From gerry at strata.io Wed Jul 26 14:55:53 2023 From: gerry at strata.io (Gerry Gebel) Date: Wed, 26 Jul 2023 07:55:53 -0700 Subject: [policy-charter] reminder: Admin Policy Push call tomorrow Message-ID: Hi all - This is just a reminder for our call in 24 hours Talk to you then, Gerry https://us06web.zoom.us/j/4284593682 -------------- next part -------------- An HTML attachment was scrubbed... URL: From blhjelm at gmail.com Wed Jul 26 17:42:27 2023 From: blhjelm at gmail.com (Bjorn Hjelm) Date: Wed, 26 Jul 2023 10:42:27 -0700 Subject: [policy-charter] reminder: Admin Policy Push call tomorrow In-Reply-To: References: Message-ID: Was there a meeting invite sent out for this call? Kind Regards, Bjotn On Wed, Jul 26, 2023 at 7:56?AM Gerry Gebel via policy-charter < policy-charter at lists.openid.net> wrote: > Hi all - > > This is just a reminder for our call in 24 hours > > Talk to you then, > Gerry > > > https://us06web.zoom.us/j/4284593682 > -- > policy-charter mailing list > policy-charter at lists.openid.net > https://lists.openid.net/mailman/listinfo/policy-charter > -- ---------------------------------------------------------- From the desk of... Bjorn Hjelm Brymas Hjelm & Assciates Mobile: (678) 687-6187 E-mail: bjorn.hjelm at ieee.org -------------- next part -------------- An HTML attachment was scrubbed... URL: From gerry at strata.io Wed Jul 26 18:25:34 2023 From: gerry at strata.io (Gerry Gebel) Date: Wed, 26 Jul 2023 11:25:34 -0700 Subject: [policy-charter] reminder: Admin Policy Push call tomorrow In-Reply-To: References: Message-ID: Hi Bjorn - Yes, the invite was sent to this email list Regards, Gerry On Wed, Jul 26, 2023 at 10:42?AM Bjorn Hjelm wrote: > Was there a meeting invite sent out for this call? > > Kind Regards, > Bjotn > > On Wed, Jul 26, 2023 at 7:56?AM Gerry Gebel via policy-charter < > policy-charter at lists.openid.net> wrote: > >> Hi all - >> >> This is just a reminder for our call in 24 hours >> >> Talk to you then, >> Gerry >> >> >> https://us06web.zoom.us/j/4284593682 >> -- >> policy-charter mailing list >> policy-charter at lists.openid.net >> https://lists.openid.net/mailman/listinfo/policy-charter >> > > > -- > ---------------------------------------------------------- From the > desk of... Bjorn Hjelm Brymas Hjelm & Assciates Mobile: (678) 687-6187 > E-mail: bjorn.hjelm at ieee.org > -------------- next part -------------- An HTML attachment was scrubbed... URL: From vittorio.bertocci at okta.com Wed Jul 26 18:11:39 2023 From: vittorio.bertocci at okta.com (Vittorio Bertocci) Date: Wed, 26 Jul 2023 11:11:39 -0700 Subject: [policy-charter] reminder: Admin Policy Push call tomorrow In-Reply-To: References: Message-ID: There was. You are on it, but with your ieee address On Wed, Jul 26, 2023 at 10:42 Bjorn Hjelm via policy-charter < policy-charter at lists.openid.net> wrote: > *This message originated outside your organization.* > > ------------------------------ > > Was there a meeting invite sent out for this call? > > Kind Regards, > Bjotn > > On Wed, Jul 26, 2023 at 7:56?AM Gerry Gebel via policy-charter < > policy-charter at lists.openid.net> wrote: > >> Hi all - >> >> This is just a reminder for our call in 24 hours >> >> Talk to you then, >> Gerry >> >> >> https://us06web.zoom.us/j/4284593682 >> -- >> policy-charter mailing list >> policy-charter at lists.openid.net >> https://lists.openid.net/mailman/listinfo/policy-charter >> >> > > > -- > ---------------------------------------------------------- From the > desk of... Bjorn Hjelm Brymas Hjelm & Assciates Mobile: (678) 687-6187 > E-mail: bjorn.hjelm at ieee.org > -- > policy-charter mailing list > policy-charter at lists.openid.net > https://lists.openid.net/mailman/listinfo/policy-charter > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mike.leszcz at oidf.org Wed Jul 26 18:56:38 2023 From: mike.leszcz at oidf.org (Mike Leszcz) Date: Wed, 26 Jul 2023 18:56:38 +0000 Subject: [policy-charter] reminder: Admin Policy Push call tomorrow In-Reply-To: References: Message-ID: Hello all, I have added Bjorn's Gmail address to the list. If meetings are going to occur on a regular basis, please let me know the details so that I can add to the OIDF calendar. Thank you, Mike ________________________________ From: policy-charter on behalf of Vittorio Bertocci via policy-charter Sent: Wednesday, July 26, 2023 2:11 PM To: Policy Charter Mail List ; bjorn.hjelm at ieee.org Cc: vittorio_fwd ; Bjorn Hjelm Subject: Re: [policy-charter] reminder: Admin Policy Push call tomorrow There was. You are on it, but with your ieee address On Wed, Jul 26, 