UMA telecon 2010-05-27

Date and Time

Day: Thursday, 27 May 2010
Time: 9:00am-10:30am PST | 12:00-1:30pm EST | 16:00-17:30 UTC (time chart)
Dial-In:
- Skype: +9900827042954214
- US: +1-201-793-9022 | Room Code: 295-4214 (other local country numbers available on request)

Agenda

Administrative
- Roll call and introductions
- Approve minutes of 2010-05-13 meeting
- Review nominations for vice-chair and spec editor and take action as appropriate
- Upcoming meeting schedule
  - Legal subteam meeting on May 31 (now moved to June 7: see the UMA calendar for details)
- Action item review
- Reminder of #umawg chat room (web interface, log)
- How to do issue-tracking?
Review activities of "IIW week"
- UMA-related IIW sessions
- Other IIW sessions
- IEEE S&P poster session
- OAuth interim F2F
- Other
Prioritize and create timeline for remaining issues
- Ecosystem
- User experience
- Protocol
  - Core
  - Claims and "identity tokens"
- Legal
- Implementation
AOB

Attendees

As of 24 May 2010, quorum is 6 of 11.

Adams, Trent
Catalano, Domenico
Gamby, Randall
Holodnik, Tom
Maler, Eve
Scholz, Christian

Non-voting participants:

Thomas Hardjono
Jonas Hogberg
Nat Sakimura

Guests:

Joni Brennan (staff)
Anna Ticktin (staff)

Regrets:

Maciej Machulak

Minutes

New AI summary

2010-05-27-1	Eve	Open	Ask Maciej to run the June 10 meeting.
2010-05-27-2	Eve	Open	Record all open issues on the wiki.
2010-05-27-3	Eve	Open	Find and distribute info on the new proposal for OAuth signing.
2010-05-27-4	Eve	Open	Ask Dave Crocker for help with Step 1 user stories.
2010-05-27-5	Christian	Open	Recommend a solution for discovery, dynamic association, and host metadata for Step 1.

Roll call and introductions

Randall has been following Kantara since this year's RSA conference. He's the enterprise security architect for Mass Mutual. He's the IdM expert for Information Security magazine. He was recently a Burton Group consultant.

Anna is new to the Kantara staff.

Approve minutes of 2010-05-13 meeting

Minutes of 2010-05-13 meeting APPROVED.

Review nominations for vice-chair and spec editor and take action as appropriate

Maciej has nominated himself for the vice-chair position. Christian is still considering whether to go for the spec editor role.

Motion to undertake a non-secret ballot for the vice-chair position APPROVED unanimously.

Motion to install Maciej Machulak as the UMA WG vice-chair APPROVED by acclamation.

Upcoming meeting schedule

We'll have a normal meeting next week on June 3. Eve can't attend the June 10 meeting because she'll be on vacation; we'll ask Maciej to run the call.

The legal subteam is meeting on May 31 at noon PT/3pm ET/9pm CET, using the usual UMA WG dial-in.

Action item review

2010-04-08-2 TomH Open Revise the tax scenario for inclusion in the Scenarios document. Reopened.
2010-05-13-1 Eve Open Incorporate Tom's TaxMonkey scenario into the Scenarios document. Now OBE.
2010-05-13-2 Eve Open Print the IEEE S&P poster in smaller form for distribution at IIW. Now closed.

Reminder of #umawg chat room

How to do issue-tracking?

The staff is testing out Jira. The UMA group could become an early tester, but we've convinced ourselves to just continue using a wiki page to record issues. If things get much more complex, we can always "move up".

Review activities of "IIW week"

All IIWX notes
UMA-related IIW sessions: protocol, legal, claims, higher ed (not posted yet)
IEEE S&P poster session: poster is here
OAuth interim F2F

Tom's take on IIW was that a lot of people were intrigued by the first UMA presentation and the demos, and there was a lot of positive energy. The level of awareness overall among all the attendees was low, but this was a sort of coming-out party. Now that we had some code to show, several people expressed concern about the user experiences of the demos. The "User" in UMA means that the user experience must take a front seat.

The "OAuth enterprise signing" discussions may be relevant to us. In addition, the "OpenID Connect" discussions were relevant for the OpenID Connect proposal for discovery/dynamic association and the OpenID Artifact Binding solutions for strong RP/client authentication and user profile tokens (claims).

Prioritize and create timeline for remaining issues

Eve's expressed wish has been to finish incubating the UMA specs by August of this year, which would make one year of the WG's life. Question: Why did we pick IETF? We were building on OAuth, which had gone to the IETF. We could change this if we really wanted to. Would we want to be part of the OAuth group itself? It's already operating somewhat outside its charter, and being a clean extension on top could seemingly be done just fine as a separate group. OAuth itself is targeting being settled by the end of the year, and we want to encourage it to do so.

What should we accomplish by the end of June? Can we set a goal of fleshing out Step 1, in the following respects?

Develop more specific user stories about what the authorizing user would want to achieve in interacting with the host and AM
Consider absorbing the discovery and dynamic association mechanism proposed in the OpenID Connect proposal and take into account different levels of dynamicism of introduction
Add HTTP request and response examples
Document the resource details format
Confirm consensus on the AM endpoints and order of the flow of the host's interaction with them
Prototype the result
Consider specifying and possibly profiling one or more specific user delegation flows (at least the web server/redirect flow)

Yes. We started walking through the spec text of Step 1.

We're quite interested to reopen the question of how the host can dynamically meet the AM, since having the host be an entirely "anonymous client" (outside the context of any specific user) as we have it now is inefficient in any case where the host has to establish its bona fides with the AM. If the host provides its own URL as a client_id, then the AM can look up host metadata.

The host's metadata might want to include human-friendly labels for itself and a public key. For example, see how OpenID Artifact Binding is doing it.

Eve strongly recommends that the host only share details about the protected resources it hosts on behalf of that user after the user authorizes the host to get a host access token. The AM basically presents a "resource protection API", at which any host could present its "host access token" in order to get the service.

Thomas wonders if there is a layer violation in mixing authentication and consent at the authorization server. Eve suspects that if so, UMA will be inheriting the problem from OAuth rather than adding to the problem.

Christian believes we should wait before officially using JRD until it's more stable. Thus, we'll continue to use real XRD in the spec for now.

The claims and token formats in the AM metadata should probably be properties rather than links.

Does it make sense to document the various AM endpoints better by giving them the context of the "two APIs" that they represent? Yes, maybe in the introduction.

We should avoid the word "wield" in the spec!

Next Meeting: UMA telecon 2010-06-03

(See the UMA calendar for details of future meetings and for the details of the legal subteam meeting to be held June 7.)

Day: Thursday, 3 June 2010
Time: 9:00am-10:30am PST | 12:00-1:30pm EST | 16:00-17:30 UTC (time chart)
Dial-In:
- Skype: +9900827042954214
- US: +1-201-793-9022 | Room Code: 295-4214 (other local country numbers available on request)

Browser not supported