UMA telecon 2015-07-16
Date and Time
- Thu Jul 16 9-10am PT
- Voice: Skype: +99051000000481 or US +1-805-309-2350 (international dial-in lines), room code 178-2540#
- Screen sharing: http://join.me/findthomas - NOTE: IGNORE the join.me dial-in line shown in favor of the dial-in info above (Kantara "line C" and the Skype line)
- UMA calendar: http://kantara.atlassian.net/wiki/display/uma/Calendar
Agenda
- Roll call
- Minutes approval
- Sample motion: Approve the minutes of UMA telecon 2015-06-25 and read into today's minutes the notes of UMA telecon 2015-07-01 and UMA telecon 2015-07-09.
- Quick hits:
- AI status
- License/contract/Binding Obs next steps
- Issue backlog next steps
- AOB
Minutes
Roll call
Quorum was not reached.
Minutes approval
Deferred.
New UMA Developer Resources WG
Is this way of doing open source going to work? It seems worth a try. Mike points out his experience of writing an Apache module, which took longer than expected. Libraries might be valuable, but he points out that how-to recipes for building, e.g., smart clients might be even more valuable. Examples of how to apply the components could be valuable. "Client" means a lot of things. Sorting that out would be super-helpful. And maybe that group wants to expand its charter to include, if not specs, then non-code deliverables. Maybe this WG will want to remand the UIG to that WG for completion!
The implementations that exist are, Mike believes, AS-heavy and Java-heavy. His implementation protects SCIM deployments.
AI: Mike: Write SCIM protection case study to highlight client claims-based use case.
License/contract/Binding Obs next steps
Adrian wants to solve the problem of making the entire system more user-centric. What are the properties of a license model vs. a contract model wrt this problem? For example, in health, resource servers tend to err on the side of security over privacy, and thus don't want to allow dynamic client registration. He's looking to provide a safe harbor to them, to allow Alice to achieve what she wants. The transference of responsibility is valuable for his ends.
Adrian believes the biggest hurdle is getting the RS to sign on with the AS, not between the RO and RqP. Let's take this up next time.
The license model we discussed last time could be extended with the machine-readable license language Tim brought up if we bake the language into the scope (or even resource set?) descriptions; this is an idea Dazza had a long time ago. Eve calls this a "notice model" because the act of using the scopes (exercising the license?) binds the RqP. Jon would say, rather, that the RO is the licensor and has issued the license; it's the opposite of a notice model. You can have choice exercised through the issuance of multiple different licenses.
Eve's attempt at a dialogue that achieves Bob's consent need not be mapped to contract; licensure could work as a model too, says Jon.
The time seems to be right to start having legal subgroup meetings to come to recommendations about RO-RqP, RS-AS, and any other transactional relationships in the UMA environment. Adrian suggests inviting Jim Hazard as well. The goals might be:
- Jurisdictional friendliness internationally
- Applicability to many different vertical and horizontal use cases, including health
- Support of higher-level access federation trust frameworks and similar efforts
Issue backlog next steps
What do people think about breaking changes? Mike is okay with them. Justin feels it's important to consider the changes. He doesn't care what the version number is. MIT is only tracking a released version of the protocol, vs. drafts.
We need to discuss timelines for any revision considerations, and also our plans for the Informational RFC submission process.
AI status
- AI: Thomas: Review the charter for potential revisions in this annual cycle. Treat this as a reminder!
- AI: Eve: Review Marcelo Wikipedia comments and take next actions.
- AI: Tim: Expound on the licensing idea in email. DONE.
- AI: Sal: Investigate IP implications of formal liaison activities with other Kantara groups with the LC, and ultimately draft an LC Note as warranted. Let's discuss this at the next LC call.
- AI: Gil: Edit the UIG to add Ishan's content and excerpt it for Eve to add to the FAQ, pointing everyone to the UIG.
- AI: Sal: Fill out IDESG form to have UMA adopted as a recommended standard for use in the IDESG framework. PROGRESSING. There are multiple steps. He has gone through the process with OAuth and OIDC already.
- AI: Mike: Rework UIG section on organizations as ROs and RqPs.
- AI: Eve: Update GitHub.
- AI: Maciej: Write as many sections for the UIG as he can.
- AI: Justin: Write a UIG section on default-deny and race conditions.
Attendees
As of 1 Jul 2015 (pre-meeting), quorum is 7 of 13. (François, Domenico, Sal, Mark, Thomas, Andi, Ishan, Robert, Maciej, Eve, Arlene, Mike, Jin)
- Eve
- Andi
- Arlene
- Thomas
- Robert
Non-voting participants:
- Justin
- Adrian
- Abhi
- George
- Colin
- Marcelo
Regrets:
- Domenico
Guest:
- Jon Neiditz - intended participant - lawyer - consenting adult - leads a practice focused on privacy, consent, cybersecurity