UMA telecon 2019-08-01
Date and Time
- Thursdays 6am PT
- Screenshare and dial-in: https://global.gotomeeting.com/join/857787301
- See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar
- Roll call
- Approve minutes of UMA telecon 2019-06-20
- IETF 105 recap and next steps
- OAuth.net/2 needs UMA revision
- Business-legal framework update
- Nominations for chair and vice-chair
Quorum was not reached.
- Approve minutes of UMA telecon 2019-06-20
IETF 105 recap and next steps
- Especially valuable to have (potential) profile and extension authors here to discuss
The message to the OAuth list links to the two sets of meeting minutes; video recordings are also coming out. Background reading: the OAuth.XYZ write-up, the note on its applicability to UMA use cases, and the official IETF I-D (links in the original message).
Questions about XYZ: Is it meant to be profilable so that it fits into a larger ecosystem? UMA is meant for a multi-party environment, and we'd want to be sure the rechartering effort accommodates actual UMA use cases. Aaron P has proposed how to "add identity to XYZ" (in other words, layering OIDC functionality into it), but discussion with Justin so far shows an intent to incorporate UMA use cases directly; OIDC use cases may become part of it as well. Justin says all of the UMA functionality is intended to be baked into the core protocol. Aaron P is also considering a profile for IndieAuth. XYZ shouldn't have to be profilable in the same way as OAuth2 because it doesn't have the same model of grant types; there is far less need, because there aren't as many options. Swimlanes are coming to show how it would be used for different purposes.
Some of the technical design basis is sourced from current UMA: transactional handles are like permission tickets, the user interaction approach/endpoint works the same, and the ticket given in user interactions is like a PCT. XYZ has a C-to-AS first flow as today's OAuth does, but there is interest among some in the OAuth group already in a C-to-RS first flow like UMA has, and Eve and Justin have discussed how to achieve this in a robust fashion. You would need to have the RS make a call to the transaction endpoint and get a resource handle back to hand to the client.
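As an added illustration, not part of the original minutes or of the XYZ draft, the following Python sketch simulates the UMA2 client-to-RS-first flow that the XYZ discussion compares against: the RS registers the needed permission at the AS permission endpoint and receives a ticket, challenges the client with a WWW-Authenticate: UMA header, the client redeems the ticket (with or without a claim token) at the token endpoint, and the RS introspects the resulting RPT before serving. The AuthorizationServer and ResourceServer classes, the PAT value, the resource id "photo-1", the alice_policy function and the "bob" claim value are all constructed for this example; XYZ's own endpoint names and handle formats are not represented here.

```python
import re
import secrets
import time

# Constructed in-process stand-ins for a UMA2 AS and RS (example code, not from
# any UMA implementation). Tokens are random strings; no HTTP is involved.
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
TICKET_TTL = 300  # seconds: permission tickets are short-lived and single-use


class AuthorizationServer:
    def __init__(self, issuer, policy):
        self.issuer = issuer
        self.policy = policy                              # callable(perms, claim_token) -> bool
        self.pat = "pat-" + secrets.token_urlsafe(8)      # PAT held by the RS (constructed)
        self.tickets = {}                                 # ticket -> {"perms", "exp"}
        self.rpts = {}                                    # RPT -> granted permissions

    def _new_ticket(self, perms):
        ticket = secrets.token_urlsafe(24)
        self.tickets[ticket] = {"perms": perms, "exp": time.time() + TICKET_TTL}
        return ticket

    def permission_endpoint(self, pat, requested_perms):
        # RS registers the permissions the client will need and gets a ticket back.
        if pat != self.pat:
            return 401, {"error": "invalid_token"}
        return 201, {"ticket": self._new_ticket(requested_perms)}

    def token_endpoint(self, form):
        # Client redeems the ticket, plus optional pushed claims, for an RPT.
        if form.get("grant_type") != UMA_TICKET_GRANT:
            return 400, {"error": "unsupported_grant_type"}
        entry = self.tickets.pop(form.get("ticket", ""), None)   # pop: single use
        if entry is None or entry["exp"] < time.time():
            return 400, {"error": "invalid_grant"}
        if not self.policy(entry["perms"], form.get("claim_token")):
            # Policy needs more claims: hand back a fresh ticket for the retry.
            return 403, {"error": "need_info", "ticket": self._new_ticket(entry["perms"])}
        rpt = secrets.token_urlsafe(32)
        self.rpts[rpt] = entry["perms"]
        return 200, {"access_token": rpt, "token_type": "Bearer", "upgraded": False}

    def introspection_endpoint(self, pat, rpt):
        # RS asks what the presented RPT is good for.
        if pat != self.pat:
            return 401, {"active": False, "permissions": []}
        perms = self.rpts.get(rpt)
        return 200, {"active": perms is not None, "permissions": perms or []}


class ResourceServer:
    def __init__(self, as_, resource_id, scope):
        self.as_, self.resource_id, self.scope = as_, resource_id, scope

    def get(self, headers):
        auth = headers.get("Authorization", "")
        if auth.startswith("Bearer "):
            _, info = self.as_.introspection_endpoint(self.as_.pat, auth[len("Bearer "):])
            if info["active"] and any(
                p["resource_id"] == self.resource_id and self.scope in p["resource_scopes"]
                for p in info["permissions"]
            ):
                return 200, {"body": "protected resource"}
        # No usable RPT: obtain a ticket and challenge the client (C-to-RS-first).
        _, perm = self.as_.permission_endpoint(
            self.as_.pat, [{"resource_id": self.resource_id, "resource_scopes": [self.scope]}]
        )
        challenge = 'UMA realm="example", as_uri="%s", ticket="%s"' % (self.as_.issuer, perm["ticket"])
        return 401, {"WWW-Authenticate": challenge}


def ticket_from_challenge(header):
    """Extract the ticket parameter from a WWW-Authenticate: UMA challenge."""
    return re.search(r'ticket="([^"]+)"', header).group(1)


def client_flow(rs, as_, claim_token=None):
    """Try the resource first, follow the UMA challenge, then retry with the RPT."""
    status, resp = rs.get({})
    if status != 401:
        return status, resp
    form = {"grant_type": UMA_TICKET_GRANT, "ticket": ticket_from_challenge(resp["WWW-Authenticate"])}
    if claim_token:
        form["claim_token"] = claim_token
        form["claim_token_format"] = "http://openid.net/specs/openid-connect-core-1_0.html#IDToken"
    status, tok = as_.token_endpoint(form)
    if status != 200:
        return status, tok      # e.g. need_info: gather claims and retry with the new ticket
    return rs.get({"Authorization": "Bearer " + tok["access_token"]})


def alice_policy(perms, claim_token):
    # Constructed policy: Alice shares "read" only with requesting party "bob".
    return claim_token == "bob" and all("read" in p["resource_scopes"] for p in perms)


if __name__ == "__main__":
    as_ = AuthorizationServer("https://as.example", alice_policy)
    rs = ResourceServer(as_, "photo-1", "read")
    print(client_flow(rs, as_, claim_token="bob"))   # 200 with the resource body
    print(client_flow(rs, as_))                       # 403 need_info with a fresh ticket
```

Two properties of the ticket that any XYZ mapping should keep: the AS consumes the ticket on redemption (a replay yields invalid_grant), and a need_info response carries a fresh ticket rather than reusing the one just spent, so the client never holds a handle that the AS still considers live for a different state.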
Sometime in August the rechartering discussion will be picked up. It would help to have specific UMA use cases and flows documented, within the bounds of XYZ: "This is a use case that core OAuth2 can't handle. UMA2 can (or even UMA2 can't), but XYZ would bring these benefits because of these reasons: x, y, z..." Justin mentions the single-user case (Alice-to-Alice sharing); if the client can be shown to avoid jumping through a lot of hoops, that's a win. Things UMA2 doesn't currently handle: strong assurance to Bob that Alice is who she says she is (the "CIBA" case with UMA sharing benefits), and fully disconnected sharing.
The set of use cases would ideally be provided in the next couple of weeks (self-imposed deadline). Justin needs four sections: a) the use case itself (be short and to the point), b) why vanilla OAuth has limitations around it, c) what you can achieve with extensions to OAuth (including UMA), and d) an in-depth description of how you'd solve the use case with XYZ, ideally with swimlanes. Roman will be picking things up again in late August, and concrete write-ups will help keep the momentum up. Justin's Identiverse talk will help people understand his spec in greater detail. Eve will ask key people to help generate these use case write-ups.
OAuth.net/2 needs UMA revision
- Anyone willing to do a quick pull request on this page to point to the final UMA2 recommendation or our wiki home page?
Justin has done this, thanks!
- Speaking of which, our FAQ is extremely old and out of date...
Business-legal framework update
Please read the meeting notes from this week, sent in email – we now have an emerging state machine, thanks to the work of Cigdem, Lisa, and Nancy!
Nominations for chair and vice-chair
Nominations are open for these positions. Please send your nominations (self or other) to Eve. She is willing to stand for chair again and Maciej is willing to stand for vice-chair again. We'll keep these nominations open for a while more, even though we're a bit late with the elections. You can see the leadership team list here.
The right spec link
The right spec link is the UMA Grant Recommendation. Now that KI staff have removed the wrong robots.txt entries, we also need to ask them to link to the correct spec more often, so that search results point to the right file, which nobody is currently able to find.
As of 16 Jul 2019, quorum is 5 of 9. (Domenico, Peter, Sal, Thomas, Andi, Maciej, Eve, Mike, Cigdem)