjGXdu3=KgQ@mail.gmail.com>
Message-ID: <CANtBS9d7+ch6zbRYthdTkc1xOY3zKsmh+oXqVDT-Ln=2E9fDDw@mail.gmail.com>

Thanks for the suggestion, sending a digest sounds like a great option.

On Wed, Jun 28, 2023 at 11:47?AM Andrew Hughes <
andrewhughes at pingidentity.com> wrote:

> Or, perhaps if it can be a daily digest it could serve well. People active
> in the repo can get their own notifications. People not tracking the repo
> don?t want/need the volume
>
> On Wed, Jun 28, 2023 at 11:45 AM Andrew Hughes <
> andrewhughes at pingidentity.com> wrote:
>
>> Please don?t.
>> I understand why it seems good but right now we need more conversations
>> not repo updates. Other OIDF lists that include repo updates are very hard
>> to follow
>>
>> On Wed, Jun 28, 2023 at 11:43 AM Atul Tulshibagwale via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>>> Hi all,
>>> I'd like to auto-post issues / PRs / merges from the GitHub repo for
>>> AuthZ API <https://github.com/SGNL-ai/authzapi> into this mailing list.
>>> If folks feel this will be too noisy, I can create a separate mailing list.
>>> However, this could be the right forum, since everyone here is interested
>>> in developing a standard for the PDP / PEP communication.
>>>
>>> Unless I hear otherwise, I will configure GitHub to post to this mailing
>>> list at the end of my day.
>>>
>>> Thanks,
>>> Atul
>>>
>>> --
>>>
>>> <https://sgnl.ai>
>>>
>>> Atul Tulshibagwale
>>>
>>> CTO
>>>
>>> <https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
>>> <atul at sgnl.ai>
>>> --
>>> policy-charter mailing list
>>> policy-charter at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>
>> --
>> Andrew Hughes
>> Director, Identity Standards
>> Ping Identity
>> Signal/Mobile: +12508889474
>>
> --
> Andrew Hughes
> Director, Identity Standards
> Ping Identity
> Signal/Mobile: +12508889474
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230628/b266cf8a/attachment-0001.html>

From alex at 3edges.com  Wed Jun 28 20:54:38 2023
From: alex at 3edges.com (Alex Babeanu)
Date: Wed, 28 Jun 2023 13:54:38 -0700
Subject: [policy-charter] Authorization API Proposal
In-Reply-To: <CAJO7GQ-PZcwtcZ2cPY7RzatMvEBFDxhnzSPDVQcC0NknSZgyaQ@mail.gmail.com>
References: <CANtBS9fNYA-cPsrWNAVNQL0wOzsp=osZrPExcx7goqQ28eOpmw@mail.gmail.com>
 <CALkJ7sV7npFzxA5Z0AwQ8ProzQCwFkax5U2VnqvpcoeyrHNuhQ@mail.gmail.com>
 <CAOFyxEPx1mhyj1+qzFWZ4jNDymoYVZQTqSXEqODP=uFZSFVoHQ@mail.gmail.com>
 <CAJO7GQ-PZcwtcZ2cPY7RzatMvEBFDxhnzSPDVQcC0NknSZgyaQ@mail.gmail.com>
Message-ID: <CAOFyxENLk52ZT=hrYyE=yfRCNsPWikcsedD8kinJcfXZpuyStw@mail.gmail.com>

Looks like we agree on some of this stuff... So anyway I've started 8
discussions in Atul's repo, should we continue the convo there?

Re: " I did not see hasFriend as an action but as an attribute of the
user." - different world views :-D. In my world, relationships are primary
citizens, and "Has_Friend" is definitively one.
Which is why we should remain at a (high enough)  level that makes sense
for all of us here...

./\.

On Wed, Jun 28, 2023 at 11:40?AM David Brossard <david.brossard at gmail.com>
wrote:

