UMA telecon 2012-05-24

Date and Time

WG telecon on Thursday, 24 May 2012, at 9am PT (time chart) – Eve regrets
- Skype: +99051000000481
- US: +1-805-309-2350 (other international dial-in lines available) | Room Code: 178-2540

Agenda

Roll call
Approve minutes of 2012-05-17 meeting
Spec/issues review – proposed workstream priorities
- #20: Solve for various "requester-to-host first" (known resource location) vs. "request-to-AM first" (unknown resource location) flows
- #50: Considering modularizing the AS/RS interop portion for wider non-UMA adoption
- #56: Standardized scope descriptions for well-known APIs?
Any trust model/binding obligations discussion
AOB

Minutes

Roll call

Quorum was reached.

Approve minutes of 2012-05-17 meeting

Minutes of 2012-05-17 meeting APPROVED.

Discussion of issue #20

Thomas: The description of Issue #20 on GitHub seems to indicate that the problem is multi-faceted and can be broken up. There is the issue of discovery (how to discover) and there is the issue of access to one/multiple resources. If the Requester already has an AAT, then at least the AM (assuming it is providing discovery services) knows that the Requester has been authenticated.

Maciej says currently SMART AM does not have discovery (but may have it in the future).

George: In the hData/HER use-case, the issue involves an extra step of authorization because the User (patient) needs to allow the Specialist to connect to the PCP service who may not know the Specialist and his provider.

An analogy is the following: Alice is allowing Bob to access her photos at Photoz.com but Bob will be using a print-service unknown to Alice (call it PrintShop.com). So the entity that will be accessing Alice's photos at Photoz.com is not Bob the human, but instead it will be PrintShop.com (without Bob being present at PrintShop.com). So how does PrintShop.com learn which end-points to access at Photoz.com, etc.? The situation maybe more complex because Bob may not know in advance that he will be using PrintShop.com. (It would be nice if Bob could tell both Alice and Photoz.com about which print shop Bob will use, but there is no guarantee).

Sal suggested/asked if perhaps the discovery information could be communicated through the permission ticket. Thomas suggest that since Alice maybe using one AM to control her various resources across several Hosts, perhaps the AM could operate the discovery service. George suggest that the Host may be the better choice for proving a discovery feature. Currently it is out of scope (for the UMA WG) how the Requester finds the discovery service (regardless of where it sits).

Thomas suggest perhaps a discovery service could be designed to mimic the behavior of the AM in that: 1) it would be aware of an index or list of resources-sets at a Host and 2) it would need Requesters to obtain an AAT (and RPT) before querying the discovery service. George suggest that if we treat the queried data as just another resource, then a Host could protect it in the same way as other resources. Thomas agrees.

Chaining: George says that the difficult question is that of "chaining" of authorizations (such as in the case of Alice and Bob above). Domenico says this is reminiscent of Liberty Alliance.

Thomas suggests that in a future UMA telecon we should ask someone (e.g. George) to give an overview of (and the differences between) Simple Web Discovery (SWD) and WebFinger. Sal agrees with this suggestion, as an overview would help many folks in catching-up with OAUTH WG developments.

Thomas suggest to put Issues #50 and #56 for next week's telecon call.

Attendees

As of 22 May 2012, quorum is 6 of 10.

Catalano, Domenico
D'Agostino, Salvatore
Fletcher, George
Hardjono, Thomas
Machulak, Maciej
Moren, Lukasz

Non-voting participants:

Cox, Kevin
Mohammad, Alam

Regrets:

Maler, Eve

Next Meetings

WG telecon on Thursday, 31 May 2012, at 9am PT (time chart)
WG telecon on Thursday, 7 June 2012, at 9am PT (time chart)
WG telecon on Thursday, 14 June 2012, at 9am PT (time chart)
WG telecon on Thursday, 21 June 2012, at 9am PT (time chart)
WG telecon on Thursday, 28 June 2012, at 9am PT (time chart)

Browser not supported