UMA telecon 2012-08-02

Date and Time

WG telecon on Thursday, 2 August 2012, at 9am PT (time chart)
- Skype: +99051000000481
- US: +1-805-309-2350 (other international dial-in lines available) | Room Code: 178-2540

Agenda

Roll call
Approve minutes of 2012-07-19 and 2012-07-26 meetings
Chair pro tem for Aug 9 meeting? (Eve regrets)
OASIS PMRM liaison ideas and AIs
OAuth dyn-client-reg: how to make progress?
AI review
Legal ad hoc meeting report and next steps
Feature test update
Spec progress, review, issues
- Which outstanding issues rise to the level of A-priority?
AOB

Minutes

New AI summary

2012-08-02-1	Eve	Open	Reach out to Justin to establish his ability and willingness to follow up on dyn-client-reg.
2012-08-02-2	Eve	Open	Send UMA use case information to PMRM group.
2012-08-02-3	Sal, Trey	Open	Liaise with others as appropriate on potential alignment opportunities for host/AM introduction-type patterns.
2012-08-02-4	Eve	Open	Schedule regular calls to tackle legal, trust, and obligations issues.

Roll call

Quorum was reached.

Approve minutes of 2012-07-19 and 2012-07-26 meetings

Minutes of 2012-07-19 and 2012-07-26 meetings APPROVED.

Chair pro tem for Aug 9 meeting? (Eve regrets)

Maciej will chair.

OASIS PMRM liaison ideas and AIs

We have consensus to share UMA use cases with the PMRM group.

OAuth dyn-client-reg: how to make progress?

The OAuth group would like those of us who are interested in this work to step up and push it forward. As far as implementations go, we know of three implementations: SMART, Fraunhofer, and Tom Brown's. We also know of several loci of interest: OpenAXN (e.g. Justin), OAuth native client folks (such as Nat), and UMA use cases.

AI review

Rev 05c closes issue #61. We'll consider Domenico's AI closed because of his latest document outlining promissory claims needs.

Legal ad hoc meeting report and next steps

One new concept from yesterday's meeting relates to how we can make the requesting party's knowledge about the parameters of access. If Bob never makes use of the access he has rights to, is he obligated yet? According to our current Binding Obligations model, potentially yes. This is because promissory claims are "active" -- Bob must provide info or consent to terms. There has to be a UX for presenting the terms in this case, ensuring that Bob understands what he's doing.

If you combine a trusted identity claim with a promissory claim, that's powerful. This is akin to signing a contract with a notary present. Even without requiring an LOA3 identity claim, you can get pretty far with enforceability; today's web is actually worse.

Do we have to say more about server logs to achieve our enforceability goals? Our first priority is to protect Alice's interests, but part of doing this is to sufficiently protect the interests of all the others in the picture.

How can we do a lightweight version of promissory claims that are meaningful? Our old Simple Access Authorization Claims spec has a potential answer. Trey has done something similar, which they've called "policy classes". Claim recordation would provide the URL of the terms agreed to, along with some metadata that timestamps the agreement so that the representation of the resource behind the URL can be unambiguously identified.

Does the Binding Obs doc have to say that the AM takes on an obligation to Bob to accurately represent to him what claims he needs to provide? Perhaps. This connects to the issuance of the AAT.

Further, each permission (in the bearer token profile) may be associated with different specific claims that Bob provided. Some of those claims may be promises. Perhaps the AM is the place where Bob should go to interact with an interface where he can look up his claims-based obligations? Or the IdPs he's used to provide identity claims could help. Eve is worried that optimizing for Bob's needs is too much for UMA V1, and since we have a naive answer (all the apps with AATs can help Bob learn his claims-based obligations), maybe we can put this on the back burner. Sal feels UMA doesn't preclude people from experimenting with this.

Host/AM introduction pattern

Sal and Trey have been seeing drafts floated (in SCIM? OpenAXN?) that have an introduction phase between IdPs and APs that looks very similar to our pattern. We'd like to converge (and hopefully to not have too many deltas from our well-established design :-) ).

Continuing legal discussions

Riccardo would like to schedule special meetings and to work actively through email as well.

Attendees

As of 12 July 2012 (pre-meeting), quorum is 6 of 11.

Voting participants:

Abeti, Riccardo
Catalano, Domenico
D'Agostino, Salvatore
Drake, Trey
Hardjono, Thomas
Machulak, Maciej
Maler, Eve
Mohammed, Alam
Szpot, Jacek

Non-voting participants:

Davis, Peter
Cox, Kevin
Hughes, Andrew

Next Meetings

WG telecon on Thursday, 9 August 2012, at 9am PT (time chart) - Eve regrets; Maciej will chair
WG telecon on Thursday, 16 August 2012, at 9am PT (time chart)
WG telecon on Thursday, 23 August 2012, at 9am PT (time chart)
WG telecon on Thursday, 30 August 2012, at 9am PT (time chart) - Eve regrets

Browser not supported