> Please add me to the repository as well: davidjbrossard
>
> Good feedback overall. I would argue that everything can be described in
> terms of attributes. Historically, in XACML an attribute has a type,
> identifier, category, and optionally issuer. For instance, userRole of type
> string and category subject.
>
> In retrospect, we realize that specifying the category is overkill.
> Oftentimes the identifier will convey the grammatical meaning of the
> attribute therefore nulling the need for a category.
>
> Also the original core spec allows for something like 15 plus datatypes
> including URI email and so on. In reality most deployments use string,
> boolean, number, and date/time. The rest is too much.
>
> I would steer away from terms like principal. In my mind it makes the spec
> harder to understand because we do not all agree on what principal is. This
> maps nicely to XACML categories.
>
> Alex, I did not see hasFriend as an action but an attribute of the user.
>
> Regarding API authentication, I think it is totally orthogonal to this
> spec. If the customer wants to allow anonymous access, let them be. If they
> want to use OAuth, so be it...
>
> More to come
>
> On Wed, Jun 28, 2023, 10:51 AM Alex Babeanu via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> Thanks for sharing this Atul,
>>
>> Some additional comments:
>>
>> > Re: Oauth2, I agree with Omri: I think this spec should just state that
>> authentication is required, but out of scope of the doc. We could suggest
>> Oauth2 that being said...
>>
>> > I would also prefer to stick to "Subject" and "Resource"
>>
>> 3.5 - Principals ("Subjects")
>> > An ID should indeed suffice. Now it's probably a good idea to also
>> *optionally* add some Subject claims here that the PDP can use (thinking
>> JWT claims coming into the PEP, or environmental values for example). But
>> in that case it should not be just "IP" and "DeviceID", but rather an array
>> of "key"="Value" claim pairs, which may be completely custom and
>> use-case-specific.
>>
>> > It would be good to also have a Subject Type - make it optional if not
>> needed (but we would need it for example).
>>
>> 3.6 - Assets
>> > ID should be mandatory I think.
>>
>> 3.7 - Actions
>> --> Omri, if "Action" is enough to represent relationships in your world,
>> it isn't in mine. Just think of "HAS_FRIEND" relationships for example...
>> Anyway, there's probably no point in adding any graph-modelling to this
>> doc...
>>
>> 3.12.2 - Evaluation response
>> > I don't think we need an `exp` value: we can't "predict" how long an
>> access rule would be true for: that's a business decision! Besides, in the
>> spirit of Zero Trust, a decision is just made at 1 point in time, the next
>> access request may yield a completely different response. Up to the PDP to
>> do caching or whatever to speed-up processing.
>>
>> > I don't think it's a good idea to reply with all language strings, this
>> could be a huge response and it would probably slow-down the PDP too.
>> Instead, have the client PEP request the language it wants its responses
>> in, and just return that 1 reason string.
>>
>> 3.13 - Search API
>> > We also need the reverse query, i.e., who can access this given
>> Resource ?
>> > Again, I don't think we need `exp` here.
>>
>> Regards,
>>
>> ./\.
>>
>> On Tue, Jun 27, 2023 at 10:48?PM Omri Gazitt via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>>> Thanks Atul - it's clear you and the SGNL team put some thought into
>>> this.
>>>
>>> I'm still looking through this but I like that you're specifying both a
>>> "check" function (Access Evaluation) and an "expand" function (Search
>>> API).  Both are important, but perhaps only the Access Evaluation API ought
>>> to be required.
>>>
>>> I'm not sure what is the best way to provide feedback. Github issues?
>>> PRs? put it in a google doc and use comments?
>>>
>>> Here are some thoughts (sorry, no particular order):
>>>
>>> > Policy Distribution Point
>>> Nit - this should be "Policy Decision Point" (which you name correctly
>>> in other places in the doc)
>>>
>>> > The Authorization API is itself authorized using OAuth 2.0 ([RFC6749
>>> <https://sgnl-ai.github.io/authzapi/#RFC6749>])
>>> I think this is overspecified. I can certainly see clients that call an
>>> Authorization API using an API key.
>>>
>>> > Terminology
>>> A bit of a quibble, but perhaps we tip the hat to XACML and use the
>>> terms "subject" and "resource" instead of "principal" and "asset". I'm not
>>> religious about these terms, but "asset" in particular seems less common
>>> than "object" or "resource".
>>>
>>> > Principals
>>> In many systems, subjects will be extracted from a JWT "sub" claim,
>>> which is a string. I'm not sure that specifying that this must be a JSON
>>> structure, and further specifying two optional fields (ipAddress and
>>> deviceId) is necessary, and feels overspecified.
>>>
>>> > Assets
>>> Having a type and id makes sense, but could these be specified in a
>>> single string?  For example, zanzibar defines these as type:id
>>>
>>> I do like having the ability to pass in properties in addition to the
>>> object identifier - but it seems like this should be a json object
>>> (key:value pairs), not just an array of attribute names.
>>>
>>> > Actions
>>> It's not clear to me that separating actions into "standard" and
>>> "custom" is useful. I think the types of actions you list (CRUD) are common
>>> examples but should not be normative.
>>>
>>> I do think it's possible to use the generic concept of "Action" to
>>> encompass permissions and relations.
>>>
>>> > Queries (as array)
>>> I think that allowing a set of decisions to be requested at once is
>>> valuable, but IMO the spec should not mandate that implementations must
>>> support more than one query at a time. Some PDPs don't support that
>>> semantic and it should be considered optional.
>>>
>>>
>>>
>>>
>>> On Tue, Jun 27, 2023 at 4:38?PM Atul Tulshibagwale via policy-charter <
>>> policy-charter at lists.openid.net> wrote:
>>>
>>>> Hi all,
>>>>
>>>> Here's a proposal of an Authorization API that we would like to
>>>> contribute to this group (in its current form or if / when we find a home
>>>> in a standards body). This is similar to at least a few vendors' current
>>>> offerings, so I hope everyone finds this helpful, and we can accelerate our
>>>> standardization efforts as a result.
>>>>
>>>> You can read the proposal in HTML format here:
>>>> https://sgnl-ai.github.io/authzapi/
>>>>
>>>> The sources (under the MIT License) are here:
>>>> https://github.com/SGNL-ai/authzapi
>>>>
>>>> - Atul Tulshibagwale, Erik Gustavson and Marc Jordan
>>>>
>>>> --
>>>>
>>>> <https://sgnl.ai>
>>>>
>>>> Atul Tulshibagwale
>>>>
>>>> CTO
>>>>
>>>> <https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
>>>> <atul at sgnl.ai>
>>>> --
>>>> policy-charter mailing list
>>>> policy-charter at lists.openid.net
>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>
>>> --
>>> policy-charter mailing list
>>> policy-charter at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>
>>
>>
>> --
>> [image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
>> Their phone number is +1 604 728 8130.]
>> <https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>
>>
>> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
>> hereto, is for the sole use of the intended recipient(s) and may contain
>> confidential and/or proprietary information.
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>

