UMA telecon 2017-06-15

Date and Time

Thursdays, 9-10am PT
- Screenshare and dial-in: http://join.me/findthomas
- UMA calendar: http://kantara.atlassian.net/wiki/display/uma/Calendar

Agenda

Roll call
Approve minutes of UMA telecon 2017-05-25
Logistics:
- Public Comment/IPR Review period concludes on July 12 – please report any comments you have during this period
- No meeting on June 22 due to Cloud Identity Summit
- Who's going to CIS? Should we have a BOF? What sessions should we be aware of?
UMA V2.0 work:
- All GitHub issues for V2.0/dynamic swimlane (not updated to the spec refactor)/Release Notes/UIG/Wikipedia
- It seems no discussion is needed on new issues #326, #327, #328 – all are editorial and none seem to have controversy (speak up if you disagree)
- Issue #257: Discuss new proposal for how to write the release notes (from Eve)
- Issue #287: Time to submit our IANA registry requests formally?
- Issue #300: Update our IETF Internet-Drafts (or create new ones) at Recommendation status?
Leadership team elections
- Terms expire June 23 so we should vote on positions and new annual terms by either today or June 29
AOB

Minutes

Roll call

Quorum was reached.

Approve minutes

Approve minutes of UMA telecon 2017-05-25: Deferred.

Logistics

Public Comment/IPR Review period concludes on July 12 – please report any comments you have during this period
No meeting on June 22 due to Cloud Identity Summit
Who's going to CIS? Should we have a BOF? What sessions should we be aware of?

Check out this nice article from KuppingerCole.

CIS: Justin, Eve, Mike, Colin, Sal, Mark L. Don't miss the UMA2 session on Thursday afternoon. Justin is speaking on Shadow IT on Monday, and gray lists on Thursday. There's a Kantara workshop on Monday morning, where there will be a lot of updates, and a Kantara booth (table). IRM has an updated principles paper. Eve is speaking on HEART on Thursday. Sal, Mark, and Eve are on a privacy panel Tuesday afternoon. Sarah is speaking on VoT (vectors of trust) just before the UMA talk (this is opposite the HEART talk). Mike is speaking in the Practical OIDC track on good client software Wednesday morning. Eve and others are performing in a band on the Wednesday night after the keynote. #ZZAuth, baby.

Let's all promote each other's talks as the week proceeds!

UMA V2.0 work

All GitHub issues for V2.0/dynamic swimlane (not updated to the spec refactor)/Release Notes/UIG/Wikipedia
It seems no discussion is needed on new issues #326, #327, #328 – all are editorial and none seem to have controversy (speak up if you disagree)
Issue #257: Discuss new proposal for how to write the release notes (from Eve)
Issue #287: Time to submit our IANA registry requests formally?
Issue #300: Update our IETF Internet-Drafts (or create new ones) at Recommendation status?

Release notes approach: Eve's attempted approach seems reasonable enough. The categories are: Spec Reorg, Terminology Changes, AS Discovery, AS/C and RS/C Communications (basically UMA grant), AS/RS Communications (basically fed authorization), and General. An UMA2 implementation approach might involve a fresh start in any case, though Eve's feeling is that it's just due diligence to publish proper release notes, to catch small corner cases or any small bits of code reuse that got things wrong from before.

Justin notes that the MPD implementation is sort of "95% there", it's just that he'd need a sponsor, or engineers thrown at it to do pull requests. This was a branch on MITREid Connect (the previous version, V1.2). It was never brought into an official release stream. Sal might reach out about that.

AI: Eve: Send off emails to the relevant official IANA Registry email addresses regarding making the registration requests.

I-Ds: Do we even need to create something like this anymore? Does anyone point people to the I-D versions anymore? Justin gives this example. We probably should have put links to the wiki home page into those pointer I-Ds in the first place, but oh well. Consensus not to bother.

The thread with Pedro

Are there any actions needed based on the various topics in that thread?

You don't do the implicit grant with UMA; you do the UMA grant itself. It allows any client type you want, unless you want to further constrain client types in some profile of the UMA grant that you write yourself. The UMA grant does have special protections within it that make it more secure – in some respects – than, say, the authorization code grant, because (e.g.) the permission ticket is obtained through an API call.

This sounds a bit related to Eve's discussion with some researchers asking why the permission ticket exists and questioning its security and usability benefits.
Also see Chapter 1 of Justin's book, available for free!

Developing a test harness and doing an UMA (assuming UMA2?) conformance program: Kantara is looking for directed funds to make this happen! Our last estimate was $60K. Maybe it could use some volunteer effort as well to defray expenses.

A while back, Gluu had done some work on figuring out a sample API to protect.
Maybe informal interop testing is what's needed before formal testing. Then again, note that the informal OIDC testing was messy and hard to manage. "Neatness" of testing would count for a lot.

Leadership team elections

Terms expire June 23 so we should vote on positions and new annual terms by either today or June 29

All are encouraged to stand for any position they wish.

AI: Eve: Send note to the group about positions and nominations (self- or other).

Attendees

As of 7 Mar 2017, quorum is 4 of 7. (Domenico, Sal, Andi, Maciej, Eve, Mike, Cigdem)

Domenico
Sal
Eve
Cigdem

Non-voting participants:

Justin
Scott F
Colin L
Thomas
Bjorn Hjelm

Regrets:

James
John W

Browser not supported