Happy Monday! There’s a technology family that keeps showing up in my work this summer, and I’d like to share it with you. It’s called Trust Management. It’s a set of ideas (an architecture!) for authorization systems. The first ideas under this name are Matt Blaze’s KeyNote, from 1999. The version I’d try to deploy is probably Oleg Kiselyov’s Soutei, about which there’s a nice Soutei paper and a Cabal package.
The big idea here has three parts. First, we write authZ policies in a high-level, declarative language, so domain experts can easily see whether they’re correct. Second, the language supports easy proofs, so we can say “\(X\) never happens” and mechanically check whether \(X\) can in fact happen. Third, it works in a distributed way, so that different principals can be authoritative for different modules of the policy—so maybe ActiveDirectory is authoritative for reporting relationships, Salesforce is authoritative for who’s on which customer support teams, and the Legal training system for who’s clicked through which policies.
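To make the three parts concrete, here is an added example (my own toy code, not Soutei or KeyNote): a tiny Datalog-style evaluator in which each authority asserts facts only in its own namespace, the system policy combines them, and a query over the derived facts mechanically checks a “never happens” property. The namespace names (`ad`, `sf`, `legal`, `sys`), the sample facts and the rules are all assumptions constructed for the example; the second rule deliberately lets a manager inherit access, so the check actually finds a policy hole.

```python
# Added example (not code from the post or from Soutei/KeyNote): a toy
# Datalog-style trust-management evaluator.  Facts and rule atoms are
# (namespace, predicate, args); each authority asserts only its own namespace.
def unify(atom, fact, env):
    """Extend env so that atom matches fact; None if they cannot match."""
    if atom[:2] != fact[:2] or len(atom[2]) != len(fact[2]):
        return None
    env = dict(env)
    for a, f in zip(atom[2], fact[2]):
        if a[:1].isupper():                 # capitalised terms are variables
            if env.setdefault(a, f) != f:
                return None
        elif a != f:
            return None
    return env

def evaluate(facts, rules):
    """Naive bottom-up fixpoint: every fact the combined policy entails."""
    known = set(facts)
    while True:
        new = set()
        for head, body in rules:
            envs = [{}]
            for atom in body:
                envs = [e2 for e in envs for f in known
                        if (e2 := unify(atom, f, e)) is not None]
            for env in envs:
                new.add((head[0], head[1], tuple(env.get(a, a) for a in head[2])))
        if new <= known:
            return known
        known |= new

# Constructed sample facts; each authority owns exactly one namespace.
FACTS = {("ad", "manages", ("bob", "alice")),              # AD: reporting lines
         ("sf", "on-team", ("alice", "acme-support")),     # Salesforce: teams
         ("sf", "account-team", ("acme", "acme-support")),
         ("legal", "trained", ("alice", "data-handling"))} # Legal: click-throughs
# System policy: only sys defines may-access; sub-questions go to each authority.
RULES = [(("sys", "may-access", ("P", "Cust")),
          [("sf", "on-team", ("P", "T")), ("sf", "account-team", ("Cust", "T")),
           ("legal", "trained", ("P", "data-handling"))]),
         (("sys", "may-access", ("M", "Cust")),            # managers inherit access
          [("ad", "manages", ("M", "P")), ("sys", "may-access", ("P", "Cust"))])]

def untrained_access(facts=FACTS, rules=RULES):
    """Mechanical 'X never happens' check: who gets access without training?"""
    closure = evaluate(facts, rules)
    trained = {a[0] for ns, pred, a in closure if (ns, pred) == ("legal", "trained")}
    return {a for ns, pred, a in closure
            if (ns, pred) == ("sys", "may-access") and a[0] not in trained}
```

Running `untrained_access()` returns `{("bob", "acme")}`: the manager-inheritance rule bypasses the training requirement, which is exactly the kind of defect a domain expert can spot in the declarative rules and a checker can find mechanically.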
(Yes, many of you have heard this from me before. But I keep hearing people assume that authorization means an access control matrix, filled in offline based on role-based rules. Some folks assume Object Capability, and there are places—especially in the Web setting—where that works. But in general, TM is the place to go for state-of-the-art authz problems.)