-- 
[image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
Their phone number is +1 604 728 8130.]
<https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5>

-- 
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments 
hereto, is for the sole use of the intended recipient(s) and may contain 
confidential and/or proprietary information.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230628/f1e5bdb4/attachment-0001.html>

From omri at aserto.com  Wed Jun 28 21:42:45 2023
From: omri at aserto.com (Omri Gazitt)
Date: Wed, 28 Jun 2023 14:42:45 -0700
Subject: [policy-charter] Authorization API Proposal
In-Reply-To: <CANtBS9eG9OFvRs6LdJviNVFGXdQGLLHfib3CK2ZY_q8f5Hu1YQ@mail.gmail.com>
References: <CANtBS9fNYA-cPsrWNAVNQL0wOzsp=osZrPExcx7goqQ28eOpmw@mail.gmail.com>
 <CALkJ7sV7npFzxA5Z0AwQ8ProzQCwFkax5U2VnqvpcoeyrHNuhQ@mail.gmail.com>
 <CANtBS9eG9OFvRs6LdJviNVFGXdQGLLHfib3CK2ZY_q8f5Hu1YQ@mail.gmail.com>
Message-ID: <CALkJ7sX=QO8hoAYdofBuhnO7-1=kgy_aQ+buS9hfpJMVcTGJzw@mail.gmail.com>

ogazitt

Thanks!

On Wed, Jun 28, 2023 at 9:50?AM Atul Tulshibagwale <atul at sgnl.ai> wrote:

> Hi Omri,
> Thanks for your feedback here. I think GitHub issues are a good way to
> provide feedback. I'll be happy to add you as a collaborator in the repo
> (and anyone else who would like to collaborate in updating / editing the
> draft). Please send me your GitHub ID.
>
> Thanks,
> Atul
>
> On Tue, Jun 27, 2023 at 10:47?PM Omri Gazitt <omri at aserto.com> wrote:
>
>> Thanks Atul - it's clear you and the SGNL team put some thought into this.
>>
>> I'm still looking through this but I like that you're specifying both a
>> "check" function (Access Evaluation) and an "expand" function (Search
>> API).  Both are important, but perhaps only the Access Evaluation API ought
>> to be required.
>>
>> I'm not sure what is the best way to provide feedback. Github issues?
>> PRs? put it in a google doc and use comments?
>>
>> Here are some thoughts (sorry, no particular order):
>>
>> > Policy Distribution Point
>> Nit - this should be "Policy Decision Point" (which you name correctly in
>> other places in the doc)
>>
>> > The Authorization API is itself authorized using OAuth 2.0 ([RFC6749
>> <https://sgnl-ai.github.io/authzapi/#RFC6749>])
>> I think this is overspecified. I can certainly see clients that call an
>> Authorization API using an API key.
>>
>> > Terminology
>> A bit of a quibble, but perhaps we tip the hat to XACML and use the terms
>> "subject" and "resource" instead of "principal" and "asset". I'm not
>> religious about these terms, but "asset" in particular seems less common
>> than "object" or "resource".
>>
>> > Principals
>> In many systems, subjects will be extracted from a JWT "sub" claim, which
>> is a string. I'm not sure that specifying that this must be a JSON
>> structure, and further specifying two optional fields (ipAddress and
>> deviceId) is necessary, and feels overspecified.
>>
>> > Assets
>> Having a type and id makes sense, but could these be specified in a
>> single string?  For example, zanzibar defines these as type:id
>>
>> I do like having the ability to pass in properties in addition to the
>> object identifier - but it seems like this should be a json object
>> (key:value pairs), not just an array of attribute names.
>>
>> > Actions
>> It's not clear to me that separating actions into "standard" and "custom"
>> is useful. I think the types of actions you list (CRUD) are common examples
>> but should not be normative.
>>
>> I do think it's possible to use the generic concept of "Action" to
>> encompass permissions and relations.
>>
>> > Queries (as array)
>> I think that allowing a set of decisions to be requested at once is
>> valuable, but IMO the spec should not mandate that implementations must
>> support more than one query at a time. Some PDPs don't support that
>> semantic and it should be considered optional.
>>
>>
>>
>>
>> On Tue, Jun 27, 2023 at 4:38?PM Atul Tulshibagwale via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>>> Hi all,
>>>
>>> Here's a proposal of an Authorization API that we would like to
>>> contribute to this group (in its current form or if / when we find a home
>>> in a standards body). This is similar to at least a few vendors' current
>>> offerings, so I hope everyone finds this helpful, and we can accelerate our
>>> standardization efforts as a result.
>>>
>>> You can read the proposal in HTML format here:
>>> https://sgnl-ai.github.io/authzapi/
>>>
>>> The sources (under the MIT License) are here:
>>> https://github.com/SGNL-ai/authzapi
>>>
>>> - Atul Tulshibagwale, Erik Gustavson and Marc Jordan
>>>
>>> --
>>>
>>> <https://sgnl.ai>
>>>
>>> Atul Tulshibagwale
>>>
>>> CTO
>>>
>>> <https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
>>> <atul at sgnl.ai>
>>> --
>>> policy-charter mailing list
>>> policy-charter at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230628/aa058607/attachment.html>

From omri at aserto.com  Wed Jun 28 22:34:43 2023
From: omri at aserto.com (Omri Gazitt)
Date: Wed, 28 Jun 2023 15:34:43 -0700
Subject: [policy-charter] Authorization API Proposal
In-Reply-To: <CALkJ7sX=QO8hoAYdofBuhnO7-1=kgy_aQ+buS9hfpJMVcTGJzw@mail.gmail.com>
References: <CANtBS9fNYA-cPsrWNAVNQL0wOzsp=osZrPExcx7goqQ28eOpmw@mail.gmail.com>
 <CALkJ7sV7npFzxA5Z0AwQ8ProzQCwFkax5U2VnqvpcoeyrHNuhQ@mail.gmail.com>
 <CANtBS9eG9OFvRs6LdJviNVFGXdQGLLHfib3CK2ZY_q8f5Hu1YQ@mail.gmail.com>
 <CALkJ7sX=QO8hoAYdofBuhnO7-1=kgy_aQ+buS9hfpJMVcTGJzw@mail.gmail.com>
Message-ID: <CALkJ7sVremHVb2QajJZp5CbHQsjRVLkUX5PS2Ba9-AF4yrVRAw@mail.gmail.com>

Added my comments to the issues Alex opened (thanks!) and also put in a
couple of PRs on things that I hope are not controversial.