2023 at 10:42 Bjorn Hjelm via policy-charter > wrote: This message originated outside your organization. ________________________________ Was there a meeting invite sent out for this call? Kind Regards, Bjotn On Wed, Jul 26, 2023 at 7:56?AM Gerry Gebel via policy-charter > wrote: Hi all - This is just a reminder for our call in 24 hours Talk to you then, Gerry https://us06web.zoom.us/j/4284593682 -- policy-charter mailing list policy-charter at lists.openid.net https://lists.openid.net/mailman/listinfo/policy-charter -- ---------------------------------------------------------- From the desk of... Bjorn Hjelm Brymas Hjelm & Assciates Mobile: (678) 687-6187 E-mail: bjorn.hjelm at ieee.org -- policy-charter mailing list policy-charter at lists.openid.net https://lists.openid.net/mailman/listinfo/policy-charter -------------- next part -------------- An HTML attachment was scrubbed... URL: From blhjelm at gmail.com Thu Jul 27 03:52:16 2023 From: blhjelm at gmail.com (Bjorn Hjelm) Date: Wed, 26 Jul 2023 20:52:16 -0700 Subject: [policy-charter] reminder: Admin Policy Push call tomorrow In-Reply-To: References: Message-ID: Vittorio, Ok, thanks. I don't know why my old ieee address is appearing rather than my gmail address. Kind Regards, Bjorn On Wed, Jul 26, 2023 at 11:11?AM Vittorio Bertocci < vittorio.bertocci at okta.com> wrote: > There was. You are on it, but with your ieee address > > On Wed, Jul 26, 2023 at 10:42 Bjorn Hjelm via policy-charter < > policy-charter at lists.openid.net> wrote: > >> *This message originated outside your organization.* >> >> ------------------------------ >> >> Was there a meeting invite sent out for this call? >> >> Kind Regards, >> Bjotn >> >> On Wed, Jul 26, 2023 at 7:56?AM Gerry Gebel via policy-charter < >> policy-charter at lists.openid.net> wrote: >> >>> Hi all - >>> >>> This is just a reminder for our call in 24 hours >>> >>> Talk to you then, >>> Gerry >>> >>> >>> https://us06web.zoom.us/j/4284593682 >>> -- >>> policy-charter mailing list >>> policy-charter at lists.openid.net >>> https://lists.openid.net/mailman/listinfo/policy-charter >>> >>> >> >> >> -- >> ---------------------------------------------------------- From the >> desk of... Bjorn Hjelm Brymas Hjelm & Assciates Mobile: (678) 687-6187 >> E-mail: bjorn.hjelm at ieee.org >> -- >> policy-charter mailing list >> policy-charter at lists.openid.net >> https://lists.openid.net/mailman/listinfo/policy-charter >> > -- ---------------------------------------------------------- From the desk of... Bjorn Hjelm Brymas Hjelm & Assciates Mobile: (678) 687-6187 E-mail: bjorn.hjelm at ieee.org -------------- next part -------------- An HTML attachment was scrubbed... URL: From mike.kiser at sailpoint.com Thu Jul 27 13:51:03 2023 From: mike.kiser at sailpoint.com (Mike Kiser) Date: Thu, 27 Jul 2023 13:51:03 +0000 Subject: [policy-charter] reminder: Admin Policy Push call tomorrow In-Reply-To: References: Message-ID: I?m currently in transit in Europe, headed back to the States. Will try to make the call today, if not, I?ll follow up any comments I might have on the mail list. Thanks for the reminder, Gerry. -Mike _______________________ Mike Kiser Director of Strategy and Standards mike.kiser at sailpoint.com From: policy-charter on behalf of Gerry Gebel via policy-charter Date: Wednesday, July 26, 2023 at 16:56 To: Policy Charter Mail List Cc: Gerry Gebel Subject: [policy-charter] reminder: Admin Policy Push call tomorrow Hi all - This is just a reminder for our call in 24 hours Talk to you then, Gerry https:?//us06web.?zoom.?us/j/4284593682 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ZjQcmQRYFpfptBannerStart This Message Is From an External Sender This message came from outside your organization. ZjQcmQRYFpfptBannerEnd Hi all - This is just a reminder for our call in 24 hours Talk to you then, Gerry https://us06web.zoom.us/j/4284593682 -------------- next part -------------- An HTML attachment was scrubbed... URL: From pieter.kasselman at microsoft.com Thu Jul 27 18:12:54 2023 From: pieter.kasselman at microsoft.com (Pieter Kasselman) Date: Thu, 27 Jul 2023 18:12:54 +0000 Subject: [policy-charter] Workload Identity in Multi-Service Environments (WIMSE) Message-ID: Hi folks, There is a new IETF mailing list for discussion on workload identities named Workload Identity in Multi-Service Environment - WIMSE (it's pronounced "wimsey"). Authorization will probably be part of the discussion, so flagging here for folks who may be interested in that conversation. Evan Gilman, Justin Richer, Joe Soloway and I have been working on a couple