A Deranged Greeting Card from Authenticate - Unauthorized Edition

This is *not* what you get if you prompt an GenAI model to create an image of Mike and David cowriting an authorization newsletter at Authenticate. (We’re thinking of having it made into a greeting card.)

Greetings from a busy week at FIDO’s Authenticate 2024!

As I write this newsletter, the AuthZen Interop live session is underway. While attendees heard from the working group chairs (Omri, Alex, David, and Atul) on Monday, this will enable them to see firsthand what an interop looks like, ask questions, and engage participants in deeper conversations about the work of AuthZen.

Here’s Omri describing what’s going on this week.

Standards Updates

• GNAP is now RFC9635 - Congrats to Justin Richer and all who worked on this project!

From the RFC Abstract: “The Grant Negotiation and Authorization Protocol (GNAP) defines a mechanism for delegating authorization to a piece of software and conveying the results and artifacts of that delegation to the software.”

• And here’s a throwback from Justin in 2017 musing on Vectors of Trust, which found some expression in NIST’s 800-63.

Industry News

• Cerbos released its October newsletter, which updates you on all things related to the company (like what it’s doing at Authenticate this week!)

• Aserto and Zuplo showed how to add fine-grained authorization to APIs through a 20-minute demo.

• IndyKite partners with Project CAMARA and Deutsche Telekom

“IndyKite today announced it has joined open source project CAMARA, a Linux Foundation open source community addressing telco industry API interoperability, and partnered with Deutsche Telekom to provide richer services to customers.

. . . Further, through a new partnership with Deutsche Telekom, IndyKite will enable access to Telekom’s Magenta Business APIs to enhance decision power and design intelligent services like consent management, dynamic authorization, trusted data sharing, AI and more.”

• Permit live-streamed (and helpfully recorded) an hour long discussion of the evolution of Policy as Code.

• Pangea published a writeup on RBAC vs ReBAC vs ABAC for your next argument authZ discussion.

Randomness

• Ever wanted to use Terraform to order pizza?

The world is full of wonders. I highly suggest that you read the warnings and caveats section. Here’s a taste (pun intended) of what you’ll find:

“3) This is not a joke provider. Or, it kind of is a joke, but even though it's a joke it will still order you a pizza. You are going to get a pizza. You should be careful with this provider, if you don't want a pizza.”

• Got a good question to challenge AI?

Scale AI and CAIS are excited to announce the launch of Humanity's Last Exam, a project aimed at measuring how close we are to achieving expert-level AI systems. Top 50 questions earn $5K apiece . . .

What would the authorization-related question be? (Maybe we can crowd source and split the profits.)

Moment of Zen

Finally…. your moment of zen, so to speak:

Random find from the Trustworthy archives @ Stanford. Tell me that photo above doesn’t look like a creation of GenAI. (It just needs more poodles.)