Abbreviated Language For Authorization 2.0
bofreq-brossard-abbreviated-language-for-authorization-20-00
| Document | |
|---|---|
| Type | Declined BOF request |
| Title | Abbreviated Language For Authorization 2.0 |
| Last updated | 2025-09-26 |
| State | Declined |
| Editor | David Brossard |
| Responsible leadership | |
| Send notices to | (None) |
Name: Abbreviated Language For Authorization 2.0 (ALFA 2.0)
Description
Historically, authorization has been left to the application developer, leading to opaque access control and brittle systems. Over the past 15 years, several attempts have been made to define an authorization language. These include:
- XACML (OASIS standard started in 2001)
- Open Policy Agent (Rego - part of CNCF - started in 2015)
- ALFA (profile of XACML started in 2012)
Additional proprietary, vendor-specific languages also exist, such as AWS’s Cedar.
A presentation on proposed interest areas was made during IETF 120 at the Hot RFC Lightning Talks session: https://youtu.be/ynPSBEaYOZg?t=1314. Several informal group conversations were held during the week with sibling groups such as OAuth and WIMSE. During IETF 121, we presented ALFA 2.0 again and held side meetings (https://github.com/ietf/wiki.ietf.org/blob/main/meeting/121/sidemeetings.md). We also presented during ALLDISPATCH (IETF 121: IETF-Wide "Dispatch" Session (ALLDISPATCH), 2024-11-04 15:30).
The goal of ALFA 2.0 is to offer a stateless, human-readable, general-purpose, fine-grained authorization language.
An initial set of use cases has been published as an I-D.
Required Details
- Status: not WG Forming
- Responsible AD: sec
- BOF proponents: David Brossard <david.brossard@axiomatics.com>, Andrew Clymer <andy@rocksolidknowledge.com>, Theo Dimitrakos <theo.dimitrakos@ifiptm.org>
- Number of people expected to attend: 20
- Length of session (1 or usually 2 hours): 2 hours
- Conflicts (whole Areas and/or WGs)
- Chair Conflicts: TBD
- Technology Overlap: TBD
- Key Participant Conflict: TBD
Information for IAB/IESG
To allow evaluation of your proposal, please include the following items:
- Any protocols or practices that already exist in this space: XACML, ALFA (draft), OPA, Rego, Cedar
- Which (if any) modifications to existing protocols or practices are required: this would produce a simplified version of ALFA.
- Which (if any) entirely new protocols or practices are required:
- Open source projects (if any) implementing this work: https://alfa.guide, AuthZForce (XACML PDP)
Agenda
- Requirements for authorization
- Policy-driven authorization: XACML, Rego, ALFA…
- Why ALFA 2.0
- Relevance to other working groups
- WIMSE, OAuth, Spice
Links to the mailing list, draft charter if any (for WG-forming BoF), relevant Internet-Drafts, etc.
- Mailing List: https://www.ietf.org/mailman/listinfo/example
- Draft charter: https://datatracker.ietf.org/doc/charter-ietf-EXAMPLE/
- Relevant Internet-Drafts: