...

For example, the core UMA spec leverages OAuth for the authorizing user's introduction of the host to the AM. The core spec allows for both explicit (authorization code) and implicit (SAML assertion) forms of user consent for this connection. Profiling may be warranted to require only explicit methods, and even to dictate user experiences for consent and authorization.
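As an added illustration (not code from the UMA specification or the UMA Work Group), the Python below models the host's introduction to the AM under a deployment profile that permits only the explicit authorization-code grant: the user is shown which host asks to be introduced, approval is recorded, the host redeems a single-use, short-lived code bound to its registered redirect URI, and a request using the implicit SAML-assertion grant is refused before any credential is examined. The host and user names, callback URL, 60-second code lifetime and in-memory stores are assumptions made for the example; the SAML bearer grant-type URN is the one RFC 7522 defines.

```python
import secrets
from dataclasses import dataclass, field

# Grant types the page mentions. The SAML grant-type URN is RFC 7522's; the
# profile below (an assumption for this example) permits only the explicit grant.
AUTHORIZATION_CODE = "authorization_code"
SAML_ASSERTION = "urn:ietf:params:oauth:grant-type:saml2-bearer"
CODE_LIFETIME_SECONDS = 60  # assumed profile value


@dataclass
class AuthorizationManager:
    """Toy in-memory AM. registered_hosts maps client_id -> registered redirect_uri."""
    registered_hosts: dict
    allowed_grants: frozenset
    codes: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)
    consent_log: list = field(default_factory=list)

    def authorize(self, client_id, redirect_uri, user, approved, now):
        """User-facing step: the authorizing user sees which host asks to be
        introduced and explicitly approves or declines. Approval is recorded."""
        if self.registered_hosts.get(client_id) != redirect_uri:
            raise PermissionError("unknown host or redirect_uri mismatch")
        if not approved:
            raise PermissionError("user declined to introduce the host")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "expires": now + CODE_LIFETIME_SECONDS}
        self.consent_log.append({"at": now, "user": user, "host": client_id})
        return code

    def token(self, grant_type, client_id, redirect_uri, now, code=None, assertion=None):
        """Back-channel step: the host redeems the code. Anything outside the
        profile's allowed grants (e.g. a SAML assertion) is refused up front."""
        if grant_type not in self.allowed_grants:
            raise PermissionError(f"grant_type {grant_type!r} not permitted by this profile")
        entry = self.codes.pop(code, None)  # pop: each code is redeemable once
        if entry is None:
            raise PermissionError("unknown or already-redeemed code")
        if now > entry["expires"]:
            raise PermissionError("code expired")
        if (entry["client_id"], entry["redirect_uri"]) != (client_id, redirect_uri):
            raise PermissionError("code is bound to a different host")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = {"user": entry["user"], "host": client_id}
        return tok


def introduce_host(am, client_id, redirect_uri, user, now):
    """Host side of the explicit flow: send the user to the AM, then redeem the code."""
    code = am.authorize(client_id, redirect_uri, user, approved=True, now=now)
    return am.token(AUTHORIZATION_CODE, client_id, redirect_uri, now=now + 1, code=code)


def attempt(fn, *args, **kwargs):
    """Return (succeeded, result_or_reason) so the outcomes below can be compared."""
    try:
        return True, fn(*args, **kwargs)
    except PermissionError as exc:
        return False, str(exc)


def demo():
    """Walk the flow with constructed host/user names; returns which checks held."""
    host, cb = "photo-host", "https://photos.example/uma/callback"  # constructed
    am = AuthorizationManager(registered_hosts={host: cb},
                              allowed_grants=frozenset({AUTHORIZATION_CODE}))
    results = {}

    ok, tok = attempt(introduce_host, am, host, cb, "alice", now=1000)
    results["explicit_flow_issues_token"] = ok and tok in am.tokens and len(am.consent_log) == 1

    ok, why = attempt(am.token, SAML_ASSERTION, host, cb, now=1000, assertion="<saml:Assertion/>")
    results["implicit_grant_refused"] = (not ok) and "not permitted" in why

    code = am.authorize(host, cb, "alice", approved=True, now=2000)
    am.token(AUTHORIZATION_CODE, host, cb, now=2001, code=code)
    ok, _ = attempt(am.token, AUTHORIZATION_CODE, host, cb, now=2002, code=code)
    results["code_single_use"] = not ok

    code = am.authorize(host, cb, "alice", approved=True, now=3000)
    ok, _ = attempt(am.token, AUTHORIZATION_CODE, host, cb,
                    now=3000 + CODE_LIFETIME_SECONDS + 1, code=code)
    results["code_expires"] = not ok

    ok, _ = attempt(am.authorize, "unknown-host", cb, "alice", approved=True, now=4000)
    results["unregistered_host_refused"] = not ok
    return results


if __name__ == "__main__":
    for check, held in demo().items():
        print(f"{check}: {'ok' if held else 'FAILED'}")
```

The point of the profile is visible in `token()`: the grant-type check runs before any code or assertion is inspected, so a deployment that mandates explicit consent never has to reason about the provenance of an assertion it did not ask for, and every issued token traces back to an entry in `consent_log`.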

...

Finally, where interoperability within an ecosystem will demand that certain types of policies about certain claim types must be available, it may be wise to define a mandatory-to-support set of claims and claim assurance strengths.

Further reading:

Isn't an Authorization Manager a privacy-destroying panopticon?

(to be supplied)

Trust and Security Implications

How can a UMA Host be made responsible for incorrect or malicious behavior on its part? How does Host/Authorization Manager trust work?

UMA requires a trust "dance" among several parties, who are aligned in some of their interests but who have divergent incentives in many other cases. The UMA Trust Model explains to what extent trust can be built between pairs of parties at a technical level vs. a contractual level. It should be noted that the UMA Work Group has proposed a set of minimum contractual obligations that participants in a UMA-enabled flow would take on. This set of obligations is by no means complete in terms of what specific parties and deployments would expect, but it attempts to provide a kind of "bedrock of enforceability" behind acts of distributed authorization, so that if something does go wrong, the correct party can be identified and remedial actions can be pursued.


...


UMA requires a trust "dance" among several parties, who are aligned in some of their interests but who have divergent incentives in many other cases. The UMA Binding Obligations framework explains to what extent trust can be built between pairs of parties at a contractual level.

Further reading:

Does UMA come with a trust framework or an accreditation system?

At its current state of development, UMA comes with a draft technical specification and a draft contractual framework, called Binding Obligations, that lays out a set of minimum obligations to help make UMA participants confident about engaging in acts of distributed authorization. This is not a full trust framework in the U.S. FICAM sense, for example, but is meant to complement contracts and umbrella agreements wherever they might be used. The Binding Obligations document currently assumes that those who operate UMA-enabled software services will self-identify as conforming to the technical spec, and by that act, would take on obligations during the normal course of sending and receiving UMA-conforming messages. This is an area the UMA Work Group is actively working on.

Further reading:

...