of use cases which we will share on the list in the next week or so. We are also planning a Birds-of-a-Feather session at IETF 118 in Prague in November, in case your in the neighbourhood. You can see Justin's presentation at IETF Dispatch earlier this week here: https://youtu.be/KT3mMX9CMdA?t=316 You can sign-up here: Wimse Info Page (ietf.org) Cheers Pieter -------------- next part -------------- An HTML attachment was scrubbed... URL: From gerry at strata.io Thu Jul 27 18:25:44 2023 From: gerry at strata.io (Gerry Gebel) Date: Thu, 27 Jul 2023 11:25:44 -0700 Subject: [policy-charter] July 27 call notes Message-ID: Hi all, We had a very spirited and interesting discussion today in the currently named Admin Policy Push group.The focus was almost entirely on scope, with a short discussion of IIW and a possible charter. Below is my attempt at capturing the conversation and a list of attendees. As usual, please make any corrections or other changes. The conversation will continue on a weekly basis until the end of September for now, with likely in person session(s) at IIW in October. Mike from OIDF will send an invite to the email list You are also encouraged to look at the draft charter that Andrew previously shared so that it includes needed context for the Admin work stream. https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true Cheers, Gerry =========================== July 27 Admin Policy Push group call Attendance Allan F Gerry G David B Andrew H Omri G Pieter K S Hutch Steve V Shayne M Guy P Atul T Aaron C Sebastian R Roland B Notes: Review of agenda Atul - will there be one group on authZ with 2 sub groups or something else? Allan - 2 different streams, don?t know if it needs to be separate charter or not Andrew - there is a draft charter for PEP-PDP. If it?s going to the same people, make it one work stream. Allan - looks like overlap is quite high David, SteveV and Pieter concur Scope Discussion of relationship data and its importance Some concern of widening the scope - could be another work stream Some discussion of whether creating a new policy format is a good idea: Allan - didn?t think we could take an existing one )OPA, Cedar) and force others to use it David - if we go this path, would want to look at existing and hopefully find that one of these is the super set Pieter - so many existing proprietary formats - thought we do this in a way that is language agnostic, rather than picking existing one and creating new one. Not worth spending time on creating new one Allan - don?t think we want to create new one if we can, agnostic is key Hutch - tried to solve this over last couple years, thing we are trying to get to is a policy that all PDPs could use. What Mitsubishi has built is so organizationally specific. Used our own tagging strategy and taxonomy. Maybe you could provide guidance on how others could build such a system - what?s the best way . What I see us doing is what CISO or auditor interacts with - build policy, add tags and that system uses the standardized policy language to send it to the different PDPs. Steve - OPA, Cedar, ALFA are potential targets for us and there is an unbounded problem in that we don?t know what all is out there. How to do this without making an intractable problem. Allan - agree that we don?t want to set up a natural language interface. While enterprises do things differently, they all have the same intent. We want to propagate a level of policy expression that achieves things like ?only US employees can view these accounts? Hutch - real world policy example, teller can only see client data if member of branch and both are citizens of the same country. This would need to be loaded into a PDP like Axiomatics but also conditional access in Azure. Pieter - is term policy term overloaded? It?s not clear to me that we need another policy model given the complexity and chance for adoption. Is this really an effort to define another policy language? Hutch - not concerned with transport protocol, it?s more about how I do that consistently with Axio, Azure, CyberArk, etc. Need to go back and show auditors that it is being implemented consistently. Andrew - maybe skipping ahead 10 steps, but have a meeting in a week 1. Round trip a policy from a virtual PAP into and out of 3 authZ engines - how to confirm it got there 2. What would this look like? See what is really hard to do - let?s talk about something specific If we have a specific thing to work on, we will learn from it - which we could not do with only talking about generalities. Omri - Most consumers don?t control every