UMA telecon 2013-07-18

Date and Time

  • Focus meeting on Thursday, July 18, at 9am PT (time chart)
    • Skype: +99051000000481
    • US: +1-805-309-2350 (other international dial-in lines available) | Room Code: 178-2540

Agenda

Minutes

Emergent theme for today's meeting: Healthcare use cases!

Summer meeting schedule

We won't meet next week, but will have a hopefully quorate all-hands meeting on August 1. We'll keep to 60-minute meetings.

What happened at #CISNapa

Among the people on the call, Andrew, Eve, and Jin attended. Andrew: The attendees generally all believe in the API economy and need a way to protect them. So there was a lot of interest in UMA from people grappling with this problem. The F2F meeting we held with Respect Network (and also AXN) shed light on terminology understandings. RN has a concept of a personal cloud that is largely shared with other people working on this. Eve: The personal cloud definition exercise at this F2F was very useful. Jin: The OpenID Connect specification has come a long way, and basing things on OAuth is helpful for moving solutions onto hybrid platforms. UMA has a potential role in managing personal consent. This has implications for patient engagement work. It has to be possible to present UIs to the patient that make sense. Eve: Had new insight about "run-time consent" (weak) vs. "consent directive" (essentially a strong form of patient-controlled authorization). Keith: Likes this distinction. Andrew: Caution: In Canada, "consent directive" is a term of art that's hard to implement. The level of data granularity is what makes it so hard. Adrian: In the US, there's tons of overlapping federal and state law. All operators of data holders discuss how hard this is to do there. Eve: She's hopeful about "scope-grained authorization" being the right simplifying assumption to help the problem of authorization grain.

Eve: We variously explored UMA-XACML, UMA-XDI, and UMA-AXN opportunities for profiling and for UMA spec improvement. Stay tuned for more notes on this.

UMA open-source funding opportunity: Gluu UMA-RS-enabled Apache module proposal

Be sure to donate and get the word out! The Crowdtilt page is here. Please also RT the @UMAWG tweet. This would have pretty wide ecosystem effects if it gets developed.

Keith notes that he got feedback about UMA/Gluu saying that Java is too heavy, and node.js is their preference. Is anyone interested in doing something lightweight like this for the requesting party and a handheld device with a client app, for the GPII use case? Maciej isn't an expert in it so can't comment. But he notices that a lot of people are discussing distributed authorization without knowing about UMA, so his group has been considering sharing their code for this.

New UMA "infographics"

There's a new slide deck with fresh Venn diagrams and a new take on explaining UMA. Jin suggests: "Or you could use an animated GIF to walk through the process, such as this identity foundation blog post." This is a very interesting idea! We will take it into consideration.

Where to take the UMA work

We had discussed considering organizations other than IETF when we move from incubation to finalization. Nat has mentioned that OpenID Foundation could be a suitable location; he explained how its governance structure works to Eve and Andrew at CIS. What's the best way to execute on our UMA development and adoption facilitation goals?

Jin notes the NIST ABAC work (draft SP 800-162) is potentially relevant, and an UMA implementation of it would be very valuable. Andrew asks: Do we need velocity around standardization? Are there interdependencies with other organizations that we have to be in the same org to deal with? What orgs encourage open-source implementors to adopt it? Keith asks: What is the driver of what we most need? IETF helps with drafts and implementations if you want to drive to an RFC. Rolling this up: Who's the audience we want to attract?

Here is a candidate ordered list of actions we should take as part of this analysis:

  1. Analyze our "addressable market"
    1. Is there a market leader who pulls everyone else?
  2. Determine the right timeline for a change
  3. Determine the right org (see list below)
    1. (Assuming the timeline identified is moderately soon)
    2. Brainstorm candidate orgs: IETF, OASIS, OpenID Foundation, ITU-T, ...?
  4. Determine the right next steps

Here is a candidate unordered list of factors to consider in looking at orgs:

  • Gravitas and reputation among the "addressable market"
  • Support from the org
    • E.g., wiki, mailing list, publicity...
  • Governance imposed by the org
    • E.g., how top-down is the process for progression of a standard?
  • IP protections and constraints
    • E.g., how does it compare to our current one? to IETF I-Ds?
    • What stance does the open-source community have wrt it?
    • What do the proprietary vendors in the market prefer? Is there a way for proprietary solutions to pick up and run with an UMA implementation?
  • Friction in launching the group
    • Some orgs take two+ months, others take 15 days
  • Friction in joining
    • Can everyone who has been involved to date take part?
    • How easy or hard is it to walk up and participate?
  • Liaison opportunities with relevant standards and communities

Attendees

  • Eve
  • Ron
  • Andrew
  • Alam
  • Thomas
  • Jin
  • Keith
  • Maciej
  • Adrian
  • Sal
  • Domenico

Jin Wen is with McKesson. He attended CIS and is researching IAM for a program he's working on, the CommonWell Health Alliance. He's concerned about HIPAA privacy rules and wants to address them properly in his new platform. There are touchpoints with Adrian's work on patient rights and patient identification.

Next Meetings

  • No meeting on Thursday, July 25 - Eve, Maciej, Thomas regrets
  • All-hands meeting on Thursday, August 1, at 9am PT (time chart) - voting duties
  • Focus meeting on Thursday, August 8, at 9am PT (time chart) - Blue Button+ initiative preso by Josh Mandel and Justin Richer
  • Focus meeting on Thursday, August 15, at 9am PT (time chart) - Andrew regrets