UMA telecon 2017-11-16

Date and Time

Agenda

  • Roll call

  • Approve minutes of UMA telecon 2017-08-03, UMA telecon 2017-08-17, and UMA telecon 2017-09-14 

  • Finalization of Draft Recommendations
    • Issue #358 resolution – see proposal in email
    • Note that OAuth Authorization Server Metadata was updated to rev 07
    • Consider motion to approve specs
  • Timeline
    • Progression of specs
    • Meeting schedule
  • UMA2 logo
    • New candidates to consider
  • AOB

Minutes

Roll call

Quorum was reached.

Approve minutes

Approve minutes of UMA telecon 2017-08-03, UMA telecon 2017-08-17, and UMA telecon 2017-09-14: APPROVED.

Finalization of Draft Recommendations

Regarding #358a: Consensus that we can respond to the commenter with "no change" and the keymaster/gatekeeper rationale.

Regarding #358b: When UMA1 had the AAT, we presumed that the RqP's authorization was captured in some fashion, even if the token issuance was silent – but really, we're in the same boat now. Whatever trust framework applied to AAT issuance before needs to apply to RqP authorization now, and we're shoring up our considerations for saying so.

Editorial instructions:

  • In 3.3.1 and 3.3.2: Should we say "...regarding claims containing personal data" or just "...regarding claims" when pointing people to the security and privacy considerations? The latter.
  • In 5.7: For "A malicious client could push a claim token to the authorization server to seek access to a protected resource on its own behalf without, or prior to, the authorization server using interactive claims gathering to seek an end-user requesting party's authorization." instead say "A malicious client could push a claim token to the authorization server (revealing the claims therein; see Section 6.2) to seek resource access on its own behalf prior to any opportunity for an end-user requesting party to authorize claims collection."
  • Note that OAuth Authorization Server Metadata (Discovery) was updated to rev 07
    • Now requires the https: scheme
    • There are some other changes as well, but perhaps less impactful to us
  • Consider motion to approve specs

MOTION: Andi moves and Maciej seconds: "Approve Draft Recommendations Grant rev 09 and FedAuthz rev 09 as amended according to the editorial instructions of UMA telecon 2017-11-16, as ready to send to the Leadership Council for certification towards an All-Member Ballot." APPROVED by acclamation. Woot.

Timeline

  • Progression of specs

What happens next: Assuming we have a successful motion today, the Draft Recommendations will go to the LC for an e-ballot to certify them for a Kantara All-Member Ballot. Eve has prepared a GOTV (get-out-the-vote) spreadsheet so that we can all help reach out to Kantara Members and efficiently boost the Yes votes.

  • Meeting schedule

Andrew and Eve have worked up a plan to have the CIS and UMA WGs meet on Nov 30 at 8-9am PT, just before the regular UMA WG call time and overlapping the CIS WG Consent Receipts call time. We will invite CIS, UMA, UMA Legal. Planned for 60 minutes but could go into the UMA WG hour (using the CISWG GTM line). Kantara has switched to GoToMeeting instead of TurboBridge. We won't switch to GTM yet, so as not to disrupt our current processes, but let's look into that as soon as practicable.

Agenda:

  • CR people present on CR to UMA people
  • UMA people present on UMA to CR people, including reviewing the "shoebox" labeled issues
  • UMA Legal people present on UMA Legal to all
  • Enumerate the possible places in UMA where things would be useful to "record"/have a "receipt" structure
  • Enumerate places where the RO and RqP would find it useful to get a receipt ("repudiation" use cases)
  • Enumerate relevant technical artifacts in UMA and their places of issuance and usage

UMA2 logo

  • New candidates to consider

Notes on options from Domenico (shown on screen):

  • Great direction
  • Interest is highest in the rightmost option
  • Since there isn't huge awareness of UMA1, how about dropping the "2"?
    • It would be good to see options adding back the Kantara green color somehow even with the "2" gone
  • Circular is good, making it similar to the OAuth family
    • The original UMA logo is beautiful, but the white color of the third bubble is sometimes a challenge on white backgrounds, making it look off-center

Attendees

As of 7 Mar 2017, quorum is 4 of 7. (Domenico, Sal, Andi, Maciej, Eve, Mike, Cigdem)

  1. Sal
  2. Andi
  3. Maciej
  4. Eve
  5. Mike

Non-voting participants:

  • James

Regrets:

  • Domenico
  • Adrian