UMA telecon 2012-02-23

Date and Time

  • WG telecon on Thursday, 23 Feb 2012, at 9am PT (time chart)
    • Skype: +99051000000481
    • US: +1-805-309-2350 (other international dial-in lines available) | Room Code: 178-2540

Agenda

  • Roll call
  • Approve minutes of 2012-02-16 meeting
  • Cancel next week's meeting or find chair pro tem due to RSA conference
  • Event planning
    • Tech Talk, RSA, tweet chat, F2F interop ...
    • Advertising, planning, attending
  • Review open action items
  • Work through issues
    • Issue 49: token upgrades vs. one-permission-per-token
    • Issue 7: caching language
  • AOB

Minutes

Roll call

Quorum was reached.

Approve minutes of 2012-02-16 meeting

Minutes of 2012-02-16 meeting APPROVED.

Cancel next week's meeting or find chair pro tem due to RSA conference

Next week's meeting is canceled due to RSA and travel.

Event planning

Maciej, Thomas, and Eve are doing a Google Tech Talk next week. The second tweet chat is a couple of weeks after that. The F2F interop is a month after that. We need to step up our virtual interop planning and preparation.

Work through issues

  • Issue 49: token upgrades vs. one-permission-per-token

The problem: In the current spec, the requester app, as controlled by the requesting party, first asks an AM for a single access token, which is then upgraded whenever a permission is added. That is, permissions applying to multiple hosts and multiple authorizing users are all associated with the same token, which just gets upgraded over and over. This potentially exposes information to each host that it has no right to see, because it concerns other hosts and users. With dumb implementations that expose token content directly, this could be an information leakage problem. We could instruct the AM to release only the token status data that is relevant to each host/authorizing user. Otherwise, if we stick with this single massive token, we'd have to profile the token content pretty severely to include selective encryption in order to solve the problem.
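The leak described above and the first mitigation mentioned (the AM releasing only the token status data relevant to each host/authorizing user), as an added sketch that is not part of the minutes or of the UMA spec. The token store layout, host names, user names, and function names are all hypothetical.

```python
# Constructed sample: one token, upgraded repeatedly, now carrying permissions
# for two hosts and three authorizing users. Layout is an assumption.
TOKEN_STORE = {
    "tok-123": {
        "requester": "requester-app-1",
        "permissions": [
            {"host": "photos.example", "authorizing_user": "alice",
             "resource": "album/7", "scopes": ["view"]},
            {"host": "calendar.example", "authorizing_user": "bob",
             "resource": "cal/work", "scopes": ["read"]},
            {"host": "photos.example", "authorizing_user": "carol",
             "resource": "album/9", "scopes": ["view", "print"]},
        ],
    }
}

INACTIVE = {"active": False, "permissions": []}


def token_status_unfiltered(token):
    """Naive AM: hands every permission on the token to whichever host asks."""
    entry = TOKEN_STORE.get(token)
    if entry is None:
        return dict(INACTIVE)
    return {"active": True, "permissions": list(entry["permissions"])}


def token_status_for_host(token, host, authorizing_user=None):
    """AM releases only the permissions that concern the asking host.

    Assumption: `host` is taken from the host's authenticated identity at the
    AM, never from a caller-supplied parameter, or the filter is meaningless.
    """
    entry = TOKEN_STORE.get(token)
    if entry is None:
        return dict(INACTIVE)
    relevant = [
        p for p in entry["permissions"]
        if p["host"] == host
        and (authorizing_user is None or p["authorizing_user"] == authorizing_user)
    ]
    # A token with nothing for this host is reported as inactive, so the host
    # cannot even learn that the requester holds permissions elsewhere.
    return {"active": bool(relevant), "permissions": relevant}


def leaked_to(host, status):
    """Entries in a status response that describe other hosts' permissions."""
    return [p for p in status["permissions"] if p["host"] != host]
```
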

A proposed solution: Cleanly separate the notions of the wide-scope OAuth "authenticated identity token" that applies to the requester/requesting party/AM and a set of one or more narrow-scope UMA "authorization tokens" that the AM hands out (or upgrades) when the requester asks for permissions to be added.

Lukasz and Maciej will share the details and diagrams for their proposal on the list ASAP.

Next Meetings

  • NO TELECON on Thursday, 1 Mar 2012
  • WG telecon on Thursday, 8 Mar 2012, at 9am PT (time chart)
  • WG telecon on Thursday, 15 Mar 2012, at 9am PT (time chart)
  • WG telecon on Thursday, 22 Mar 2012, at 9am PT (time chart)
  • WG telecon on Thursday, 29 Mar 2012, at 9am PT (time chart)

Attendees

As of 14 Feb 2012, quorum is 7 of 12.

  1. Mohammad, Alam
  2. Catalano, Domenico
  3. Hardjono, Thomas
  4. Machulak, Maciej
  5. Maler, Eve
  6. Miles, Arnie
  7. Moren, Lukasz
  8. Szpot, Jacek
  9. Wray, Frank

Non-voting participants:

  • Cox, Kevin

Regrets:

  • D'Agostino, Salvatore
  • Morrow, Susan