Clarify that policy evaluation mechanics are out of scope

Add paragraph in Policy Claims section explicitly stating that policy definition, distribution, and evaluation are out of scope. The pol claim is an opaque identifier; any policy engine may be used provided outcomes are faithfully recorded. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 19:21:54 +01:00
parent de9c7719a4
commit e60035c75b
4 changed files with 578 additions and 545 deletions
--- a/draft-nennemann-wimse-execution-context-00.html
+++ b/draft-nennemann-wimse-execution-context-00.html
@@ -2276,6 +2276,15 @@ was made.  When present, <span class="bcp14">MUST</span> be equal to or earlier
 </dd>
          <dd class="break"></dd>
 </dl>
+<p id="section-4.2.3-3">This specification intentionally defines only the recording of
+policy evaluation outcomes.  The mechanisms by which policies are
+defined, distributed to agents, and evaluated are out of scope.
+The "pol" claim is an opaque identifier referencing an external
+policy; the semantics and enforcement of that policy are
+determined by the deployment environment.  Implementations may
+use any policy engine or framework (e.g., OPA/Rego, Cedar, XACML,
+or custom solutions) provided that the evaluation outcome is
+faithfully recorded in the ECT claims defined above.<a href="#section-4.2.3-3" class="pilcrow">¶</a></p>
 </section>
 </div>
 <div id="data-integrity-claims">