WG-UMA

Download

wg-uma@kantarainitiative.org

March 2025

5 participants
2 discussions

UMA-based Pensions Dashboard Programme final standards approved and being used
by Eve Maler 20 Mar '25

20 Mar '25

I’m subscribed to the UK Pensions Dashboard Programme emails, and saw a notice today that all of its related standards, including the “technical standards” (among which are its UMA profiles), were approved for use as of March 13th. <https://www.pensionsdashboardsprogramme.org.uk/standards/technical-standards> pensionsdashboardsprogramme.org.uk<https://www.pensionsdashboardsprogramme.org.uk/standards/technical-standards> [X]<https://www.pensionsdashboardsprogramme.org.uk/standards/technical-standards> They also announced on March 5th that three ecosystem participants have successfully connected. <https://parliamentlive.tv/event/index/6c8b9018-cc69-4510-960d-ce001147cb0f> [share.jpg] Parliamentlive.tv<https://parliamentlive.tv/event/index/6c8b9018-cc69-4510-960d-ce001147cb0f> parliamentlive.tv<https://parliamentlive.tv/event/index/6c8b9018-cc69-4510-960d-ce001147cb0f> Pretty cool! [VF Logo Light Green Mix (on Dark BG) for email sig.png] Eve Maler, president and founder Cell and Signal +1 (425) 345-6756<tel:+1-425-345-6756>

3 2

Security Notification: Pass the permission ticket vulnerability
by Alec L 19 Mar '25

19 Mar '25

Hi, This is a notice of an identified vulnerability in the UMA 2 specification. Please refer to the attached documents for full details, including recommended next steps for mitigation if your implementation is affected. Many thanks to Gabriel Corona for his efforts in finding, documenting and explaining these issues to us! Please reach out if you'd like to discuss further, Best, - Alec *Am I impacted?* You are probably not impacted if UMA clients only interact with known resource and authorization services. You might be impacted if the following are true: * the UMA client is able to start flows with any UMA resource server * the UMA client is able to start flows with any UMA authorization server * the authorization server supports open dynamic registration of clients, without any pre-registration process or requirements for the client. In this case, you probably can't be sure that the client isn't a malicious AS Alec Laws CTO Engineering | IDENTOS Inc. [image: mobilePhone] (647)-822-1529 [image: emailAddress] alec(a)identos.ca [image: twitter] <https://twitter.com/identos_inc> [image: linkedin] <https://www.linkedin.com/company/identos-inc/>

3 4