From my reading, "a common security policy" is singular here to represent a functional stance, an authority, a delimited zone of control.

Technically, this security policy can be represented by multiple technical policies (decentralized, centralized, *BAC) that may or may not apply, and if one does, that could lead to a green light to process, a red light to stop, or a step-up process. Which outcome results depends on the context of the request: which caller, which callee, for which purpose, under which conditions.

But I respect that I might be too close to it to see an issue.

Jean-François "Jeff" Lombardo | Amazon Web Services
Principal Solution Architect, Security Specialist
Montréal, Canada

From: Watson Ladd <[email protected]>
Sent: August 14, 2025 6:05 PM
To: Atul Tulshibagwale <[email protected]>
Cc: oauth <[email protected]>
Subject: [OAUTH-WG] Re: WGLC for Transaction Tokens
On Mon, Aug 11, 2025, 8:21 PM Atul Tulshibagwale <[email protected]> wrote:

> Hi Watson,
>
> The spec has the following definition of a Trust Domain in Section 4:
>
> "A collection of systems, applications, or workloads that share a common security policy. In practice this may include a virtually or physically separated network, which contains two or more workloads. The workloads within a Trust Domain may be invoked only through published interfaces."
>
> The idea is that a service receiving an invocation from another service within the same trust domain can verify the transaction token details to prevent "unfettered access".

I think I understand what we want to say here. I just don't think that the words in the doc actually say that clearly. In particular, a common security policy is a pretty nebulous thing; does it mean they all need to authorize the same set of operations by the same people? Perhaps we should say a trust domain is the domain of services that trust a transaction token issuer, and explicitly say different services have different policies about what is allowed in it.

Astra mortemque praestare gradatim

> Hope this helps,
> Atul
>
> On Tue, Aug 12, 2025 at 7:42 AM Watson Ladd <[email protected]> wrote:
>
>> On Mon, Aug 11, 2025, 3:08 PM Brian Campbell <[email protected]> wrote:
>>
>>> Note that I hope/plan to do an actual review again (it's been a while) for this WGLC but did want to jump in on one point below.
>>>
>>> On Mon, Aug 11, 2025 at 3:01 PM Watson Ladd <[email protected]> wrote:
>>>
>>>> I have some concerns:
>>>>
>>>> - Requiring the requesting service to be in the Trust Domain of the token seems backwards to me. Surely we want these tokens to cross trust domains.
>>>
>>> No, I believe transaction tokens are, and have been since their inception, appropriately scoped to be an "internal" construct for use within a single trust domain.
>>
>> Maybe the term trust domain has a connotation I'm missing, but I would think that we're creating these precisely because service A can't be given unfettered access to all the things service B has access to, hence different trust domains. But maybe what I mean is not what was meant by trust domain.

_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