On Wed, Jun 28, 2023 at 2:42?PM Omri Gazitt <omri at aserto.com> wrote:

> ogazitt
>
> Thanks!
>
> On Wed, Jun 28, 2023 at 9:50?AM Atul Tulshibagwale <atul at sgnl.ai> wrote:
>
>> Hi Omri,
>> Thanks for your feedback here. I think GitHub issues are a good way to
>> provide feedback. I'll be happy to add you as a collaborator in the repo
>> (and anyone else who would like to collaborate in updating / editing the
>> draft). Please send me your GitHub ID.
>>
>> Thanks,
>> Atul
>>
>> On Tue, Jun 27, 2023 at 10:47?PM Omri Gazitt <omri at aserto.com> wrote:
>>
>>> Thanks Atul - it's clear you and the SGNL team put some thought into
>>> this.
>>>
>>> I'm still looking through this but I like that you're specifying both a
>>> "check" function (Access Evaluation) and an "expand" function (Search
>>> API).  Both are important, but perhaps only the Access Evaluation API ought
>>> to be required.
>>>
>>> I'm not sure what is the best way to provide feedback. Github issues?
>>> PRs? put it in a google doc and use comments?
>>>
>>> Here are some thoughts (sorry, no particular order):
>>>
>>> > Policy Distribution Point
>>> Nit - this should be "Policy Decision Point" (which you name correctly
>>> in other places in the doc)
>>>
>>> > The Authorization API is itself authorized using OAuth 2.0 ([RFC6749
>>> <https://sgnl-ai.github.io/authzapi/#RFC6749>])
>>> I think this is overspecified. I can certainly see clients that call an
>>> Authorization API using an API key.
>>>
>>> > Terminology
>>> A bit of a quibble, but perhaps we tip the hat to XACML and use the
>>> terms "subject" and "resource" instead of "principal" and "asset". I'm not
>>> religious about these terms, but "asset" in particular seems less common
>>> than "object" or "resource".
>>>
>>> > Principals
>>> In many systems, subjects will be extracted from a JWT "sub" claim,
>>> which is a string. I'm not sure that specifying that this must be a JSON
>>> structure, and further specifying two optional fields (ipAddress and
>>> deviceId) is necessary, and feels overspecified.
>>>
>>> > Assets
>>> Having a type and id makes sense, but could these be specified in a
>>> single string?  For example, zanzibar defines these as type:id
>>>
>>> I do like having the ability to pass in properties in addition to the
>>> object identifier - but it seems like this should be a json object
>>> (key:value pairs), not just an array of attribute names.
>>>
>>> > Actions
>>> It's not clear to me that separating actions into "standard" and
>>> "custom" is useful. I think the types of actions you list (CRUD) are common
>>> examples but should not be normative.
>>>
>>> I do think it's possible to use the generic concept of "Action" to
>>> encompass permissions and relations.
>>>
>>> > Queries (as array)
>>> I think that allowing a set of decisions to be requested at once is
>>> valuable, but IMO the spec should not mandate that implementations must
>>> support more than one query at a time. Some PDPs don't support that
>>> semantic and it should be considered optional.
>>>
>>>
>>>
>>>
>>> On Tue, Jun 27, 2023 at 4:38?PM Atul Tulshibagwale via policy-charter <
>>> policy-charter at lists.openid.net> wrote:
>>>
>>>> Hi all,
>>>>
>>>> Here's a proposal of an Authorization API that we would like to
>>>> contribute to this group (in its current form or if / when we find a home
>>>> in a standards body). This is similar to at least a few vendors' current
>>>> offerings, so I hope everyone finds this helpful, and we can accelerate our
>>>> standardization efforts as a result.
>>>>
>>>> You can read the proposal in HTML format here:
>>>> https://sgnl-ai.github.io/authzapi/
>>>>
>>>> The sources (under the MIT License) are here:
>>>> https://github.com/SGNL-ai/authzapi
>>>>
>>>> - Atul Tulshibagwale, Erik Gustavson and Marc Jordan
>>>>
>>>> --
>>>>
>>>> <https://sgnl.ai>
>>>>
>>>> Atul Tulshibagwale
>>>>
>>>> CTO
>>>>
>>>> <https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
>>>> <atul at sgnl.ai>
>>>> --
>>>> policy-charter mailing list
>>>> policy-charter at lists.openid.net
>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230628/e3a73f51/attachment-0001.html>

