fix: clarify KAS delegates authorization decisions to the PDP #67

Closed
marythought wants to merge 1 commit into main from fix/clarify-kas-pdp-roles

marythought commented Mar 17, 2026

Summary

  • Clarifies that KAS (PEP) delegates authorization decisions to the PDP rather than performing them itself
  • The previous wording — "performs the authorization check (evaluating the policy against the client's authenticated attributes)" — implied KAS makes the policy decision, conflating the PEP and PDP roles

This change is responding to an AI tool finding that "Note: Virtru's own developer docs sometimes label KAS as PDP — this conflicts with the OpenTDF spec, which formally separates the two roles."

Test plan

  • Review the updated wording in protocol/protocol.md for accuracy against the OpenTDF architecture

🤖 Generated with Claude Code

The previous wording implied KAS itself evaluates policy against client
attributes. KAS acts as a Policy Enforcement Point (PEP) and delegates
the authorization decision to the Policy Decision Point (PDP).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

marythought requested a review from a team as a code owner March 17, 2026 00:21
marythought requested a review from russjaxn March 17, 2026 00:23