UMA telecon 2024-11-21
- Alec Laws
UMA telecon 2024-11-21
Date and Time
Every other Thursday @ 1:00ET/10:00am PT
Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
United States: +1 346 248 7799, Access Code: 994 8781 4311
See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar
Agenda
Plan for vulnerability report + publication
Attendees
NOTE: As of Sept 15, 2022, quorum is 3 of 5. (Peter, Sal, Alec, Eve, Steve)
Voting:
Non-voting participants:
Regrets:
Quorum: No
Meeting Minutes
Topics
Scenario, there is a UMA-based health data-sharing ecosystem
A provider(RqP) receives a (malicious/phising) email link to access a patients record (e.g. patient summary resource)
The provider opens the link in their EMR client
The link points to a malicious RS, which provides a ticket it has from an interaction with the target RS to access all available patients
The EMR client follows the WWW-authenticate header to the target AS, the Provider(RqP) is able to authenticate and grant access to the target resource
The EMR client negotiates a token and presents it to the malicious RS
The malicious RS can access the target RS with the token
Conditions:
the client trusts ANY RS
the issued token was a Bearer token
Mitigations:
informational
the client is informed of the RS aud when it receives the token
the provider is informed of the scope of access when authenticating (requires claims gathering)
technical: the client must authenticate to the RS at Resource access time
Plan for vulnerability report + publication
template format
description of the vulnerability (general)
frame up “real” scenarios to show motivation → help us test mitigations
how do implementors know if they’re impacted?
what are their mitigation option?
Next call, confirm template for reports and start outlining section
AOB