UMA telecon 2022-05-26
Date and Time
Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
United States: +1 (224) 501-3316, Access Code: 485-071-053
See UMA calendar for additional details: http://kantara.atlassian.net/wiki/display/uma/Calendar
Agenda
Approve minutes since UMA telecon 2022-03-31
UMA/UDAP/etc comparison - Let's add a row for GNAP/mDL
Charter Refresh
AOB
Attendees
NOTE: As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
Voting:
Alec
Non-voting participants:
Scott
Nancy
Regrets:
Quorum: No
Meeting Minutes
Approve previous meeting minutes
Approve minutes of UMA telecon 2022-03-31, UMA telecon 2022-04-06, UMA telecon 2022-04-14, UMA telecon 2022-04-21, UMA telecon 2022-05-05, UMA telecon 2022-05-12, UMA telecon 2022-05-19
Deferred–no quorum
Topics
UMA/UDAP/etc comparison
https://docs.google.com/spreadsheets/d/1UWxhLoLFsVNmHulGvyS_3vx5hF9u2reFXT3gxc3bRnY/edit#gid=0
Let's add a row for GNAP
Could also add a row for mDL 18013-5 (online/offline/hybrid)
Julie Use-case Report - progress update on resolving feedback
Link to V0.3 Working Group Draft: Notes, drafts, and WIP
Charter Refresh
AOB
me, delegate
?user=delegate
Does the RqP need to know the owner? No
Does UMA support group membership policy? Yes
Alice has a resource R registered at her AS. She delegates control to Bob, allowing Bob to 're-share' R with Sam.
If Alice shares a resource R with Bob, Bob should not be able to share R with Sam
Delegation of Control (administration): Alice allows Bob to create policies over her resources (R, S, T)
Delegation of Access (sharing): Alice allows Bob to access her resources (R, S)
resource = R, scopes = (a, b, c), owner = O
Explicit Policy (opt-in): O says R can be accessed by ANYONE who provides a (name, email) ← e.g. to download some whitepaper
Implicit (default) Policy (opt-out): AS has a policy that all R of type can be accessed by ALL doctors
Implicit Policy: AS will allow any Doctor to access any resource if they assert the scope 'btg'
Implicit Policy: AS will allow any RqP who is an Owner to access their own resources
Implicit policy is (today) broadly agreed to by the Owner when they agree to the AS's Terms of Service. Implicit Policy may allow an explicit opt-out by an owner.
Explicit Opt-out: O says doctor E can't access any of her resources
National Policy > State Policy > Local Policy > (Implicit) Organizational Policy > actual policy < subject/owner/administrator Policy (Explicit)
Should we have more implementation guidance around Group Policy? It's supported in the spec, however most of our public information is Alice→Bob sharing
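The distinction above between delegation of access and delegation of control, together with the explicit, implicit and opt-out policies, can be modelled in a few lines. This is an added example, not part of the minutes and not the UMA API: the ToyAS class, the subjects dana and erin, the rule that only the owner may delegate control, and the rule that an explicit opt-out wins over every other policy are assumptions made for illustration.

```python
from collections import defaultdict
class ToyAS:  # hypothetical toy authorization server, not the UMA API
    def __init__(self, roles):
        self.roles = roles                  # subject -> roles (constructed)
        self.owner = {}                     # resource -> owner
        self.admins = defaultdict(set)      # resource -> control delegates
        self.grants = defaultdict(dict)     # resource -> {subject: scopes}
        self.opt_outs = defaultdict(set)    # owner -> subjects she excluded

    def register(self, owner, resource):
        self.owner[resource] = owner

    def delegate_control(self, actor, resource, delegate):
        if actor != self.owner[resource]:   # assumption: only the owner delegates control
            raise PermissionError(f"{actor} does not own {resource}")
        self.admins[resource].add(delegate)

    def share(self, actor, resource, subject, scopes):
        # Delegation of access alone never lets the grantee write policy.
        if actor != self.owner[resource] and actor not in self.admins[resource]:
            raise PermissionError(f"{actor} cannot create policy for {resource}")
        self.grants[resource][subject] = set(scopes)

    def opt_out(self, owner, subject):
        self.opt_outs[owner].add(subject)

    def decide(self, rqp, resource, scope):
        owner = self.owner[resource]
        if rqp == owner:                                  # implicit: owner reaches own resources
            return True
        if rqp in self.opt_outs[owner]:                   # explicit opt-out (assumed to win)
            return False
        if scope in self.grants[resource].get(rqp, ()):   # explicit policy
            return True
        return scope == "btg" and "doctor" in self.roles.get(rqp, ())  # implicit AS policy

def demo():
    s = ToyAS({"dana": {"doctor"}, "erin": {"doctor"}})
    s.register("alice", "R")
    s.share("alice", "R", "bob", {"a"})          # delegation of access
    try:
        s.share("bob", "R", "sam", {"a"})        # re-share attempt with access only
        blocked = False
    except PermissionError:
        blocked = True
    s.delegate_control("alice", "R", "bob")      # delegation of control
    s.share("bob", "R", "sam", {"a"})            # now Bob may create policy
    s.opt_out("alice", "erin")                   # explicit opt-out of one doctor
    return s, blocked
if __name__ == "__main__":
    print("re-share blocked before control delegation:", demo()[1])
```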
Potential Future Work Items / Meeting Topics
Confluence clean up, archive old items and promote the latest & greatest
Review of the email-poc correlated authorization specification
A financial use-case report (following the Julie healthcare template)
either open banking or pensions dashboard
openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)
mDL + UMA
Upcoming Conferences
https://identiverse.com/ June 21-24, 2022 Denver, Colorado.
https://www.identitynorth.ca/events/annual2022/ Identity North June 14-15, Toronto, Ontario
https://www.rsaconference.com/usa RSA Conference, Moscone Center & Digital | Jun. 6 - 9, 2022