PEP or PDP in relying parties. My hope is that if we can establish an architecture pattern where if your org has a set of policies, there is a way you can push those policies to relying parties. Question or emphasis is can we establish this pattern - haven?t thought about whether there needs to be a standard policy format. SteveV - picking up on Andrew, pick a set of targets for acme.com has sfdc and aws and internal service - how would we express a policy to cover this use case. Hutch thinks this is a good direction to go. Hutch - also thinking about how to work with existing systems, ended up writing their own adapters for apps and infra pieces.It?s not just common language, but having everyone using the same taxonomy - even for attribute semantics. Just doing this for sfdc and Azure was very difficult. Shayne - reflect on difference of Hutch and Omri. Hutch sounds complicated to send policy to existing systems because they are all different. Whereas Omri seemed to be shaping the future a future model that vendors could build to. Hutch - have to build for tomorrow, would not try for today. Pieter - sounds nice, but cannot escape the past Omri - example: sfdc had its own model, but moved to OIDC over time. Coalesce a critical mass in the industry and have anchor tenants moving in the right direction - who are the killer apps here? Aaron - extend Omri - what can we learn from the past? SQL is an example and have all these successful implementations albeit with proprietary extensions. Allan - done this before with authN. Arguments were that we need to do this ourselves, but reached a point where centralizing is the right thing to do. Could do the same with authz Pieter also important to know that they are very different. AuthN was easier to sell, value to customer, IT, CISO, and providers. I worry that the value prop does not exist in the same way. Pulling out years of business logic is going to be a hard sell. Allan - posit that it is easier sell after listening to Hutch. Don?t care how they do policy, but managing how it is done is what is cared about. There will always be pushback for various reasons, but at enterprise level the problem exists. Pieter - agrees on the problem in multi cloud and multi service environments. Concern that inventing another layer of policy language is the best way to go David - authN and authZ have similarities, but need to standardize PEP to PDP. More important to ask request in same way, does not matter what the policy format is. If that is done correctly, we can go to sw vendors and plan for ext authZ in their platforms/services in a standard way. Hutch said policies are unique, however there are cases where there are common policies such as for export control. Some verticals, like gov, defined certain claims for SAML. Could defer policy to OPA, Cedar, or ALFA. Allan - think we?ll have to do multi calls to further refine scope. The forward looking architecture is important, but also have to look at existing environments. Allan - I encourage people to look at the charter that Andrew already started and see if it covers what we want. Allan - IIW is coming up in October and we should plan on a working session there. Pieter - there is a new mailing list on OIDF for workload identity where authZ will also be a topic over there. Anyone interested can check it out. David - should we contact other standards groups about this activity? Outreach: David to OASIS, Omri to OPA, cedar people already know since they were at the Identiverse meeting Given the interest and work to be done, we will schedule weekly calls via OIDF through end of Sep -------------- next part -------------- An HTML attachment was scrubbed... URL: From atul at sgnl.ai Thu Jul 27 18:32:53 2023 From: atul at sgnl.ai (Atul Tulshibagwale) Date: Thu, 27 Jul 2023 11:32:53 -0700 Subject: [policy-charter] July 27 call notes In-Reply-To: References: Message-ID: Hi Gerry, Thanks for the detailed notes. I believe the mailing list Pieter mentions is in the IETF and not in OIDF? Can you please clarify? Thanks, Atul On Thu, Jul 27, 2023 at 11:26?AM Gerry Gebel via policy-charter < policy-charter at lists.openid.net> wrote: > Hi all, > > We had a very spirited and interesting discussion today in the currently > named Admin Policy Push group.The focus was almost entirely on scope, with > a short discussion of IIW and a possible charter. > > Below is my attempt at capturing the conversation and a list of attendees. > As usual, please make any corrections or other changes. > > The conversation will continue on a weekly basis until the end of > September