UMA telecon 2011-11-03

UMA telecon 2011-11-03

Date and Time

  • WG telecon on Thursday, 3 Nov 2011, at 9am PT (time chart) – NOTE: UK and Europe have changed their clocks so this will appear one hour earlier than usual to participants in those locations
    • Skype line "C": +9900827042954214
    • US: +1-201-793-9022 (other int'l numbers) | Room Code: 295-4214

Agenda

  • Roll call
  • Approve minutes of 2011-10-13, 2011-10-20, and 2011-10-27 meetings
  • Action item review
  • Review 2011Q4 timeline
    • Edits from last week made?
    • Contributing rev 02 update of I-D?
    • Webinar planning: Doodle poll results?
  • UMA core spec issues
    • Attempt to solve #8, #14 through #17, and #24 expeditiously
    • Other issues are bonus
  • AOB

Attendees

  1. Bryan, Paul (chair pro tem)
  2. Hardjono, Thomas
  3. Alam
  4. Catalano, Domenico
  5. Morrow, Susan
  6. Szpot, Jacek
  7. Moren, Lukasz
  8. Machulak, Maciej

Minutes

Roll call

Quorum was reached.

Approve minutes of 2011-10-13, 2011-10-20 and 2011-10-27 meetings

Deferred.

Review 2011Q4 timeline

  • Thomas attended Kerberos conference at MIT; will be working on next Internet-Draft this week.
  • Paul planning on starting spin-off REST API Internet-Draft this week. Brief discussion re: relying on other Internet-Drafts, renewals, etc.

Upcoming webinar

  • Reminder to everyone please participate in the Doodle Poll for best date/time to host the next UMA webinar.
  • General agreement that Maciej should perform the demo, so need to confirm his participation.

UMA core spec issues

Issue #8: Does the returned permission ticket need an expiration field?
  • Paul: Short answer: no, tokens are opaque.
  • Paul: Longer answer: As long as tokens are opaque, expiration field is not necessary. This will change if/when we support tokens with semantics that host can use to make authorization decision. If/when we get to this point, we'll also possibly need other PKI-ish functions such as signature verification and token revocation mechanism. 
  • Paul takes AI to comment on this ticket in GitHub and close issue.
Issue #14: Filtering the token validation request
  • Deferring for discussion next week.
Issue #15: Must the host give access if the requester has suitable permission?
  • Paul: Short answer: no.
  • Paul: Longer answer: as, discussed last week: UMA is focused on discretionary access control (DAC). Mandatory access control (MAC) is out of UMA scope. Host SHOULD give access if the requester has suitable permission. Discretionary access control should not override mandatory access controls.
  • Paul takes AI to comment on this ticket in GitHub, modify the spec to SHOULD, and close the issue.
Issue #16: Must the host register a permission?
  • Paul takes AI to discuss with Eve in more detail and comment on the ticket.
Issue #17: Claims formats that are supported (?)
  • Thomas takes AI to include the OpenID Connect simple JSON-based claims model
Issue #24: Possible to audit host's compliance in giving access based on a legitimate active permission from the AM?
  • Paul: Short answer: no.
  • Paul: Longer answer: AM provides advice to host, and is not direct party to the interaction between requester and host.
  • Paul takes AI to comment on ticket in GitHub.
Issue #25 (bonus!): Possible to reduce requester's reliance on AM to ask for only the claims it strictly needs?
  • Paul: Short answer: no.
  • Paul: Longer answer: There is no testable way we can require the AM to ask for only the claims actually needed in making an authorization decision, because:
    • policies are intentionally opaque to requester and host
    • there is no known automated way to test the reasonableness of requested claims for a given permission
  • Paul takes AI to comment on ticket in GitHub.

Next Meetings

  • WG telecon on Thursday, 10 Nov 2011, at 9am PT (time chart) – NOTE: back in sync on most apparent time differences around the world – ALSO NOTE: – Eve regrets; who will serve as chair pro tem?
  • WG telecon on Thursday, 17 Nov 2011, at 9am PT (time chart) – NOTE: Likely Eve regrets; who will serve as chair pro tem?
  • NO WG telecon on Thursday, 24 Nov 2011 – U.S. Thanksgiving holiday
  • WG telecon on Thursday, 1 Dec 2011, at 9am PT (time chart)