UMA telecon 2022-08-25

Date and Time

Agenda

Attendees

  • NOTE: As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
  • Voting:
    • Alec 
    • Peter
    • Steve
  • Non-voting participants:
    • Lenore
    • Nancy
  • Regrets:

Quorum: No


Meeting Minutes


Approve previous meeting minutes

  • Deferred - no quorum

Topics

UDAP Spec Reviews


One of our questions around UDAP is that it's not an implementation profile; HL7 has created IGs that use UDAP as the base profile, here: https://build.fhir.org/ig/HL7/fhir-udap-security-ig/branches/main/user.html


Determine next work items

What do we want to do next? Lots of ideas below; what's most important?

Current WIP

  • Update Julie Report to v0.4 – Nancy to accept suggested changes, reviewed with group ~1 month ago
  • New report with core UMA (no use-case) content from Julie Report  → could evolve to IDPro article? – Alec 
  • UMA Glossary – Steve 
  • Confluence Clean Up: activate new links + archive old content + general usability of the wiki – Alec / Steve

We prioritized the list below; lower numbers = higher priority. Nothing is "final", feel free to comment.

  • one driver is whether the item was of interest to many or few members
  • the other consideration is who is motivated to lead the item


AOB


Potential Future Work Items / Meeting Topics

  • 100 FAPI Review (FAPI + UMA) 
    • scope: how the FAPI work could be applied to UMA ecosystems
    • review may inform what profiling work is required, eg if UMA must support PAR to work with FAPI
  • 20 Confluence clean up, archive old items and promote the latest & greatest
    • 10 UMA glossary – Steve has started 
  • 600 Review of the email-poc correlated authorization specification
  • 120 A financial use-case report (following the Julie healthcare template)
    • either open banking or pensions dashboard
    • open banking is to FHIR (data model) as FAPI is to SMARTonFHIR (authZ protocol profile)
    • Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?
  • 300 mDL + UMA
    • scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMA 
    • is there a role for UMA in token fabrication and referencing it as the RS?
  • 500 UMA + GNAP https://oauth.xyz/specs/ 
    • would we have an UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP) 
    • will GNAP meet all the UMA outcomes?
  • 170 UMA + Verifiable Credentials
    • how would VCs work in an UMA ecosystem? How could VCs be used as claims in UMA
    • There are openapi specs for VC formats
    • Could UMA protect a VC presentation or issuance endpoint?
    • There's a lot of openid4vc profiles 
  • IDPro knowledge base articles
  • UMA 2 playground/sandbox
  • 150 Minor profiling work
    • resource scopes → scopes 
    • PAR as dynamic scopes eg fhir query params
    • 110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL
      • use-case, consent as claims (needs_info)
        • if the client has gathered RqP consent, can it be presented to the AS
        • the policy to access a resource says "you must have agreed to this TOS/consent"
        • compare to interactive claims gathering where the AS would present this consent/TOS to the RqP
        • intersection with ANCR/consent receipt/trust registry work in other Kantara groups

Upcoming Conferences

  • IIW 35, November 15 - 17
  • FedID 2022 • September 6-9, 2022 • Atlanta, GA