From omri at aserto.com  Thu Jun 29 03:54:58 2023
From: omri at aserto.com (Omri Gazitt)
Date: Wed, 28 Jun 2023 20:54:58 -0700
Subject: [policy-charter] Link to PDP-PEP Interop WG Charter draft
 document
In-Reply-To: <CALS-csWdcLrp+CaLAXV0xSuPnjFcXhP0PFsvctxQ21mXbDfHmg@mail.gmail.com>
References: <CALS-csXsKbFVDC0uKa-qWgO_C0bVE2UkSoGpzZB84+Wv=B-NKw@mail.gmail.com>
 <CAOFyxEOwS-rziMMq2fgymbyC4Hn-oRVVp7cay6Fx5sMiZke_0Q@mail.gmail.com>
 <50843d0b-b16c-4e40-abe0-a03c2c1f81c9@Canary>
 <DBAPR83MB0422A6DEA28F60F4A14CCE52915FA@DBAPR83MB0422.EURPRD83.prod.outlook.com>
 <CALS-csUin3YwkP5ZeJqAU5ETkovJMJrh0hQ8mUYMmO=dKxmEhw@mail.gmail.com>
 <CAOFyxEMFpv-o5x8Q0_K6-FX2UD1gXtMT7R-Asqw0y0dxaShc0g@mail.gmail.com>
 <CAJO7GQ-wtJf+yp0QWnN951v9aiKaseUAHU9B1uGXf53Lys8BMQ@mail.gmail.com>
 <CALVhW9P2e-VtErszdjCZVwgFEL9qWN-+PhdoGjDuy1e7EOYQGg@mail.gmail.com>
 <CAJO7GQ_Y5Nu1aR4BEw+DgS5cwjYGOd58ZM_wcxiOELr1uoL8YA@mail.gmail.com>
 <CALkJ7sXYXrU3LTjsC86n1kTpPiV8=Hpg_GDZn_9WcbreLxZGuA@mail.gmail.com>
 <CALS-csWdcLrp+CaLAXV0xSuPnjFcXhP0PFsvctxQ21mXbDfHmg@mail.gmail.com>
Message-ID: <CALkJ7sWDJN6TyHEPkrothOwQF1oqnMKG=2J87b0tRnoLgkytVA@mail.gmail.com>

Sounds good - I did this yesterday.


On Tue, Jun 27, 2023 at 7:46?PM Andrew Hughes <andrewhughes at pingidentity.com>
wrote:

