From YouTube: CNCF SIG-Security Meeting - 2019-07-17
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
A: So we're just doing a little agenda-making, and while we wait for people to arrive, if you're new, please check out the meeting notes. If you're online I'll put them in again, because I don't think the chat's persistent. Add yourself into the attendee list, and we would love to have two volunteers as scribes. That just means you write down whatever you hear. We have two people so that, you know, if you missed something you don't have to stress about it, and then you can feel free to talk and somebody else will write stuff down.
A: The momentum of this group and the enthusiasm, how folks are scrubbing in and, you know, adding value and having a spirit of making security something that should be for everyone and openly and freely available. And Joe made the comment that there's some vendors where security is something you pay for. You really like the idea that we were contributing to a common, so that security could be something that everybody gets to have.
D: Besides that, outside that, we are continuing to work on the image and paper and stuff containing emission Krypton, which we have our PR LGD and in continuity. So hopefully we also have a KT which we're going to present the signal next week as well. So hopefully that goes well, and then at some point we can also share, happy.
E: Yeah, hi, Evan, as a first time joining the call. Really just to sort of catch up with what's going on and get more involved as I get more time. So I guess, potted history: I used to work for the UK government, doing a bunch of architecture and in finished and security and automation things. I loved it at Puppet for a while. I was at Docker. Most recently, I had a few months off, which is very nice. I've more recently just joined Snyk, a small security startup, and getting back into a bunch of scary things.
F: See if I can speak; we'll see if you can. So, as you know, PM on our Kubernetes distro at SUSE. I am here in Nuremberg, mainly conspiring about integrating and containerizing our OpenStack cloud and Ceph distributions on top of our Kubernetes, and figuring out how not to turn our networks into a giant swamp of crosstalk and insecurity, and pretty and fun things like trying to convince people that maybe we shouldn't be running user work on the same urban daddies that we're running the control planes, and I know.
F: I've said this before about having more time, but it looks like we're really in the homestretch of releasing stuff, so it looks like I will have more time. My next thing is going to be kube-hunter in our release, radically before it gets out this time, instead of six months after, and as I told people at the base to fix in Barcelona, I would start at the very least.
G: Hello, hello. For me, I'm Martin, and it's my first time here. Thank you. I am working at VMware, and I'm in the open source team, in the security soft team in the open source, and so I would have to listen more currently. I have many things to read and to get familiar with, yeah, with what you guys are doing.
H: Question: I work on cloud security at Google. One of the things I'm interested in is this notion that some of our customers have these platform teams, and I'm still trying to work on that. I'll probably get access to some of our customers so I can actually ask them. So we thought of customer visits, so that.
J: So I did have an opportunity to join, actually, Future Network, a road map which I bought into quite a few months ago, I guess, and it's going very slow. They do have a security, single, I mean security group, basically under them, focusing on the 5G, for those of you that may be, ages, not familiar with that.
J: So the positive side of it is that there is a lot of, you know, it's a very large scope that they are actually trying to address the security, but so it has everything, literally, but that's also the negative side of it. Because, am I, from my own observation? I am frustrated because it's not focused well, in the sense of I don't see anything tangible that would be coming out anytime soon, even though it's a long road map. It's a 10-year road map for security, as well as edge automation, application services.
I: Hi everybody, great, all right. I'm sorry, I couldn't find him with the unmute button. Hands-Free from Aqua. I've been bitten off in these meetings a little bit, but now it's really getting interesting as we start to talk about identity management, authorization and stuff like that, because that's my background.
B: We used it on this presentation for the CNCF last week, so that was, I think, a great milestone here, and well, now I'm looking forward to, like, future projects. I'm very excited about this software supply chain catalog. Again, resources have been actually taking up two papers because I think, and also are the elements of, like, academic literature and theoretical background linked to it too. So people want to, but yeah, I think that's a discussion that we can have next week when everybody that's also excited can chime in. Differ, thanks.
A: So look, well, you have been to the meeting before. We have some people who, this is their very first meeting. So, so yes, so I think that last time we just mentioned this in passing, and I said anybody who wants, in order to have a buddy program, we must have, the newcomers must have people who've been here for a little while, they were willing to volunteer to be buddies, to be the more experienced two person, anybody set. So I don't want to put anybody on the spot.
A: So Santiago will be Garris, woody, and you'll try out a buddy program, and then, if we have, if we have any other. I don't wanna take up too much space for this buddy matchup thing. If you were an experienced person who've been here for, you know, a couple months or whatever, at least since the last, you know, KubeCon, I think it, we had like a big upsurge of people.
