+1

+1 non-binding

+1 (And sorry for the delay!) - Bryan

+1

Hey CNCF TOC and wider community, we currently have 4 project proposals in flight: Istio: https://github.com/cncf/toc/pull/70 Rook: https://github.com/cncf/toc/pull/57 SPIFFE:

anyone else want to chip in?

I've been reading it this morning. I think SPIFFE/SPIRE, OPA, and Vault fit nicely within that framing. Frankly, I think proxies fit within the AAA category, too. Maybe we're even talking about "AAA"

I am ok with that. Wonder what others think? Is that an offer? ;-) a

Tough one, but I'd say "yes." FWIW, we should probably read through RFC 2989 (specifically the agreed-upon terminology) for historical context. --- SJ | sunil@... | Scytale & SPIFFE

would you suggest moving key management to AAA?

+1 to this framing, particularly to its cross-cutting nature. While I agree 'security' is a natural starting bucket, the value propositions these (and other) projects address go beyond this (over

+1 to the Authentication (SPIFFE, spire), Authorization (OPA), Audit (?). Classically these are part of Security, but there's no box for that. AAA is typically cross-cutting. OPA, for example, has

Similar functions have often been classified as "AAA" in traditional systems (Authentication, Authorization, Accounting). I agree that no box really captures these well today - the closest are likely

That was where I was going... Do others agree?

I think OPA belongs in the top layer but I don't think it fits in any of the existing subcategories. In fact I feel that way about all three. ---- Nick

All, Question about the landscape. https://raw.githubusercontent.com/cncf/landscape/master/landscape/CloudNativeLandscape_latest.jpg - do we want to put OPA in the top layer, either inside, or next to

Thanks Andrew, I really appreciate your detail answers to my questions I raised earlier. Let me digest all these details and get back to you in case I need more clarity etc. In the meanwhile, thanks

Hello! Here are extra materials that were requested on the call. You can find out more about OPA at openpolicyagent.org. We have a number of tutorials with examples across Kubernetes, Terraform, SSH,

Hi Deepak - great to hear from you! Some answers to your questions inline. Istio has implemented the X.509-SVID as its identity token. This is part of the SPIFFE specification. We’re working

we'll find something for folks who want to take the call F2F too, thanks for the reminder -- Chris Aniszczyk (@cra) | +1-512-961-6719