UMA telecon 2014-08-06

Date and Time

Focus meeting Wed Aug 6 4-5pm PT/ Thu Aug 7 8-9am JPN / Thu Aug 7 9-10am AUS (time chart)
- Voice: Skype: +99051000000481 or US +1-805-309-2350 (international dial-in lines), room code 178-2540#
- Screen sharing: http://join.me/findthomas

Agenda

Hold meeting Aug 14? Eve regrets
Public review status and disposition of any comments to date
Interop planning and discussion as required (Maciej, Mark)
Vet milestone choices for open issues
Discuss Andi's Enterprise-Cloud use case and "Obligations" – are there new issues to add here?
Discuss Audit ID: issue 63 - goes first on next meeting's agenda!
If time: select another issue to discuss
AOB

Minutes

Events

Let's track the PII conference Nov 12-14 in Palo Alto.

Meeting planning

Let's not meet next week.

Public review status

No official comments have come in to date. Nat notes that repeating a review process until there's sufficient comfort with the spec is valuable. All other forums, including ISO, build this in.

IIW and interop

Eve will attend. Nat will probably attend. Gil probably won't.

Open issues and milestones

We adjusted milestone settings on various issues.

For issue #95, Maciej is interested to discuss it sooner rather than later. Marcelo is interested in the challenge of load-balancing one AS vs. another.

We discussed issue #83. Marcelo points out that if the RS doesn't do this right, it seems more like it's a broken RS vs. something we can fix in the spec. Nat comments that it might not be a privacy issue but might well be a security issue. Maybe it's more like a best practice, once we get more experience.

We discussed issue #37. It seems the "naive" method of simply re-registering scopes completely will work for now. In the worst case, an RS can redo everything.

We discussed issue #26. We'll leave it open, on the assumption that it may not be 100% closed by virtue the existence of the claim profiles spec.

We discussed issue #20.

Enterprise-Cloud use cases

Nat points out the quite often, location-dependent obligations need to be imposed, e.g. at Boeing for highly sensitive data. Gil also points out document redaction scenarios. There are consumer and IoT scenarios as well.

Gil often advises people not to use Obligations in XACML because it's such a mess. It can be hard to apply obligations in the right order etc.; that is, interpretation of them is not obvious. Some have talked about an obligations-handling service. Yikes!

However, it can be useful for the AS to convey various kinds of information to the RS, e.g. in/associated with the RPT. Eve notes that this kind of feature is eminently profilable as part of either the existing "bearer" RPT token profile, or new profiles that are XACML-style.

AI: Eve: Create an issue for Obligations-type communications and assign no milestone to it.

Audit privacy considerations

There are questions around the exposure of users' real names in error logs. So there's a need to pseudonymize/tokenize/"nickname" such PII while keeping the association. Zhanna will update us on her thoughts on this in email.

Attendees

Gil
Eve
Marcelo
Domenico
Ryan
Nat
Zhanna

Next Meetings

No meeting Thu Aug 14 9-10am PT (time chart) - Eve regrets
Focus meeting Thu Aug 21 9-10am PT (time chart)
All-hands meeting Thu Aug 28 9-10am PT (time chart)

Browser not supported