UMA telecon 2018-12-06

Date and Time



Roll call

Quorum was reached.

FYI, the Implementations page has been updated

In about two months (that's the HIMSS timeframe -- Feb 11-15 in Orlando), there may be an update to the HIE of One listing reflecting the product side (Trustee). Adrian could be interested to attend HIMSS if there is someone willing to pay his way. And perhaps we should look at interop testing at HIMSS.

Mike will update the Gluu listing to reflect the upcoming December ship date of the Gluu Gateway and the "Swaggerization" of the RS and (updated) client code. Swagger (technically OpenAPI is what they're using) is a kind of machine-readable API documentation that allows automated stubbing-out of applications. It's not the only API description language but it's pretty much the most popular. Since oxd is basically middleware (using Lua), its Swagger isn't that interesting for a larger Swaggerization project. They changed it a lot, taking out "mix mode".

What would it take to add an UMA module into Swagger? Then infrastructure would already be available to the online testing tools. If you could document which UMA scopes are required, security provisioning could be automated. Mike will share what they've already done. It may or may not be that helpful given the need to customize.

Meeting logistics

Approve minutes


Identiverse call for presentations is open

Here. Deadline is 11 Jan 2019.

180 degrees / decoupled / CIBA use cases

We analyzed the use case doc. The "group X" parties seem to be a species of requesting part that have a motivation to share an UMA resource owner's data that they are a custodian of (they are in an UMA resource server role, we think), but they carry some liability for inappropriate sharing so they are going to want to be extra-careful about "group Y" (Alice) being who they say they are (the UMA resource owner) and also about others (Joe and Erica, the UMA requesting parties) being who they say they are – meeting Alice's policy.

In previous discussions, we noted that the requesting party wants to ensure that it's truly Alice who is the resource owner. Is there also a need for the resource owner to know that Alice is the RO?

Is authentication (of Alice/the RO particularly) something that we can connect to auditability, as it relates to our UMA business model work? Right now the PAT is the main thing that is "in band". Sal notes that this could connect to consent receipts as well.

Eve has a plan to draft UMA business use cases and business/technical mappings (technical artifacts and legal devices) for people's perusal over the next couple of weeks. Andi says he'd also like to see us put some more thought into how we could handle cases where multiple resource owners exist for the same resource. Eve adds: These might include joint checking accounts, or two parents controlling a child's health record, etc.

UN Commission on Refugees

Tim asks if anyone has looked at their call for a proposal for blockchain-related identities being issued; he's been talking to Colin about it and wonders about UMA's relevance. Cigdem just started looking at it. Adrian notes that HIE of One combines UMA and self-sovereign technologies and has been working on similar use cases. Alec notes that Identos's solution similarly has UMA on one side and a self-sovereign type of technology on the other side. Nancy mentions some interest as well.

Colin remarks that responding to such calls tend to require a fair amount of resources and a big team. Kantara could potentially put a proposal together but a fairly large organization may need to prime the effort. Adrian mentions ID4D.


As of 18 Oct 2018, quorum is 5 of 8. (Domenico, Peter, Sal, Andi, Maciej, Eve, Mike, Cigdem)

  1. Peter
  2. Sal
  3. Andi
  4. Maciej
  5. Eve
  6. Mike
  7. Cigdem

Non-voting participants: