<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:none;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-IE" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hi Atul, yes, it is an IETF mailing list:
</span><a href="https://www.ietf.org/mailman/listinfo/wimse">Wimse Info Page (ietf.org)</a><span style="mso-fareast-language:EN-US">
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> policy-charter &lt;policy-charter-bounces@lists.openid.net&gt;
<b>On Behalf Of </b>Atul Tulshibagwale via policy-charter<br>
<b>Sent:</b> Thursday, July 27, 2023 11:33 AM<br>
<b>To:</b> Policy Charter Mail List &lt;policy-charter@lists.openid.net&gt;<br>
<b>Cc:</b> atul &lt;atul@sgnl.ai&gt;<br>
<b>Subject:</b> Re: [policy-charter] July 27 call notes<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hi Gerry,<o:p></o:p></p>
<div>
<p class="MsoNormal">Thanks for the detailed notes. I believe the mailing list Pieter mentions is in the IETF and not in OIDF? Can you please clarify?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Atul<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Thu, Jul 27, 2023 at 11:26 AM Gerry Gebel via policy-charter &lt;<a href="mailto:policy-charter@lists.openid.net">policy-charter@lists.openid.net</a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Hi all,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">We had a very spirited and interesting discussion today in the currently named Admin Policy Push group. The focus was almost entirely on scope, with a short discussion of IIW and a possible charter.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Below is my attempt at capturing the conversation and a list of attendees. As usual, please make any corrections or other changes.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The conversation will continue on a weekly basis until the end of September for now, with likely in-person session(s) at IIW in October. Mike from OIDF will send an invite to the email list.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">You are also encouraged to look at the draft charter that Andrew previously shared so that it includes needed context for the Admin work stream. <a href="https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true" target="_blank">https://docs.google.com/document/d/1ijAaymAapYyeV_3qMVjuLtNzoskKsh7R/edit?usp=sharing&ouid=110252403279221684258&rtpof=true&sd=true</a> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Cheers,<br>
Gerry<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">===========================<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">July 27 Admin Policy Push group call<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Attendance<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Allan F<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Gerry G<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">David B<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Andrew H<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Omri G<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Pieter K<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">S Hutch<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Steve V<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Shayne M<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Guy P<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Atul T<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Aaron C<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Sebastian R<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Roland B<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Notes:<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Review of agenda<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Atul - will there be one group on authZ with 2 sub groups or something else?<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Allan - 2 different streams, don’t know if it needs to be separate charter or not<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Andrew - there is a draft charter for PEP-PDP. If it’s going to the same people, make it one work stream.<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Allan - looks like overlap is quite high<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">David, SteveV and Pieter concur<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Scope <o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Discussion of relationship data and its importance <o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Some concern of widening the scope - could be another work stream<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Some discussion of whether creating a new policy format is a good idea:<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Allan - didn’t think we could take an existing one (OPA, Cedar) and force others to use it<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">David - if we go this path, would want to look at existing and hopefully find that one of these is the super set<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Pieter - so many existing proprietary formats - thought we do this in a way that is language agnostic, rather than picking existing one and creating new one. Not worth spending time on creating
new one<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Allan - don’t think we want to create new one if we can, agnostic is key<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Hutch - tried to solve this over last couple years, thing we are trying to get to is a policy that all PDPs could use. What Mitsubishi has built is so organizationally specific. Used our own tagging
strategy and taxonomy. Maybe you could provide guidance on how others could build such a system - what’s the best way. What I see us doing is what CISO or auditor interacts with - build policy, add tags and that system uses the standardized policy language
to send it to the different PDPs. <o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Steve - OPA, Cedar, ALFA are potential targets for us and there is an unbounded problem in that we don’t know what all is out there. How to do this without making an intractable problem.<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Allan - agree that we don’t want to set up a natural language interface. While enterprises do things differently, they all have the same intent. We want to propagate a level of policy expression
