UMA telecon 2021-07-15

Owned by
Alec Laws
Last updated: Jul 19, 2021 by
Salvatore D'Agostino (Unlicensed)
3 min read

UMA telecon 2021-07-15

Date and Time

Agenda

Minutes

Roll call

Quorum was NOT reached.

Approve minutes

Deferred


ANCR/UMA initial understanding

https://groups.google.com/g/kantara-initiative-uma-wg/c/EzbI7kjc_MU/m/NLX_0eYZCQAJ


Short flow

  1. Alice visit's Bob's Organization(site/service) website
  2. Bob returns a notice that references a third party registry
  3. Alice is able to independently lookup Bob's notice from the registry
  4. Alice requests a notarized receipt from the registry, including Bob's notice and her Rights (eg the law's of the country she lives in)
  5. Alice includes this receipt in requests as she interacts with Bob's service
  6. Bob is able to use the receipt token to interact with Alice's information, either in requests for authorization/information (eg as a token/claim)

ANCR current state: documentation of the receipt: Bob's notice, Alice's rights assertion, the notarized ANCR receipt

Next steps: Determining ANCR receipt fields contributions to be part of the ISO 27560 WD. Publish anchor notice and consent receipt via Kantara. Move from receipt definition to flows/protocol integrations.

The receipt creates transparency for Alice to discover and understand the sites/services terms, controller, etc. Steps 1-5 would be part of a Browser/extension implementation and could be broadcasted through headers (for example). Alice could include in her notarized receipt where Bob's service could discover her information, eg her UMA Auth server or relevant resource locations. 

After discovery, Alice is able to monitor service term changes through a registry.  The 'registry' doesn't necessarily need to be a 3rd party, the site itself could host this to achieve transparency outcomes. Self assertion (public transparency) like this can still reference third parties, who don't need to know about ANCR. For example in the UK there is a public business registry with the Controllers listed, the site itself can reference that endpoint and provide that url in the receipt and further auto (public) discovery can transpire.


Can a service be registered with multiple registries? yes

ANCR is having an off cycle meeting 1130(?) Monday. They usually meet Wednesday at 1030ET

Advanced Notice and Consent Receipt: Advanced Notice & Consent Receipt - ANCR-WG


Anyone attending HIMSS?

IDENTOS will have some representation there (not Alec), presenting their TrustSphere project in BC 


Has Kantara ever provided funding support to attend/present posters/papers? Kantara is open for funding requests, if interested please reach out to Alec(or any WG chair) and they'll help with the request to the Leadership Council. Largely attendance have been self-funded


Relationship Manager - user stories

Review the Diagram: https://groups.google.com/g/kantara-initiative-uma-wg/c/WAnizgl08Fg/m/YjflL1EbAwAJ

Last week we got into the details and questions around discovery. It may not need to be part of the core UMA AS function, and could be a 3rd service specification (with some intersection to the ANCR registry concepts)


Implementing the UMA spec is not enough, need to have use-cases to fill the gaps and details (and to 'get creative'). This has made interop challenging between implementations. There's a bunch of work around UMA that are required to show implementation. Maybe a simple interop profile around a use-case would allow us to show us working together. One example, who owns + stores the PAT. Communicating the handle (uri) from RO to RqP


AOB

Please welcome Kay Chopard as the new  Kantara Executive Director!

Attendees

As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)

Voting:

  1. Steve
  2. Alec
  3. Sal

Non-voting participants:

  1. Zhen
  2. Scott

Regrets: