[WG-UMA] Draft minutes of UMA telecon 2011-11-03

Paul C. Bryan paul.bryan at forgerock.com
Thu Nov 3 13:37:15 EDT 2011


http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2011-11-03

Attendees

     1. Bryan, Paul (chair pro tem)
     2. Hardjono, Thomas
     3. Alam
     4. Catalano, Domenico
     5. Morrow, Susan
     6. Szpot, Jacek
     7. Moren, Lukasz
     8. Wolniak, Maciej
        

Minutes


Roll call

Quorum was not reached.


Approve minutes of 2011-10-13, 2011-10-20 and 2011-10-27 meetings

Deferred due to lack of quorum.


Review 2011Q4 timeline

      * Thomas attended Kerberos conference at MIT; will be working on
        next Internet-Draft this week.
      * Paul planning on starting spin-off REST API Internet-Draft this
        week. Brief discussion re: relying on other Internet-Drafts,
        renewals, etc.
        

Upcoming webinar

      * Reminder to everyone: please participate in the Doodle Poll for
        the best date/time to host the next UMA webinar.
      * General agreement that Maciej should perform the demo, so need
        to confirm his participation.
        

UMA core spec issues


Issue #8: Does the returned permission ticket need an expiration field?

      * Paul: Short answer: no, tokens are opaque.
      * Paul: Longer answer: As long as tokens are opaque, expiration
        field is not necessary. This will change if/when we support
        tokens with semantics that host can use to make authorization
        decision. If/when we get to this point, we'll also possibly need
        other PKI-ish functions such as signature verification and token
        revocation mechanism. 
      * Paul takes AI to comment on this ticket in GitHub and close
        issue.
        

Issue #14: Filtering the token validation request

      * Deferring for discussion next week.
        

Issue #15: Must the host give access if the requester has suitable
permission?

      * Paul: Short answer: no.
      * Paul: Longer answer: as discussed last week, UMA is focused on
        discretionary access control (DAC). Mandatory access control
        (MAC) is out of UMA scope. Host SHOULD give access if the
        requester has suitable permission. Discretionary access control
        should not override mandatory access controls.
      * Paul takes AI to comment on this ticket in GitHub, modify the
        spec to SHOULD, and close the issue.
        

Issue #16: Must the host register a permission?

      * Paul takes AI to discuss with Eve in more detail and comment on
        the ticket.
        

Issue #17: Claims formats that are supported (?)

      * Thomas takes AI to include the OpenID
        

Issue #24: Possible to audit host's compliance in giving access based on
a legitimate active permission from the AM?

      * Paul: Short answer: no.
      * Paul: Longer answer: AM provides advice to host, and is not
        direct party to the interaction between requester and host.
      * Paul takes AI to comment on ticket in GitHub.
        

Issue #25 (bonus!): Possible to reduce requester's reliance on AM to ask
for only the claims it strictly needs?

      * Paul: Short answer: no.
      * Paul: Longer answer: There is no testable way we can require the
        AM to ask for only the claims actually needed in making an
        authorization decision, because:
              * policies are intentionally opaque to requester and host
              * there is no known automated way to test the
                reasonableness of requested claims for a given
                permission
      * Paul takes AI to comment on ticket in GitHub.
        

Next Meetings

      * WG telecon on Thursday, 10 Nov 2011, at 9am PT (time chart)
        – NOTE: back in sync on most apparent time differences around
        the world – ALSO NOTE: Eve regrets; who will serve as chair
        pro tem?
      * WG telecon on Thursday, 17 Nov 2011, at 9am PT (time chart)
        – NOTE: Likely Eve regrets; who will serve as chair pro tem?
      * NO WG telecon on Thursday, 24 Nov 2011 – U.S. Thanksgiving
        holiday
      * WG telecon on Thursday, 1 Dec 2011, at 9am PT (time chart)