UMA telecon 2012-02-02

Date and Time

WG telecon on Thursday, 2 Feb 2012, at 9am PT (time chart)
- Skype: +99051000000481
- US: +1-805-309-2350 (other international dial-in lines available) | Room Code: 178-2540

Agenda

Roll call
Approve minutes of 2012-01-12, 2012-01-19, and 2012-01-26 meetings
Tweet chat planning
Virtual and F2F interop planning
- Don't forget to join and use the OpenID Connect interop mailing list
Award season: European Identity, Future Internet
Business-oriented UMA use cases: how to handle/gather?
Work through issues, others?
- Nat's question
- 31 (baskets)
- 19 (JSON metadata)
- 41 (JSON media types)
- 7 (caching language)
- ...
AOB

Attendees

As of 1 Feb 2012, quorum is 7 of 13.

Catalano, Domenico
Fletcher, George
Hardjono, Thomas
Machulak, Maciej
Maler, Eve
Miles, Arnie
Moren, Lukasz
Szpot, Jacek

Non-voting participants:

Bradley, John
Bryan, Paul
Gropper, Adrian
Nederkoorn, Cordny

Regrets:

D'Agostino, Salvatore
Cox, Kevin
Morrow, Susan

Minutes

New AI summary

2012-02-02-1	Thomas	Open	Add the standard JSON eval vs. parser benediction to the Security Considerations section.
2012-02-02-2	Eve	Open	Incorporate the decision on issue #19 into the spec.
2012-02-02-3	Eve	Open	Ask Susan to follow up on the EIC award submission and ask Susan and Malcom to follow up on the Future Internet award submission.
2012-02-02-4	Thomas and Eve	Open	Begin capturing business-oriented use cases.

Roll call

Quorum was reached.

Approve minutes of 2012-01-12, 2012-01-19, and 2012-01-26 meetings

Minutes of 2012-01-12, 2012-01-19, and 2012-01-26 meetings APPROVED.

Tweet chat planning

Cordny will blog it and we'll get the word out through Twitter as well.

Virtual and F2F interop planning

Don't forget to join and use the OpenID Connect interop mailing list

Regarding testable assertions, Cordny has made progress on Phase 1 and is starting to work on Phase 2. These are in the form of if-then-else statements. Hopefully we can mutually influence and be influenced by the nascent OpenID Connect feature test lists. We could probably point to those test lists for the portions of UMA that rely on that technology.

Should we actually use the OSIS wiki for managing our interops? We could, but we don't have to. But any UMA-compliant entity that is also participating in OpenID Connect interactions will want to literally participate in the OpenID Connect interop activity. For example, the AM in the SMART implementation is also an OpenID client/RP.

Issue 19: JSON metadata

Eve proposed a JSON-based solution on the list. Web Host Metadata is now standardized as RFC 6415.

John, as host of XRD, is torn because a lot of work was put into XRD but JSON is so much friendlier. OpenID Connect hasn't actually started the registration process for its /openid-configuration subdirectory yet.

The RFC does allow for registering different directories other than /host-meta under /.well-known. George had a lot of trouble getting AOL corporate approval to put stuff into the /.well-known area, regardless of the directory structure underneath. Also, if the trust model relies on trusting an AM by virtue of its domain, then pointing off to a discoverable AM config file that lives anywhere in the world. However, most of them support some level of redirect. Is SSL good enough, or should the JSON be signed?

UMA has kept things simple in that the AM's metadata is hosted at the AM. The host knows the URL of the UMA server it's working with, and vice versa. Maybe George's issues around domains of email addresses don't apply, because this level of trust applies before adding the authorizing user into the picture.

XRD supports XML Signature. JSON config data could support JOSE. So that's moot between them. XRD has a known extensibility format. However, we've already invented a number of UMA-related JSON data formats and intend to register their media types, and have even dictated in the spec acceptable ways to extend them.

Paul is concerned about our group haring off and inventing our own format vs. XRD. Cordny notes that the JSON version is much smaller. Jacek notes that his Python implementation found XRD handling to be a pain, whereas parsing JSON is trivial. John issues the standard warning that people shouldn't be using eval, but rather a JSON parser. Let's add this. (See this for a text suggestion!)

Since UMA and OpenID Connect are developing a deeper relationship in various ways, and we anticipate seeing some OPs being AMs and vice versa, what's the right answer for config data? UMA AM metadata already has an OpenID connect conformance flag. We recommend that OpenID Connect config data consider a reciprocal flag. Maybe eventually they'll merge, but we won't work on that now.

We have consensus to change to a JSON format. We'll start with Eve's proposal.

Award season: European Identity, Future Internet

We'll follow up on these opportunities. People are encouraged to alert us to other award opportunities, and/or to submit UMA on their own.

Business-oriented UMA use cases: how to handle/gather?

It's time to start capturing business-oriented use cases (defined as the authorizing party being not-Alice). Eve and Thomas have expressed interest in putting this together.

Next Meetings

WG telecon on Thursday, 9 Feb 2012, at 9am PT (time chart)
WG telecon on Thursday, 16 Feb 2012, at 9am PT (time chart)
WG telecon on Thursday, 23 Feb 2012, at 9am PT (time chart)

Browser not supported