UMA telecon 2016-03-10

Date and Time

• Thu Mar 10, 9-10am PT (N.B.: North America will change to Daylight Savings Time next week; this week is normal but NEXT WEEK WILL BE ABNORMAL)
  • Voice: Skype: +99051000000481 or US +1-805-309-2350 (international dial-in lines), room code 178-2540#
  • Screen sharing: http://join.me/findthomas - NOTE: IGNORE the join.me dial-in line shown here in favor of the dial-in info above (Kantara "line C" and the Skype line)
  • UMA calendar: http://kantarainitiative.org/confluence/display/uma/Calendar

Agenda

• Roll call
• Approve minutes of UMA telecon 2016-02-25
• Quick reports from sync meeting, RSA, and HIMSS
  • (And don't forget to sign up for IIW)
• Consider new mitigation thought on issue #239 and review draft extension spec and non-normative doc
• Proposal for new "Why UMA?" wiki area
• Charter-bashing (if anyone has done any homework...)
• AOB

Minutes

Discussion of Kantara's new organizational structure

Is this new structure of any concern? It seems not; it's a mark of Kantara's growth and maturity.

APAC-friendly meeting series

Eve will reach out to those likely most affected if the series is changed to see if those people would mind if she offers ad hoc syncs instead.

Roll call

Quorum was not reached.

Approve minutes

Approve minutes of UMA telecon 2016-02-25: APPROVED

Updates from recent meetings and events

IAPP Canada: John W was approached by an IAPP Canada organizer about doing a technical presentation, and he reached out to Andrew Hughes to help put together a panel on UMA, so as to inject more interesting technicality into the proceedings. John and Eve will sync on getting some good UMA slide fodder. 40% of the IAPP is made up of lawyers, so they'll have to go for the right level. We're looking at leveraging this into another opportunity at IAPP/CSA's "Privacy. Security. Risk." event in September. Yesterday's APAC-friendly meeting had a big focus on IAPP Canada preparations.

RSA: Eve and Josh Alexander presented, and Eve got to spend a few minutes on UMA in the talk. She has been hearing repeatedly that UMA has been coming up in "third-party" conversations she isn't in.  She has die-cut stickers to give UMAnitarians, and they got snapped up at RSA. She also had interesting side conversations about health, energy, other use cases for UMA (relevant tweet).

HIMSS: Not a lot of UMA-related news. Justin gave an overview to the Argonaut and FHIR project folks, and it came up in conversation a few times. Adrian observes that they don't know of any pilots. François notes that he doesn't know of pilots either. Delegation is the key unique use case, where patients can delegate access.

Btc Expo: Adrian heard some interesting avenues there. Andi has been hearing blockchain/UMA opportunities.

CIS: Andi notes that there is a distributed ledger/blockchain track, and a privacy track as well. Everyone please register and book hotel rooms ASAP!

(And don't forget to sign up for IIW.)

Why UMA?

Eve has asked Domenico (our UX and graphics editor!) to put together some material for our wiki to highlight the "Why?" of UMA for businesses as an important audience. He will share his research on the list. Eve would like to ask everyone to contribute new "collateral" to this area. The impetus was Robert asking Eve for use cases, and our finding that our Case Studies page doesn't suffice. Mike asks that we present Enterprise UMA more prominently as this is an easier sell than privacy. Therefore, Mike should contribute content. What about Pedro's use case?

AI: Eve: Approach Pedro at Red Hat about their use case.

A barrier is lack of libraries, including RS support. In fact, this has just come up on the UMA Dev list, and this is the exact purpose of the UMA Dev WG, right down to putting the emphasis on the RS. Eve also likes how Nat had published an easy Hello, World OIDC client app on his blog to show everyone how small and easy it could be.

There are lots of great ways other than (boring?) slideware to document and persuade about UMA:

• Pumpkin security theater
• John is big on putting together an interactive whiteboard why-and-how presentation
• A music video (this one is about privacy generally, from RSAC)
• Other ideas for presentation

Issue 239

The main issue in the extension spec is whether it can coexist with the main spec or whether it "stomps on" the main spec. This likely affects the extension spec title, several instances of language, and the configuration data design – it should probably invent a new endpoint that exists alongside the original endpoint. Coexistence would dictate changing our previous consensus about seeing little reason to deploy the "unenhanced" claims-gathering mechanism. Reasons for coexistence would be backwards compatibility with the existing UMA spec(s), and we still could make arguments for someone having a specialized environment that does claims-gathering and doesn't really need the enhancement. Note that the old endpoint would be marked for eventual deprecation and disabling. An important question is whether it's even possible to not support the old endpoint. George argues for it to be possible for an AS not to support the "old" endpoint on security grounds. And in fact, this could be very clean because you just don't support the "claims-gathering method" as offered by regular UMA.

And now there's a draft non-normative companion doc. Eve's thinking is that all vulnerabilities found in protocols such as this should come with docs like this as a kind of FAQ.

AI: Eve: Ask the WG about one more ad hoc meeting early next week to see about finalizing decisions on spec text so we can close out the issue next week and publish.

Attendees

As of 18 Feb 2016, quorum is 6 of 11. (François, Domenico, Kathleen, Sal, Thomas, Andi, Robert, Maciej, Eve, Mike, Sarah)

1. François
2. Domenico
3. Andi
4. Robert
5. Maciej
6. Eve
7. Mike

Non-voting participants:

• Adrian
• John W
• Justin
• Gil
• Arlene
• George

Regrets:

• Sarah
• Thomas