UMA telecon 2014-07-10

Date and Time

Agenda

  • AI status
  • August meeting planning
    • Ways to accommodate those in the southern hemisphere
  • Event planning
    • Interop testing at MIT? elsewhere?
  • Spec draft status
  • Discuss how to progress healthcare use cases
  • Discuss IoT use cases
  • AOB

Minutes

Introductions

Marcelo da Cruz Pinto is joining for the first time. He has worked for Intel for eight years, the last two from Portland OR. For the last ~18 months, his group has been following UMA closely, at first for privacy and now for IoT. They decided to join the group and contribute use cases.

AI status

Eve will brush up the specs for editorial edits today.

August meeting and interop activity planning

  • Ways to accommodate those in the southern hemisphere

There's interest in something like an "APAC call time" occasionally. What if we were to hold once-a-month focus group meetings at the "APAC" time along with our "EMEA-friendly" regular times? Would 5pm PT/7pm CT/8pm ET/7am JP be interesting? Would August be a great time to offer more APAC slots and fewer EMEA slots?

AI: Eve: Send email proposing a meeting time structure.

  • Event planning
    • Interop testing at MIT? elsewhere?

The Juju work has an interop that will involve UMA as well, though not officially until 2015. Could we align that with a "primary" UMA virtual interop somehow? We think it could benefit from using a subset of the UMA feature test set. The OIDC interop portion for Juju includes dynamic client registration features. Gluu has a client implementation that is simultaneously an OIDC client and an UMA client. We need to start working on shaping which FTs are in scope for the "UMA1" virtual interop.

AI: Andi: Research xml2rfc's capability of including "real" (non-ASCII) diagrams.

We want to include a nicer picture of all the APIs and tokens in the core spec that can serve as a quick reference. Mike's version (second diagram here) is considered helpful. We could also use the marvelous spiral paradigm as used in our UMA 101 slides.

AI: Maciej and Mark: Analyze the current state of the FTs to figure out: 1) if they're accurate according to the final 0.9 specs, including claims-gathering; and 2) which FTs are "in scope" for the UMA1iop activity.

We'd like to focus on getting informal interop testing started as soon as possible. Maciej will drive this, and Eve and Roland and others can also get together at CIS to discuss this.

Regarding August schedules, Domenico will be on holiday starting in the second week of August.

AI: Eve to propose August meeting times.

The place to discuss interop activities is the UMA-dev list. If you are going to work on an implementation and/or take part in the interop activities, please join!

AI: Mike: Send message to UMA-dev about the idea of using a shared OP server for interop.

Discuss how to progress healthcare use cases

Eve is meeting shortly with Josh Mandel to discuss UMA questions around the ONC pilot effort. What's the right way for the UMA WG participants to liaise with the ONC pilot group? The pilot group has regular meetings on Tuesdays, but this isn't an open meeting. We did discuss ways of moving forward and examples of profiling in last week's meeting; Eve suggests that the ONC pilot group draft some profiling language based on the examples we pointed to, and come to the UMA WG with drafts to get review and guidance.

Adrian notes that healthcare and IoT intersect. Some actors don't want to deal with dynamic registration, for example.

Discuss IoT use cases

What is it about the IoT use cases that needs, or can't use, dynamic registration? Marcelo (who contributed to this Intel Web of Things position paper) comments: They've been assuming that dynamic registration is valuable, so far. Token and authorization data provisioning could happen, say, at the factory. Then again, what if a device needs to be connected up to two different authorization servers?

He distinguishes two scenarios: industrial vs. consumer-facing. They have a lot of similarities, though. One of the key aspects of industrial IoT is that there's no natural person serving as the RO. It's more like the air conditioner manager, or initial installer. This sounds exactly analogous to the "UMA for enterprise" scenario: a human agent of an organizational "legal person" may be involved, but the true RO isn't a human.

Another consideration is that a constrained device itself might have a proxy service functioning as the RS as far as the UMA touchpoints are concerned.

The W3C paper has a distributed computing basis in the design principles it advocates. He notes: "UMA is a way of thinking about resources." Interestingly, Eve has been finding that for people experienced in traditional enterprise fine-grained authorization, "UMA is a way of thinking about scopes."

Mike wonders if IoT can inform our interop work. IoT tends to involve native apps, and people have a million questions about how we're going to solve IoT security.

Attendees

  • Eve
  • Mark
  • Andi
  • George
  • Marcelo
  • Thomas
  • Abhi
  • Casey
  • Katie
  • Zhanna
  • Maciej
  • Domenico
  • Jin
  • Mike
  • Ann
  • Sal
  • Adrian

Regrets:

  • SteveO

Next Meetings

  • Focus meeting Thu Jul 17 9-10am PT (time chart)
  • All-hands meeting Thu Jul 24 9-10am PT (time chart)