[policy-charter] IIW session notes for AuthZEN
Gerry Gebel
gerry at strata.io
Fri Oct 13 23:01:07 UTC 2023
Here is a summary of the discussion points from the IIW in-person session
on Oct 12:
Attendees (from the sign up sheet, we may have missed a few):
Atul T
David B
Mark B
Alex B
Omri G
Roland B
Andrew H
Phil H
Darin M
Eve M
Allan F
Jacob I
Mark H
Bjorn H
Matt M
Nancy C-W
Xingiun C
Judith F
Daniel L
Ashkan S
Gerry G
Since we had some new folks in the room, Atul and Omri reviewed the
presentation that was shown at the OIDF workshop on Monday of this week.
Allan also recounted the two Identiverse meetings that led to the formation
of AuthZEN.
We also talked about the initial work that has been scoped out so far,
namely the PEP to PDP flow and transport of policies from admin service to
decision engine. Other aspects such as management of data used by
decision engines were also mentioned. In addition, there was agreement that
we need to document use cases, deployment patterns, best practices, and
guidance.
How will the output of AuthZEN relate to OAuth 2.0? There was quite a bit
of discussion on this topic since OAuth is used in so many access control
scenarios, whether this group approves of that approach or not. Ultimately,
the use cases and recommended patterns that AuthZEN produces must clearly
articulate situations where and how fine-grained or externalized authZ
systems work with OAuth-based models.
Who is the audience, stakeholder, buyer that we should be thinking about?
Are they developers, product owners, CISOs, auditors, others? Eve suggested
that we think like a startup and consider what the product-market fit is for
any new standard.
Community outreach and evangelism will be important. Enterprises like
Netflix, Airbnb and Workday were mentioned as possible collaborators that
can help get the word out into the industry. Typical drivers are to make
money, save money or reduce risk - we need to map to these motivations.
*Logistics and next steps:*
- Weekly Zoom meetings will start on Oct 17
- We will attempt to record meetings
- Once OIDF formally approves AuthZEN, there will be a new email list and
all participants must sign an agreement regarding IP
- There is an OIDF Slack channel, but it is not ready for us to use yet
- More details to follow as we learn them.
Feel free to add or comment on anything that I missed.
Gerry