UMA telecon 2015-04-16
Date and Time
- Thu Apr 16 9-10pm PT
- Voice: Skype: +99051000000481 or US +1-805-309-2350 (international dial-in lines), room code 178-2540#
- Screen sharing: http://join.me/findthomas
- UMA calendar: http://kantara.atlassian.net/wiki/display/uma/Calendar
Agenda
- Roll call
- Minutes approval
- Sample motion: Approve the minutes of UMA telecon 2015-03-19 and read into today's minutes the notes of UMA telecon 2015-04-01.
- Final Recommendations are published!
- RSA:
- Non-Profits on the Loose party at RSA next Tuesday 5-8pm!
- Binding Obligations next steps
- List discussion on discovery
- AIs and webinar planning
- AOB
Minutes
Roll call
Quorum was reached.
Minutes approval
MOTION: Approve the minutes of UMA telecon 2015-03-19 and read into today's minutes the notes of UMA telecon 2015-04-01. APPROVED by unanimous consent.
Final recommendations
Post-publication, we have already collected one erratum (from Justin). We haven't even done the formal interop testing, and lots of independent implementations are just getting going right about now. Before we do the Independent Submission route, it's a good idea to shake out the bugs. Hannes T has offered assistance in the Submission process.
Roundup of upcoming events
- No telecon RSA week
- Adrian is facilitating a P2P session on Apr 21 at 4:30pm on health privacy standards
- The Nonprofits on the Loose party is the evening of Apr 21 at Minna Gallery
- The Rock Opera that Eve is in is on Thursday morning
- Dave Staggs' UMA Healthcare talk (with a demo from Eve) is Friday morning
- Gluu is doing a Gluu Server training with UMA at RSA
- Regular telecon Thursday April 30
- No telecon Thursday May 7 (EIC week)
- Kantara All-Hands May 4
- Kantara workshop May 5 (UMA talk)
- OpenID Foundation workshop May 5 (HEART talk)
- EIC has a User-Managed Identity and Access Track! (Eve speaking on UMA in the track)
- Eve has a keynote
- Webinar May 14
- Tweet chat before?
- IWPE'15 May 21 in Oakland with IEEE Symposium on Security and Privacy
- ForgeRock Identity Summit May 27-29 in Half Moon Bay
- Cloud Identity Summit June 8-11 in San Diego
Binding Obligations
Eve walked through the theory behind the Binding Obs draft. The idea is that the "deep mapping" into UMA protocol state changes would make it more robust should a problem land the parties in court, possibly avoiding lawsuits entirely because independently obtained logs would answer questions ahead of time. It requires more work to do the mapping, of course, but in the UMA case it's already done.
Robert is currently working in the justice sector, where they currently use IdPs, but he anticipates using UMA at some point.
Adrian notes the idea of using GitHub for tracking lawyer/user/machine-readable legal language. Eve has spoken with Dazza about exactly this kind of approach. In healthcare, when the issue is the right of access (e.g., as managed by the Office for Civil Rights), then there are groups interested in logging the denial of authorization. Eve's notion of an authorization server's right not to respond to a request message, e.g. if it suspects a DoS attack, in order not to accept a "binding obligation", might not be acceptable in the context of a trust framework that requires certain standards of response and audit logging.
There are two ways to think of the Binding Obs. One way is to see them as something every deployment has to sign on to, even if they're not part of a trust framework. The other is to see them as a kind of "trust SDK" that any trust framework can call by reference if they wish to.
Could this be a three-phase commit sort of process, so that it's not just a state-change thing?
There is a ton of trust framework-related work going on. Trustmarks, VOT, OTTO, and more...
AI: Eve: Set up an ad hoc Binding Obs meeting. Interest from Anwar, Tim, and Mike.
It may be a good idea to do a Q3 webinar on UMA trust.
AIs
Outstanding AIs:
- AI: Sal: Investigate IP implications of formal liaison activities with other Kantara groups with the LC, and ultimately draft an LC Note as warranted.
- AI: Gil: Edit the UIG to add Ishan's content and excerpt it for Eve to add to the FAQ, pointing everyone to the UIG.
- AI: Sal: Fill out IDESG form to have UMA adopted as a recommended standard for use in the IDESG framework.
- AI: Mike: Rework UIG section on organizations as ROs and RqPs.
- AI: Eve: Edit UIG (Mike's input, Zhanna/Andi's input).
- AI: Eve: Update GitHub.
- AI: Maciej: Write as many sections for the UIG as he can.
- AI: Justin: Write a UIG section on default-deny and race conditions.
- AI: Eve: Send suggested updates to Will at Gluu for English page updating, and to Domenico for Italian page updating, and to Rainer for hoped-for German page updating, and to Riccardo Abeti for the Spanish page, and to Mark for a Dutch translation.
Attendees
As of 15 Mar 2015, quorum is 8 of 14. (Dom, Sal, Mark, Thomas, Andrew, Robert, Maciej, Eve, Mike S, Jin, Ishan, Ravi, John, Mike F)
- Eve
- Robert
- Domenico
- Ishan
- Andi
- Mike S
- Jin
- Thomas
Non-voting participants:
- George
- Adrian
- Anwar (Georgia Tech - working on trustmarks NSTIC pilot and law enforcement federation and HEART...)
- Zhanna
Guests:
- Tim Reiniger (shortly to be an official participant - attorney - coauthor of Virginia identity legislation)
- Jenn Behrens (shortly to be an official participant - director of privacy and compliance with ID.me - two NSTIC pilots - chair of IDESG privacy committee)