[Wg-uma] Technology matrix

Eve Maler eve at xmlgrrl.com
Mon Sep 28 18:08:58 PDT 2009

I don't want to "over-rotate" on the matrix too much.  I have found it  
a useful tool in quickly explaining how the UMA idea is (e.g.) similar  
to and different from XACML, OAuth, etc., but it's impossible to be  
mathematically precise with such brief statements of comparison.

That said, here are some fresh thoughts in response to Nat's comments;  
more input welcome:

On 23 Sep 2009, at 6:31 PM, Nat Sakimura wrote:

> Adding bootstrapping row is a good idea.

I can definitely see the appeal, but I'm not sure where it will  
end. :-)  This is intended to quickly highlight where UMA "sits"  
relative to other technology items on the landscape, not to be  
exhaustive.  Would adding it contribute to a better understanding of  
UMA?  (I'm really asking.)

> Also, security characteristic and its relationship to a relevant legal
> framework (though not strictly technical) would be nice to have.

Probably there is a very wide range to cover here, even for each  
column.  Can you suggest what the row would look like, so we can  
consider it?  Are you thinking of something like "assurance", or legal  
enforceability, or something else?

> In addition, having the rows explained will be beneficial, at least to
> me. I am not quite sure of some of the definitions of the rows.
> BTW, re: CX, are we talking about an abstract CX or OpenID binding?
> Notion of CX is pretty abstract. It is an online contracting
> framework. Subsequent action can be anything as long as it is written
> in the contract. (It could be a physical delivery of something, for
> example, like magazine subscription, or service like hotel room.)

We could do both, but I did mean to cover OpenID CX.  You're right, my  
coverage of it was totally insufficient, and I will use your  
suggestions just below.

> If we were talking about CX+AX, I guess (since I do not fully
> understand the definition of the row) the following would be supported
> in addition:
> login-time attribute transfer
> back-channel controlled access
> on-board storage of user data
> co-ownership of write access: pseudo
> Also, I was not sure of the meaning of "binding of ID(s) to data  
> shared".
> If id_select is a late binding mechanism, then CX can also be
> considered late binding ...
> As it is a contract, it cannot be later than the time of enacting the
> contract though.

I was thinking it would be early-bound to the OpenID (or other  
identity in the generic version?) that was wielded, rather than being  
entirely agnostic as to the identifier system in use.  But I'm not  
positive this is correct.

> If the definition of the rows can be clearer, I could shed more  
> light on them.
> One last note: there can be CX+OAuth etc. as well.

Since I didn't have an explanation of CX+OAuth available, I stuck with  
what I (imperfectly) knew...

The Confluence wiki is down (they had a major outage today and are  
still picking up the pieces), so when I can get access to the matrix  
I'll edit it some more, and also grab all the rows and offer an  
explanation for them.


Eve Maler
eve at xmlgrrl.com