A: People can match up, or, and add yourself to the issue so that we kind of know that we have a few people willing to do this at home. Thanks, everyone, and also, like, feel free to shout out, well, like, let's figure out that we have some experienced buddies, and then they'll volunteer for new people to have buddies.
A: Know, I was just thinking that this is the, yeah.
L: Might be identity and access specific projects that we would want to guide people about as they're sort of exploring into building their own cloud native projects, and so looking at the overall CNCF landscape, which is, like, I guess, nine hundred different associated projects, just started thinking about how to maybe categorize this section, and so I kind of approach it from the perspective of someone who has had to implement consistent.
L: But we don't have to include them or not, and so I, specifically because the term identity is so used, I specifically added the word lifecycle, and certainly I know that's up for debate. But the idea here is that having sort of an official understanding of what a principal is, a principal being a specific user or a specific service, and its lifecycle: creation.
L: Creation, transition, granting of entitlements, removing of entitlements, granting of attributes, removing of attributes. That there's a specific, I feel like there's a specific focused set of tools around that activity alone, and that it's worth categorizing that specific set of what is an identity and what do we know about it?
D: Yeah, I think definitely the clarifications here, they're giving some examples. What type of identity functions and access control functions projects may have definitely helped. The thing that I wanted to kind of hear more consumers for this specific roadmap document: what's our thoughts on including specific examples of projects on this? I know initially we mentioned 15 things like that, but I wasn't sure for this specific document whether we want to move examples to a different document and leave this more for definitions, or do we wanna add their examples here as well?
H: Here, so one of the things I'm seeing is there's provisioning and identity consumption, right. What you typically call authentication is actually the consumption. It gets provided by somebody, and I can clearly see that we want to have the provisioning and management of these identities to be via a separate thing, right. You know, an Active Directory versus OIDC validation step, right now. You know, AD's kind of management and provisioning of identities, and the OIDC validation is kind of the authentication step. So I think that would be. That makes it.
H: I don't, I don't think so. I think that is actually interesting. I don't think we capture that at all, right, because that becomes interesting if people start thinking about privacy issues. We got freedom questions and some KubeCon about GDPR at the time there's. This split helps you think about that and reason about that, yeah. The word lifecycle I actually.
L: It is one question, I guess, for Chris and I. That makes a lot of sense, the separation of provisioning and consumption, and I definitely, you're right, right, like those are definitely typically different activities, and provisioning, its particular provisioning is particularly important in larger organizations.
L: If you had to split those into two and we're looking at something like an LDAP server, right, like a FreeRADIUS, well, RADIUS is consumption, but something like specifically an LDAP server, which is both used as a directory and an agent for provisioning, but is also often used as the place where, you know, attributes are consumed and even passwords verified, like, where would that fit? Or do we just accept that some things are, you know, some?
H: Think they're awesome! So if you use some open standards, you have an easier way of separating those two, I think, especially for password verification. There are options to do some of that, but I think a lot of times, when you think about one of these identity problems, you tend to cover both aspects, right. You tend to cover, you know, I need to provision this identity and I also need to allow people to consume them further down the road as well. So I don't think you can ever completely separate them.
L: Do know, I think that makes sense, although for the purpose of decomposing the landscape of projects, that is helpful, because there are so many projects, as you know, right. If I compare this to the CNCF landscape document and say we're trying to create a specific CNCF security landscape, that it's not just about new standards. It's also about helping people trying to engage with cloud security understand what their options are. Yeah.
I: And I think that that's actually exactly what we need to do, because the idea that every project or even an application is going to store its own users doesn't really happen anymore. It's going towards actually centralized user information, where the identity is owned, usually, by the person, and they trust some entity to provision aspects of that record to certain providers under the consent of the person that owns the data, which is usually the individual.
I: So the idea is that, for most projects, you will need to rely on a service and our protocols, you know, SAML and OpenID and all those kind of things that do identity federation, and I don't think that anybody in their right mind would now actually take on housing and protecting and destroying, we're talking about GDPR, identity information that's tied into an individual.
A: So one question I had that this discussion sparked is, like, is this consumption of identity synonymous with credentials? Like, we're just kind of back to Aaron's question of, like, are these different services, or are they always coupled, and then we might as well make them one category, because we don't want to have everything in two categories? There's.
H: Its reasons to decouple them these days, right. So one of them is that these identity validations are typically costly because they involve, so it's a purely technical argument, right, so you try to exchange them for something that you can use symmetric encryption, right, and then also then serves as this secondary credential that is decoupled from your actual identity.
