...

| P# | Title | Requirement | Explanation/commentary |
|---|---|---|---|
| P1 | Representation-agnostic AM | The AM is not required to understand the representations of resources it is charged with protecting. | We reworded this heavily and approved it on 2009-10-15 as R4. |
| P2 | Terms persistence | A set of terms for accessing a resource must be accessible as a Web resource with a URL. | |
| P3 | Host impersonation of Requesters | A Host must not be able to impersonate Requesters in interacting with an AM. | This came up on 2009-10-01. |
| P4 | Host correlation of multi-Requester activity | A Host must not be able to correlate the same Authorizing User's activity at multiple Requester applications. | Discussed on 2009-10-08; this is wrongly stated and should be rejected. See P9 for a replacement. Officially rejected on 2009-10-15. |
| P5 | User AM choice | The UMA protocol must not negatively impact a User's prerogative to choose or even self-host the AM that will protect a resource on any Host. | |
| P6 | Host following authorization instructions | A Host must allow or deny Requester access to a resource according to a User's desires as conveyed by an AM access decision, or inform the AM of instances where the User wished to grant access but the Host did not or could not. | |
| P7 | User-defined constraint on access | A Host must not grant a Requester access to a resource in cases where the AM gave instructions denying access. | |
| P8 | Access audit log | A Host must inform the AM protecting a particular resource on that Host in a timely way of all successful Requester access events. | |
| P9 | Correlation of Authorizing User by multiple Hosts | For two resources on different Hosts owned by the same Authorizing User and managed by the same AM, the AM must not allow one Host to be able to discover the User's relationship with the other Host. | For example, a user might use the same AM to protect resources at LinkedIn along with their personal interests and hobbies. We reworded this on 2009-10-15 and approved it as R3. |
| P10 | POST once | Ensure that it's possible for AMs to offer a "POST once" setting. | This is critical for payments and the like. |
| P11 | Verifiable claims | Ensure that access-agreement claims have the option of being independently verifiable. | In a lot of cases, self-asserted claims are acceptable for forging access agreements, but having the option of claims that are verifiable by third parties – such as mediators in a dispute – can allow for stronger agreements in a legal sense. This was discussed on 2009-12-10. |

...

Change History

...