UMA telecon 2013-10-31
Date and Time
- All-hands meeting on Thursday, October 31, at 9am PT (time chart) - note that the US doesn't go off summer time until Nov 3, so this meeting will be one hour earlier for UK/Europe participants
- Voice: Skype: +99051000000481 or US +1-805-309-2350 (international dial-in lines), room code 178-2540#
- Screen sharing: http://join.me/findthomas
Agenda
- Upcoming meeting schedule
- Resource descriptions for user attribute retrieval (email thread)
- SAML IdP+UMA attribute release discussion (email thread)
- AS=C use case discussion (most recent previous notes) – any conclusions yet?
- Field interop feature test issues
- AOB
Minutes
Roll call
Quorum (7 of 12) was reached.
Meeting minutes approval
MOTION: Approve the last two meeting minutes, and read into today's minutes all of the previous focus meeting notes not otherwise previously read in. APPROVED by unanimous consent.
Upcoming meeting schedule
Eve has to miss approximately every other meeting for the next couple of months. We have a lot of technical, interop, and outreach work coming up. What's the best way to make progress? The interop effort should also drive clarifications in the spec or places that need work. Making progress requires a) having the use case champion present in discussions and b) that person being willing to draft a proposed solution. Does it make sense to have fewer meetings (according to Eve's availability) but try to extend the meetings we do hold to a length of 90 minutes? There's variable availability for this. E.g., Andrew has HIAWG directly after the 60-minute UMA call on Oct 31, Nov 14, etc. What about starting to meet 30 minutes earlier? This seems, on balance, to work better. With that assumption, here's what our calendar looks like for the next few weeks (see below on this page, and also the official UMA calendar).
NOTE: Eve is checking on whether this means we need to use a different dial-in bridge. For now, the calendar is definitely accurate as regards timing of meetings, but may not be accurate as regards dial-in. Stay tuned!
NOTE: Most of the world will be "back in sync" next week with respect to the summer-time skew. Our meetings will start at 16:30 GMT after the change (8:30am PT), rather than 17:00 GMT (9am PT).
Interop feature test issues
We discussed F-as-config. How should we resolve the mismatch between the feature test's requirement that the RS and C consume AS config data and the spec text, which doesn't mandate it? Lukasz comments that the Cloud Identity sample apps don't hard-code the endpoints and do leverage the config data. George comments that it seems like not a very big deal to require the AS to expose the config data while still not burdening the RS and C. The main problem is putting something at /.well-known. George read an article recently about a "tax on iOS apps" around handling 301s and the security around serving up content through HTTP.
We've discovered that OAuth closed quite a few (but not all) TLS loops in its final versions of RFC 6749 and RFC 6750. For the AS, TLS with specific parameters is mandatory to implement, and for some endpoints and flows, mandatory to use. In a code flow where the client is confidential (can protect the secret), you have the rare conditions where you can relax the requirement. All other redirect URIs must use HTTPS. Of course, the AS config data discovery endpoint is different in kind from the endpoints mentioned in the config data, but it should be at least as well protected as those others.
George's recommendation: The server must implement and use HTTPS, but the clients (RS and C getting the config data in this case) don't have to implement discovery that uses the endpoint in question here. This is a starting point; we can test whether folks want to push back on this as we go. What if we were to start requiring HTTPS in UMA the way OAuth essentially does now? No pushback from implementors so far.
AI: Eve and Thomas: Update spec text to add HTTPS/TLS strengths based on OAuth final language. Also: Typo in Core Sec 1.4: s/absent/absence/. Also: The repetition of the "valid PAT" statement in Sec 3.2 should be removed as appropriate. Also: RSR 2.1: s/scope/Scope/ at beginning of sentence. Also: Account for Josh Mandel's changes.
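The following is an added illustration of the policy George recommended above (the AS serves its config data over HTTPS only; a client that chooses to use discovery must not let a 301 pull it onto plain HTTP). It is not code from the UMA group or from any of the implementations mentioned. It assumes the config document lives at /.well-known/uma-configuration and uses illustrative endpoint key names; the sample document is constructed here, with one endpoint deliberately left on http so the check has something to report.

```python
"""Client-side check of UMA AS config data against an HTTPS-only policy (added example)."""
import json
from urllib.parse import urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Assumed discovery path; the discussion only says "/.well-known".
WELL_KNOWN_PATH = "/.well-known/uma-configuration"

# Constructed sample config document; the endpoint key names are illustrative.
SAMPLE_CONFIG = json.dumps({
    "version": "1.0",
    "issuer": "https://as.example.com",
    "token_endpoint": "https://as.example.com/oauth/token",
    "authorization_endpoint": "https://as.example.com/oauth/authorize",
    "resource_set_registration_endpoint": "https://as.example.com/uma/rsr",
    "rpt_endpoint": "http://as.example.com/uma/rpt",  # deliberately weak: plain HTTP
})


def is_https(url):
    """True only if the URL's scheme is https (the policy applied to every URL below)."""
    return isinstance(url, str) and urlparse(url).scheme == "https"


def check_config(config_text, discovery_url):
    """Return a list of policy violations; an empty list means the document passes.

    Checks the discovery URL itself (it must be at least as well protected as the
    endpoints it advertises), the issuer, and every key ending in '_endpoint'.
    """
    problems = []
    if not is_https(discovery_url):
        problems.append("discovery URL is not https: " + discovery_url)
    try:
        config = json.loads(config_text)
    except ValueError as exc:
        return problems + ["config is not valid JSON: %s" % exc]
    issuer = config.get("issuer")
    if not is_https(issuer):
        problems.append("issuer missing or not https: %r" % (issuer,))
    for key, value in config.items():
        if key.endswith("_endpoint") and not is_https(value):
            problems.append("%s is not https: %r" % (key, value))
    return problems


class HttpsOnlyRedirect(HTTPRedirectHandler):
    """Refuse to follow any redirect (such as a 301) whose target leaves HTTPS."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not is_https(newurl):
            raise ValueError("refusing redirect to non-https URL: " + newurl)
        return HTTPRedirectHandler.redirect_request(
            self, req, fp, code, msg, headers, newurl)


def fetch_config(as_base_url, timeout=10):
    """Fetch the config data over HTTPS only and return (problems, config_text).

    Network access is needed for this function; check_config() runs offline.
    """
    url = as_base_url.rstrip("/") + WELL_KNOWN_PATH
    if not is_https(url):
        raise ValueError("AS base URL must be https: " + as_base_url)
    opener = build_opener(HttpsOnlyRedirect())
    req = Request(url, headers={"Accept": "application/json"})
    with opener.open(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return check_config(body, url), body


if __name__ == "__main__":
    # Offline demonstration on the constructed document.
    discovery = "https://as.example.com" + WELL_KNOWN_PATH
    for problem in check_config(SAMPLE_CONFIG, discovery):
        print("VIOLATION:", problem)
```

The check deliberately treats the discovery URL like any advertised endpoint, since a client that accepts the config document over plain HTTP has no basis for trusting the HTTPS endpoints it names; the redirect handler covers the 301 case raised in the discussion.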
Attendees
- Keith
- Eve
- Andrew
- George
- Lukasz
- Thomas
- Maciej
Next Meetings
- Focus meeting Thu Nov 7 8:30-10am PT (time chart) - Oshani Seneviratne will present on "Provenance" research in the last half-hour
- No meeting Thu Nov 14
- All-hands meeting Thu Nov 21 8:30-10am PT (time chart) - we'll discuss resource/scope management and SAML/UMA attribute release with Roland
- No meeting Thu Nov 28 (US Thanksgiving holiday)
- No meeting Thu Dec 5
- Focus meeting Thu Dec 12 8:30-10am PT (time chart)
- All-hands meeting Thu Dec 19 8:30-10am PT (time chart)
- No meeting Thu Dec 26 (holidays)
- Focus meeting Thu Jan 2 8:30-10am PT (time chart)