L: You know, SPIFFE, when I look at SPIFFE, it seems much more about the issuance of credentials, and while it provides some very loose guidelines about how to consume them, I think most of the work in the consumption space is actually, be not, being done by, like, their commercial partners. So I would say that distinction definitely resonates with me; exactly how to communicate it clearly, I may be noodling on a little bit to just.
A: That we basically have used as a guiding light, that our landscape would be perfect if everything fell into a single category. We don't expect that to actually be reality, partly because we're in this emerging space, and early offerings, early projects often had to build something that now is broken out and there's things you can use for. So just kind of because of history, we'll have projects that do a lot of things, right, and then, therefore, they would be in multiple categories, but we believe that lens for the landscape to be useful.
J: There is probably also another aspect to the identity: there is the, that affects the whole security aspects. There's the identity spoofing, so, and that, of course, the identity directly maps to your credentials, to credentials, to your authorization and all those things. So, even if you could put them into separate categories, there is clear, obviously, relationship between them that affects the actual security preservation.
J: So if someone spoofs the identity, that affects the whole thing down the chain line, right, and you have to be able to trace that back, you have to be able to shut it down. You have to be able to take all the precautionary access, because various steps, rather, to preserve your security. So I like the idea of separating them, but at the same time we have to keep in mind that they are related and they're very relevant and one affects the others, that makes sense.
I: I think actually, so the question that we have to understand is: do we want to take the ownership of being the identity provider, or are there going to be a set of services that you're going to trust? And if you get a valid token, with the right encryption, with the right timestamp and so on, you're actually going to trust that an identity is not spoofed, that it's been correctly validated, and then really the only thing you need to do is based on the attributes that you get in an assertion.
I: For instance, you would then authorize it for the permitted actions, because I think that that's what's been going on, you know, over the last, you know, 15 years, is that applications aren't, are, don't want to own the entire user record. Don't want to worry about spoofing, don't want to worry about housing passwords and the authentication and the advanced authentication, and all those mechanisms for two-factor authentication and so on.
D: It seems like, I think what TK was also saying is that the interface between these two services is a bit more complex than a regular integration of a service, because, you know, you have to maintain more than just a call-out. You have to make sure that the correct trust is established, as well as, you know, maintaining certain replication and certain information about key hierarchy as well. It's like a pretty tightly coupled integration, rather than just, for example, like calling out to a database or something like that. Okay.
J: I was also thinking about, you know, somewhat probably in Europe, in the futuristic manner, where it's more like the dynamic nature of this spoofing, and let's not underestimate that part, because just because you have an identity confirmed at one event, at one trigger point, and then you hand off to an application that is triggered, an application is in the process, and then the identity may have been spoofed right in the middle and someone else is also having access to the same applications as such. How do you maintain that integrity?
A: So I'm trying, I'm struggling to figure out how that, I think you're right that we do need to reason about those things and figure out whether we have, you know, where we have gaps and whether there's, you know, tools or processes or whatever it is to address those type of vulnerabilities. The question is, when it comes to the landscape, where the purpose is to create categories for different projects, I'm struggling to see, like, how does that area, that body, like, open questions, apply to this.
L: You know, help you consume logs of identities, help you consume the context of authentications and make better decisions about whether a particular authentication event might be fraudulent. So I think it's a reasonable thing to add. I can't name, other than, like, RSA Adaptive, off the top of my head, particular, I guess cloud Slayer might have something in that space. What I was.
J: Ahead, sorry. What I was thinking about, a little simpler version, like you would still have a separate category. Just like everybody's saying, there is enough justification to have those separately categorizing the landscape, but at the same time, if we could create a matrix that shows the relationship between these categories, and perhaps even we can identify a little more specific relationship in there. I would hate to use the word API. It's not API, but it's somewhat of a relationship, how one affects the other.
D: All right, you really like the idea, and we could go a bit further as well already. We could also say that the networks for the storage structure to call out the central access management or access control service, and this will get people to start thinking about making that a consumer rather than implementing it their own.
A: The access management category, and we could say, like, no, it's not, because everything had, like, this is how they were. I struggled to actually imagine how it would be visually described. But I love the idea, because it's sort of this n-dimensional thing in my head, but when it gets to 2D, I'm like, I don't know, yeah.
I: It gets complicated when resources are also identities, right. You need, if you're a person trying to start or stop a workload, then the workload is a resource. However, that workload is also an identity that might have access to other resources or other workloads, so things tend to play a dual role, especially when you start to talk about machine IDs versus people IDs.
A: Yeah, I think that we actually need to call out that there's people IDs and machine IDs. It's sort of implied with, I think, identity federation and single sign-on. To me, that implies user identities, human identities, I should say. Well, maybe they're not humans always, but I think that it would be worth sketching out that there are these different kinds of identities.
