...

We won't meet next week, but will have a hopefully quorate all-hands meeting on August 1. We'll keep to 60-minute meetings.

What happened at #CISNapa

Among the people on the call, Andrew, Eve, and Jin (and who else?) attended. Andrew: The attendees generally all believe in the API economy and need a way to protect them. So there was a lot of interest in UMA from people grappling with this problem. The F2F meeting we held with Respect Network (and also AXN) shed light on terminology understandings. RN has a concept of a personal cloud that is largely shared with other people working on this. Eve: The personal cloud definition exercise at this F2F was very useful. Jin: The OpenID Connect specification has come a long way, and basing things on OAuth is helpful for moving solutions onto hybrid platforms. UMA has a potential role in managing personal consent. This has implications for patient engagement work. It has to be possible to present UIs to the patient that make sense. Eve: Had new insight about "run-time consent" (weak) vs. "consent directive" (essentially a strong form of patient-controlled authorization). Keith: Likes this distinction. Andrew: Caution: In Canada, "consent directive" is a term of art that's hard to implement. The level of data granularity is what makes it so hard. Adrian: In the US, there's tons of overlapping federal and state law. All operators of data holders discuss how hard this is to do there. Eve: She's hopeful about "scope-grained authorization" being the right simplifying assumption to help the problem of authorization grain.

Eve: We variously explored UMA-XACML, UMA-XDI, and UMA-AXN opportunities for profiling and for UMA spec improvement. Stay tuned for more notes on this.

UMA open-source funding opportunity: Gluu UMA-RS-enabled Apache module proposal

...

There's a new slide deck with fresh Venn diagrams and a new take on explaining UMA. Jin suggests: "Or you could use an animated GIF to walk through the process, such as this identity foundation blog post." This is a very interesting idea! We will take it into consideration.

Where to take the UMA work

...

Jin notes the NIST ABAC work (draft SP 800-162) is potentially relevant, and an UMA implementation of it would be very valuable. Andrew asks: Do we need velocity around standardization? Are there interdependencies with other organizations that we have to be in the same org to deal with? What orgs encourage open-source implementors to adopt it? Keith asks: What is the driver of what we most need? IETF helps with drafts and implementations if you want to drive to an RFC. Rolling this up: Who's the audience we want to attract?

...

Here is a candidate ordered list of actions we should take as part of this analysis:

  1. Analyze our "addressable market"
    1. Is there a market leader who pulls everyone else?
  2. Determine the right timeline for a change
  3. Determine the right org (see list below) – brainstorm
    1. (Assuming the timeline identified is moderately soon)
    2. Brainstorm candidate orgs: IETF, OASIS, OpenID Foundation, ITU-T, ...?
  4. Determine the right next steps

Here is a candidate unordered list of factors to consider in looking at orgs:

  • Gravitas and reputation among the "addressable market"
  • Support from the org
    • E.g., wiki, mailing list, publicity...
  • Governance imposed by the org
    • E.g., how top-down is the process for progression of a standard?
  • IP protections and constraints
    • E.g., how does it compare to our current one? to IETF I-Ds?
    • What stance does the open-source community have wrt it?
    • What do the proprietary vendors in the market prefer? Is there a way for proprietary solutions to pick up and run with an UMA implementation?
  • Friction in launching the group
    • Some orgs take two+ months, others take 15 days
  • Friction in joining
    • Can everyone who has been involved to date take part?
    • How easy or hard is it to walk up and participate?
  • Liaison opportunities with relevant standards and communities

 

Attendees

  • Eve
  • Ron
  • Andrew
  • Alam
  • Thomas
  • Jin
  • Keith
  • Maciej
  • Adrian
  • Sal
  • Domenico

...

  • No meeting on Thursday, July 25 - Eve, Maciej, Thomas regrets
  • All-hands meeting on Thursday, August 1, at 9am PT (time chart) - voting duties
  • Focus meeting on Thursday, August 8, at 9am PT (time chart) - Blue Button+ initiative preso by Josh Mandel and Justin Richer
  • Focus meeting on Thursday, August 15, at 9am PT (time chart) - Andrew regrets