UMA telecon 2021-06-24

Date and Time

Agenda

Minutes

Roll call

Quorum was NOT reached.

Approve minutes

Deferred

Relationship Manager - user stories

From: https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-11-19

As RqP Bob, I want to be able to request access to a set of Alice's resources directly from Alice's AS without knowledge of their location, because I don't have to bother getting or caring about all the locations from Alice first.

{
   "access_token":"sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv",
   "token_type":"Bearer",
   "resource_type":"http://resourcetyperegistry.com/a/resource/type",
   "resource_location":"http://thisspecificrs.com/path/to/resource"
}
// resource_type is the contract with the client over what the response from the RS will be

// this is non-conforming to OAuth 2, as access_token isn't a string (each entry is a bearer access token with its resource location)
{
   "access_tokens":[
      {
         "access_token":"<bearer access token>",
         "token_type":"Bearer",
         "resource_type":"http://resourcetyperegistry.com/a/resource/type",
         "resource_location":"http://thisspecificrs.com/path/to/resource"
      }
   ],
   "token_type":"Multi"
}


As client C used by RqP Bob, I want to be able to request access to a set of Alice's resources directly from Alice's AS on Bob's behalf without knowledge of their location, because I (the client) don't have to retrieve the locations first.
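To make the two response shapes above concrete from the client's side, here is an added example (not code from the minutes or from any UMA implementation) of how client C could consume them. Field names are the ones sketched above; the token values, host names and the "Multi" entry layout are constructed assumptions. The client normalises either shape into per-resource grants, rejects malformed responses instead of guessing, and attaches a bearer token only to requests that fall under that token's own resource_location, so a token issued for one RS is never sent to a different host.

```python
import json
from urllib.parse import urlsplit

# Constructed sample responses (not from the minutes) in the two shapes the
# minutes sketch: a single Bearer token with its resource_location, and a
# "Multi" response carrying one such grant per resource.
SINGLE_RESPONSE = json.dumps({
    "access_token": "tokenS",
    "token_type": "Bearer",
    "resource_type": "http://resourcetyperegistry.com/a/resource/type",
    "resource_location": "http://thisspecificrs.com/path/to/resource",
})
MULTI_RESPONSE = json.dumps({
    "access_tokens": [
        {"access_token": "tokenA", "token_type": "Bearer",
         "resource_type": "http://resourcetyperegistry.com/a/resource/type",
         "resource_location": "https://rs-one.example/path/to/resource"},
        {"access_token": "tokenB", "token_type": "Bearer",
         "resource_type": "http://resourcetyperegistry.com/another/type",
         "resource_location": "https://rs-two.example/other/resource"},
    ],
    "token_type": "Multi",
})

REQUIRED = ("access_token", "resource_type", "resource_location")


def parse_token_response(body):
    """Normalise either response shape into a list of per-resource grants.

    Every grant must carry a non-empty string access_token, resource_type and
    resource_location; anything else is rejected rather than guessed at.
    """
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("token response must be a JSON object")
    if data.get("token_type") == "Multi":
        grants = data.get("access_tokens")
        if not isinstance(grants, list) or not grants:
            raise ValueError("Multi response needs a non-empty access_tokens array")
    else:
        grants = [data]
    out = []
    for g in grants:
        if not isinstance(g, dict):
            raise ValueError("each grant must be a JSON object")
        for field in REQUIRED:
            if not isinstance(g.get(field), str) or not g[field]:
                raise ValueError("grant is missing " + field)
        if g.get("token_type", "Bearer") != "Bearer":
            raise ValueError("only Bearer grants are understood")
        out.append({"token": g["access_token"],
                    "location": g["resource_location"],
                    "resource_type": g["resource_type"]})
    return out


def is_valid_response(body):
    """True if parse_token_response accepts the body, False otherwise."""
    try:
        parse_token_response(body)
        return True
    except ValueError:
        return False


def _covers(location, url):
    """A grant covers url only on the same scheme/host/port and at or under its path."""
    loc, tgt = urlsplit(location), urlsplit(url)
    same_origin = (loc.scheme, loc.netloc) == (tgt.scheme, tgt.netloc)
    under_path = tgt.path == loc.path or tgt.path.startswith(loc.path.rstrip("/") + "/")
    return same_origin and under_path


def build_request(grants, url):
    """Return the request the client should send for url, or None.

    The bearer token is attached only when url lies under the grant's own
    resource_location, so a token issued for one RS never reaches another.
    resource_type is handed back so the caller can pick the right parser.
    """
    for g in grants:
        if _covers(g["location"], url):
            return {"url": url,
                    "headers": {"Authorization": "Bearer " + g["token"]},
                    "resource_type": g["resource_type"]}
    return None


if __name__ == "__main__":
    grants = parse_token_response(MULTI_RESPONSE)
    for g in grants:
        print(build_request(grants, g["location"]))
    # A token for rs-two must not be reused against a path it was not issued for.
    print(build_request(grants, "https://rs-two.example/path/to/resource"))
```

The origin-and-path check in build_request is the defensive point: with the AS handing out locations, the client never has to discover them, but it also must not treat a bearer token as valid for any URL it happens to hold.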


— 
From: https://groups.google.com/g/kantara-initiative-uma-wg/c/f0g98sr22Rw/m/M5jK9z1nAgAJ 

As an RO, I want to manage my resources independently of each individual RS (UMA core prop)


As an AS(RS) operator, I need statically registered clients (clients + RSs), in order to meet my federation assurance requirements

As an RS operator, I don't want to trust any RO-chosen AS, because I need strong federation assurance (I can't trust an individual person)

As an RS operator, I want to register resources with specific trusted ASs, in order to meet my federation assurance requirements

As an RS operator, I want to delegate RP registration and authorization, as I never intended to take on this responsibility/cost

federation assurance is shorthand for trust framework, legal/regulatory/compliance requirements (I can't trust anyone)

These requirements necessarily narrow the ecosystem; UMA plus these drafts aim to widen the ecosystem again and remove the need for 1-1 agreements between all parties.


Alec will attempt to organize these use cases into a document for solicitation. We need to get less technical and more business/legal feedback on these goals.


As an AS, I want to decouple the consent management UX from the authorization services, 

As an RO, I need a personally controlled user-agent (UMA Wallet) to manage my key material, in order to maintain personal agency in ecosystems

As an RO, I want to authorize a "UMA Wallet" to manage RS resources, so that I have a single view into my available RSs and Resources

As an RS, I need Alice to authenticate in order to determine which resources she can manage, in order to ensure appropriate management access

As an RS, I need Alice to establish credentials (pub key), so that I can trust that externally asserted policy was issued by Alice

As an RS, I need to trust delegations signed by Alice's key, so that Alice can allow Bob (other keys...) or <<claims gathering condition>> to access her resources

As an RS, I may delegate the resource management user experience, so that I can focus on my core service to the RO

As an RS, I need to know which AS(s) Alice wants to use, in order to delegate access control (uma core)

As an AS, I want to delegate RqP identification to a UMA Wallet, so that
- a RqP can choose their private key and consent management provider
- I can avoid directly holding or seeing a user's personal details



New term "BOLTS"

UMA Interop Testing


AOB


Attendees

As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)

Voting:

  1. Eve
  2. Steve
  3. Alec

Non-voting participants:

  1. Nancy
  2. Tim

Regrets:

  1. Domenico