UMA F2F 2010-11-01

Date and Time

  • WG F2F on Monday, 1 Nov 2010, colocated with IIW XI at 11am-5pm PT (time chart)
    • No dial-in
    • No telecon this week
    • Boole room in the Computer History Museum

...

  • Let's use #umaf2f along with #iiw as hashtags for the day
  • "IPR benediction"
  • Identify note-takers
  • Roll call
  • Agenda-bashing
  • Approve minutes of 2010-10-28 meeting
  • Reminder of next week's telecon and time change (see Next Meetings below)
  • Action item review
  • Bounty program status
  • Other updates from the wider UMA world
  • Brief "UMA 101" session as necessary for newbies in the room
  • User stories: add, review, prioritize, decide
  • Resource/scope registration: go through latest proposal and issues and decide
  • AOB

...

  • Charles Andres
  • Alan Karp
  • Henrik Biering
  • Joseph Holsten
  • Jeff Stollman

Minutes

Thomas offered to serve as note-taker for most of the day. Thank you!

New AI summary

...

Open

Write up backup service/copy service use case, with reference to requester delegate scenario.

 

2010-11-01-2

George

Open

Write up "problem B" as a user experience description that can be turned into a user story.

 

2010-11-01-2

Eve

...

Open

Put the public-private continuum language and diagram into the Lexicon.

...

 

Roll call

Quorum not reached.

Approve minutes of 2010-10-28 meeting

Deferred due to lack of quorum.

Action item review

  • 2010-08-26-6 Eve Open Ping Denise Tayloe of Privo to see if she has interest in taking custodian scenario forward.
  • 2010-09-02-1 Thomas Open Categorize all existing scenarios by their distinctive aspects. We'll discuss this today and decide whether to change this one.
  • 2010-10-07-2 Sal, Domenico Open Propose the next version of the trusted claims solution, making appropriate simplifying assumptions.
  • 2010-10-28-1 Eve Closed Work with Sal and George to put together a set of flow options/user stories for review at the IIW F2F.

Bounty program status

Two indications of submission interest have been sent in so far. The deadline for submission interest is 11:59pm Pacific time tonight.

Other updates from the wider UMA world

...

Maciej will speak on UMA at Devoxx in Antwerp soon. His paper for the MW4SOC conference will be published shortly.

Alan has worked on "transitive access" research, and will submit a scenario focusing on this. Our "requester delegate scenario" is related to this.

Over lunch, Alan demonstrated Tyler Close's work on "the Introducer" with some others (including Mike Hanson), which may offer one solution for the resource discovery problem in cases where the authorizing user wants to send the requesting party a link to a protected resource.

UMA for newbies

We reviewed the UMA entities, basic lexicon, trust a token/get a token/use a token protocol flow, the spec module map, and trusted claims (which Eve suggested should layer on top of the core protocol as an extension). The "Bob at Gmail" problem involves Alice wanting to grant access to Bob in his "bob@gmail.com" embodiment, perhaps through an access control list (ACL) that lists this email address. How can Bob show up, using some requester app, in a way that proves he is bob@gmail? This is illustrative of the trusted-claim problem.

In UMA terminology, we need to distinguish a "requester" (a software tool that implements an UMA protocol endpoint) and a "requesting party" (an individual or company that may assume legal liability for gaining authorized access).

The Liberty Alliance's Identity Web Services Framework (ID-WSF) solved for patterns like this, but some considered it to have too many components, and many web developers today consider it too complex.

There are many ways for Alice to provision knowledge of the resource to the requesting party. If the latter is Bob, for example, she can email the resource URL to him, hand him a business card with the resource location printed on it, or publish information about it openly on her blog. (Information cards and discovery services could also be employed.)

User stories: add, review, prioritize, decide

We reviewed the new User Stories page. Eve is trying to use some analogues of Agile techniques to develop UMA user stories.

The page isn't very complete yet; Eve put in a sampling of user stories to test the columnar design, column sorting, and general "feel". Epics are tightly associated collections of stories; she has made epics all be in the "UX" category so that they focus on a human being's desire for some benefit. Some stories are "negative", in that they express some (typically malicious) entity's desired outcome that we want to avoid if at all possible.

...

The public-private continuum: There are useful things an AM can offer in managing a resource, ranging from the "public" end – access tokens could be issued to all comers, but the user could track, monitor, audit, and observe analytics of access in various ways (see, e.g., the null scenario) – to the "hidden" end – either the user might not have mapped a policy to a particular resource at all, so that access tokens are always denied to all comers, or the user might have mapped a very draconian policy to the resource so that it turns out no one is worthy of getting an access token.

...

  • Can we solve a use case where the user just indicates to "protect" (manage) resources at the host without going through all the steps of actually selectively sharing them? (For example, this might come into play when the user wants to ensure that some or all of their resources are "non-public", as you can do when uploading a bunch of photos to Flickr in batch.) We believe so, since the resource registration piece involves only host-AM communication and doesn't have to have the redirect-the-user-to-the-AM piece on the end.
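
The public-private continuum and the register-only ("protect without sharing") case discussed above can be sketched as a toy AM that fails closed; this is an added example, not code from the UMA specifications or the working group. The class, method and policy names are hypothetical, and claims are assumed to be already verified (the trusted-claims problem is out of scope here).

```python
import secrets
from dataclasses import dataclass, field

def public(claims):            # "public" end: every requester gets a token
    return True

def draconian(claims):         # "hidden" end: a policy no one can satisfy
    return False

def acl(*emails):              # selective sharing, e.g. an ACL of email claims
    allowed = {e.lower() for e in emails}
    return lambda claims: claims.get("email", "").lower() in allowed

@dataclass
class AuthorizationManager:    # hypothetical toy AM, not an UMA implementation
    policies: dict = field(default_factory=dict)   # (host, resource) -> policy
    audit_log: list = field(default_factory=list)  # every decision, grant or deny

    def register_resource(self, host, resource):
        # Host-to-AM call only: the user is never redirected and no policy
        # is mapped, so the resource starts out non-public (hidden).
        self.policies.setdefault((host, resource), None)

    def map_policy(self, host, resource, policy):
        if (host, resource) not in self.policies:
            raise KeyError("resource was never registered by its host")
        self.policies[(host, resource)] = policy

    def request_token(self, host, resource, claims):
        # Fail closed: unknown resource or unmapped policy means no token.
        policy = self.policies.get((host, resource))
        granted = policy is not None and bool(policy(claims))
        self.audit_log.append((host, resource, claims.get("email"), granted))
        return secrets.token_urlsafe(16) if granted else None

def run_demo():
    # Constructed sample data: host, resource name and claims are made up.
    am = AuthorizationManager()
    host = "photos.example"
    bob, other = {"email": "bob@gmail.com"}, {"email": "mallory@example.org"}
    am.register_resource(host, "album")            # protect only, no sharing
    results = {"unmapped": am.request_token(host, "album", bob)}
    for name, policy in [("public", public), ("acl", acl("bob@gmail.com")),
                         ("draconian", draconian)]:
        am.map_policy(host, "album", policy)
        results[name] = (am.request_token(host, "album", bob) is not None,
                         am.request_token(host, "album", other) is not None)
    return results, am.audit_log
```

Denials are logged as well as grants, so the tracking and auditing benefit described for the "public" end applies across the whole continuum.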

Next Meetings

  • WG telecon on Thursday, 11 Nov 2010, at 9-10:30am PT (time chart) - Maciej to chair