UMA telecon 2012-08-02

Date and Time

  • WG telecon on Thursday, 2 August 2012, at 9am PT (time chart)
    • Skype: +99051000000481
    • US: +1-805-309-2350 (other international dial-in lines available) | Room Code: 178-2540

Agenda

  • Roll call
  • Approve minutes of 2012-07-19 and 2012-07-26 meetings
  • Chair pro tem for Aug 9 meeting? (Eve regrets)
  • OASIS PMRM liaison ideas and AIs
  • OAuth dyn-client-reg: how to make progress?
  • AI review
  • Legal ad hoc meeting report and next steps
  • Feature test update
  • Spec progress, review, issues
    • Which outstanding issues rise to the level of A-priority?
  • AOB

Minutes

New AI summary

  AI ID          Owner      Status   Description
  2012-08-02-1   Eve        Open     Reach out to Justin to establish his ability and willingness to follow up on dyn-client-reg.
  2012-08-02-2   Eve        Open     Send UMA use case information to PMRM group.
  2012-08-02-3   Sal, Trey  Open     Liaise with others as appropriate on potential alignment opportunities for host/AM introduction-type patterns.
  2012-08-02-4   Eve        Open     Schedule regular calls to tackle legal, trust, and obligations issues.

Roll call

Quorum was reached.

Approve minutes of 2012-07-19 and 2012-07-26 meetings

Minutes of 2012-07-19 and 2012-07-26 meetings APPROVED.

Chair pro tem for Aug 9 meeting? (Eve regrets)

Maciej will chair.

OASIS PMRM liaison ideas and AIs

We have consensus to share UMA use cases with the PMRM group.

OAuth dyn-client-reg: how to make progress?

The OAuth group would like those of us who are interested in this work to step up and push it forward. As far as implementations go, we know of three implementations: SMART, Fraunhofer, and Tom Brown's. We also know of several loci of interest: OpenAXN (e.g. Justin), OAuth native client folks (such as Nat), and UMA use cases.

AI review

Rev 05c closes issue #61. We'll consider Domenico's AI closed because of his latest document outlining promissory claims needs.

Legal ad hoc meeting report and next steps

One new concept from yesterday's meeting relates to how we can ensure the requesting party is aware of the parameters of access. If Bob never makes use of the access he has rights to, is he obligated yet? According to our current Binding Obligations model, potentially yes. This is because promissory claims are "active": Bob must provide info or consent to terms. There has to be a UX for presenting the terms in this case, ensuring that Bob understands what he's doing.

If you combine a trusted identity claim with a promissory claim, that's powerful. This is akin to signing a contract with a notary present. Even without requiring an LOA3 identity claim, you can get pretty far with enforceability; today's web is actually worse.

Do we have to say more about server logs to achieve our enforceability goals? Our first priority is to protect Alice's interests, but part of doing this is to sufficiently protect the interests of all the others in the picture.

How can we do a lightweight version of promissory claims that is still meaningful? Our old Simple Access Authorization Claims spec has a potential answer. Trey has done something similar, which they've called "policy classes". Claim recordation would provide the URL of the terms agreed to, along with some metadata that timestamps the agreement so that the representation of the resource behind the URL can be unambiguously identified.

Does the Binding Obligations doc have to say that the AM takes on an obligation to Bob to accurately represent to him what claims he needs to provide? Perhaps. This connects to the issuance of the AAT.

Further, each permission (in the bearer token profile) may be associated with different specific claims that Bob provided. Some of those claims may be promises. Perhaps the AM is the place where Bob should go to interact with an interface where he can look up his claims-based obligations? Or the IdPs he's used to provide identity claims could help. Eve is worried that optimizing for Bob's needs is too much for UMA V1, and since we have a naive answer (all the apps with AATs can help Bob learn his claims-based obligations), maybe we can put this on the back burner. Sal feels UMA doesn't preclude people from experimenting with this.

Host/AM introduction pattern

Sal and Trey have been seeing drafts floated (in SCIM? OpenAXN?) that have an introduction phase between IdPs and APs that looks very similar to our pattern. We'd like to converge (and hopefully to not have too many deltas from our well-established design :-) ).

Continuing legal discussions

Riccardo would like to schedule special meetings and to work actively through email as well.

Attendees

As of 12 July 2012 (pre-meeting), quorum is 6 of 11.

Voting participants:

  1. Abeti, Riccardo
  2. Catalano, Domenico
  3. D'Agostino, Salvatore
  4. Drake, Trey
  5. Hardjono, Thomas
  6. Machulak, Maciej
  7. Maler, Eve
  8. Mohammed, Alam
  9. Szpot, Jacek

Non-voting participants:

  • Davis, Peter
  • Cox, Kevin
  • Hughes, Andrew

Next Meetings

  • WG telecon on Thursday, 9 August 2012, at 9am PT (time chart) - Eve regrets; Maciej will chair
  • WG telecon on Thursday, 16 August 2012, at 9am PT (time chart)
  • WG telecon on Thursday, 23 August 2012, at 9am PT (time chart)
  • WG telecon on Thursday, 30 August 2012, at 9am PT (time chart) - Eve regrets