There will not be an UMA call this week as many are celebrating US
Thanksgiving!
Hope you all have a great week, see you Dec 2
Best,
- Alec
ps. reminder that the Dec 9th call will be extended to 1230ET and used as a
working session
I am at a conference in NY, best to the Umanitarians.
Sl
IDmachines
1264 Beacon Street, #5
Brookline, MA 02446
+1 617.201.4809
@idmachines
https://idmachines.com
Please note I have a new email certificate, please update the public key you
use for encrypted messages to me. It is part of this (S/MIME) email.
https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-11-11
Minutes
Roll call
- Quorum: No
Approve minutes
- Approve minutes of:
  - UMA telecon 2021-09-09 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-09-09>
  - UMA telecon 2021-09-16 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-09-16>
  - UMA telecon 2021-09-23 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-09-23>
  - UMA telecon 2021-09-30 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-09-30>
  - UMA telecon 2021-10-14 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-10-14>
  - UMA telecon 2021-10-21 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-10-21>
  - UMA telecon 2021-10-28 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-10-28>
  - UMA telecon 2021-11-04 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-11-04>
Deferred
*The Kantara All members meeting is Dec 8th, 11-1230ET (it's virtual, link
TBD)*
FIDO authenticate conference recap
- creating new authentication requirements with US Gov
- specifically around anti-phishing
- lots of case-studies of people implementing FIDO/"passwordless"
- Verizon, DNC, eBay, Capital One, Microsoft, Visa, FB
- deltect erp software, integrated to product
- blocker to adoption: user friendly recovery of lost credentials
- cross device key sharing, backup/recovery
- apple/google have proprietary ways to share keys between devices.
- contentious as one FIDO premise is the key won't leave the device
- starting to look at MDL ISO 18013-5(?), combination session with
OIDF
- there is also an AAMVA (american association of motor vehicles
associations) RFP out, includes the public key directory
1. Alex Weinert at Microsoft enumerated attributes of a secure
authentication credential:
   - Unguessable
   - Undisclosable
   - Multi-factor
   - Single-user
   - Local
   - Uninterceptable
   - Unphishable
Interesting that "strength" isn't in the list of attributes, i.e. what is being
discussed vs what is being taken for granted/table-stakes
UP: user presence (tap the device)
UV: user verification (pin/face rec) → unlock entire store of keys
RP decides what is required of the authenticator (UP or UV)
New FIDO Spec, Device On-board, secure provisioning of IoT devices.
Any FIDO device users?
Will Apple/Google be the mDL device providers of the future? Will there be
other competitors?
Ongoing work to be done about the convenience vs security of solutions, e.g.
with private keys that can follow between devices like how pw managers work
Other ongoing/upcoming conferences?
- IETF meetings are happening this week
- ISSE next week
- East coast physical security
A lot of (US) conferences are requiring people to set up the clear pass, and
provide recent/on-site tests
OAuth vs UMA content
Defer
Delegation Use Cases
Reviewed more pp2pi <https://www.drummondgroup.com/pp2pi/> use-cases,
broken down by objective and mapped to whether UMA or UMA delegation can
meet the goal
Will continue this discussion next week
*Report on FHIR API Vulnerabilities
<https://kantarainitiative.org/confluence/display/uma/Report+on+FHIR+API+Vul…>*
- topic for next week, review a first draft of this report
- Alec to take a pass and email the list when there's something more
substantial to review
AOB
- We are planning a 3 hour working session on December 9th, we will
extend the normal call from 930-1230ET
- Want to make progress on some of the in-progress docs, have them in
a consistent state
- Eve, Nancy, Alec, Andi
- If you're up to attend, please email Alec, or leave a comment on
these minutes
Topic Candidates (from previous telecons)
- Delegation and Guardianship
- Outcome of user stories discussion
- PDP architecture includes the concept of governance registry/discovery
- TOIP/SSI are starting to define this ecosystem function
- ANCR records update
- Privacy as Expected/ANCR update : 2/3 weeks out (Sal?)
Attendees
As of October 26, 2020, quorum
<http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is
5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
Voting:
1. Andi
2. Steve
3. Sal
4. Alec
Non-voting participants:
1. Joe - w/ FR IAM background
2. Scott
3. Nancy
Regrets:
- George