UMA telecon 2015-02-04

Date and Time

Agenda

  • Roll call
  • Minutes approval
  • Upcoming meeting schedule
    • Reminder of public review period, special meeting Mon Feb 23, and important LC meeting Wed Feb 25
  • Interop progress
  • Educational materials
    • Reporting on AIs
  • V1.0 rollout
    • Reporting on AIs
  • Field public review comments and other open issues
    • Reporting on AIs
    • Spec editing schedule
    • New AIs
  • AOB

Minutes

Roll call

Quorum was not reached.

Minutes approval

Deferred.

Upcoming meeting schedule

Don't forget about the special Feb 23 meeting.

Interop progress

Roland will have incomplete tests ready for implementers next week. Sal's team is starting to be ready to join the testing.

AI: Sal: Supply participant and solution information for the iop page.

Colin may be interested in providing input, as an imminent implementer. We'd like to see the feature tests as soon as possible, just to eyeball them, so that everyone can do this kind of review.

The budget proposal goes to the Kantara board tomorrow, so we'll hear soon about the kind of support that may accelerate Roland's efforts in this direction.

Educational materials

Outstanding AIs:

  • AI: Mike: Write the section on "Organizations as Resource Owners and Requesting Parties".
  • AI: Maciej: Write as many sections for the UIG as he can. (smile)
  • AI: Andi: Write the section on "Handling Ignored Parameters" and share with Zhanna for comment.
  • AI: Eve: Send suggested updates to Will at Gluu for English page updating, and to Domenico for Italian page updating, and to Rainer for hoped-for German page updating, and to Riccardo Abeti for the Spanish page.
  • AI: Mark: Do a Dutch Wikipedia page translation.
  • AI: Ishan: Review the FAQ for needed updates (http://tinyurl.com/umafaq).

Ishan is working on his item. Does it make sense for some in-depth FAQ-type topics to cross over to the UIG? Possibly. What do you need in addition to UMA, e.g. a policy engine? Ishan has got that question captured. Sal has been having discussions with people about whether authentication and federation are "part of UMA".

Eve points to Martin Kuppinger's recent blog post on UMA for the enterprise. It describes a business SaaS/centralized business logic use case.

AI: Eve, Mike: Write new case study for business SaaS/centralized business logic use case.

Mike notes that Gluu gets a lot of hits on its SAML/UMA post. This is probably worth another case study.

AI: Eve, Mike: Look into team-tweeting from the UMAWG handle.

V1.0 rollout

We do need to craft a crowdsourced track submission. Ideas:

  • You've authenticated. Now what? Solving the hard problem of distributed/federated authorization
  • Trust elevation theme
  • OpenID Connect vs. UMA: OAuth profiles: sisters that look nothing alike...

AI: Eve, Colin, Mike, (Sal?): Email discussion about possible crowdsourced track submission

Field public review comments and other open issues

Outstanding AIs:

  • AI: Sal, George: Do a close reading of UMA Core Sec 8.1 against the OAuth Security Cheat Sheet and see where we can improve the former.

Zhanna brings up a question about the scope description. Should there be a "description" property to allow there to be a longer description of the scope, for optional help text or documentation? There's sentiment for adding this. At the OAuth level, you need to get this from somewhere because you need to display this in order to let the person consent to giving an app access to that scope. So we feel that the OAuth use case motivates having a "nice, plain string" available. We don't want to go crazy adding other fields, when anyone can add their own extension fields for documentation functions. We have consensus on the following wording:

description

OPTIONAL. A string describing, in longer form than the scope name, the scope (extent) of access. This name MAY be used by the authorization server in any user interface it presents to the resource owner. This string could be used, for example, as help text or in documentation.

AI: Editors: Add to GitHub.

We briefly discussed issue #132, and there's some sentiment for changing in this direction. We'll "sleep on it" and see if we can close it next time.

Zhanna will add a couple of new issues to GitHub that she brought up on the call.

Next time: Discuss IETF submission options

Be sure to discuss this next time.

Attendees

As of 14 Jan 2015, quorum is 7 of 12. (Dom, Sal, Mark, Thomas, Andrew, Robert, Maciej, Eve, Mike, Jin, Ishan, Ravi)

  1. Ravi Mysore (first time: based in Bangalore! works for Morpho; program manager for 750M person biometric ID program; experience in FICAM; keen to add privacy to these use cases)
  2. Eve
  3. Robert
  4. Sal
  5. Mike
  6. Ishan

Non-voting participants:

  • Colin
  • Marcelo
  • Gil
  • Zhanna