UMA telecon 2011-05-12

Date and Time

  • WG telecon on Thursday, 12 May 2011, at 9-10:30am PT (time chart)
    • Skype line "C": +9900827042954214
    • US: +1-201-793-9022 (other int'l numbers) | Room Code: 295-4214

Agenda

  • Roll call
  • Approve minutes of 2011-04-28 meeting
    • May 26: Eve regrets
  • Leadership team election status
    • Vice-chair position up for re-election by May 27
    • Also Graphics/UX editor position (overdue)
  • Action item review
  • IIW review
    • Reports from sessions
    • Interest in defining standard action descriptions
    • Claims 2.0 next steps
    • Other IIW goings-on
  • Scoped access spec review
  • OAuth interim meeting planning
  • AOB

Attendees

As of 21 Apr 2011 (pre-mtg), quorum is 8 of 14.

  1. Catalano, Domenico
  2. D'Agostino, Salvatore
  3. Hardjono, Thomas
  4. Machulak, Maciej
  5. Moren, Lukasz
  6. Maler, Eve

Non-voting:

  • Kirk Brown
  • Kevin Cox
  • Cordny Nederkoorn

Regrets:

  • Susan Morrow
  • Frank Wray

Minutes

New AI summary

  • 2011-05-12-1 Eve Open Check out the possibility of running a new UMA webinar.
  • 2011-05-12-2 Eve Open Look into how to contribute Claims 2.0 to the OpenID ABC work.

Roll call

Quorum was not reached.

Approve minutes of 2011-04-28 meeting

Deferred due to lack of quorum.

  • May 26: Eve regrets; Maciej will cover.

Leadership team election status

  • Vice-chair position up for re-election by May 27
  • Also Graphics/UX editor position (overdue)

Maciej and Domenico are both willing to stand again for their respective positions.

Action item review

  • 2010-11-18-4 Eve Open Capture new user stories in the wiki.
  • 2011-03-02-1 Nat Open Put together JWT-compliant examples of Claims 2.0 and Simple Access Authorization Claims
  • 2011-04-07-2 Frank, Kirk Open Match constellations to scoped access diagrams to see what happens.

Kirk reports that he and Frank have worked through a couple of use cases and flushed out some issues. Going forward, he thinks it would be valuable to update the constellation flows with the latest spec work. He'd like to get us to a point where we can give advice to implementers. We'll put this on the agenda for next week. Kirk's company's social networking application would provide a good concrete example to test against.

  • 2011-04-07-3 Thomas Open Turn the results of the scoped access work into core spec text.

Now closed.

  • 2011-04-14-1 Maciej, Alam Open Build list of FAQs (both questions and candidate answers) on the wiki.

Eve and Cordny sent questions onto the list. Another question might be:

  • How could an UMA ecosystem get started?

IIW review

The UMA group was well represented. A lot of OpenID and OAuth conversations ended up mentioning UMA too.

The Locker Project seemed to have some potential synergies with UMA, possibly providing interim ways to integrate partial AM functionality into existing apps.

The UX sessions and demos resulted in some good lessons learned. For example, the requester side seems to need some improvement in order to avoid confusion. The smartam.net 2.0 system is actually running now; the team will shortly make this available to the group members. The way it works is that smartam.net chooses to have Alice log in through Facebook, and it also leverages Facebook contacts to allow Alice to set up ACLs for the sharing of her photos residing at Gallerify.me. She can arrange for the AM to send a message to Bob through Facebook messaging. In essence, Facebook acts as a policy information point. We hope to learn more about Alam's implementation work soon.

The SMART project team discussed the new scoping mechanism with folks from HP Labs and Google. They expressed some concern about using a single token to represent a variety of access authorizations. They felt we were simplifying the host's duties too much, and the host should be able to handle managing multiple tokens that a requester has, such that you don't upgrade or downgrade tokens, but rather just issue new ones. Maciej M. will follow up on this; we hope to get more detail soon.

There was some interest in our action description/scoping mechanism from Tom Brown of Open Source Currency. He's interested in having dynamic scopes for things like controlling the maximum amount of transactions. We discussed ways he could potentially use our action description URIs with variable parameter values.

Claims 2.0 next steps

In principle, we're supportive of contributing Claims 2.0 to the OpenID Foundation if this is acceptable according to Kantara rules as well. Eve will look into how to go about this; our current charter assumes all specs we produce would go to IETF, so maybe we have to revise it for this purpose. The OpenID Foundation IP rules are here.

Scoped access spec review

Thomas has put a new draft up on the wiki.

Eve suggests using more of a "state-diagram" approach to organizing the sections, and explaining the phases just in the introduction section. See the notes from our last UMA meeting on a suggested table of contents.

Thomas asks whether Paul's exhortation to attach no authorization significance to token issuance should be mentioned in the spec. UMA reuses OAuth for the host-AM relationship, so in that case, when the host gets a token, it's already good for accessing the entire UMA-compliant protection API at the AM. This is different from UMA's creative remixing of OAuth when it comes to the requester-AM relationship. In that case, issuing the token doesn't yet come with any authorizations. We should at least point out how UMA's assumption differs from OAuth's in this spot.

The next issue is how we define scopes – that is, exactly what they have to look like. We think requested scopes would look much like cut-down resource set descriptions, and granted scopes would look much like requested scopes with an expiration date. How would such a structure fit into today's OAuth scope strings? Would you have to base64 the whole thing? [Eve subsequently sent a strawman scope structure to the list.]

Also, Tom Brown's input was that he'd like to use something like action URLs directly, with parameters that can make them dynamic. How does this stack up against our two-part scopes?
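To make the "base64 the whole thing" question concrete, here is an added sketch (not from the minutes, and not the strawman Eve sent to the list) of a structured scope carried as one token in a space-delimited OAuth scope string, with a granted scope formed as the requested scope plus an expiration. The `uma:` prefix and the field names `resource_set`, `actions` and `expires` are assumptions made for illustration.

```python
import base64
import json

PREFIX = "uma:"  # hypothetical marker for structured scope tokens (assumption)

def encode_scope(structure: dict) -> str:
    """Pack a structured scope into one token free of spaces and quotes."""
    raw = json.dumps(structure, separators=(",", ":"), sort_keys=True).encode()
    return PREFIX + base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_scope(token: str) -> dict:
    """Inverse of encode_scope; raises ValueError on anything malformed."""
    if not token.startswith(PREFIX):
        raise ValueError("not a structured scope token")
    body = token[len(PREFIX):]
    data = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if not isinstance(data, dict):
        raise ValueError("scope must decode to a JSON object")
    return data

def grant(requested: dict, lifetime_s: int, now: int) -> dict:
    """Granted scope = requested scope plus an expiration time (AM side)."""
    return {**requested, "expires": now + lifetime_s}

def permits(scope_string: str, resource_set: str, action: str, now: int) -> bool:
    """Host-side check over a space-delimited scope string.

    Base64 is only an encoding: the string must be the granted scope the AM
    associated with the token, never a value supplied by the requester.
    """
    for token in scope_string.split():
        try:
            s = decode_scope(token)
        except ValueError:  # plain OAuth scope token or malformed payload
            continue
        actions = s.get("actions")
        expires = s.get("expires")
        if (s.get("resource_set") == resource_set
                and isinstance(actions, list) and action in actions
                and isinstance(expires, int) and now < expires):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample values, not taken from the minutes.
    req = {"resource_set": "photos/album-1", "actions": ["view"]}
    granted = "profile " + encode_scope(grant(req, 3600, now=1000))
    print(granted, permits(granted, "photos/album-1", "view", now=2000))
```

A requested scope that was never granted has no `expires` field, so `permits` rejects it, which mirrors the point above that token issuance on the requester-AM side does not yet carry any authorization.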

Next Meetings

  • WG telecon on Thursday, 19 May 2011, at 9-10:30am PT (time chart)
  • WG telecon on Thursday, 26 May 2011, at 9-10:30am PT (time chart) – Eve regrets; Maciej will create agenda, chair, and do notes-wrangling