UMA telecon 2019-02-21
UMA telecon 2019-02-21
Date and Time
- Thursdays 6am PT
- Screenshare and dial-in:Â https://global.gotomeeting.com/join/857787301
- See UMA calendar for additional details:Â http://kantara.atlassian.net/wiki/display/uma/Calendar
Agenda
- Roll call
- Approve minutes of UMA telecon 2019-01-17, 2019-02-07Â
- IETF contribution status and presentation prep
- Commonalities/touchpoints between drafts (e.g. oauth-distributed, resource-indicators...)?
- Ideas based on newer community concepts (sender-constrained...)?
- Grant model concept (discussed here)?
- High assurance of the RO to the RqP
- If time and Peter is available
- AOB
Minutes
Roll call
Quorum was reached.
Approve minutes
- Approve minutes of UMA telecon 2019-01-17, 2019-02-07
APPROVED by acclamation.
IETF contribution status and presentation prep
- Commonalities/touchpoints between drafts (e.g. oauth-distributed, resource-indicators...)?
- Ideas based on newer community concepts (sender-constrained...)?
- Grant model concept (discussed here)?
The contributions have been made. Some implementers have been indicating enthusiasm about supporting in-person. Maciej and Eve are looking into in-person involvement. Historical topics we should touch on:
- The history/background of UMA1 (submitted to IETF and expired)
- Dynamic client registration (submitted and influenced OAuth/OIDC)
- The "design principle" of sedimenting content into OAuth (slideware exists for this, possibly in 2015)
- EIC award (like the OAuth one)
- Potentially privacy-protective capabilities of UMA (along with the business model layer)
Other useful things to share, in order to contrast with other current work: swimlane flows that illustrate how it solves:
- Alice-to-Bob consented sharing (which otherwise OAuth doesn't do) – many are on the cusp of solving it in a nonstandardized way
- Alice-to-Alice sharing with centralized management of resources (which otherwise OAuth doesn't do) – point to discussion of laws/regs/rules for the "multiple portals problem" and its relevance to contexts of "open APIs"
- Proactive, reactive, and silent Alice (data subject)-to-whoever and enterprise (non-human)-to-whoever sharing in a (relatively) compact single grant
Will oauth-distributed get taken forward? Dick has left Amazon and the use cases for this spec came from there. The draft has an AS discovery element and there was some list discussion about possibly leveraging UMA's existing mechanism. We could make a brief mention and point out how we do it. (Eve's presentation on UMA to the OAuth WG some months ago included this.) Cigdem also points out that AS discovery is supported in the ACE framework as well in IETF (ACE Core). It seems that AS discovery is popping up in several places. There are a few implementations.
What about the divergence in concepts between UMA resources that get registered and resource-indicators? Our RPT is pretty specific in what it contains, while this other draft just audience-binds tokens and forces downscoping and lets the AS do the mapping. Also, since UMA is client-to-RS-first and gets a permission ticket, this makes the purposes different as well; UMA is more capable in limiting the audience already.
AI: George: Help with the resource-indicators section of the preso.
We should also include the implementation status.
Meeting logistics
We will meet next week (Thu Feb 28). No meeting the following week (Thu Mar 7) due to the RSA conference.
Attendees
As of 18 Oct 2018, quorum is 5 of 8. (Domenico, Peter, Sal, Andi, Maciej, Eve, Mike, Cigdem)
- Domenico
- Sal
- Maciej
- Eve
- Cigdem
Non-voting participants:
- Alec
- Colin
- George
- Lisa (new - welcome!)
- Scott
- Thomas
- Nancy
- Bjorn
- Adrian
Regrets:
- Andi