Podcast takeaways

My key takeaways from the state of policies in the community:

- There is a lot of conversation about Cedar/REGO/OpenFGA and it was surprising that ODRL was taken by ISO/Eclipse/etc. as the language for policy specification; it all became clear when the conversation turned to duties/obligations like attribution managed by a single framework.
- The pattern where the target users for policy specification are separate from the policy developers is refreshing (today the majority is “self-marked homework”, which is flawed and causes headaches).
- With the above, the view where “a business stakeholder writes a policy in a contract that can make it to production with the appropriate risk controls” sounds like a dream come true.
- I didn’t catch the name of who said this in OIDC, but paraphrasing: “writing policies is significantly harder than reading them”.
- Therefore, mechanisms for reusability are highly encouraged: the concepts of templating and/or “if my asset has this shape, give recommendations from what’s public”.
- The community looks at the world mostly through the eyes of Agents (mostly Users and API); switching the API to “data providers” for datasets or records could simplify the conceptualisation of policies.
- The concept of a graph which is a “meta” of OpenFGA’s one is interesting and useful, but RDF isn’t.
- Separate PEPs will survive in small niche use cases; due to manageability and latency requirements, PEP/PDP will merge.

Mike’s summary post on his LinkedIn:

 

Digital assets come with strings--obligations to use the assets only for certain purposes. These obligations are described by the W3C Open Digital Rights Language ("ODRL"), on its third version in 25 years. Below are my takeaways from Episode 114 with Joshua Cornejo where we discussed ODRL, and especially about the intersection with the supply chain of data sellers and aggregators.

⚡ W3C ODRL is a fleshed out schema and policy framework for digital assets. It defines the asset metadata that enables the creation of complex policies. Failure by data aggregators to comply with ODRL obligations can result in millions of dollars in risk, due to audit and fines. Assured compliance with ODRL would greatly reduce enterprise risk.

⚡ ODRL templates are needed to standardize certain asset sharing relationships. For example, a photographer sharing a photo with a media distributor--this should be boilerplate.

⚡ Policies in ODRL are about assets, and the purposes for which that asset can be used. There are policies about how different people (or organizations) can use that asset--for example, the owner of the asset has rights, the manager (or custodian) of that asset has rights, and third party auditors may have rights.

⚡ Rather than access control (it's too late, you already have the asset!), ODRL is about purpose control--what can you do with it.

Link - https://www.youtube.com/live/bS6uPiaJUxY?si=tpdUUqPuo4NgTqox
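To make the “purpose control plus duties” idea concrete, here is a small added illustration that is not code from the podcast, from Mike's post, or from the ODRL specification or any ODRL implementation. The policy is hand-written in the ODRL 2.2 JSON-LD shape (permission with a purpose constraint and an attribution duty, plus a prohibition) using the photographer/media-distributor template case from the post; every example.com identifier is a placeholder I made up. The evaluator is a deliberately small PDP-style check that returns the decision together with the duties the assignee still owes, which is the piece an access-control engine would not give you.

```python
# Constructed example: a minimal ODRL-style purpose-control check.
# Not the ODRL reference implementation; the policy below is hand-written in
# the ODRL 2.2 JSON-LD shape and every example.com identifier is a placeholder.
import json

POLICY_JSON = """
{
  "@context": "http://www.w3.org/ns/odrl.jsonld",
  "@type": "Agreement",
  "uid": "http://example.com/policy/photo-licence-1",
  "permission": [{
    "target": "http://example.com/asset/photo-42",
    "assigner": "http://example.com/party/photographer",
    "assignee": "http://example.com/party/media-distributor",
    "action": "distribute",
    "constraint": [{
      "leftOperand": "purpose",
      "operator": "eq",
      "rightOperand": "http://example.com/purpose/editorial"
    }],
    "duty": [{"action": "attribute"}]
  }],
  "prohibition": [{
    "target": "http://example.com/asset/photo-42",
    "assignee": "http://example.com/party/media-distributor",
    "action": "modify"
  }]
}
"""

POLICY = json.loads(POLICY_JSON)


def _rule_applies(rule, request):
    """A rule applies when its target, action and (if stated) assignee match the request."""
    for key in ("target", "action", "assignee"):
        if key in rule and rule[key] != request.get(key):
            return False
    return True


def _constraints_hold(rule, request):
    """Evaluate the rule's constraints against request attributes (e.g. purpose).
    Only eq/neq are implemented here; any other operator fails closed."""
    for c in rule.get("constraint", []):
        actual = request.get(c["leftOperand"])
        expected = c["rightOperand"]
        if c["operator"] == "eq":
            if actual != expected:
                return False
        elif c["operator"] == "neq":
            if actual == expected:
                return False
        else:
            return False
    return True


def evaluate(policy, request):
    """Return (decision, duties).

    decision is "permit" or "deny"; duties lists the ODRL duty actions the
    assignee must discharge for the permission to stand (e.g. "attribute").
    Prohibitions are checked first, so a matching prohibition always denies.
    """
    for rule in policy.get("prohibition", []):
        if _rule_applies(rule, request) and _constraints_hold(rule, request):
            return "deny", []
    for rule in policy.get("permission", []):
        if _rule_applies(rule, request) and _constraints_hold(rule, request):
            return "permit", [d["action"] for d in rule.get("duty", [])]
    return "deny", []  # default deny: nothing in the policy permits this use


def check(action, purpose, assignee="http://example.com/party/media-distributor"):
    """Convenience wrapper: what may the (placeholder) distributor do with photo-42 for a purpose?"""
    request = {
        "target": "http://example.com/asset/photo-42",
        "assignee": assignee,
        "action": action,
        "purpose": purpose,
    }
    return evaluate(POLICY, request)


if __name__ == "__main__":
    print(check("distribute", "http://example.com/purpose/editorial"))   # ('permit', ['attribute'])
    print(check("distribute", "http://example.com/purpose/advertising"))  # ('deny', []) purpose constraint fails
    print(check("modify", "http://example.com/purpose/editorial"))        # ('deny', []) explicit prohibition
```

The point of returning the duty list rather than a bare yes/no is that in ODRL's model a permission with an unfulfilled duty is not in effect, so whatever enforces the decision (a separate PEP, or the merged PEP/PDP the takeaways predict) has to carry the attribution obligation through to the point of use and be able to show an auditor that it did.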

 

___________________________________

Joshua Cornejo

marketdata

smart authorisation management for the AI-era

Received on Wednesday, 11 June 2025 06:11:21 UTC