[WG-UMA] New rreg and core specs
eve at xmlgrrl.com
Wed Dec 15 13:13:08 EST 2010
Thanks for these comments! (Can I tempt you to do the same for the rreg spec too? :-) We need to do an analysis of draft 11 and figure out implications for our spec. You're right that we should identify the OAuth draft (the current one we use is 10) more clearly. As we get more specific about conformance language, I think we're going to want to name/number an UMA "snapshot" so that it can become a consistent testing target.
On 15 Dec 2010, at 9:40 AM, Thomas Hardjono wrote:
> I just went through the UMA Core spec. I think it looks very good and
> reads well -- a much easier read for me than reading OAuth2.0 (but
> that's just me:)
> Here are some minor comments/suggestions:
> (1) Need to identify which draft of OAuth2.0 is being referred to:
> Minor nit. I know that OAuth2.0 seems to be a moving target. Perhaps
> within the UMA-core draft, we could cite Oauth2.0 version.
> For example: [OAuth2-draft11], instead of just [Oauth2].
> (2) Move paragraph on UMA Profile Patterns to separate section and
> I would recommend moving the following paragraph (Section 3,
> Step-2) to a separate section, since this is an "advanced" set of
> concepts and may confuse the first-time reader.
> If the requester is acting on behalf of a requesting party that is
> corporation or other legal person, or a natural person who is not
> same as the authorizing user, it MUST use an UMA profile pattern
> does not involve use of the OAuth end-user authorization endpoint,
> allow for issuing an access token that does not require the
> authorizing user's presence at the time of issuance. If the
> requester is acting on behalf of a natural person who is the same
> person as the authorizing party, it MUST use an UMA profile pattern
> that involves use of this endpoint, such that this person
> synchronously approves token issuance through presenting user
> credentials to the AM and consenting.
> (NB. I think this is absolutely valuable stuff, a notch above
> Oauth2.0. Please keep the paragraph and expand it.)
> (3) Question: Which Oauth profiles
> Does UMA only use (refer-to or depend-on) the OAuth2.0 web server
> (or do we need the other OAuth2.0 profiles).
> (4) "Access Grant" terminology (Oauth2.0 draft-11):
> I found the introduction of the "access grant" terminology in
> OAuth2.0-draft11 to be confusing (but that's just me).
> Does the "access grant" terminology alter our UMA terminology in any
>> -----Original Message-----
>> From: wg-uma-bounces at kantarainitiative.org [mailto:wg-uma-
>> bounces at kantarainitiative.org] On Behalf Of Eve Maler
>> Sent: Tuesday, December 14, 2010 7:08 PM
>> To: wg-uma at kantarainitiative.org UMA
>> Subject: Re: [WG-UMA] New rreg and core specs
>> Christian has posted them at:
>> On 14 Dec 2010, at 3:00 PM, Eve Maler wrote:
>>> Sorry this isn't uploaded yet -- my fault. I wanted folks to take
>> look at this as soon as possible... This is the latest resource reg
>> spec and also a slightly revised core spec to correct the language
>> around resource registration and the registration endpoint. I tried
>> accommodate or at least capture as many of the issues documented in
>> 'pad (http://openetherpad.com/uma-rreg-todo) as possible.
>>> Eve Maler
>>> +1 425 345 6756
>>> WG-UMA mailing list
>>> WG-UMA at kantarainitiative.org
>> Eve Maler
>> +1 425 345 6756
Eve Maler http://www.xmlgrrl.com/blog
+1 425 345 6756 http://www.twitter.com/xmlgrrl