Versions Compared

Old Version 1

changes.mady.by.user Eve Maler

Saved on

compared with

New Version Current

changes.mady.by.user Eve Maler

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Agenda

  • Roll call
  • Minutes approval
  • Quick hits:
    • Webinar report
    • Virtual plenary in late June
    • Should we keep up the APAC-friendly meeting times the first week of every month in June++?
  • Leadership team elections
  • Binding Obligations review and next steps:
    • Real-life use cases
    • MVCR/OTTO liaison activities
    • Legal analysis
    • "Commitments"
  • AI review and AOB

Minutes

Roll call

Quorum was reached.

...

MOTION: Approve the minutes of UMA telecon 2015-04-1630. APPROVED by unanimous consent.

Binding Obligations ad hoc report/review

We're not sure if all who are interested are getting the notifications, so we recommend sending them to the whole list.

One question in this general area: Are we paying any attention to the cyberinsurance area? Is that worth a Kantara DG, perhaps? Adrian is looking for benchmarks for privacy-preserving and security technologies. Would that field provide monetary metrics/valuation around this? Mike observes that UMA might or might not ameliorate a person's risk, and it's implementation-dependent. CISWG is another place where risk could be mitigated: a company gets a safe harbor by getting a receipt.

Personal discovery discussion/next steps

George walked us through his swimlane that proposes how to use UMA to protect a webfinger-based discovery service. In his scenario, a patient walks into a doctor's office, where the office app (autonomous?) is an UMA client, starting out without credentials, and the discovery service is an UMA RS. The client has to dynamically register for credentials. As an optimization – assuming that any access controls applying to discovery of the resource also apply equally to the resource itself – the JRD can reveal either something like a standalone RPT that the client can present at the actual resource, or maybe claims that can be presented to get access to the resource, or something similar.

Adrian notes that patient matching is a huge issue, and this swimlane potentially solves some big challenges. However, it uses "foreign language" with respect to patient ID and such. Where is the identity perspective in this picture?

What's the right forum and form for doing something about this? Is it a profile where UMA protects webfinger? Is it the UMA WG? A number of events are coming up, such as EIC and CIS, where we could push this forward. Should we hold BOFs? Maybe this should be a high-priority wishlist/backlog item. Andi notes, with his CIS hat on, that there's an opportunity for people to do this there. And George is doing a talk on exactly this, so a BOF right after would be perfect.

Webinar planning and advertising

Joni is publishing a press release on the occasion of the V1.0 publication of the UMA Recommendations. All those on the WG who wish to have a quote published as part of the blog post containing the press release should submit the quote to her by Monday morning. Eve, Maciej, and Thomas (being the leadership team) can submit quotes for the short pushed press release.

Eve and Maciej will draft webinar content while at EIC together next week.

We got our budget request for test suite development approved! The board asked us to ensure that Kantara branding goes along with the test suite and testing. Does it make sense to think about interop (or conformance-to-Roland) testing outreach in the Q4 timeframe? Mike prefers the conformance approach vs. cross-matrix interop testing. Jin agrees. Sal agrees too. Eve suspects that the natural order of things is conformance testing -> errata collection -> spec revision -> Independent Submission.

...

Webinar report

The recording is a great resource!

Virtual plenary

Keep an eye out on the community list for more information on this. The dates are (we think) the mornings (Pacific) of June 24 and 25. Eve will be presenting on the UMA WG at the plenary. It's a telecon-based event.

APAC-friendly meeting times

Starting in July again, we will hold our first-week-of-the-month meetings at the special time. Eve will change the calendar accordingly. We will meet at our normal time next week (June 4).

Leadership team elections

MOTION: Re-elect Eve as chair, Maciej as vice-chair, Thomas as spec editor, Domenico as user experience editor, and Maciej as implementation coordinator. APPROVED by unanimous consent.

MOTION: Propose a vote of thanks to those individuals, who have done an awesome job up until now. APPROVED. Thanks!

Spreading the word and getting together

Eve created a limited-edition line of mugs, and now Kantara is making a CafePress store for UMA stuff! So everyone can have UMAnitarian mugs, T-shirts, teddy bears, and so on. Yes, hats too.

