UMA telecon 2013-01-24

Date and Time

• Focus meeting on Thursday, 24 Jan 2013, at 9am PT (time chart) – legal, educational, technical
  
  • Skype: +99051000000481
  • US: +1-805-309-2350 (other international dial-in lines available) | Room Code: 178-2540

Agenda

• Action item review
• Briefly review revised Binding Obligations
• Review latest spiral etc. diagrams
• Review status of case studies for needed terminology/other updates
• Any takers on reviewing and revising Wikipedia entries?
• AOB

Minutes

Action item review

Done.

Briefly review revised Binding Obligations

We reviewed the latest. Dazza asks: How to experiment with applying the binding obligations? See the Implementations page. The OXAuth implementation in particular, being open source, could enable a logging framework for obligations. What about screenshots or wireframes to show those junctures? The smartam.net running service would be great for that. CloudIdentity has sample RS and client applications that it's making available: CareerMonster and PDS.

AI: Thomas: Submit Binding Obligations rev 00 to IETF as an I-D.

Dazza is running a "legal hackathon" next week with the MIT Media Lab and the Kerberos Consortium. The focus will be on the use of scopes and grant types as hinges for "terms of authorization". They've got a couple of OpenID Connect servers running, and an OpenPDS instance. (OAuth2 is the core of that, of course.) They're working with developers, lawyers, and others on new approaches around authorization. See iAuth.org. "I Authorize!" Everyone can join; the hackathon is virtual. Dazza offers support for teams wanting to experiment with UMA specifically.

Review latest spiral etc. diagrams

What about arrowheads? Domenico and Eve ultimately thought that stories can be told about all the verbs if there are no arrowheads. Does this rationale work? We think there are interesting and useful narratives about verbs:

• Control: The RO controls the AS to set policy; the AS controls access to resources on the RO's behalf.
• Protect: The RS outsources some amount of protection to the AS; a combination of the AS and RS (depending on RPT profile in use) actually performs the protection.
• Manage: The RO manages resources at the RS; the RS manages resources on behalf of the RO.
• Manage: The RqP manages the client, literally wielding it at least on first access attempt; the client manages the act of access on behalf of the RqP (e.g., accessing it offline if given that scope).
• Authorize: The AS authorizes the client (which is acting on the RqP's behalf) for access; the client (again on behalf...) authorizes the AS to gather claims to satisfy authorization policy.
• Access: The client (on behalf...) seeks access to resources at the RS; the RS ultimately gives or refuses access to the client.
• Consent: This word is troubling, since UMA does a much stronger job than enabling consent. It enables "active"/"proactive" consent and RO-mediated asynchronous authorization grants through policy. Maybe using this word advisedly helps us reach the people whose use case is "consent management"! In that case:
  
  • Consent: The RO proactively grants consent through setting policy at the AS; the AS has the RO's "consent power-of-attorney" in conducting authorization activities.
• Trust: This word has a lot of meanings; do they help us? What about Delegate?
  
  • Delegate: The AS (on the RO's behalf) delegates constrained access to the RqP. (There is no reciprocal?) Let's think about this over the weekend and get to a conclusion by Monday.

Review status of case studies for needed terminology/other updates

Any takers on reviewing and revising Wikipedia entries?

AI: Domenico: Check the Italian Wikipedia entry for terminology changes needed.

AI: Eve: Ask if Riccardo Abeti might be willing to edit the Spanish one.

Who wants to tackle the English one?

Attendees

• Eve
• Keith
• Domenico
• Lukasz
• Dazza
• Maciej
• Thomas

Regrets:

• George

Next Meetings

• Focus meeting on Thursday, 24 Jan 2013, at 9am PT (time chart)
• All-hands meeting on Thursday, 31 Jan 2013, at 9am PT (time chart) - technical (threat model), educational (event schedule) - potential Thomas regrets - find chair pro tem for early Feb meetings