UMA telecon 2015-07-01

Date and Time

Agenda

  • Roll call
  • Minutes approval
  • Quick hits:
    • AI status
    • August meeting plans?
  • Binding Obs
  • AOB

Minutes

Roll call

Quorum was not reached (not that it is generally expected in this specially scheduled call).

Minutes approval

Deferred.

Logistics

It was noted that join.me has grown in functionality since we started using Thomas's paid account, and there is now a dial-in number displayed that we are not using; instead we use Kantara's "line C", which comes with a Skype option. Should we continue splitting up the screenshare and the dial-in (and warn people to try and avoid confusion), which has the advantage of offering the Skype option, or align the two so as to fully avoid any confusion? Eve will ask on the list and we will decide by next time.

Upcoming event in Singapore and UMA-XACML interest

Kuppinger Cole conference in Singapore in November: Gil proposes a panel that freshens up the discussion about XACML. E.g., how does XACML plug into UMA? Could it be part of the panel, or maybe be a separate session? And relatedly, might there be interest in developing a profile of XACML for UMA, a profile of UMA for XACML, or both? Eve had written some thoughts following on to Hal Lockhart’s white paper on an XACML profile for OAuth policies, which could provide some food for thought.

Eve will ping her colleague Allan Foster, who is Singapore-based, for interest in co-presenting. Colin is interested in the topic; he probably can’t attend if not speaking. Justin would be interested to attend the conference if someone is willing to send him!

Gil’s conclusion with his colleague was that XACML policy, or even portions of it, in combination with UMA is a good idea.

How would an OASIS/Kantara split of activity work? An active liaison would probably be a good idea. As long as text isn’t quoted, and “incorporating by reference” is okay, then a profile on either end is probably acceptable.

The REST profile for XACML was published about six months ago. The UMA FAQ mentions it.

Justin’s demo at the HIMSS conference protected XACML policy as an UMA resource! That’s a nice new one.

UMA issue backlog

Justin has been implementing UMA against an existing OAuth and OpenID Connect server and has been collecting ideas for things that could be optimized or fixed or cleaned up. He’s been sitting on them so far, partly to be sure he understands them fully, and partly not to upset the V1.0 apple cart.

His items/ideas include, for example (he has 16):

  • “dynamic endpoint” config data naming (vs. “registration endpoint”)
  • “rpt endpoint” being separate from the ordinary OAuth token endpoint doing an ordinary OAuth token grant, which would allow the client to specify the scopes it wants, which it can’t do now

Eve has been thinking about one, which is:

  • Letting an RS register more than one requested permission rather than a single one

Binding Obligations

Sociotechnical Systems conversation, commitments, and obligations: Eve, Tim, and others are meeting with Professor Munindar Singh and his colleagues on July 10 at 9am PT. If anyone is interested in joining the call, drop Eve a line.

Eve will send a link to Prof. Singh’s extended abstract and other papers to the list. (DONE: Email is here.)

NZ government POC

Colin describes the ongoing NZ government POC. The first sprint is to stand up an UMA out-of-the-box scenario. Governments, like any large enterprise, have issues with delegations: a user wants to delegate access to others out of their account, and there are also “headless” use cases where the user is not present. Colin is not directly involved, but is observing from the side. He’ll give updates as he can.

AIs

  • AI: Thomas: Review the charter for potential revisions in this annual cycle.
  • AI: Tim: Expound on the licensing idea in email.
  • AI: Sal: Investigate IP implications of formal liaison activities with other Kantara groups with the LC, and ultimately draft an LC Note as warranted.
  • AI: Gil: Edit the UIG to add Ishan's content and excerpt it for Eve to add to the FAQ, pointing everyone to the UIG. Update: Will try to do this weekend.
  • AI: Sal: Fill out IDESG form to have UMA adopted as a recommended standard for use in the IDESG framework.
  • AI: Mike: Rework UIG section on organizations as ROs and RqPs.
  • AI: Eve: Update GitHub.
  • AI: Maciej: Write as many sections for the UIG as he can.
  • AI: Justin: Write a UIG section on default-deny and race conditions.

Attendees

As of 1 Jul 2015 (pre-meeting), quorum is 7 of 13. (François, Domenico, Sal, Mark, Thomas, Andi, Ishan, Robert, Maciej, Eve, Arlene, Mike, Jin)

  1. Eve
  2. Sal
  3. Thomas

Non-voting participants:

  • Gil
  • Justin
  • Dave
  • Adrian
  • Colin