<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.gmailsignatureprefix
{mso-style-name:gmail_signature_prefix;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1029335729;
mso-list-template-ids:-1085212446;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:1386950930;
mso-list-template-ids:1425554780;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-IE" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hi David, the difference between the direct and indirect requests is interesting. The direct request feels like a request for a decision, while the indirect request feels like policy retrieval (with some parameters to scope retrieval of policies as they relate to Alice and claims). Can you describe the use cases for when the direct vs. when the indirect approach is used?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> policy-charter &lt;policy-charter-bounces@lists.openid.net&gt;
<b>On Behalf Of </b>David Brossard via policy-charter<br>
<b>Sent:</b> Tuesday, June 27, 2023 4:17 PM<br>
<b>To:</b> Policy Charter Mail List &lt;policy-charter@lists.openid.net&gt;<br>
<b>Cc:</b> David Brossard &lt;david.brossard@gmail.com&gt;<br>
<b>Subject:</b> Re: [policy-charter] PEP-PDP Group<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">I agree with Allan. There's another aspect to runtime authZ: it eliminates the need to define entitlements up front. It eliminates the need for role, permissions, and entitlements engineering, and consequently provisioning and de-provisioning.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This makes me think another area of investigation for this WG is bridging the runtime authz world (XACML, OPA...) with the non-runtime authz world (OAuth scopes &amp; claims, SCIM entitlements...). AuthZ frameworks should be capable of generating dynamic claims that are fed into a token. CAEP could be used to update/revoke/enrich such tokens.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This means we need different ways to query a policy. And perhaps different ways to write policies. Let's assume a business authz policy:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1">
<b><span style="color:black;background:#FFE599">Policy</span></b>: Claims processors can approve a claim in their region if the amount claimed is less than the approver's limit.<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1">
<b><span style="color:black;background:#FFE599">Direct request</span></b>: Can Alice approve claim #123? (in the background, attribute retrieval is run to figure out who Alice is and what claim 123's region and amount are)<o:p></o:p></li></ul>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level2 lfo1">
Answer: Permit/Deny + obligations<o:p></o:p></li></ul>
</ul>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1">
<b><span style="color:black;background:#FFE599">Indirect request</span></b>: tell me what Alice can do on claims<o:p></o:p></li></ul>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level2 lfo1">
Answer: approve + claim amount < $500 + region = Moose Jaw.<o:p></o:p></li></ul>
</ul>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Wed, Jun 14, 2023 at 8:15 AM Allan Foster via policy-charter <<a href="mailto:policy-charter@lists.openid.net">policy-charter@lists.openid.net</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div id="m_-414447914740678160CanaryBody">
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Alex, I am not sure I fully agree with your statement!<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Although you might not use a PEP to protect those resources, there is still a reasonable use case to treat the spec as the API and transport for those resources to call out to a centralized AuthZ server.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">I think there are at least two use cases for standardization (as we discussed at IDentiverse)<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">1. A standardized interface between PEPs or agents and the PDP. This would allow de-weaponization of agents, and interoperability at the agent level…. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">2. A standardization at the policy level so that IF the PDP cannot be centralized, the interop would be at the Policy level, enabling the Policy Management to be centralized. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">A SaaS might not be willing to call out to a central PDP for AuthZ (and all the performance problems that brings) but might well be willing to accept the Policy
definition into its own AuthZ system<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">I see these as complementary.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">On another note, we want to ensure that whatever we do at the PEP/PDP level, we allow for real-time decisions. AuthZ decisions are not necessarily entitlements, and the decision may well depend on environmental issues at the time of the request. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Allan<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
</div>
<div id="m_-414447914740678160CanarySig">
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" id="m_-414447914740678160CanaryBlockquote">
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">On Tuesday, Jun 13, 2023 at 11:45, Alex Babeanu <<a href="mailto:alex@3edges.com" target="_blank">alex@3edges.com</a>> wrote:<o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">This is a good discussion; that said, a PEP is actually
<b>not</b> mandated in all cases. For example, you would <b>not</b> use a PEP to secure GraphQL APIs nor COTS software.<br>
<br>
I'm going to share a doc soon, for all to contribute on, that lists common authorization design patterns. I think it would be a good basis for discussion, and at least to scope what we're trying to do...<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Thanks,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">./\lex.<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">On Tue, Jun 13, 2023 at 11:30 AM Allan Foster via policy-charter <<a href="mailto:policy-charter@lists.openid.net" target="_blank">policy-charter@lists.openid.net</a>>
wrote:<o:p></o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black">So I am thinking we also want to set some scope of what we want to cover?
</span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black"> </span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black">Off the top of my head…. I can put some more context around these if they aren’t clear</span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black"> </span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black">The Transport layer</span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black">The Envelope Layer</span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black">The request/response transaction layer</span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black">How meta-data is handled? (both request and response)</span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black">Extension mechanisms</span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black">Exception mechanism</span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black"> </span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black">Allan</span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black"> </span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black"> </span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black"> </span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><b><span lang="EN-US" style="font-size:12.0pt;font-family:"Helvetica",sans-serif;color:black">From:
</span></b><span lang="EN-US" style="font-size:12.0pt;font-family:"Helvetica",sans-serif;color:black">policy-charter <<a href="mailto:policy-charter-bounces@lists.openid.net" target="_blank">policy-charter-bounces@lists.openid.net</a>> on behalf of Omri Gazitt
via policy-charter <<a href="mailto:policy-charter@lists.openid.net" target="_blank">policy-charter@lists.openid.net</a>><br>
<b>Date: </b>Tuesday, June 13, 2023 at 10:54<br>
<b>To: </b>Policy Charter Mail List <<a href="mailto:policy-charter@lists.openid.net" target="_blank">policy-charter@lists.openid.net</a>><br>
<b>Cc: </b>Omri Gazitt <<a href="mailto:omri@aserto.com" target="_blank">omri@aserto.com</a>><br>
<b>Subject: </b>Re: [policy-charter] PEP-PDP Group</span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black">I agree with David that looking at existing systems is a good place to start. If the idea is that PDPs
can add a "standard" API that PEPs can call, then it would be good if the API supports the existing message exchange patterns (and doesn't mandate things that aren't supported).</span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black"> </span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black">Here are three examples, to get us started:</span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<div>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2">
<span lang="EN-US" style="font-family:"Helvetica",sans-serif">OPA is interesting in the sense that its primary REST API is very document-oriented - you have a set of rules that are defined in a JSON-style hierarchy and you issue a GET or POST on that resource
in the hierarchy to evaluate the rule that is rooted there. This seems like a special case. OPA does have a generic
<a href="https://www.openpolicyagent.org/docs/latest/rest-api/#execute-an-ad-hoc-query" target="_blank">
query</a> API, which allows you to pass input and evaluate a Rego query based on the loaded policy document and the input. </span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2">
<span lang="EN-US" style="font-family:"Helvetica",sans-serif">Auth0 FGA (one of the Zanzibar implementations) has a
<a href="https://www.openpolicyagent.org/docs/latest/rest-api/#execute-an-ad-hoc-query" target="_blank">
check</a> API that takes a JSON payload containing a user key, relation name, and object key, and returns an allowed decision (true or false). Most Zanzibar implementations seem to do something similar - e.g. SpiceDB has a
<a href="https://www.postman.com/authzed/workspace/spicedb/documentation/21043612-9786e5f3-2014-4b31-86c1-39335236c0e2?entity=request-c58c40ff-9fc7-4c3e-9cca-f017160ba5b8" target="_blank">
check</a> API that takes a resource, permission, and subject. </span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2">
<span lang="EN-US" style="font-family:"Helvetica",sans-serif">Topaz (Aserto's OSS authorizer) has a
<a href="https://aserto.readme.io/reference/authorizerquery-1" target="_blank">query</a> API that takes an identity and policy (rule/decisions to evaluate), and optionally a resource context and additional input, and returns what OPA would return. It also has
a simpler <a href="https://aserto.readme.io/reference/authorizeris-1" target="_blank">is</a> API that evaluates a policy (rule/decisions) with an identity and resource context.</span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></li></ul>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black"> </span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black"> </span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black">On Tue, Jun 13, 2023 at 1:54 AM Roland Baum via policy-charter <<a href="mailto:policy-charter@lists.openid.net" target="_blank">policy-charter@lists.openid.net</a>>
wrote:</span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-family:"Helvetica",sans-serif;color:black">I'm in as well :-D<br>
<br>
<br>
<br>
Roland Baum<br>
umbrella.associates GmbH<br>
<br>
<br>
-- <br>
policy-charter mailing list<br>
<a href="mailto:policy-charter@lists.openid.net" target="_blank">policy-charter@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/policy-charter" target="_blank">https://lists.openid.net/mailman/listinfo/policy-charter</a></span><span lang="EN-US" style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><br clear="all">
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span class="gmailsignatureprefix"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">--
</span></span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<div>
<div>
</div>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><br>
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments hereto, is for the sole use of the intended recipient(s) and may contain confidential and/or proprietary information.<o:p></o:p></span></p>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><span class="gmailsignatureprefix">-- </span><o:p></o:p></p>
<div>
<p class="MsoNormal">---<br>
David Brossard<br>
<a href="http://www.linkedin.com/in/davidbrossard" target="_blank">http://www.linkedin.com/in/davidbrossard</a><br>
<a href="http://twitter.com/davidjbrossard" target="_blank">http://twitter.com/davidjbrossard</a><br>
<a href="http://about.me/brossard" target="_blank">http://about.me/brossard</a><br>
---<br>
Stay safe on the Internet: <a href="http://www.ic3.gov/preventiontips.aspx" target="_blank">
http://www.ic3.gov/preventiontips.aspx</a><br>
Take precautions on the Internet: <a href="http://www.securite-informatique.gouv.fr/gp_rubrique34.html" target="_blank">
http://www.securite-informatique.gouv.fr/gp_rubrique34.html</a><o:p></o:p></p>
</div>
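<p class="MsoNormal">A worked version of the claim-approval policy and the two query styles from David Brossard's message above: the direct request returns Permit/Deny plus obligations for one concrete claim, and the indirect request returns the residual conditions (action, amount limit, region) that apply to a subject, which a caller can then apply locally. This is an added example in Python, not code from the thread or from any product named in it; the user and claim attribute tables, the obligation identifier and the condition format are constructed for illustration.</p>

```python
"""Toy PDP for the claim-approval policy discussed in the thread (constructed example).

Policy: claims processors can approve a claim in their region if the amount
claimed is less than the approver's limit.

Two query styles:
  * direct   -> Permit/Deny plus obligations for one concrete request
  * indirect -> the residual conditions a subject must satisfy on any claim,
                i.e. policy retrieval scoped to that subject (partial evaluation)
"""
from dataclasses import dataclass, field

# Constructed attribute stores standing in for the PIPs a real PDP would query.
USERS = {
    "alice": {"role": "claims_processor", "region": "Moose Jaw", "approval_limit": 500},
    "bob":   {"role": "auditor",          "region": "Regina",    "approval_limit": 0},
}
CLAIMS = {
    "123": {"region": "Moose Jaw", "amount": 320},
    "124": {"region": "Moose Jaw", "amount": 900},
    "125": {"region": "Regina",    "amount": 100},
}


@dataclass
class Decision:
    decision: str                          # "Permit" or "Deny"
    obligations: list = field(default_factory=list)
    reason: str = ""


def direct_request(user_id: str, action: str, claim_id: str) -> Decision:
    """Can <user> <action> claim <claim_id>?  Attribute retrieval happens here."""
    user = USERS.get(user_id)
    claim = CLAIMS.get(claim_id)
    if user is None or claim is None:
        # Missing attributes fail closed: the PEP sees a Deny, not an error to interpret.
        return Decision("Deny", reason="unknown subject or resource")
    if action != "approve" or user["role"] != "claims_processor":
        return Decision("Deny", reason="policy not applicable")
    if claim["region"] != user["region"]:
        return Decision("Deny", reason="claim outside approver's region")
    if not claim["amount"] < user["approval_limit"]:
        return Decision("Deny", reason="amount at or above approver's limit")
    # Obligations travel with the Permit; the PEP must enforce them, not only the decision.
    return Decision("Permit", obligations=[
        {"id": "audit-log", "claim": claim_id, "approver": user_id}  # constructed obligation id
    ])


def indirect_request(user_id: str, resource_type: str = "claim") -> dict:
    """What can <user> do on claims?  Partial evaluation with the resource left unknown."""
    user = USERS.get(user_id)
    if user is None or user["role"] != "claims_processor" or resource_type != "claim":
        return {"actions": []}
    # Subject attributes are bound now; resource attributes come back as conditions the
    # caller (a search filter, a token issuer, a SaaS with its own AuthZ) applies itself.
    return {
        "actions": ["approve"],
        "conditions": [
            {"attribute": "claim.amount", "op": "<", "value": user["approval_limit"]},
            {"attribute": "claim.region", "op": "==", "value": user["region"]},
        ],
    }


def filter_claims(residual: dict, claims: dict) -> list:
    """Apply an indirect answer locally, e.g. to list the claims a user may approve."""
    ops = {"<": lambda a, b: a < b, "==": lambda a, b: a == b}
    if "approve" not in residual.get("actions", []):
        return []
    matching = []
    for claim_id, attrs in claims.items():
        # "claim.amount" -> attrs["amount"]; every residual condition must hold.
        if all(ops[c["op"]](attrs[c["attribute"].split(".", 1)[1]], c["value"])
               for c in residual.get("conditions", [])):
            matching.append(claim_id)
    return matching


if __name__ == "__main__":
    print(direct_request("alice", "approve", "123"))
    print(indirect_request("alice"))
    print(filter_claims(indirect_request("alice"), CLAIMS))
```

<p class="MsoNormal">For every claim in the constructed table the direct decision and the locally applied indirect answer agree, which is the property a PEP or token issuer relying on the indirect form needs to hold.</p>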
</div>
</body>
</html>