Hacker News

Zero trust is about not trusting anything, not only the network, and instead focusing on controlling the access/damage. It is 100% authz, about limiting what you can access and how long you can access it to what is required. That way there is no trust in those agents (i.e. assume authn is already compromised), so you limit the damage possible.


I would extend it to not inherently trusting the agent as well as being able to not have to trust the network (e.g., internet WAN) by closing all inbound ports by implementing authentication-before-connect using strong identity (e.g., x509).
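What "authentication-before-connect using strong identity (e.g., x509)" looks like at the transport layer, as an added example that is neither from this thread nor OpenZiti's code: a Go program using only the standard library, in which the server is configured with `tls.RequireAndVerifyClientCert`, so a peer whose certificate does not chain to the trusted CA is refused during the TLS handshake and never reaches the application handler. The CA, server and client certificates and the names `demo-ca`, `server`, `alice`, `other-ca` and `stranger` are constructed in-process and are not real identities; an in-memory `net.Pipe` stands in for the network socket so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // setup failure in this demo; a real service would return the error
	}
}

// issue mints a one-hour P-256 cert for cn (also its DNS SAN): self-signed when parent is nil, else signed by parent.
func issue(cn string, isCA bool, parent *tls.Certificate) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, interface{}(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// attempt runs one connection over an in-memory pipe: the server side demands a client cert chaining to a CA
// in trusted and greets only after the handshake succeeds; the client presents clientCerts (empty = anonymous).
func attempt(serverCert *tls.Certificate, clientCerts []tls.Certificate, trusted *x509.CertPool) (string, error) {
	sp, cp := net.Pipe()
	go func() {
		srv := tls.Server(sp, &tls.Config{
			Certificates: []tls.Certificate{*serverCert},
			ClientAuth:   tls.RequireAndVerifyClientCert, // identity is verified before any app data flows
			ClientCAs:    trusted,
		})
		defer srv.Close()
		if srv.Handshake() == nil { // an unauthenticated peer never reaches this handler
			fmt.Fprintf(srv, "hello %s", srv.ConnectionState().PeerCertificates[0].Subject.CommonName)
		}
	}()
	cli := tls.Client(cp, &tls.Config{RootCAs: trusted, ServerName: "server", Certificates: clientCerts})
	defer cli.Close()
	// Under TLS 1.3 the client's handshake returns before the server has judged its cert, so a
	// rejection may only surface as an alert on the first Read.
	b, err := io.ReadAll(cli)
	if err != nil || len(b) == 0 {
		return "", fmt.Errorf("refused by server: %v", err)
	}
	return string(b), nil
}

// run builds a demo CA, a server cert, an enrolled client and a client from an unrelated CA,
// and reports what each client observed: the greeting or "rejected".
func run() map[string]string {
	ca := issue("demo-ca", true, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	server, alice := issue("server", false, ca), issue("alice", false, ca)
	stranger := issue("stranger", false, issue("other-ca", true, nil))
	clients := map[string][]tls.Certificate{"enrolled": {*alice}, "anonymous": nil, "unenrolled": {*stranger}}
	out := map[string]string{}
	for name, certs := range clients {
		if greeting, err := attempt(server, certs, roots); err == nil {
			out[name] = greeting
		} else {
			out[name] = "rejected"
		}
	}
	return out
}

func main() {
	fmt.Println(run()) // map[anonymous:rejected enrolled:hello alice unenrolled:rejected]
}
```

Two points worth noticing when reading the output. The `unenrolled` client holds a perfectly valid x509 certificate, just from a CA the server was never told to trust, and is refused exactly like the anonymous one: the `ClientCAs` pool is the enrollment boundary, not "has a cert". And under TLS 1.3 the client only learns it was refused when it tries to read, which is why the client side treats a handshake error and an alert on the first `Read` the same way; a client that checked only `Handshake()` would misreport a rejection as success.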


> authentication-before-connect using strong identity

Identity always involves trust and is authn. Zero-trust assumes authn is already compromised (i.e. don't trust anything) and therefore identity is out of scope.


Quote from NIST, "Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established."

Zero Trust is not assuming everything is compromised and you don't trust anything. It's about reducing implicit trust across the pillars to reduce risk.


I think you are just misreading it. Read correctly, IMO, it says that no trust is granted to anything... note how they list multiple general examples, enough items to cover everything multiple times, to help make sure this was the reading. That authentication is discrete from authorization and outside of each other's purview. And given zero trust is all about access control, I think my framing makes sense.


Any framing which helps one to reduce systematic risk is fine by me, and fully agreed that authentication is discrete from authorization. My framing is set by the open source project I work on (https://openziti.github.io/), which allows anyone to embed zero trust networking into anything, including an application with an SDK. This allows us to have zero trust in the network, be it internet/WAN, local or even the host OS network. This reduces a lot of the attack surface, but you do have to trust the overlay control plane.


> closing all inbound ports by implementing authentication-before-connect using strong identity (e.g., x509)

Bad bot.


What does bad bot mean?

