UMA telecon 2019-04-18

Date and Time

• Thursdays 6am PT
  • Screenshare and dial-in: https://global.gotomeeting.com/join/857787301
  • See UMA calendar for additional details: http://kantara.atlassian.net/wiki/display/uma/Calendar

Agenda

• Roll call
• Approve minutes of UMA telecon 2019-03-14, 2019-03-28, 2019-04-04 
• IETF update
• Business model update
• Fine-grained access extension
• Charter refresh discussion
• AOB

Minutes

Roll call

Quorum was not reached.

Approve minutes

• • Approve minutes of UMA telecon 2019-03-14, 2019-03-28, 2019-04-04

Deferred.

Goings-on in the community

On Apr 4, the last time we met, the UK government put out its response to the consultation it had done on the Pensions Dashboard project. Based on the acknowledgment there that UMA is required for PD success, there is an opportunity now to align UMA, OB, FAPI, PD, CIBA, OAuth, etc. – and some interested parties are currently applying resources to help do this.

Don't forget about:

• The HEART webinar and deep-dive workshop (two hours total) on Apr 23
• The IEEE ComSoc magazine special issue with deadline of mid-June – "The Dawn of the Internet Identity Layer and the Role of Decentralized Identity" (Eve is one of the guest editors)
• The SOUPS conference – the call for posters is still open and the new PEPR conference is co-located with it (@@add link)
• The new Me2B alliance – Lisa is building this community as a home for developing a code of practice and certification for ethical digital relationships – they're starting with businesses but it could branch out
• IIW – here is a M2Be discount code! Me2B_IIW28_20

IETF update

Opinion is mixed in the OAuth group about adoption. Eve attended the last OAuth virtual office hours meeting and discussing things more with the WG. There's not, perhaps, a deep understanding yet of the many use cases, particularly around the A-to-B flows. Eve offered a "bull session" to get any and all questions answered at Montreal (IETF 105) in July, and there was good interest in that. Alec/Identos is planning to attend as well. Who else will be there who's on today call? We're not sure if anyone else. During that call, they brought up again that the specs could change considerably if adopted. Eve assured them that the UMA WG knows the deal, and she has exhorted the UMA participants to take active part where they are committed to current design; the key consideration overall is solving for the use cases that UMA has solved for (thinking, e.g., of slide 12 in what we presented).

Should we consider breaking up our specs more and contribute them in more pieces? Mike had suggested something like that. Eve hadn't been sure of that, but maybe (e.g.) Alex notes contributing token endpoint error handling as an independent piece would be a kind of valuable primitive they could adopt. Cigdem asks: Do we have feedback on which parts they're excited about? Thomas notes no one gets excited about anything until you're at IETF draft.

Maybe we do want to consider the informational RFC path at first, given that there is starting to be some adoption that could welcome that level of standardization. It's not hard to then turn it into a standards-track RFC. The former could be an individual submission (maler-*) or could be adopted by the OAuth WG (oauth-*) as a work item and select specific people to read it and comment on it. The individual route is faster. If the OAuth WG remains uninterested and the world continues to demonstrate traction, we could go to the ADs (Area Director, which in the case of OAuth is Security; the ADs are Benjamin Kaduk and EKR) and ask to adopt.

Cigdem suggests the permission ticket notion might be another area that is amenable to modularizing somehow. It's a pattern we're seeing more frequently. It's a "ticket-getting-ticket" (TGT) that functions kind of like an authorization code, or at least that's the analogy that Bertrand made and that we tried to make in the IETF 104 presentation. Is this a dangerous analogy? Ben would get it!

Hannes appears to believe that the WG needs a charter change before adopting the UMA work, but we're not certain why this is the case.

Let's continue to keep things open prior to Montreal, and figure out our choice of strategy by/after then.

AI: Eve: Check with Hannes/Rifaat about the OAuth charter situation prior to Montreal.

Business model update

There is a winning primary time: Tuesdays at 9am PT / 10am CT / 11am ET / 4pm UK.

And a winning secondary or alternate time: Fridays at 8am PT / 9am CT / 10am ET / 3pm UK.

AI: Eve: Set up the new business model meeting series, using the same UMA WG GTM where possible.

AI: All: If you didn't respond to the Doodle poll for this meeting series, please drop Eve a note if you want to be included in the event invitation.

Fine-grained access extension

This is the name that Pedro has given his extension (already documented in Keycloak documentation, but he has turned it into something that looks like an extension spec). He has send a draft to Eve but not yet to the list, but it's coming soon!

If there are enough UMAnitarians around in Montreal, we could potentially have an an UMA WG F2F there and take a look at an Identos-contributed extension spec (assuming it might be contributed by then).

Charter refresh discussion

• The current charter as of 27 Feb 2018

Deferred.

Attendees

As of 18 Oct 2018, quorum is 5 of 8. (Domenico, Peter, Sal, Andi, Maciej, Eve, Mike, Cigdem)

1. Domenico
2. Eve
3. Cigdem

Non-voting participants:

• Alec
• Scott
• Lisa
• Thomas
• Colin

Regrets:

• Andi