UMA telecon 2015-01-22

Date and Time

Agenda

  • Roll call
  • Minutes approval
    • Sample motion: Approve the minutes of UMA telecon 2015-01-15.
  • Upcoming meeting schedule
    • Reminder of special meeting Mon Feb 23; voting participants added to event invite
  • Interop progress
  • Educational materials
    • Reporting on AIs
  • V1.0 rollout
    • Reporting on AIs
  • Field public review comments and other open issues
  • AOB

Minutes

Roll call

Quorum was reached.

Minutes approval

Deferred

Upcoming meeting schedule

Mark notes that his Kennisnet colleague is speaking at SXSW on the education case study, and Eve is appearing with IEEE/Kantara folks for a panel on IoT and IRM. We'll collect and share links.

Shall we do UMArtinis and UMArgaritas again this year at RSA? Let's! George put in a Peer2Peer talk on standards and the IoT. What if we were to concentrate our efforts on supporting an UMA-related talk in the crowdsourced track? The submission process opens on Jan 29. Topics that might be interesting: trust el, digital enrollment, why to kill the password, panel announcing UMA V1.0... Maybe straightforwardly announcing the news might be best. RSA likes "controversial" panels. Sal is thinking of submitting his "Embedded UMA" talk as well. Maybe the UMA aspect could be soft-pedaled, and the live demo aspect could be highlighted. Getting both in would be awesome.

No meeting next week! We are meeting the following week at the APAC-friendly time (that is, apparently Wednesday afternoon/evening for non-APAC-ers).

Interop progress

Mike sees Roland making lots of commits to his test harness; they appear to be on the OIDC parts.

Educational materials

Most of the AIs are scheduled for progress this week and next.

Eve is working on a paper that she hopes will be accepted by the IEEE Privacy Engineering reviewers.

V1.0 rollout

This was the "kitten AI". People behave differently from how technologists want them to. This is in process.

Field public review comments and other open issues

Issue 128 is editorial, and needs to wait until an RFC number is assigned.

Issue 127 is mostly editorial. The question of whether to include "null" is not editorial. Discussion as recorded in the issues:

We have two usages of something Boolean. The first comes from the "active" claim in the introspection spec, in Section 2.2:

http://tools.ietf.org/html/draft-ietf-oauth-introspection-04#section-2.2

...where it just says "Boolean" and isn't clear about whether null is an option or not. Non-normative examples show only true and false. Eve was wrong about the JSON spec not saying "Boolean" (it does, though it spells it lowercase), and it does literally list true, false, and null. In the "active" case, we should probably alert Justin Richer to the potential ambiguity. Presumably the fact that it's a required property means that it should never be null, but it's good to be explicit.

The second is for the "redirect_user" hint. (The non-normative hint example has a bug in it; it needs to say true, not "yes".) Given the logic above, it suggests that null is not needed as a value, so we could say that the value is "a Boolean value, either true or false".

Agreed to do that.

Issue 126 is editorial.

What about thoughts on issue 125?

If an UMA client is running in a browser, for example, then it can't hold a secret in a trustworthy fashion. What does this mean for holding RPTs? In the "public" space, you can't prove it's the client making the request. So when the client is "non-provable", what do you do? Does the PKCE spec come into play? Should we name-check the "PKCE" spec now that it's got a new name? That's a way, in browser-based redirects, to ensure that you send a token back to the same client. So there's still a problem in the picture.
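As an added illustration of the PKCE binding mentioned above (example code written for these minutes, not code from any UMA or PKCE implementation), a toy authorization server stores the code_challenge presented at authorization time and only hands out a token to a caller that can present the matching code_verifier; the AuthorizationServer class, its method names and the "rpt-..." token format are assumptions made for the example.

```python
# Added example (not UMA/PKCE spec code): PKCE S256 binding between the client that
# starts an authorization request and the one that redeems the code. Names assumed.
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """32 random bytes encode to a 43-character verifier (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))

def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Toy AS: stores the challenge per issued code, checks the verifier on redemption."""
    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, str]] = {}  # code -> (client_id, challenge)

    def authorize(self, client_id: str, code_challenge: str) -> str:
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> Optional[str]:
        entry = self._pending.pop(code, None)  # single-use; a failed attempt burns the code
        if entry is None or entry[0] != client_id:
            return None
        if not hmac.compare_digest(code_challenge_s256(code_verifier), entry[1]):
            return None  # verifier mismatch: not the client that started this flow
        return "rpt-" + b64url(secrets.token_bytes(16))  # constructed token value

def demo_exchange() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Returns (token with the right verifier, result without it, result of code reuse)."""
    auth = AuthorizationServer()
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    # Whoever holds only the code (e.g. from an intercepted redirect) cannot redeem it.
    wrong = auth.token("browser-app", auth.authorize("browser-app", challenge), "guess")
    # A fresh flow with the matching verifier succeeds; replaying the same code does not.
    code = auth.authorize("browser-app", challenge)
    ok = auth.token("browser-app", code, verifier)
    reused = auth.token("browser-app", code, verifier)
    return ok, wrong, reused
```

The challenge derivation can be checked against the RFC 7636 Appendix B test vector; the secret never leaves the client, so a public client gains proof-of-possession of the code without holding a client secret.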

AI: Sal, George: Do a close reading of UMA Core Sec 8.1 against the OAuth Security Cheat Sheet and see where we can improve the former.

Attendees

As of 14 Jan 2015, quorum is 7 of 12. (Dom, Sal, Mark, Thomas, Andrew, Robert, Maciej, Eve, Mike, Jin, Ishan, Ravi)

  1. Mark
  2. Robert
  3. Thomas
  4. Domenico
  5. Maciej
  6. Jin
  7. Sal

Non-voting participants:

  • George
  • Zhanna
  • Colin
  • Marcelo

Regrets:

  • Ishan