> Add your comments to the existing document if it?s for the pep PDP
> deliverable
>
> On Tue, Jun 27, 2023 at 6:57 PM Omri Gazitt via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> Cool - and I completely agree that the scope ought to include systems
>> that support a relationship (and/or graph) model.
>>
>> So perhaps more horsemen :)
>>
>> Is there a new charter document that includes this as a requirement?
>>
>> On Tue, Jun 27, 2023 at 8:40?AM David Brossard via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>>> We totally should! It is an oversight on my part because I am so policy
>>> biased. Sorry!
>>>
>>> On Tue, Jun 27, 2023, 8:25 AM Andres Aguiar <andres.aguiar at okta.com>
>>> wrote:
>>>
>>>> Hi all!
>>>>
>>>> Any reason not to include Google Zanzibar-inspired AuthZ
>>>> implementations (e.g. OpenFGA, Topaz, SpiceDB, Permify, etc) as part of the
>>>> scope of this effort?
>>>>
>>>> Regards,
>>>>
>>>> Andres
>>>>
>>>>
>>>> On Tue, Jun 27, 2023 at 12:09?PM David Brossard via policy-charter <
>>>> policy-charter at lists.openid.net> wrote:
>>>>
>>>>> *This message originated outside your organization.*
>>>>>
>>>>> ------------------------------
>>>>>
>>>>> I added notes and comments in the Google Doc
>>>>> <https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?pli=1>.
>>>>> I think it is worth highlighting we're not after yet another standard
>>>>> <https://urldefense.com/v3/__https://xkcd.com/927/__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzOe8cLp8$>.
>>>>> We want to:
>>>>>
>>>>>    1. increase interoperability between existing standards. In my
>>>>>    mind, the four horsemen of the ap-authz-calypse are ALFA, Cedar, OPA, and
>>>>>    IDQL.
>>>>>       1. interop from a policy management perspective
>>>>>       2. interop from a runtime request/response perspective
>>>>>    2. increase awareness of externalized authz so that software
>>>>>    developers/owners/SaaS never rebuild their own
>>>>>       1. Be the OAuth/SAML of authZ
>>>>>       2. Define and propose standard authZ patterns
>>>>>          1. use cases
>>>>>          2. integration patterns
>>>>>
>>>>>
>>>>> On Mon, Jun 26, 2023 at 8:42?AM Alex Babeanu via policy-charter <
>>>>> policy-charter at lists.openid.net> wrote:
>>>>>
>>>>>> Sounds good to me too.
>>>>>> Thanks,
>>>>>>
>>>>>> ./\.
>>>>>>
>>>>>> On Fri, Jun 23, 2023 at 10:00?AM Andrew Hughes via policy-charter <
>>>>>> policy-charter at lists.openid.net> wrote:
>>>>>>
>>>>>>> Anyone else want to weigh in on this?
>>>>>>>
>>>>>>> I'm onboard with Pieter's suggestion that the attached document
>>>>>>> describes a deliverable of a larger work group - if so, I'd like to get
>>>>>>> closure on the description quickly
>>>>>>>
>>>>>>> I hope it's a simple and non-controversial deliverable...
>>>>>>>
>>>>>>> Andrew Hughes
>>>>>>> Director - Identity Standards
>>>>>>> andrewhughes at pingidentity.com
>>>>>>> Mobile/Signal: +1 250 888 9474
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Jun 19, 2023 at 4:30?AM Pieter Kasselman via policy-charter <
>>>>>>> policy-charter at lists.openid.net> wrote:
>>>>>>>
>>>>>>>> My perspective is that we should have one Work Group focused on
>>>>>>>> authorization with multiple deliverables (e.g. OpenID Connect and SSF for
>>>>>>>> example has multiple deliverables) to start with. This way everyone
>>>>>>>> interested in the authorization topic has visibility into the different
>>>>>>>> work items and we get the benefit of wider participation and review.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Agreed that something with Authorization in the name would make
>>>>>>>> sense, something like AuthZEN Framework (AuthoriZation ExchaNge Framework)
>>>>>>>> or AuthIT/AuthZIT Framework (Authorization Interoperability Technology
>>>>>>>> Framework)?.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> *From:* policy-charter <policy-charter-bounces at lists.openid.net> *On
>>>>>>>> Behalf Of *Allan Foster via policy-charter
>>>>>>>> *Sent:* Friday, June 16, 2023 10:46 PM
>>>>>>>> *To:* Policy Charter Mail List <policy-charter at lists.openid.net>
>>>>>>>> *Cc:* Allan Foster <allan at macguru.com>
>>>>>>>> *Subject:* Re: [policy-charter] Link to PDP-PEP Interop WG Charter
>>>>>>>> draft document
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> So,  I wonder if we should do two different WGs,  or one WG with
>>>>>>>> two different standards?. (At least,  for now?)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I am inclined to think the WG should be AuthZ something??.   and
>>>>>>>> have two separate streams?. (or standards?)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Thoughts
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Allan
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Friday, Jun 16, 2023 at 14:02, Alex Babeanu via policy-charter <
>>>>>>>> policy-charter at lists.openid.net> wrote:
>>>>>>>>
>>>>>>>> Thanks Andrew!
>>>>>>>>
>>>>>>>> Added a first comment in there... The season's open!
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ./\.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Jun 16, 2023 at 11:50?AM Andrew Hughes via policy-charter <
>>>>>>>> policy-charter at lists.openid.net> wrote:
>>>>>>>>
>>>>>>>> Here is the document I have started - the link puts you into
