UMA telecon 2012-01-05

Date and Time

NOTE: Telecon numbers have changed!

WG telecon on Thursday, 5 Jan 2011, at 9am PT (time chart)
- Skype: +99051000000481
- US: +1-805-309-2350 (other international dial-in lines available) | Room Code: 178-2540

Agenda

Roll call
Approve minutes of 2011-12-08, 2011-12-15, and 2011-12-22 meetings
Q1 schedule
- Interop activity planning
- F2F meeting planning
- Technical webinar planning
- Spec issue resolution planning
Brief review of non-spec action items
Work through A-priority issues
- Status of assigned/to-be-assigned issues: 43, 41, 39, 10
- Discuss other issues: 40, 33, 30, 24/14, 12
- Assign spec revision AIs
AOB

Attendees

As of 4 Jan 2012, quorum is 7 of 13.

Bryan, Paul
Catalano, Domenico
D'Agostino, Salvatore
Fletcher, George
Hardjono, Thomas
Machulak, Maciej
Maler, Eve

Non-voting participants:

Kevin Cox
Cordny Nederkoorn
Rich Goodwin

Regrets:

Wray, Frank

Minutes

New AI summary

2012-01-05-1	Cordny	Open	Examine interop testing needs and materials, and report back by end of January on needed next steps.
2012-01-05-2	Eve	Open	Look into UMA WG's accepted budget proposals and get suitable AIs on our docket.
2012-01-05-3	Paul	Open	Sketch an example of a POST token status request for Thomas to put in the spec.
2012-01-05-4	Thomas	Open	Add token status request example and POST rationale (from Paul) to Section 3.4, and remove the mention of OAuth bearer in Section 3.1.3.1.
2012-01-05-5	Rich	Open	Reach out to George to examine taking on issue #10.
2012-01-05-6	Eve	Open	Reach out to Reach out to Lukasz regarding his to-be-assigned action (#41).

Roll call

Quorum was reached.

Welcome to Rich Goodwin. He is based on the US east coast. He was at the last IIW and got intrigued by the enterprise implications of UMA.

Approve minutes of 2011-12-08, 2011-12-15, and 2011-12-22 meetings

Minutes of 2011-12-08, 2011-12-15, and 2011-12-22 meetings APPROVED.

Q1 schedule

Interop activity planning

Andrew Arnott had set up a testid.org suite for OpenID that was super-helpful. It had a link you could click to get all the interaction logs, and a button to clear the logs. We had discussed this idea earlier with Kirk Brown. Initially, for interop testing, maybe we can just set up a group chat mechanism and share endpoint URIs.

Maciej reports that they've been working on a project to do virtual testing. They already are exposing endpoints to one party. They have some limited documentation that they can share with Cordny and Eve.

Cordny anticipates that the main manual work would be around making a test-case scenario that exercises all of the success and error flows, including HTTP error flows so that HTTP vs. UMA vs. OAuth handling can be accounted for. We also need to be sure that we have provided testable assertions in the spec; Cordny's work last year on test cases had a lot of questions around that, but they should be resolved now (or soon).

F2F meeting planning

Thomas is attending IETF 83. Rich can't make the IIW Satellite.

Technical webinar planning

We think our interop event planning will draw the implementors and other interested techies.

Spec issue resolution planning

We have segregated issues into A, B, and C priorities.

Brief review of non-spec action items

2011-09-22-4 Various Ongoing Build list of FAQs on the wiki. Paul to write a FAQ on "access granularity". Susan to draft a FAQ on "government PDS use cases".
2011-09-29-1 Frank, Sal, Dom, Sus, Kevin et al. Open Prepare Trust Model "user guide". In progress.
2011-10-20-2 Paul Open Define a set of "RESTful CRUD" scopes that can be reusable. In progress.

The FAQ is coming along. Several people have taken a look at Paul's I-D draft; it looks reasonable.

Work through A-priority issues

Discussion on issue #39: If you pass the token to be dereferenced, there are implications to where you put it, since it might or might not appear in the access logs and they're bearer tokens. The risk is that the host is sending the AM a requester's bearer token for dereferencing, and if the AM gets hacked, someone other than the real requester could get it and use it. If we switch this request to a GET, the host is already supplying its own host access token in the header, using up the slot that would have protected the requester's access token from being logged. So the only way to protect the requester's token is to use a POST.

Discussion on issue #40: Paul's not crazy about the bearer token profile. It requires things like using POST to protect the token. There are three considerations in answering the question:

Do we want to remove the cross-reference dependency on the bearer spec in Section 3.1.3.1 (as noted in a comment to the issue)? Yes.
Do we have any implicit dependencies on bearer for host access tokens? We don't think so.
Do we have any other implicit dependencies on bearer for requester access tokens? We don't think so. We do, however, think this issue writ large will come up in issue #30, when we examine protocol changes that might be needed to support structured (e.g. signed) tokens that the host can verify locally.

Docket for next week: Confirm status of 43, 41, 39, 10, 40 with current state of spec draft; work on 33, 30, 24/14, 12.

Next Meetings

WG telecon on Thursday, 12 Jan 2011, at 9am PT (time chart)
WG telecon on Thursday, 19 Jan 2011, at 9am PT (time chart)
WG telecon on Thursday, 26 Jan 2011, at 9am PT (time chart)