Quorum was reached.
Minutes of 2012-04-19 and 2012-04-26 meetings APPROVED.
Maciej is available for both May 17 and May 24. Eve can create agendas for both.
Maciej is willing to serve again. We'll collect further nominations until such time as we get a chance to vote while quorate.
MOTION: Approve Maciej as vice-chair for another year. APPROVED by acclamation. Thanks, Maciej!
It was a good meeting in terms of seeing high levels of interest in protecting personal information on the Web. There was a lot of VRM stuff this time. UMA is a big leap for many folks. Street Identity/OpenAXN and OpenID Connect are just reaching more people's consciousness. Maciej had some discussions with folks from the hardcore OAuth and OpenID Connect communities, and they are amenable to taking out dynamic client registration. It also seems that people who are more sensitized to the Attribute Provider use case are getting used to the idea of our "radical" separation of AS and RS, which hardcore OAuthers don't seem to need otherwise. The net is that OpenID Connect is driving a set of use cases that OAuth by itself wouldn't. In other words, once an Attribute Provider is conceived of as a resource server/host, UMA looks important.
Issues Eve collected that need to be added to GitHub:
Maciej needs the latter issue for auto-discovery of claims that live in a PDS. If the user has already introduced the PDS to their IdP, the requester should be able to discover what the AM protects. So the question the requester wants to be able to ask: What claims/resources could the AM offer if the requester could satisfy the policy? Project hData also needs this! What if the resource set registration process has the AM automatically create resources in a discovery service whose API is completely standardized? Has OpenID Connect already done this standardization?
Should Domenico's Trust Model User Guide be a Service Operator Criteria doc? Kantara would find that really useful.
Is it viable for us to explicitly position UMA as a Privacy By Design technology because it shifts the burden to requesting parties and because it enables more granular user-controlled protection of resources? We think this is fair.
Three legs good - four legs better! Let's name our next tweet chat or webinar with this.
Eve will meet with Pam tomorrow to learn how to work the OSIS wiki.
Eve walked through the current state of the Trust Model doc, which is now in IETF-ready I-D spec form. SMART AM is the first deployed AM in the world, so the spec obligates Newcastle to adhere to the contractual terms! NCL will look at the doc closely.
The SMART AM implementation's RPT endpoint just gives out the RPT. It doesn't do the permission request part. In fact, the requester goes to ask for the RPT for a particular host even before it attempts access at the host, so it doesn't have a permission ticket yet. This is compliant with the older version of UMA, where the host doesn't eagerly register a permission and get a ticket! There seem to be exactly two viable technical approaches:
As of 25 April 2012, quorum is 6 of 10.