>>>>>>>> "suggest" mode. Please add text with self-attribution. Be respectful of
>>>>>>>> others' contributions.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> [image: Ping Identity]
>>>>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzcNeP4vs$>
>>>>>>>>
>>>>>>>> *Andrew Hughes*
>>>>>>>> Director - Identity Standards
>>>>>>>> andrewhughes at pingidentity.com
>>>>>>>>
>>>>>>>> *Connect with us: *
>>>>>>>>
>>>>>>>> [image: Glassdoor logo]
>>>>>>>> <https://urldefense.com/v3/__https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzWdCjpz4$>[image:
>>>>>>>> LinkedIn logo] <https://www.linkedin.com/company/21870>[image:
>>>>>>>> twitter logo]
>>>>>>>> <https://urldefense.com/v3/__https://twitter.com/pingidentity__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzDUeSi2c$>[image:
>>>>>>>> facebook logo]
>>>>>>>> <https://urldefense.com/v3/__https://www.facebook.com/pingidentitypage__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzqt_Q5uo$>[image:
>>>>>>>> youtube logo]
>>>>>>>> <https://urldefense.com/v3/__https://www.youtube.com/user/PingIdentityTV__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzayZ0G60$>[image:
>>>>>>>> Blog logo]
>>>>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/en/blog.html__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzBZ_t8is$>
>>>>>>>>
>>>>>>>>
>>>>>>>> <https://urldefense.com/v3/__https://www.pingidentity.com/en/company/championing-every-identity/dei.html?utm_source=direct*20to*20website&utm_medium=emailsig__;JSU!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzIokbF3o$>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>>>>>> If you have received this communication in error, please notify the sender
>>>>>>>> immediately by e-mail and delete the message and any file attachments from
>>>>>>>> your computer. Thank you.*--
>>>>>>>> policy-charter mailing list
>>>>>>>> policy-charter at lists.openid.net
>>>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> [image: This is Alexandre Babeanu's card. Their email is
>>>>>>>> alex at 3edges.com. Their phone number is +1 604 728 8130.]
>>>>>>>> <https://urldefense.com/v3/__https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzhrCCuoA$>
>>>>>>>>
>>>>>>>>
>>>>>>>> CONFIDENTIALITY NOTICE: This e-mail message, including any
>>>>>>>> attachments hereto, is for the sole use of the intended recipient(s) and
>>>>>>>> may contain confidential and/or proprietary information.
>>>>>>>> --
>>>>>>>> policy-charter mailing list
>>>>>>>> policy-charter at lists.openid.net
>>>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>>>
>>>>>>>> --
>>>>>>>> policy-charter mailing list
>>>>>>>> policy-charter at lists.openid.net
>>>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>>>
>>>>>>>
>>>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>>>>> If you have received this communication in error, please notify the sender
>>>>>>> immediately by e-mail and delete the message and any file attachments from
>>>>>>> your computer. Thank you.*--
>>>>>>> policy-charter mailing list
>>>>>>> policy-charter at lists.openid.net
>>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> [image: This is Alexandre Babeanu's card. Their email is
>>>>>> alex at 3edges.com. Their phone number is +1 604 728 8130.]
>>>>>> <https://urldefense.com/v3/__https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzhrCCuoA$>
>>>>>>
>>>>>> CONFIDENTIALITY NOTICE: This e-mail message, including any
>>>>>> attachments hereto, is for the sole use of the intended recipient(s) and
>>>>>> may contain confidential and/or proprietary information.
>>>>>> --
>>>>>> policy-charter mailing list
>>>>>> policy-charter at lists.openid.net
>>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/policy-charter__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzI-GNWW0$>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> ---
>>>>> David Brossard
>>>>> http://www.linkedin.com/in/davidbrossard
>>>>> http://twitter.com/davidjbrossard
>>>>> <https://urldefense.com/v3/__http://twitter.com/davidjbrossard__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzQRlFaRU$>
>>>>> http://about.me/brossard
>>>>> <https://urldefense.com/v3/__http://about.me/brossard__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzQqI8AE8$>
>>>>> ---
>>>>> Stay safe on the Internet: http://www.ic3.gov/preventiontips.aspx
>>>>> <https://urldefense.com/v3/__http://www.ic3.gov/preventiontips.aspx__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzljfWGu0$>
>>>>> Prenez vos pr?cautions sur Internet:
>>>>> http://www.securite-informatique.gouv.fr/gp_rubrique34.html
>>>>> <https://urldefense.com/v3/__http://www.securite-informatique.gouv.fr/gp_rubrique34.html__;!!PwKahg!7CiEei7WdBTxJUMqNJFiUZQ9jwPpoNIfxQxrts9bExQWpcmbLO_4TGBB6Dxzr2FYI2K8MlYzykAbVBcqOJdTyOfzo5yrZAg$>
>>>>> --
>>>>> policy-charter mailing list
>>>>> policy-charter at lists.openid.net
>>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>>
>>>> --
>>> policy-charter mailing list
>>> policy-charter at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
> --
> Andrew Hughes
> Director, Identity Standards
> Ping Identity
> Signal/Mobile: +12508889474
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/policy-charter/attachments/20230628/b486aa81/attachment-0001.html>