Target Q1 for external beta review of the model text. "Accordion" the environment requirements to account for budgetary uncertainty. 

Sources of Liability Tension

These are some key pairwise relationships we are exploring for the "liability tensions" within them, that is, the misalignment of incentives that leads to mistrust, a reluctance to deal with each other, or added friction in decisions to use or deploy UMA.

  • RO-RqP: Can Alice trust Bob with access to her stuff? If she wants to impose "purpose of use limitations" using business-legal vs. (extra-UMA) technical methods, will they stand up?
  • RS-AS: Can the host of sensitive information trust a service that promises to do the job of protecting that information? This is roughly akin to the challenges of federated authentication, only for authorization. A difference is that in circumstances in which the RO chooses their own AS, there are elements of this arrangement the RS can't protest about (though there are still some elements it can).
  • RO-AS: Can Alice trust a service to do as she bids when it comes to protecting her stuff, if she didn't personally hand-code it? (Can consent receipts help?)
  • AS-OAuth client apps: Last and potentially least in importance for now: Can the authorization server rely on the OAuth clients sufficiently to provision them with credentials? This includes both UMA RS's and UMA clients (see this diagram for an explication of how this works).