[WG-UMA] Draft minutes of UMA telecon 2012-06-07

Eve Maler eve at xmlgrrl.com
Sun Jun 10 20:27:45 EDT 2012

Roll call
Quorum was not reached.

Approve minutes of 2012-05-31 meeting
Deferred due to lack of quorum.

Issue #20
Okay to leave this out of scope and have a third party write a profile for an UMA-protected discovery service?

What would we lose if UMA doesn't solve this natively? Endpoint discovery is really important for a lot of use cases we care about, like the healthcare scenario. The IETF group that's grappling now with WebFinger vs. SWD seems like it might solve part of this problem. Do we believe there is more required for solving "protected discovery" than doing OAuth-protected (or UMA-protected) web discovery calls? The goal would be to allow Alice to choose who is allowed to find out who she uses as her provider for some claim or content.

The "naive" way of solving UMA-protected endpoints would be that the requester would discover the endpoint by accessing a totally ordinary resource (whose value is the endpoint), and then get sent back to the AM if they don't qualify to get through to that endpoint without an existing permission. OpenID Connect has already added the notion of an "endpoint token" to optimize this naive flow, enabling the requester not to be bounced back to an AM. Of course, this is an OAuth token, not an UMA token (requester permission token). On the discovery side of things, OIC uses SWD (if someone gives you an identifier that has a domain embedded in it, you can bootstrap finding their OIC OP endpoint). On the claims side of things, when OIC gives you back "distributed claims", it gives you back an endpoint and an optional endpoint token. If you ask OIC for a "driver's license", an OP that doesn't have it but knows where it is hands you back the endpoint and maybe a token.

We do think that the WebFinger+SWD direction is positive for what we need, but we wouldn't necessarily be crazy about their emerging "RPC-ish" approach to API design. Hopefully we can influence that. But then, since a host presenting that interface can register resource sets with the AM through UMA however it likes, does it matter? Maybe not, though it would still be valuable to standardize the actual API.

Are there any sequence diagrams available for the Street Identity use case or any other use case that needs a solution to issue #20? Eve will ask around.

As of 22 May 2012, quorum is 6 of 10.

Maler, Eve
Hardjono, Thomas
Fletcher, George
Catalano, Domenico
Non-voting participants:

Nederkoorn, Cordny
Cox, Kevin

Drake, Trey
Moren, Lukasz
D'Agostino, Sal
Machulak, Maciej
Next Meetings
WG telecon on Thursday, 14 June 2012, at 9am PT (time chart)
WG telecon on Thursday, 21 June 2012, at 9am PT (time chart)
WG telecon on Thursday, 28 June 2012, at 9am PT (time chart)

Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://kantarainitiative.org/pipermail/wg-uma/attachments/20120610/d27179fb/attachment.html 

More information about the WG-UMA mailing list