/
UMA telecon 2015-05-28

UMA telecon 2015-05-28

Owned by Eve Maler
Last updated: May 30, 2015

UMA telecon 2015-05-28

Date and Time

Agenda

  • Roll call
  • Minutes approval
  • Quick hits:
    • Webinar report
    • Virtual plenary in late June
    • Should we keep up the APAC-friendly meeting times the first week of every month in June++?
  • Leadership team elections
  • Binding Obligations review and next steps:
    • Real-life use cases
    • MVCR/OTTO liaison activities
    • Legal analysis
    • "Commitments"
  • AI review and AOB

Minutes

Roll call

Quorum was reached.

Minutes approval

MOTION: Approve the minutes of UMA telecon 2015-04-30. APPROVED by unanimous consent.

Webinar report

The recording is a great resource!

Virtual plenary

Keep an eye out on the community list for more information on this. The dates are (we think) the mornings (Pacific) of June 24 and 25. Eve will be presenting on the UMA WG at the plenary. It's a telecon-based event.

APAC-friendly meeting times

Starting in July again, we will hold our first-week-of-the-month meetings at the special time. Eve will change the calendar accordingly. We will meet at our normal time next week (June 4).

Leadership team elections

MOTION: Re-elect Eve as chair, Maciej as vice-chair, Thomas as spec editor, Domenico as user experience editor, and Maciej as implementation coordinator. APPROVED by unanimous consent.

MOTION: Propose a vote of thanks to those individuals, who have done an awesome job up until now. APPROVED. Thanks!

Spreading the word and getting together

Eve created a limited-edition line of mugs, and now Kantara is making a CafePress store for UMA stuff! So everyone can have UMAnitarian mugs, T-shirts, teddy bears, and so on. Yes, hats too.

There are great chances to get together at the Cloud Identity Summit. There won't be a formal BOF, but there will be informal chances to get together.

Binding Obligations review and next steps

Eve suggests a "depth-first", use-case-based approach to the BOs.

Rene asks: What about sharing with an organization vs. a person? What are the implications of that? For example, what if you want to share with everyone in a hospital? If we stick with the BO implication for a moment, then the hospital would be an NPE type of Subject as a Client Operator. This is covered in the BO terminology.

The use cases of interest for "tracking UMA interactions" may be:

  • Alice wants a receipt for:
    • PAT issuance
    • The policies she has lodged – is this as interesting? Eve suspects this is equivalent to health "consent directives" – so yes, this would be interesting to generate receipts for
    • Authorization data getting added to an RPT
    • The access Bob has succeeded in getting – Justin thinks this is more interesting
  • Bob wants a receipt for:
    • AAT issuance
    • The claims (facts and promises) he coughs up
    • Authorization data getting added to an RPT
    • The accesses he successfully achieved (RPT being used)

This has a relationship to auditing overall, and to the Consent Receipt work.

Maybe what we need to do this time, rather than looking at all the pairs of entities/parties, is look at the protocol afresh, and ask who would be interested to get notification that each interaction occurred.

Eve believes that the original concept of Consent Receipts was as a technique for enabling existing websites, apps, and IoT devices to achieve easier compliance with regulations, and thus it would have meant that applying CRs to UMA would have meant that it was only a "Bob" proposition vs. an "Alice" one. However, in recent times, as we have been flesing out the technical details of consent receipts, it appears that the receipt notion can be applied to auditing generally. So Justin's conception of it is that anyone can get a machine-readable receipt for any interaction.

Robert notes: It is reasonable that both parties in an agreement keep a copy of the agreement. In agile terms - do the thing that gives most value.

Does it make sense to "start on the outside", with Alice's and Bob's concerns, and then move inward only as we're able to identify use cases for the services in the middle? There are a variety of degenerate use cases where some of the parties are actually the same subject (e.g. Alice = Bob, or the RS = the AS, or whatever). The Consent Receipt WG is meeting in an hour (2pm ET) – join that group if you'd like to work on the data model!

We'll continue to press forward on this topic.

AIs

Everyone with UIG action items, please start to work on them!

Outstanding AIs:

  • AI: Sal: Investigate IP implications of formal liaison activities with other Kantara groups with the LC, and ultimately draft an LC Note as warranted.
  • AI: Gil: Edit the UIG to add Ishan's content and excerpt it for Eve to add to the FAQ, pointing everyone to the UIG.
  • AI: Sal: Fill out IDESG form to have UMA adopted as a recommended standard for use in the IDESG framework.
  • AI: Mike: Rework UIG section on organizations as ROs and RqPs.
  • AI: Eve: Update GitHub.
  • AI: Maciej: Write as many sections for the UIG as he can.
  • AI: Justin: Write a UIG section on default-deny and race conditions.
  • AI: Eve: Send suggested Wikipedia updates to Will at Gluu for English page updating, and to Domenico for Italian page updating, and to Rainer for hoped-for German page updating, and to Riccardo Abeti for the Spanish page, and to Mark for a Dutch translation.

Attendees

As of 23 Apr 2015, quorum is 8 of 15. (Dom, Sal, Mark, Thomas, Andrew, Robert, Maciej, Eve, Mike S, Jin, Ishan, Ravi, John, Mike F, Chris)

  1. Eve
  2. Maciej
  3. Ishan
  4. Andi
  5. Thomas
  6. Robert
  7. Domenico
  8. Mike S

Non-voting participants:

  • Rene
  • Sarah - University of WA - also working for Engage Identity
  • Justin
  • Tim
  • Ann

Regrets:

  • Sal