for now, with likely in person session(s) at IIW in October. Mike > from OIDF will send an invite to the email list > > You are also encouraged to look at the draft charter that Andrew > previously shared so that it includes needed context for the Admin work > stream. > https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true > > > Cheers, > Gerry > > =========================== > > July 27 Admin Policy Push group call > > > Attendance > > Allan F > > Gerry G > > David B > > Andrew H > > Omri G > > Pieter K > > S Hutch > > Steve V > > Shayne M > > Guy P > > Atul T > > Aaron C > > Sebastian R > > Roland B > > > Notes: > > > Review of agenda > > > Atul - will there be one group on authZ with 2 sub groups or something > else? > > Allan - 2 different streams, don?t know if it needs to be separate charter > or not > > Andrew - there is a draft charter for PEP-PDP. If it?s going to the same > people, make it one work stream. > > Allan - looks like overlap is quite high > > David, SteveV and Pieter concur > > > Scope > > > Discussion of relationship data and its importance > > Some concern of widening the scope - could be another work stream > > > Some discussion of whether creating a new policy format is a good idea: > > Allan - didn?t think we could take an existing one )OPA, Cedar) and force > others to use it > > David - if we go this path, would want to look at existing and hopefully > find that one of these is the super set > > Pieter - so many existing proprietary formats - thought we do this in a > way that is language agnostic, rather than picking existing one and > creating new one. Not worth spending time on creating new one > > Allan - don?t think we want to create new one if we can, agnostic is key > > Hutch - tried to solve this over last couple years, thing we are trying to > get to is a policy that all PDPs could use. What Mitsubishi has built is so > organizationally specific. Used our own tagging strategy and taxonomy. > Maybe you could provide guidance on how others could build such a system - > what?s the best way . What I see us doing is what CISO or auditor interacts > with - build policy, add tags and that system uses the standardized policy > language to send it to the different PDPs. > > > Steve - OPA, Cedar, ALFA are potential targets for us and there is an > unbounded problem in that we don?t know what all is out there. How to do > this without making an intractable problem. > > > Allan - agree that we don?t want to set up a natural language interface. > While enterprises do things differently, they all have the same intent. We > want to propagate a level of policy expression that achieves things like > ?only US employees can view these accounts? > > > Hutch - real world policy example, teller can only see client data if > member of branch and both are citizens of the same country. This would need > to be loaded into a PDP like Axiomatics but also conditional access in > Azure. > > > Pieter - is term policy term overloaded? It?s not clear to me that we need > another policy model given the complexity and chance for adoption. Is this > really an effort to define another policy language? > > > Hutch - not concerned with transport protocol, it?s more about how I do > that consistently with Axio, Azure, CyberArk, etc. Need to go back and show > auditors that it is being implemented consistently. > > > Andrew - maybe skipping ahead 10 steps, but have a meeting in a week > > 1. Round trip a policy from a virtual PAP into and out of 3 authZ engines > - how to confirm it got there > > 2. What would this look like? See what is really hard to do - let?s talk > about something specific > > If we have a specific thing to work on, we will learn from it - which we > could not do with only talking about generalities. > > > Omri - Most consumers don?t control every PEP or PDP in relying parties. > My hope is that if we can establish an architecture pattern where if your > org has a set of policies, there is a way you can push those policies to > relying parties. Question or emphasis is can we establish this pattern - > haven?t thought about whether there needs to be a standard policy format. > > > SteveV - picking up on Andrew, pick a set of targets for acme.com has > sfdc and aws and internal service - how would we express a policy to cover > this use case. Hutch thinks this is a good direction to go. > > > Hutch - also thinking about how to work with existing systems, ended up > writing their own adapters for apps and infra pieces.It?s not just common > language, but having everyone using the same taxonomy - even for attribute > semantics. Just doing this for sfdc and Azure was very difficult. > > > Shayne - reflect on difference of Hutch and Omri. Hutch sounds complicated > to send policy to existing systems because they are all different. Whereas > Omri seemed to be shaping the future a future model that vendors could > build to. > > > Hutch - have to build for tomorrow, would not try for today. > > Pieter - sounds nice, but cannot escape the past > > Omri - example: sfdc had its own model, but moved to OIDC over time. > Coalesce a critical mass in the industry and have anchor tenants moving in > the right direction - who are the killer apps here? > > > Aaron - extend Omri - what can we learn from the past? SQL is an example > and have all these successful implementations albeit with proprietary > extensions. > > Allan - done this before with authN. Arguments were that we need to do > this ourselves, but reached a point where centralizing is the right thing > to do. Could do the same with authz > > > Pieter also important to know that they are very different. AuthN was > easier to sell, value to customer, IT, CISO, and providers. I worry that > the value prop does not exist in the same way. Pulling out years of > business logic is going to be a hard sell. > > > Allan - posit that it is easier sell after listening to Hutch. Don?t care > how they do policy, but managing how it is done is what is cared about. > There will always be pushback for various reasons, but at enterprise level > the problem exists. > > > Pieter - agrees on the problem in multi cloud and multi service > environments. Concern that inventing another layer of policy language is > the best way to go > > > David - authN and authZ have similarities, but need to standardize PEP to > PDP. More important to ask request in same way, does not matter what the > policy format is. If that is done correctly, we can go to sw vendors and > plan for ext authZ in their platforms/services in a standard way. Hutch > said policies are unique, however there are cases where there are common > policies such as for export control. Some verticals, like gov, defined > certain claims for SAML. Could defer policy to OPA, Cedar, or ALFA. > > > Allan - think we?ll have to do multi calls to further refine scope. The > forward looking architecture is important, but also have to look at > existing environments. > > > Allan - I encourage people to look at the charter that Andrew already > started and see if it covers what we want. > > > Allan - IIW is coming up in October and we should plan on a working > session there. > > > Pieter - there is a new mailing list on OIDF for workload identity where > authZ will also be a topic over there. Anyone interested can check it out. > > > David - should we contact other standards groups about this activity? > > Outreach: David to OASIS, Omri to OPA, cedar people already know since > they were at the Identiverse meeting > > > Given the interest and work to be done, we will schedule weekly calls via > OIDF through end of Sep > > > > -- > policy-charter mailing list > policy-charter at lists.openid.net > https://lists.openid.net/mailman/listinfo/policy-charter > -------------- next part -------------- An HTML attachment was scrubbed... URL: From pieter.kasselman at microsoft.com Thu Jul 27 18:36:25 2023 From: pieter.kasselman at microsoft.com (Pieter Kasselman) Date: Thu, 27 Jul 2023 18:36:25 +0000 Subject: [policy-charter] July 27 call notes In-Reply-To: References:

Message-ID: Hi Atul, yes, it is an IETF mailing list: Wimse Info Page (ietf.org) From: policy-charter On Behalf Of Atul Tulshibagwale via policy-charter Sent: Thursday, July 27, 2023 11:33 AM To: Policy Charter Mail List Cc: atul Subject: Re: [policy-charter] July 27 call notes Hi Gerry, Thanks for the detailed notes. I believe the mailing list Pieter mentions is in the IETF and not in OIDF? Can you please clarify? Thanks, Atul On Thu, Jul 27, 2023 at 11:26?AM Gerry Gebel via policy-charter > wrote: Hi all, We had a very spirited and interesting discussion today in the currently named Admin Policy Push group.The focus was almost entirely on scope, with a short discussion of IIW and a possible charter. Below is my attempt at capturing the conversation and a list of attendees. As usual, please make any corrections or other changes. The conversation will continue on a weekly basis until the end of September for now, with likely in person session(s) at IIW in October. Mike from OIDF will send an invite to the email list You are also encouraged to look at the draft charter that Andrew previously