...

Minutes

...

Logistics

Quorum was reached.

APPROVED by unanimous consent: Approve minutes of UMA telecon 2013-02-28 and UMA telecon 2013-03-28, and read into today's minutes the notes from UMA telecon 2013-03-21, UMA telecon 2013-03-14, and UMA telecon 2013-03-07.

...

The "intended audience" approach has proven valuable in the SAML era, even in its weakest form, because it demonstrates intent – a friendly concept for our Binding Obligations. To prevent a malicious attack, you do need some way to verify the client, but this doesn't need to reach HOK/POP levels. In JOSE, you could have a signed bearer token. Would signing the RPT help? The goal is to prevent replay by unauthorized parties, so it sounds like not: a signature protects the token's integrity, but without validating the client that presents the token, any party holding it can still present it.
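As an added illustration (not from these minutes or the UMA project), a toy HMAC-signed RPT carrying an "aud" claim, checked by a resource server; the identifiers rs-photos, rs-calendar, app-a, app-b and the shared secret are constructed. It shows what the audience check buys (a token minted for another resource server is refused, a tampered one fails the signature), that a pure bearer check still serves the same token when a different presenter replays it, and that a weak client check, assuming the resource server already knows the presenter's identity from client authentication, closes that gap without HOK/POP.

```python
import base64, hashlib, hmac, json
from typing import Optional

SECRET = b"constructed-shared-secret"  # constructed; AS and RS share it here

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict, key: bytes = SECRET) -> str:
    """Authorization server side: sign the claims as payload.hmac-tag."""
    body = b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify(token: str, my_id: str, key: bytes = SECRET) -> Optional[dict]:
    """Resource server side: check the signature, then the intended audience."""
    body, _, tag = token.partition(".")
    good = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, tag):
        return None  # signature does not match: tampered or forged
    claims = json.loads(unb64(body))
    if claims.get("aud") != my_id:
        return None  # minted for another resource server: intent check fails
    return claims

def bearer_accepts(token: str, presenter: str, my_id: str) -> bool:
    """Pure bearer: whoever holds a valid token is served; presenter is ignored."""
    return verify(token, my_id) is not None

def client_bound_accepts(token: str, presenter: str, my_id: str) -> bool:
    """Weak client verification (well short of HOK/POP): the RS is assumed to
    already know who is presenting (e.g. via client authentication) and that
    identity must match the client the token was issued to."""
    claims = verify(token, my_id)
    return claims is not None and claims.get("client_id") == presenter

def demo() -> dict:
    rpt = mint({"aud": "rs-photos", "sub": "alice", "client_id": "app-a"})
    forged = rpt[:-1] + ("0" if rpt[-1] != "0" else "1")  # flip last tag char
    return {
        "legit": bearer_accepts(rpt, "app-a", "rs-photos"),
        "wrong_audience": bearer_accepts(rpt, "app-a", "rs-calendar"),
        "tampered": bearer_accepts(forged, "app-a", "rs-photos"),
        "replayed_bearer": bearer_accepts(rpt, "app-b", "rs-photos"),
        "replayed_bound": client_bound_accepts(rpt, "app-b", "rs-photos"),
    }

if __name__ == "__main__":
    print(demo())
```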

AI: All to weigh in on the "minimum viable action" the UMA core spec itself should take to solve the bearer token problem on a technical level (could be zero action).

AI: Thomas to check the OAuth Threat Model doc for whatever it might say about the bearer token vulnerability.

Attendees

As of 28 Mar 2013 (pre-meeting), quorum is 6 of 10.

...