There are great chances to get together at the Cloud Identity Summit. There won't be a formal BOF, but there will be informal chances to get together.

Binding Obligations review and next steps

Eve suggests a "depth-first", use-case-based approach to the BOs.

Rene asks: What about sharing with an organization vs. a person? What are the implications of that? For example, what if you want to share with everyone in a hospital? If we stick with the BO implication for a moment, then the hospital would be an NPE type of Subject as a Client Operator. This is covered in the BO terminology.

The use cases of interest for "tracking UMA interactions" may be:

  • Alice wants a receipt for:
    • PAT issuance
    • The policies she has lodged – is this as interesting? Eve suspects this is equivalent to health "consent directives" – so yes, this would be interesting to generate receipts for
    • Authorization data getting added to an RPT
    • The access Bob has succeeded in getting – Justin thinks this is more interesting
  • Bob wants a receipt for:
    • AAT issuance
    • The claims (facts and promises) he coughs up
    • Authorization data getting added to an RPT
    • The accesses he successfully achieved (RPT being used)

This has a relationship to auditing overall, and to the Consent Receipt work.

Maybe what we need to do this time, rather than looking at all the pairs of entities/parties, is look at the protocol afresh, and ask who would be interested to get notification that each interaction occurred.

Eve believes that the original concept of Consent Receipts was as a technique for enabling existing websites, apps, and IoT devices to achieve easier compliance with regulations, and thus it would have meant that applying CRs to UMA would have meant that it was only a "Bob" proposition vs. an "Alice" one. However, in recent times, as we have been flesing out the technical details of consent receipts, it appears that the receipt notion can be applied to auditing generally. So Justin's conception of it is that anyone can get a machine-readable receipt for any interaction.

Robert notes: It is reasonable that both parties in an agreement keep a copy of the agreement. In agile terms - do the thing that gives most value.

Does it make sense to "start on the outside", with Alice's and Bob's concerns, and then move inward only as we're able to identify use cases for the services in the middle? There are a variety of degenerate use cases where some of the parties are actually the same subject (e.g. Alice = Bob, or the RS = the AS, or whatever). The Consent Receipt WG is meeting in an hour (2pm ET) – join that group if you'd like to work on the data model!

We'll continue to press forward on this topic.

AIs

Everyone with UIG action items, please start to work on them!

Outstanding AIs:

  • AI: Sal: Investigate IP implications of formal liaison activities with other Kantara groups with the LC, and ultimately draft an LC Note as warranted.
  • AI: Gil: Edit the UIG to add Ishan's content and excerpt it for Eve to add to the FAQ, pointing everyone to the UIG.
  • AI: Sal: Fill out IDESG form to have UMA adopted as a recommended standard for use in the IDESG framework.
  • AI: Mike: Rework UIG section on organizations as ROs and RqPs.AI: Eve: Edit UIG (Mike's input, Zhanna/Andi's input).
  • AI: Eve: Update GitHub.
  • AI: Maciej: Write as many sections for the UIG as he can.
  • AI: Justin: Write a UIG section on default-deny and race conditions.
  • AI: Eve: Send suggested Wikipedia updates to Will at Gluu for English page updating, and to Domenico for Italian page updating, and to Rainer for hoped-for German page updating, and to Riccardo Abeti for the Spanish page, and to Mark for a Dutch translation.

...

As of 23 Apr 2015, quorum is 8 of 15. (Dom, Sal, Mark, Thomas, Andrew, Robert, Maciej, Eve, Mike S, Jin, Ishan, Ravi, John, Mike F, Chris)

  1. EveChris Shawn - works for US VA in healthcare security and compliance requirements
  2. Maciej
  3. Ishan
  4. Andi
  5. Mike SThomas
  6. Robert
  7. Domenico
  8. Maciej
  9. Ishan
  10. Sal
  11. Jin
  12. Mike S

Non-voting participants:

  • Rene Mulder - IAM architect in NL - also in IRM WG
  • Colin
  • Zhanna
  • Jin
  • Marcelo
  • George
  • Adrian

 

...

  • Sarah - University of WA - also working for Engage Identity
  • Justin
  • Tim
  • Ann

Regrets:

  • Sal