shared so that it includes needed context for the Admin work stream. https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true Cheers, Gerry =========================== July 27 Admin Policy Push group call Attendance Allan F Gerry G David B Andrew H Omri G Pieter K S Hutch Steve V Shayne M Guy P Atul T Aaron C Sebastian R Roland B Notes: Review of agenda Atul - will there be one group on authZ with 2 sub groups or something else? Allan - 2 different streams, don?t know if it needs to be separate charter or not Andrew - there is a draft charter for PEP-PDP. If it?s going to the same people, make it one work stream. Allan - looks like overlap is quite high David, SteveV and Pieter concur Scope Discussion of relationship data and its importance Some concern of widening the scope - could be another work stream Some discussion of whether creating a new policy format is a good idea: Allan - didn?t think we could take an existing one )OPA, Cedar) and force others to use it David - if we go this path, would want to look at existing and hopefully find that one of these is the super set Pieter - so many existing proprietary formats - thought we do this in a way that is language agnostic, rather than picking existing one and creating new one. Not worth spending time on creating new one Allan - don?t think we want to create new one if we can, agnostic is key Hutch - tried to solve this over last couple years, thing we are trying to get to is a policy that all PDPs could use. What Mitsubishi has built is so organizationally specific. Used our own tagging strategy and taxonomy. Maybe you could provide guidance on how others could build such a system - what?s the best way . What I see us doing is what CISO or auditor interacts with - build policy, add tags and that system uses the standardized policy language to send it to the different PDPs. Steve - OPA, Cedar, ALFA are potential targets for us and there is an unbounded problem in that we don?t know what all is out there. How to do this without making an intractable problem. Allan - agree that we don?t want to set up a natural language interface. While enterprises do things differently, they all have the same intent. We want to propagate a level of policy expression that achieves things like ?only US employees can view these accounts? Hutch - real world policy example, teller can only see client data if member of branch and both are citizens of the same country. This would need to be loaded into a PDP like Axiomatics but also conditional access in Azure. Pieter - is term policy term overloaded? It?s not clear to me that we need another policy model given the complexity and chance for adoption. Is this really an effort to define another policy language? Hutch - not concerned with transport protocol, it?s more about how I do that consistently with Axio, Azure, CyberArk, etc. Need to go back and show auditors that it is being implemented consistently. Andrew - maybe skipping ahead 10 steps, but have a meeting in a week 1. Round trip a policy from a virtual PAP into and out of 3 authZ engines - how to confirm it got there 2. What would this look like? See what is really hard to do - let?s talk about something specific If we have a specific thing to work on, we will learn from it - which we could not do with only talking about generalities. Omri - Most consumers don?t control every PEP or PDP in relying parties. My hope is that if we can establish an architecture pattern where if your org has a set of policies, there is a way you can push those policies to relying parties. Question or emphasis is can we establish this pattern - haven?t thought about whether there needs to be a standard policy format. SteveV - picking up on Andrew, pick a set of targets for acme.com has sfdc and aws and internal service - how would we express a policy to cover this use case. Hutch thinks this is a good direction to go. Hutch - also thinking about how to work with existing systems, ended up writing their own adapters for apps and infra pieces.It?s not just common language, but having everyone using the same taxonomy - even for attribute semantics. Just doing this for sfdc and Azure was very difficult. Shayne - reflect on difference of Hutch and Omri. Hutch sounds complicated to send policy to existing systems because they are all different. Whereas Omri seemed to be shaping the future a future model that vendors could build to. Hutch - have to build for tomorrow, would not try for today. Pieter - sounds nice, but cannot escape the past Omri - example: sfdc had its own model, but moved to OIDC over