UMA telecon 2019-12-05

Date and Time

Agenda

  • Roll call
  • Approve minutes of UMA telecons 2019-10-03, 2019-11-21
  • Discuss recent next-gen authz news
  • AOB

Minutes

Roll call

Quorum was not reached.

Approve minutes

Deferred.

Reminder: Identiverse CfP is open till Jan 10

Keep those cards and letters coming!

Discuss recent next-gen authz news

Adrian relates news from a symposium at which Thomas was presenting, where bots and swarms have roles to play, blockchain enables consensus on swarm activities, and there is a payment model for bots. Shades of (George's?) Device-Managed Access model and Ray Bradbury's Night Call, Collect! And what if an intelligent machine ultimately infringes on an existing patent?

The second decentralized identity meeting is tomorrow at 1pm ET. The minutes from the first meeting are here. Planning for all this is happening on the DIF Slack workspace and also in the W3C groups (there are at least three relevant ones; the most relevant is the Credentials Community Group). WGs are slightly more "closed". The calendar invitation is here. Adrian's take: some people are convinced and some not so convinced about Linked Data as a way to move forward. People representing (many) startups don't want to wait and want to press forward in Hyperledger Aries and(/or?) DIF. These two organizations seem friendly towards each other, and MSFT is taking two steps back. Though Kantara has been mentioned and hasn't been dismissed, it's unlikely. Adrian believes it's possible to accommodate a two-org track that continues with the W3C effort as well, e.g. with DIDcomm. Justin sees a challenge in the hard blocking-and-tackling work of standards integration that is now needed.

Adrian and others brought up UMA as a relevant technology/standard in the first meeting. A question of "IP" came up; apparently this has to do with the desire to build the decentralized web independent of TLS and basic lack of familiarity with Kantara and the existing standards world.

Justin attended the side meetings on OAuth 2.1 (which weren't available for Meetecho remote participation). If you have a 2.1 client talking to a 2.0 server with the right extensions, then everything should work fine; it adheres to semantic versioning (even though the WG hasn't made a formal commitment to semantic versioning overall). 2.1 is just a collection and branding of certain features, like mandating the authorization code grant with PKCE, etc. But it doesn't include extensions like RAR. He believes PAR is sufficiently baked to use, but RAR needs a lot more work. 2.1 could talk about dynamic client registration (DCR) but point off to other sources. How do you deal with the need to constantly update security advice? Eventually you issue a BCP for 2.1 if it's necessary.
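Since the "authorization code + PKCE" combination is the core of what 2.1 mandates, here is an added example (not from the telecon or from any OAuth WG text) of what the two sides actually compute. The client derives an S256 code_challenge from a random code_verifier; the toy authorization server records the challenge at the authorization step and only issues a token if the verifier presented at the token endpoint hashes to it, with single-use codes and a client_id/redirect_uri binding. The `AuthorizationServer` class and the flow helpers are constructed for this illustration; only the RFC 7636 derivation rules are taken from the standard.

```python
import base64
import hashlib
import secrets


def b64url(data):
    """Base64url encoding without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes=32):
    """32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(nbytes))


def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed toy AS: stores the challenge at /authorize, checks the verifier at /token."""

    def __init__(self):
        self._pending = {}  # authorization code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method="S256"):
        # Reject the "plain" method: a 2.1-style server only accepts S256.
        if code_challenge_method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        # pop() makes the code single-use; a replayed code is an invalid_grant.
        entry = self._pending.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        stored_client, stored_redirect, stored_challenge = entry
        if stored_client != client_id or stored_redirect != redirect_uri:
            return {"error": "invalid_grant"}
        if not 43 <= len(code_verifier) <= 128:
            return {"error": "invalid_grant"}
        # Constant-time comparison of the recomputed challenge against the stored one.
        if not secrets.compare_digest(s256_challenge(code_verifier), stored_challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def public_client_flow(server, tamper=False):
    """Run one code+PKCE exchange; with tamper=True the token request carries a different verifier,
    which is what an attacker who only intercepted the code would be able to do."""
    client_id, redirect_uri = "example-public-client", "https://app.example/cb"  # constructed
    verifier = make_code_verifier()
    code = server.authorize(client_id, redirect_uri, s256_challenge(verifier))
    presented = make_code_verifier() if tamper else verifier
    return server.token(client_id, redirect_uri, code, presented)


def replayed_code_is_rejected(server):
    """Exchange a code once, then try to exchange it again with the correct verifier."""
    client_id, redirect_uri = "example-public-client", "https://app.example/cb"  # constructed
    verifier = make_code_verifier()
    code = server.authorize(client_id, redirect_uri, s256_challenge(verifier))
    first = server.token(client_id, redirect_uri, code, verifier)
    second = server.token(client_id, redirect_uri, code, verifier)
    return "access_token" in first and second == {"error": "invalid_grant"}


if __name__ == "__main__":
    print(public_client_flow(AuthorizationServer()))
    print(public_client_flow(AuthorizationServer(), tamper=True))
    print(replayed_code_is_rejected(AuthorizationServer()))
```

The point the minutes make about compatibility holds here too: a 2.0 server that already implements RFC 7636 with S256 behaves exactly like this toy server, so a 2.1 client talking to it needs nothing new.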

RAR/PAR has a few elements of UMA-relevant features. All along we've had a goal of "sedimenting" UMA features into OAuth itself, and we have been happy when this has happened, e.g., DCR.

George sees the value of RAR as more than OAuth2. It's a JSON structure for dealing with internal microservice authorization issues. Eve had picked up on the fact that RAR enables resource-specific scopes in UMA-like fashion without requiring pre-registration of resources (as UMA does) in a specific resource owner context. UMA's protection API has the AS issue a resource ID that basically carries resource owner personal data because of that context. She believes Identos had created a UMA extension specifically to undo this implication so as to privacy-enhance AS interactions – is that so?
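To make the contrast Eve draws concrete, here is an added example (not from the telecon, from UMA's spec text, or from any implementation such as Identos's) of the two authorization-server checks side by side. On the UMA side, the resource server must first register a resource under the owner's PAT and gets back an `_id`; a later permission request is only meaningful if it names that `_id` and asks for scopes registered for it, so the identifier is inherently bound to one owner's context. On the RAR side, the request carries the resource description inline as an `authorization_details` object and the AS validates it by `type` against the types it supports, with no prior registration step. The class, the supported-type table and the error strings are constructed for this illustration; the error codes `invalid_resource_id`/`invalid_scope` follow UMA 2.0's permission endpoint and `invalid_authorization_details` follows the RAR draft that later became RFC 9396.

```python
import secrets


class UmaAuthorizationServer:
    """Constructed, simplified UMA 2.0 protection API: resource registration plus permission endpoint."""

    def __init__(self):
        self.resources = {}  # _id -> registration description, recorded under the owner's PAT

    def register_resource(self, owner_pat, name, resource_scopes):
        # The AS mints the _id in the resource owner's context: whoever later sees this
        # identifier learns that it refers to something this owner registered.
        rid = secrets.token_hex(8)
        self.resources[rid] = {"owner": owner_pat, "name": name, "resource_scopes": set(resource_scopes)}
        return {"_id": rid}

    def request_permission(self, resource_id, resource_scopes):
        """RS asks for a permission ticket; the _id must exist and the scopes must be registered for it."""
        res = self.resources.get(resource_id)
        if res is None:
            return {"error": "invalid_resource_id"}
        if not set(resource_scopes) <= res["resource_scopes"]:
            return {"error": "invalid_scope"}
        return {"ticket": secrets.token_urlsafe(16)}


# Constructed table of authorization_details types this AS understands and the
# fields/actions each type permits. Real deployments define these per API.
RAR_TYPES = {
    "account_information": {
        "required": {"locations", "actions"},
        "actions": {"list_accounts", "read_balances", "read_transactions"},
    },
}


def validate_authorization_details(details, supported=RAR_TYPES):
    """Return None if the RAR request is acceptable, else the error code the AS would send.
    Nothing here consults a registry: the object itself says where the resource is (locations)
    and what is wanted (actions)."""
    if not isinstance(details, list) or not details:
        return "invalid_authorization_details"
    for obj in details:
        if not isinstance(obj, dict):
            return "invalid_authorization_details"
        spec = supported.get(obj.get("type"))
        if spec is None:
            # Unknown type: the AS must not guess what it means.
            return "invalid_authorization_details"
        if spec["required"] - set(obj):
            return "invalid_authorization_details"
        if not set(obj.get("actions", [])) <= spec["actions"]:
            return "invalid_authorization_details"
    return None


if __name__ == "__main__":
    uma = UmaAuthorizationServer()
    rid = uma.register_resource("pat-for-alice", "Alice's records", ["view", "edit"])["_id"]  # constructed
    print(uma.request_permission(rid, ["view"]))
    print(uma.request_permission(rid, ["delete"]))
    rar_request = [{"type": "account_information",
                    "locations": ["https://bank.example/accounts"],  # constructed
                    "actions": ["read_balances"]}]
    print(validate_authorization_details(rar_request))
```

The difference that matters for privacy is visible in the data each check needs: the UMA check cannot run without the owner-scoped `_id`, while the RAR check runs on a self-describing object, which is the property Eve noted.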

Adrian asks about a RAR/PAR relationship to ZCAP (the Linked Data spec at W3C); Justin believes they're not related. Maybe we can drill down into the topic of DCR and the different types of wide ecosystems a bit more.

Attendees

As of 16 Jul 2019, quorum is 5 of 9. (Domenico, Peter, Sal, Thomas, Andi, Maciej, Eve, Mike, Cigdem)

  1. Domenico
  2. Andi
  3. Eve
  4. Mike

Non-voting participants:

  • Adrian
  • George
  • Scott
  • Bjorn
  • Justin

Regrets:

  • Maciej