that achieves things like “only US employees can view these accounts”<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Hutch - real world policy example, teller can only see client data if member of branch and both are citizens of the same country. This would need to be loaded into a PDP like Axiomatics but also
conditional access in Azure. <o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Pieter - is the term policy overloaded? It’s not clear to me that we need another policy model given the complexity and chance for adoption. Is this really an effort to define another policy
language?<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Hutch - not concerned with transport protocol, it’s more about how I do that consistently with Axio, Azure, CyberArk, etc. Need to go back and show auditors that it is being implemented consistently.<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Andrew - maybe skipping ahead 10 steps, but have a meeting in a week<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">1. Round trip a policy from a virtual PAP into and out of 3 authZ engines - how to confirm it got there<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">2. What would this look like? See what is really hard to do - let’s talk about something specific <o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">If we have a specific thing to work on, we will learn from it - which we could not do with only talking about generalities.<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Omri - Most consumers don’t control every PEP or PDP in relying parties. My hope is that if we can establish an architecture pattern where if your org has a set of policies, there is a way you
can push those policies to relying parties. Question or emphasis is can we establish this pattern - haven’t thought about whether there needs to be a standard policy format. <o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">SteveV - picking up on Andrew, pick a set of targets for
</span><a href="http://acme.com/" target="_blank"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">acme.com</span></a><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"> has sfdc and aws and internal service - how would we express
a policy to cover this use case. Hutch thinks this is a good direction to go. <o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Hutch - also thinking about how to work with existing systems, ended up writing their own adapters for apps and infra pieces. It’s not just common language, but having everyone using the same taxonomy
- even for attribute semantics. Just doing this for sfdc and Azure was very difficult.<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Shayne - reflect on difference of Hutch and Omri. Hutch sounds complicated to send policy to existing systems because they are all different. Whereas Omri seemed to be shaping a future
model that vendors could build to.<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Hutch - have to build for tomorrow, would not try for today. <o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Pieter - sounds nice, but cannot escape the past<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Omri - example: sfdc had its own model, but moved to OIDC over time. Coalesce a critical mass in the industry and have anchor tenants moving in the right direction - who are the killer apps here?<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Aaron - extend Omri - what can we learn from the past? SQL is an example and have all these successful implementations albeit with proprietary extensions.<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Allan - done this before with authN. Arguments were that we need to do this ourselves, but reached a point where centralizing is the right thing to do. Could do the same with authz<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Pieter - also important to know that they are very different. AuthN was easier to sell, value to customer, IT, CISO, and providers. I worry that the value prop does not exist in the same way. Pulling
out years of business logic is going to be a hard sell.<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Allan - posit that it is easier sell after listening to Hutch. Don’t care how they do policy, but managing how it is done is what is cared about. There will always be pushback for various reasons,
but at enterprise level the problem exists.<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Pieter - agrees on the problem in multi cloud and multi service environments. Concern that inventing another layer of policy language is the best way to go<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">David - authN and authZ have similarities, but need to standardize PEP to PDP. More important to ask request in same way, does not matter what the policy format is. If that is done correctly,
we can go to sw vendors and plan for ext authZ in their platforms/services in a standard way. Hutch said policies are unique, however there are cases where there are common policies such as for export control. Some verticals, like gov, defined certain claims
for SAML. Could defer policy to OPA, Cedar, or ALFA. <o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Allan - think we’ll have to do multi calls to further refine scope. The forward-looking architecture is important, but also have to look at existing environments. <o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Allan - I encourage people to look at the charter that Andrew already started and see if it covers what we want.<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Allan - IIW is coming up in October and we should plan on a working session there.<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Pieter - there is a new mailing list on OIDF for workload identity where authZ will also be a topic over there. Anyone interested can check it out.<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">David - should we contact other standards groups about this activity?<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Outreach: David to OASIS, Omri to OPA, Cedar people already know since they were at the Identiverse meeting<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Given the interest and work to be done, we will schedule weekly calls via OIDF through end of Sep<o:p></o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p style="margin:0cm;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;min-height:14px">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
</div>
</div>
</blockquote>
</div>
</div>
</body>
</html>