time. Coalesce a critical mass in the industry and have anchor tenants moving in the right direction - who are the killer apps here? Aaron - extend Omri - what can we learn from the past? SQL is an example and have all these successful implementations albeit with proprietary extensions. Allan - done this before with authN. Arguments were that we need to do this ourselves, but reached a point where centralizing is the right thing to do. Could do the same with authz Pieter also important to know that they are very different. AuthN was easier to sell, value to customer, IT, CISO, and providers. I worry that the value prop does not exist in the same way. Pulling out years of business logic is going to be a hard sell. Allan - posit that it is easier sell after listening to Hutch. Don?t care how they do policy, but managing how it is done is what is cared about. There will always be pushback for various reasons, but at enterprise level the problem exists. Pieter - agrees on the problem in multi cloud and multi service environments. Concern that inventing another layer of policy language is the best way to go David - authN and authZ have similarities, but need to standardize PEP to PDP. More important to ask request in same way, does not matter what the policy format is. If that is done correctly, we can go to sw vendors and plan for ext authZ in their platforms/services in a standard way. Hutch said policies are unique, however there are cases where there are common policies such as for export control. Some verticals, like gov, defined certain claims for SAML. Could defer policy to OPA, Cedar, or ALFA. Allan - think we?ll have to do multi calls to further refine scope. The forward looking architecture is important, but also have to look at existing environments. Allan - I encourage people to look at the charter that Andrew already started and see if it covers what we want. Allan - IIW is coming up in October and we should plan on a working session there. Pieter - there is a new mailing list on OIDF for workload identity where authZ will also be a topic over there. Anyone interested can check it out. David - should we contact other standards groups about this activity? Outreach: David to OASIS, Omri to OPA, cedar people already know since they were at the Identiverse meeting Given the interest and work to be done, we will schedule weekly calls via OIDF through end of Sep -- policy-charter mailing list policy-charter at lists.openid.net https://lists.openid.net/mailman/listinfo/policy-charter -------------- next part -------------- An HTML attachment was scrubbed... URL: From atul at sgnl.ai Thu Jul 27 22:30:53 2023 From: atul at sgnl.ai (Atul Tulshibagwale) Date: Thu, 27 Jul 2023 15:30:53 -0700 Subject: [policy-charter] Updates to the charter doc Message-ID: Hi all, FYI: I've suggested changes to the policy charter doc: i've restated the purpose and used the alternate suggested name. Also added the AuthZAPI as a proposed deliverable. Atul -------------- next part -------------- An HTML attachment was scrubbed... URL: From atul at sgnl.ai Fri Jul 28 16:37:45 2023 From: atul at sgnl.ai (Atul Tulshibagwale) Date: Fri, 28 Jul 2023 09:37:45 -0700 Subject: [policy-charter] Updates to the charter doc In-Reply-To: References: Message-ID: Hi all, Someone mentioned to me they didn't know where the charter doc was, so I'm sharing it here: DRAFT Charter Proposal for PDP-PEP Interoperabi... Atul On Thu, Jul 27, 2023 at 3:30?PM Atul Tulshibagwale wrote: > Hi all, > FYI: I've suggested changes to the policy charter doc: i've restated the > purpose and used the alternate suggested name. Also added the AuthZAPI as a > proposed deliverable. > > Atul > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From atul at sgnl.ai Fri Jul 28 16:39:26 2023 From: atul at sgnl.ai (Atul Tulshibagwale) Date: Fri, 28 Jul 2023 09:39:26 -0700 Subject: [policy-charter] Updates to the charter doc In-Reply-To: References:

Message-ID: Also the draft proposal for the PDP-PEP API (AuthZAPI) is here . The GitHub repo for it is here . On Fri, Jul 28, 2023 at 9:37?AM Atul Tulshibagwale wrote: > Hi all, > Someone mentioned to me they didn't know where the charter doc was, so I'm > sharing it here: > > DRAFT Charter Proposal for PDP-PEP Interoperabi... > > > Atul > > On Thu, Jul 27, 2023 at 3:30?PM Atul Tulshibagwale wrote: > >> Hi all, >> FYI: I've suggested changes to the policy charter doc: i've restated the >> purpose and used the alternate suggested name. Also added the AuthZAPI as a >> proposed deliverable. >> >> Atul >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: