The KMS will have different types of identities accessing it:
- Bing Ads
- Ad techs
- Users who just fetch the key
There is a request that Ad techs have a level of access higher than regular users, but lower than Bing Ads itself, specifically be able to propose setting the JWT validation policy, but not do other proposals.
Unless we wish to do something equivalent to (or literally) disabling endpoint authentication other than the attestation report, Bing ads will have to propose trusting an Ad tech identity initially.
The only reason they might want this extra level of access is if they then want to propose trusting new identities they bring up without having to go back to Bing Ads. However if this is the case, we might want to restrict which JWT validation policies they can set given they're scoped by tenant (this is a can of worms).
The simple naive solution for this problem if it's really what we want would be having a mapping of ACL roles to which proposals they can propose, then having Bing Ads be admin and Ad techs only be contributors. You could also implement a programmable voting system like CCF has.
The KMS will have different types of identities accessing it:
There is a request that Ad techs have a level of access higher than regular users, but lower than Bing Ads itself, specifically be able to propose setting the JWT validation policy, but not do other proposals.
Unless we wish to do something equivalent to (or literally) disabling endpoint authentication other than the attestation report, Bing ads will have to propose trusting an Ad tech identity initially.
The only reason they might want this extra level of access is if they then want to propose trusting new identities they bring up without having to go back to Bing Ads. However if this is the case, we might want to restrict which JWT validation policies they can set given they're scoped by tenant (this is a can of worms).
The simple naive solution for this problem if it's really what we want would be having a mapping of ACL roles to which proposals they can propose, then having Bing Ads be admin and Ad techs only be contributors. You could also implement a programmable voting system like CCF has.