I: I think we want to separate, you know, human entities and non-human entities, because human entities do have a different path of authentication. Usually it's some kind of password or proving your identity, while non-human entities usually have something that's assigned, and everything is sort of inherent, and also the attributes. If we're talking about attribute-based access controls, which is a lot of information on the chat. Also, you know, the non-human IDs have different attributes than the human IDs.
A: I actually have a question, maybe I'm a little bit behind the discussion, but if we move this from the identity aspect into the resource aspect, but what are we authorized access to? I think it will help us determine, you know, what information we would need to obtain in order to assert that access. So.
I: Yeah, but actually, so, you know, the era of linden access management is definitely not, that there's a lot of established practice in that, and I think, you know, there are tools, different protocols, different standards that we can use, and we need to find the right tool for the job.
H: Arbitrary problem of dealing in authorization, but there's also the problem of dealing in authorization in the CNCF context, which is really what we are discussing, right. So, at least for the control plane, yeah, reasonably well established standards, either. Data plane is a different question, right, and that is something we are currently grappling with the mod, because we don't know how to auto transfer that.
L: So I don't, and I'd actually would love input from the group here, which is, we've talked a lot about this notion that, like, resources need to make their own decisions, and it does seem like that really is very much left up to the application teams without a lot of guidance as to how to do that. I think intuitively we all know that, like, read and write are different operations. There might be major buckets of resources that you would want to authorize differently, but I haven't found.
L: I can't, off the top of my head, think of any framework that lives outside of a given application for separating out, or, like, what resources would be, that is, you know, robust enough to talk about API access, robot storage access at the, you know, object level, and, you know, there would be robust to both kinds of, like, resource stuff. So if folks are aware of any good frameworks for, like, application developers to put in to help them reason about these things, like, those would be examples I'd love to, I love is.
L: Right, that is the main reason for the type of OPA project, and definitely as they build out their examples, you know, Ash, I'm, you may have something to add here. That would definitely be referencing. I'm, we are, we already talked about that a little bit elsewhere, and so I'm just wondering if there's anything else for more traditional RBAC-like systems that would serve as a good entry point. Well.
N: Yeah, sorry, look, great, yeah, just a quick comment on Aaron's point. So OPA's pretty general purpose, like, you know, where you can do RBAC, ABAC, anything with OPA. It depends on how you author your policies. Is there something specific that you think OPA does not need, or we need to kind of include? I'm not understanding that point. It's not very clear to me right now.
A: Or is, you know, or maybe it's not right, like we do have the Kubernetes example, as Christian mentions, that is like the CRD, and it's a very formalized sense of what is a resource and how do you interact with it? But there are, you know, there are other models, and maybe from the OPA experience you have a good way of describing, like, what are the things that we authorize, and is the resource term appropriate when we have a category that maybe we want to leave open for other types of framing? So.
J: If you follow kind of a, if you try to simplify everything to an object-oriented model, you can literally describe the whole universe in different objects, right. So then you can consider that, okay, well, resource is an object. So any type of access to the resource is an object, access to the object. So literally, you know, from that perspective, I think you can probably bring everything in that model as an object, title things, and then you provide the grant or not granting access to that particular object, which may be just an action. So.
A: I'm actually very familiar with the resource-based model, and I am a big fan of calling everything resource. I also have been in API religious wars with people who are like, my thing is not a resource, and so I'm in your camp, but I know that there are other people not in that camp. So in just naming the category, that's what I was, like, saying, is that do we want to have some, I don't know, examples of the non-resource authentication that is hanging out of a cloud.
Q: So this, Mark, I could see us getting into a longer conversation about this, but the HL7 FHIR standard has multiple sub-standards around provenance, the authorization layer, the infrastructure for transporting authorization, the resources, and the RDF triple store associated with the domain models. I think because they're dealing with HIPAA and safety, that the FHIR standard does a better job than any of the cloud native security projects that I've seen. Now, getting into that is a bit of a deep dive, so that's kind of the risk of going into this territory.
Q: But, you know, if we had the time, I would think that's worth our time. Now, what we did with this, and then this big data working group, was trying to do a crosswalk to some of their existing standards. I don't, it looks to me like that is not going to suit the more modest thing we have in mind for the landscape, but you might want to just put a placeholder here to go back and revisit the work that's been done in that standards organization.
A: That would seem to be helpful to the group. Those were a presentation format, and those have all been uploaded to YouTube, and with transcripts, so we want to, like, basically they need to be, like, sort of, when do they witness the actual presentation start and end of the meeting, and, like, just sort of sweeping through the transcript to be like.