...

Agenda

Minutes

Roll call

Quorum was reached.

Minutes approval

...

MOTION: Approve the minutes of UMA telecon 2015-03-19 and read into today's minutes the notes of UMA telecon 2015-04-01. APPROVED by unanimous consent.

Final recommendations

Post-publication, we have already collected one erratum (from Justin). We haven't even done the formal interop testing, and lots of independent implementations are just getting going right about now. Before we do the Independent Submission route, it's a good idea to shake out the bugs. Hannes T has offered assistance in the Submission process.

Roundup of upcoming events

...

Eve and Adrian reported on the Kantara "Extending the Power of Extent with UMA and OpenUMA" event. Adrian didn't sense challenges to UMA, in the sense of OAuth having been accepted totally in the healthcare API realm – now the policy and consent layer needs a solution, and UMA is what is available to solve that challenge. Eve had an interesting conversation related to the lack of an XACML-style "obligations" model in UMA (V1.0, so far).
  • No telecon RSA week
    • Adrian is facilitating a P2P session on Apr 21 at 4:30pm on health privacy standards
    • The Nonprofits on the Loose party is the evening of Apr 21 at Minna Gallery
    • The Rock Opera that Eve is in is on Thursday morning
    • Dave Staggs' UMA Healthcare talk (with a demo from Eve) is Friday morning
    • Gluu is doing a Gluu Server training with UMA at RSA
  • Regular telecon Thursday April 30
  • No telecon Thursday May 7 (EIC week)
    • Kantara All-Hands May 4
    • Kantara workshop May 5 (UMA talk)
    • OpenID Foundation workshop May 5 (HEART talk)
    • EIC has a User-Managed Identity and Access Track! (Eve speaking on UMA in the track)
    • Eve has a keynote
  • Webinar May 14
    • Tweet chat before?
  • IWPE'15 May 21 in Oakland with IEEE Symposium on Security and Privacy
  • ForgeRock Identity Summit May 27-29 in Half Moon Bay
  • Cloud Identity Summit June 8-11 in San Diego

Binding Obligations

...

Eve walked through the theory behind the Binding Obs draft. The idea is that the "deep mapping" into UMA protocol state changes would make it more robust should a problem land the parties in court, possibly avoiding lawsuits entirely because independently obtained logs would answer questions ahead of time. It requires more work to do the mapping, of course, but in the UMA case it's already done.

Robert is working in the justice sector, where they currently use IdPs, but he anticipates using UMA at some point.

Adrian notes the idea of using GitHub for tracking lawyer/user/machine-readable legal language. Eve has spoken with Dazza about exactly this kind of approach. In healthcare, when the issue is the right of access (e.g., as managed by the Office for Civil Rights), then there are groups interested in logging the denial of authorization. Eve's notion of an authorization server's right not to respond to a request message, e.g. if it suspects a DoS attack, in order not to accept a "binding obligation", might not be acceptable in the context of a trust framework that requires certain standards of response and audit logging.

There are two ways to think of the Binding Obs. One way is to see them as something every deployment has to sign on to, even if they're not part of a trust framework. The other is to see them as a kind of "trust SDK" that any trust framework can call by reference if they wish to.

Could this be a three-phase commit sort of process, so that it's not just a state-change thing?

There is a ton of trust framework-related work going on. Trustmarks, VOT, OTTO, and more...

AI: Eve: Set up an ad hoc Binding Obs meeting. Interest from Anwar, Tim, and Mike.

It may be a good idea to do a Q3 webinar on UMA trust.

AIs

Outstanding AIs:

  • AI: Sal: Investigate IP implications of formal liaison activities with other Kantara groups with the LC, and ultimately draft an LC Note as warranted.
  • AI: Gil: Edit the UIG to add Ishan's content and excerpt it for Eve to add to the FAQ, pointing everyone to the UIG.
  • AI: Sal: Fill out IDESG form to have UMA adopted as a recommended standard for use in the IDESG framework.
  • AI: Mike: Rework UIG section on organizations as ROs and RqPs.
  • AI: Eve: Edit UIG (Mike's input, Zhanna/Andi's input).
  • AI: Eve: Update GitHub.
  • AI: Maciej: Write as many sections for the UIG as he can.
  • AI: Justin: Write a UIG section on default-deny and race conditions.
  • AI: Eve: Send suggested updates to Will at Gluu for English page updating, to Domenico for Italian page updating, to Rainer for hoped-for German page updating, to Riccardo Abeti for the Spanish page, and to Mark for a Dutch translation.

...

As of 15 Mar 2015, quorum is 8 of 14. (Dom, Sal, Mark, Thomas, Andrew, Robert, Maciej, Eve, Mike S, Jin, Ishan, Ravi, John, Mike F)

  1. Eve
  2. Robert
  3. Domenico
  4. Ishan
  5. Andi
  6. Mike S
  7. Jin
  8. Thomas

Non-voting participants:

  • tbs

Regrets:

...

  • George
  • Adrian
  • Anwar (Georgia Tech - working on trustmarks NSTIC pilot and law enforcement federation and HEART...)
  • Zhanna

Guests:

  • Tim Reiniger (shortly to be an official participant - attorney - coauthor of Virginia identity legislation)
  • Jenn Behrens (shortly to be an official participant - director of privacy and compliance with ID.me - two NSTIC pilots - chair of IDESG privacy committee)