There will not be an UMA call this week as many are celebrating US
Thanksgiving!
Hope you all have a great week, see you Dec 2
Best,
- Alec
PS: reminder that the Dec 9th call will be extended to 12:30 ET and used as a
working session
I am at a conference in NY, best to the Umanitarians.
Sl
IDmachines
1264 Beacon Street, #5
Brookline, MA 02446
+1 617.201.4809
@idmachines
https://idmachines.com
Please note I have a new email certificate, please update the public key you
use for encrypted messages to me. It is part of this (S/MIME) email.
https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-11-11
Minutes
Roll call
- Quorum: No
Approve minutes
- Approve minutes of:
UMA telecon 2021-09-09 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-09-09>,
UMA telecon 2021-09-16 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-09-16>,
UMA telecon 2021-09-23 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-09-23>,
UMA telecon 2021-09-30 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-09-30>,
UMA telecon 2021-10-14 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-10-14>,
UMA telecon 2021-10-21 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-10-21>,
UMA telecon 2021-10-28 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-10-28>,
UMA telecon 2021-11-04 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-11-04>
Deferred
*The Kantara All Members meeting is Dec 8th, 11:00-12:30 ET (it's virtual, link TBD)*
FIDO authenticate conference recap
- creating new authentication requirements with US Gov
- specifically around anti-phishing
- lots of case studies of people implementing FIDO/"passwordless"
- Verizon, DNC, eBay, Capital One, Microsoft, Visa, FB
- deltect ERP software, integrated into the product
- blocker to adoption: user-friendly recovery of lost credentials
- cross-device key sharing, backup/recovery
- Apple/Google have proprietary ways to share keys between devices.
- contentious, as one FIDO premise is that the key won't leave the device
- starting to look at mDL ISO 18013-5(?), combination session with OIDF
- there is also an AAMVA (American Association of Motor Vehicles Associations) RFP out, which includes the public key directory
Alex Weinert at Microsoft enumerated attributes of a secure authentication credential:
- Unguessable
- Undisclosable
- Multi-factor
- Single-user
- Local
- Uninterceptable
- Unphishable
Interesting that "strength" isn't in the list of attributes, i.e. what is being
discussed vs what is being taken for granted/table stakes.
UP: user presence (tap the device)
UV: user verification (PIN/face recognition) → unlocks the entire store of keys
The RP decides what is required of the authenticator (UP or UV)
New FIDO spec, Device Onboard: secure provisioning of IoT devices.
Any FIDO device users?
Will Apple/Google be the mDL device providers of the future? Will there be
other competitors?
Ongoing work to be done on the convenience vs security of solutions, e.g.
with private keys that can follow between devices, like how password managers work
Other ongoing/upcoming conferences?
- IETF meetings are happening this week
- ISSE next week
- East coast physical security
A lot of (US) conferences are requiring people to set up the CLEAR pass and
provide recent/on-site tests
OAuth vs UMA content
Defer
Delegation Use Cases
Reviewed more pp2pi <https://www.drummondgroup.com/pp2pi/> use cases,
broken down by objective and mapped to whether UMA or UMA delegation can
meet the goal.
Will continue this discussion next week.
*Report on FHIR API Vulnerabilities <https://kantarainitiative.org/confluence/display/uma/Report+on+FHIR+API+Vul…>*
- topic for next week, review a first draft of this report
- Alec to take a pass and email the list when there's something more
substantial to review
AOB
- We are planning a 3 hour working session on December 9th; we will
extend the normal call to run 9:30-12:30 ET
- Want to make progress on some of the in-progress docs and get them into
a consistent state
- Eve, Nancy, Alec, Andi
- If you're up for attending, please email Alec, or leave a comment on
these minutes
Topic Candidates (from previous telecons)
- Delegation and Guardianship
- Outcome of user stories discussion
- PDP architecture includes the concept of governance registry/discovery
- TOIP/SSI are starting to define this ecosystem function
- ANCR records update
- Privacy as Expected/ANCR update: 2/3 weeks out (Sal?)
Attendees
As of October 26, 2020, quorum
<http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is
5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
Voting:
1. Andi
2. Steve
3. Sal
4. Alec
Non-voting participants:
1. Joe - w/ FR IAM background
2. Scott
3. Nancy
Regrets:
- George
https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-11-04
Minutes
Roll call
- Quorum: No
Approve minutes
- Approve minutes of:
UMA telecon 2021-09-09 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-09-09>,
UMA telecon 2021-09-16 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-09-16>,
UMA telecon 2021-09-23 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-09-23>,
UMA telecon 2021-09-30 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-09-30>,
UMA telecon 2021-10-14 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-10-14>,
UMA telecon 2021-10-21 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-10-21>,
UMA telecon 2021-10-28 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-10-28>
Deferred
*The Kantara All Members meeting is Dec 8th, 11:00-12:30 ET (it's virtual, link TBD)*
FHIR Vulnerability Report
Working document here: Report on FHIR API Vulnerabilities
<https://kantarainitiative.org/confluence/display/uma/Report+on+FHIR+API+Vul…>
Please take a look; all comments/contributions welcome! The original
report is attached to the Confluence page.
OAuth vs UMA content
previous discussion: UMA telecon 2021-09-16
<https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-09-16>
Who is the right audience for this content? A version at different
'levels'? Show value to Business & Technical separately.
At the business level there is buy-in to 'OAuth is awesome', which creates the
question "so why do I need UMA?"
- 'putting your lock on the wrong locker': UMA helps prevent this mistake
- you can apply OAuth to protect an API; however, the solution still
needs to consider who's who (authN) and who has access to what (authZ)
Maybe it's 'What's OAuth' and then a 'What's UMA' to follow up.
Here's the problem UMA addresses: it allows a person to control their stuff,
and how they want to share it with somewhere else. OAuth is an underlying
technology to authorize the requestor. E.g. instead of Alice calling the
help desk to give her Mom or spouse access to her record, UMA gives
Alice the ability to do this herself. The cost reduction of self-service
access is similar to removing the manual 'forgot password' flow.
Using UMA reduces the custom development of these features in
existing stacks: UMA services come with these features off the shelf, shifting
custom implementation to configuration (except policy, which is... left to the reader).
It removes requirements from the enterprise by giving the user the direct
ability to manage their stuff themselves.
Google Drive sharing is the best practical example of this (even though it
doesn't use UMA (sad)).
What is the best format for this content?
- 2-3 slides that members can easily re-use
What about UMA vs GNAP? Will GNAP replace OAuth and UMA?
Have never heard a customer request GNAP; only discussion within the
IETF/OAuth/UMA communities.
Check out the recent GNAP progress here:
https://github.com/ietf-wg-gnap/gnap-core-protocol
Is there a clear UMA → GNAP transition?
PAT lifecycle management
PAT lifecycle management: the PAT is an OAuth access token, with an expiration
and a refresh token.
When it's needed (e.g. when a client makes a request) it can be expired.
How long should it live?
- the PAT itself is an access token and should expire in a short window
(like a normal access token, e.g. 5 mins)
- the refresh token can have a long lifetime, e.g. months/years
- the PAT represents the RO's authorization for the RS to trust the AS,
and for the AS to protect the RS's API
- it should expire in line with that human-level policy around
expiration
What to do if the PAT and its refresh token have expired? Need the RO to come
back and regenerate it.
- should there be a different message to the client? It's not the RO at
the client, it's the RqP. We shouldn't expose the maintenance of
the PAT to the RqP
- the RS can't issue a ticket to the RqP
- there is no defined response in this case; is it a 403? There is no
appropriate WWW-Authenticate type redirect
- UMA Implementer's Guide#pat-invalidResourceServerErrorHandlingWhenthePATIsInvalid
<https://kantarainitiative.org/confluence/display/uma/UMA+Implementer%27s+Gu…'sGuide-pat-invalidResourceServerErrorHandlingWhenthePATIsInvalid>
- return a 403 with an HTTP error and the header 'Warning: 199 - "UMA
Authorization Server Unreachable"'
- ideally there is some RS → RO notification to renew
Depends on the RO model. When the RO is the RS, the RS can always get a new
PAT using its client credentials.
If the RO is a proper subject, then these challenges all exist.
Could the AS always allow an RS=RO PAT? How would this interact/intersect
with PATs bound to a proper subject RO?
A not-UMA solution (relationship manager solution):
RS <> AS: resources registered (eg /patient)
RS → RO: 'id token' with the subject id (alec123)
RO → AS: the RS knows me as alec123, I want to give Bob access to /patient
for that subject
AS → RS: introspection result returns resource and subject id
AOB
- We are planning a 3 hour working session on December 9th; we will
extend the normal call to run 9:30-12:30 ET
- Want to make progress on some of the in-progress docs and get them into
a consistent state
- Eve, Nancy, Alec, Andi
- If you're up for attending, please email Alec, or leave a comment on
these minutes
Next week, Steve will give a de-brief of the FIDO authenticate conference
Topic Candidates (from previous week's telecon)
- Delegation and Guardianship
- Outcome of user stories discussion
- PDP architecture includes the concept of governance registry/discovery
- TOIP/SSI are starting to define this ecosystem function
- ANCR records update
- Privacy as Expected/ANCR update: 2/3 weeks out (Sal?)
Attendees
As of October 26, 2020, quorum
<http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is
5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
Voting:
1. Sal
2. Alec
3. Domenico
4. Steve
Non-voting participants:
1. Scott
Regrets:
1. Nancy
2. Eve
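The RS-side handling of an expired PAT discussed under "PAT lifecycle management" in the 2021-11-04 minutes above, as an added Python sketch that is not UMA WG code: it tries the refresh token (or client credentials when RS=RO, as the minutes note) and otherwise fails closed with the 403 + Warning response from the Implementer's Guide, so PAT maintenance is never exposed to the RqP. The Pat type, renew_pat, handle_rqp_request, the stand-in token endpoint and the as_uri/ticket values are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Added illustration of the PAT lifecycle from the minutes (not UMA WG code).
# A PAT is an ordinary OAuth access token held by the RS: short-lived access
# token, long-lived refresh token. Pat, renew_pat, handle_rqp_request and the
# as_uri/ticket values are hypothetical; the Warning header value is the one
# the Implementer's Guide recommends.

@dataclass
class Pat:
    access_token: str
    expires_at: float            # epoch seconds; short window (minutes)
    refresh_token: Optional[str]
    refresh_expires_at: float    # epoch seconds; long window (months/years)

# Stand-in for the AS token endpoint: returns a token response dict or None.
TokenEndpoint = Callable[..., Optional[dict]]

def renew_pat(pat: Pat, now: float, token_endpoint: TokenEndpoint,
              rs_is_ro: bool = False) -> Optional[Pat]:
    """Try to get a fresh PAT without involving the requesting party.
    RS==RO: the RS is its own resource owner and can just use its client
    credentials. Otherwise only the refresh token helps; once that is gone
    the human RO has to come back and re-authorize."""
    if rs_is_ro:
        resp = token_endpoint(grant_type="client_credentials")
    elif pat.refresh_token and now < pat.refresh_expires_at:
        resp = token_endpoint(grant_type="refresh_token",
                              refresh_token=pat.refresh_token)
    else:
        return None
    if resp is None:
        return None
    return Pat(resp["access_token"], now + resp["expires_in"],
               resp.get("refresh_token", pat.refresh_token),
               pat.refresh_expires_at)

def handle_rqp_request(pat: Pat, now: float, token_endpoint: TokenEndpoint,
                       rs_is_ro: bool = False):
    """RS response to an RqP call arriving without a valid RPT. Returns
    (status, headers, pat_to_store). PAT maintenance is never surfaced to
    the RqP: the RS either renews silently and proceeds to the permission
    ticket step, or fails closed with 403 + Warning as the guide suggests."""
    if now >= pat.expires_at:
        pat = renew_pat(pat, now, token_endpoint, rs_is_ro)
        if pat is None:
            return 403, {"Warning": '199 - "UMA Authorization Server Unreachable"'}, None
    hdr = 'UMA realm="rs", as_uri="https://as.example", ticket="<ticket>"'
    return 401, {"WWW-Authenticate": hdr}, pat
```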