[WG-UMA] Review UMA core spec rev8 until pargr. 2

Thomas Hardjono identity at hardjono.net
Wed May 25 14:38:43 EDT 2011


Hi Cordny & Eve,

>>>> Is the use of SHOULD done because of giving the 
>>>> implementer the choice of using the statement?
>>>>
>> This is a good question. Thomas, I think you made this 
>> choice; were you following OAuth's lead? It's worth discussing 
>> whether we should make certain parts of the UMA flow 
>> "optional together". For example, what if the resource 
>> server is colocated with the authorization server and 
>> has a closer relationship with it that doesn't require
>> an expensive interoperable messaging protocol? Is this 
>> a case where we should define "conformance profiles"?

Yes, I think the question of "conformance profiles" will need to be
discussed sooner or later, as there may be multiple ways UMA could be
deployed/implemented.

To answer Cordny's specific question, I have loosely used SHOULDs to
mean "better to implement" to achieve the highest degree of Interop.
Perhaps in future Revs we could tighten up more (and avoid confusion)
by using MUSTs.

/thomas/

_________________

From: wg-uma-bounces at kantarainitiative.org
[mailto:wg-uma-bounces at kantarainitiative.org] On Behalf Of Eve Maler
Sent: Tuesday, May 24, 2011 4:53 PM
To: Cordny Nederkoorn
Cc: wg-uma at kantarainitiative.org
Subject: Re: [WG-UMA] Review UMA core spec rev8 until pargr. 2

Glad to give you something to play with. :-)

More below:

On 24 May 2011, at 11:46 AM, Cordny Nederkoorn wrote:


Hi all,

If you ask a tester like me to review specs, it's playtime.
For rev8 I reviewed until pargr. 2.

Here goes:

Pargr1
Phase 2,3 together are described in section 2; are the main 3 core
steps still Protect a Resource, Get and Use a Token?

This was a philosophical trick to figure out. While it still seems
useful to summarize the value of UMA by talking about three phases (of
which the latter two are similar to OAuth), phase 3 is rather
unexciting -- it's just the successful conclusion of the whole
sequence. So, really, section 2.1.5 (with all of its predecessor
steps) is phase 3! Is it worth pointing specifically to this
subsection when talking about phase 3?



Par2
Thumbs up for describing steps with If...Then; We testers love it.

2.1-2.5: no examples from last revision?

Maciej has promised to supply example content. I think we kept all
example content that was in the older drafts that was still accurate.


Is the use of SHOULD done because of giving the implementer the choice
of using the statement?

This is a good question. Thomas, I think you made this choice; were
you following OAuth's lead? It's worth discussing whether we should
make certain parts of the UMA flow "optional together". For example,
what if the resource server is colocated with the authorization server
and has a closer relationship with it that doesn't require an
expensive interoperable messaging protocol? Is this a case where we
should define "conformance profiles"?



That's it, feedback is welcome and more will follow.

Wonderful!

	Eve



Cheers, Cordny Nederkoorn


> 
> http://kantarainitiative.org/confluence/display/uma/UMA+1.0+Core+Protocol


Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl



