UMA telecon 2022-05-26

Date and Time

Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
- Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
- United States: +1 (224) 501-3316, Access Code: 485-071-053
- See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar

Agenda

Approve minutes since UMA telecon 2022-03-31
UMA/UDAP/etc comparison - Let's add a row for GNAP/mDL
Charter Refresh
AOB

Attendees

NOTE: As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
Voting:
- Alec
Non-voting participants:
- Scott
- Nancy
Regrets:

Quorum: No

Meeting Minutes

Approve previous meeting minutes

Approve minutes of UMA telecon 2022-03-31, UMA telecon 2022-04-06, UMA telecon 2022-04-14, UMA telecon 2022-04-21, UMA telecon 2022-05-05, UMA telecon 2022-05-12, UMA telecon 2022-05-19

Deferred–no quorum

Topics

UMA/UDAP/etc comparison

https://docs.google.com/spreadsheets/d/1UWxhLoLFsVNmHulGvyS_3vx5hF9u2reFXT3gxc3bRnY/edit#gid=0
Let's add a row for GNAP
- https://datatracker.ietf.org/wg/gnap/documents/
- https://oauth.xyz/
Could also add a row for mDL 18013-5 (online/offline/hybrid)
- https://www.aamva.org/getmedia/c4fe2a21-91ff-449d-9df3-5a7e33cf3a8e/mDL-Implementation-Guidelines-1-0_2021.pdf

Julie Use-case Report - progress update on resolving feedback

Link to V0.3 Working Group Draft: Notes, drafts, and WIP

Charter Refresh

Draft Charter 2022

AOB

me, delegate

?user=delegate

Does the RqP need to know the owner? No

Does UMA support group membership policy? Yes

Alice has a resource R registered at her A, she delegates control to Bob, allowing Bob to 're-share' R with Sam.

If Alice shares a resource R with Bob, Bob should not be able to share R with Sam

Delegation of Control (administration): Alice allows Bob to create policies over her resources (R, S, T)

Delegation of Access (sharing): Alice allows Bob to access her resources (R, S)

resource = R, scopes = (a, b, c), owner = O

Explicit Policy (opt-in): O says R can be accessed by ANYONE who provides a (name, email) ← eg to download some whitepaper

Implicit(default) Policy (opt-out): AS has a policy that all R of type can be access by ALL doctors

Implicit Policy: AS will allow any Doctor to access any resource if they assert the scope 'btg'

Implicit Policy: As will allow any RqP who is an Owner to access their own resources

Implicit policy is (today) broadly agreed to by the Owner when the agree to the ASs Terms of Service. Implicit Policy may allow an explicit opt-out by an owner.

Explicit Opt-out: O say doctor E can't access any of her resources

National Policy > State Policy > Local Policy > (Implicit) Organizational Policy > actual policy < subject/owner/administrator Policy (Explicit)

Should we have have more impl guidance around Group Policy? It's supported in the spec, however most of our public information is Alice→Bob sharing

Potential Future Work Items / Meeting Topics

Confluence clean up, archive old items and promote the latest & greatest
Review of the email-poc correlated authorization specification
A financial use-case report (following the Julie healthcare template)
- either open banking or pensions dashboard
- openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)
mDL + UMA

Upcoming Conferences

https://identiverse.com/ June 21-24, 2022 Denver, Colorado.
https://www.identitynorth.ca/events/annual2022/ Identity North June 14-15, Toronto, Ontario
https://www.rsaconference.com/usa RSA Conference, Moscone Center & Digital | Jun. 6 - 9, 2022