UMA telecon 2016-03-24

Date and Time

• Thu Mar 24, 9-10am PT (N.B.: SUMMERTIME SKEW IS OVER)
  • Voice: Skype: +99051000000481 or US +1-805-309-2350 (international dial-in lines), room code 178-2540#
  • Screen sharing: http://join.me/findthomas - NOTE: IGNORE the join.me dial-in line shown here in favor of the dial-in info above (Kantara "line C" and the Skype line)
  • UMA calendar: http://kantara.atlassian.net/wiki/display/uma/Calendar

Agenda

• Roll call
• Approve minutes of UMA telecon 2016-03-17
• Final review of security extension spec (latest as of 2016-03-22) and non-normative doc related to issue 239
• Wide ecosystem analyses and solution proposals
• Roadmap checkin
• AOB

Minutes

Roll call

Quorum was reached.

Approve minutes

Approve minutes of UMA telecon 2016-03-17: APPROVED.

Issue 239 materials

We agreed to remove "as the sole means of trust elevation" because SHOULD is the operative instruction regardless.

Discussion of the new security considerations: We're not allowing both endpoints because it's a big mess to have to deal with "old" clients along with "new" clients. You'd have to flag clients in some fashion. So this section is something of a rationale for the endpoint swap. Eve suggested a slight wording change to give it this flavor.

MOTION: Moved by Sarah. Seconded by Sal: Approve the "UMA Claims-Gathering Extension for Enhanced Security" specification, as to be amended, as a draft Technical Specification. APPROVED by unanimous consent.

AI: Maciej and Eve (with Oliver): Publish the new extension spec.

What to do with "progressing" this spec? Let's let it lie for now, and think about changes in "batch" with other 2016 roadmap work on the other specs.

What sort of publicity should we do around this? Mention on wiki, on FB, etc. Talk about it at an UMA Update session at IIW?

AI: Eve: Create an issue for the next minor rev of UMA (if there is one) to point back to the extension spec in some fashion and either deprecate it or absorb it, whatever is appropriate.

Wide ecosystem

We reviewed some previously discussed topics about wide ecosystem challenges. What value does the AAT bring? Based on current implementation and usage, it seems valuable for at least narrow and medium ecosystems, but in Justin's experimental work for wide ecosystem purposes he has done away with it entirely. Does a wide ecosystem actually require removing it if it turns out to be valuable for others? Sal points out that some IoT use cases also bring in special circumstances such as disconnection from the network.

AI: Eve: Send wide ecosystem doc and graphics.

Attendees

As of 20 Feb 2016, quorum is 7 of 12. (François, Domenico, Kathleen, Sal, Thomas, Andi, Robert, Maciej, Eve, Mike, Sarah, Ran)

1. Domenico
2. Kathleen
3. Sal
4. Thomas
5. Maciej
6. Eve
7. Mike
8. Sarah

Non-voting participants:

• Adrian
• Justin
• Arlene
• Jin
• John