- WG-UMA - mailman.kantarainitiative.org

Notes from UMA legal telecon 2016-06-03
by Eve Maler 04 Jun '16

04 Jun '16

http://kantarainitiative.org/confluence/display/uma/UMA+legal+subgroup+note… 2016-06-03 - NOTE: No subgroup telecon next week - Privacy@Scale report - Status of outlining/editing of newly planned document deliverables - UMA Legal Primer - UMA Legal Use Cases Attending: Eve, Paul, John W, Mary, Ann, Kathleen, Adrian, Mark *Privacy@Scale and other event reports:* John and Eve both attended on Monday of this week; it was the 2nd annual, and their first. Facebook hosts it. It was in DC this year. John was very vocal. You can find two of the three report deliverables commissioned by Facebook from Ctrl-Shift at this site <http://thedatadriveneconomy.com/>. The third report is coming soon. Eve spoke at FB’s behest on the roundtable process that fed into those reports, and mentioned UMA and Consent Receipts. John points out Omri Ben-Shahar <http://www.law.uchicago.edu/faculty/ben-shahar>’s research (he wrote a book called More Than You Wanted to Know: The Failure of Mandated Disclosure) purporting to show that privacy notices are pointless (he was doing a “point-counterpoint” talk with Lori Cranor). Mark contrasts this (?) with the Project IF <https://projectsbyif.com/> work on “data licenses”, where it seems to matter. On Tue-Wed of this week, Adrian attended the NIST Named Data Networking meeting. This work has significant privacy implications. Relative to UMA, there was a mention of longitudinal health records. But he doesn’t expect movement on this soon. PPR has its annual Health Privacy Summit. Remember: It’s free and streamed. Contact Adrian to get an invite! *New UMA Legal document deliverables:* John did a draft outline of an “UMA Legal Primer”. Eve has her slide deck as a start for something like an “UMA Legal Use Cases” document. What should the real names of these documents mean? “Legal” comes after something like “Business”, “Strategic”, “Real-Life”, etc. The use cases are ideally tackled in a fashion that doesn’t introduce UMA terminology, at least at first. They can introduce UMA terminology as a mapping exercise in a second chapter or something, or even point to the other document. What real-life digital resources should we use for examples in the use cases? Health data is a very real example, but how much should we use this? There’s a sense that we should either spread the examples around, or be cautious/aware about using health examples because of its specialty characteristics. We could introduce RACI mappings once we come out of the “UMA technical” term explanations into the “data *” mappings. Kathleen notes that when we have a 1yo (actually a minor who is legally incompetent but old enough to be aware) Johnny, he is legally incompetent to consent and thus may give assent vs. consent; this maps to “Resource Subject that is not at a Responsible level” or something. IOW, RACI is an imperfect system to map to (as we concluded previously). However, the point is that RACI maps well to “data *”. (John writes this part. :-D ) Further, mapping UMA-technical roles to data-* roles leaves a hole: the AS. It’s not a data-anything. This is the innovation of UMA. The contract roles and relationships is the third plane. We should treat it on its own. The goal of the UMA Model Clauses section would be melding the three dimensions all together. We should take a lightweight approach, point to a couple of illustrative clause samples, and in essence serve as clause documentation. We might need a subsection somewhere in this doc (not as a separate dimension/plane) for the UMA-legal definitions, to support the clause explanations. Eve (John?) will import this into a GDoc for collaborative editing. *Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

1 0

Determinism of sets of scopes
by Eve Maler 03 Jun '16

03 Jun '16

John W asked in Skype whether deterministic sets, as we were just talking about in the call today, would allow for overrides of a policy for purposes of data localization or regulation etc. My response was that it's an AS that represents the results of the RO's policy in a token, and it's an RS that might override those results once the client brings that token over to the RS (the "Adrian clause"). Thus, I wondered if the RS's actual granted access should be considered a sixth set of a scopes that we should track, describe, etc. in the spec. It would probably be useful in the UMA Legal work, at a minimum! I also noted that the RS might need to do overrides in an out-of-band-of-UMA situation. As we've discussed in the past, such a situation might include court order or a "break glass" situation. This would mean that this set of scopes could be interestingly disjoint from the original five sets. Thoughts? (BTW, I've sent out Slack invitations, as we'd promised, to everyone who currently gets Google Calendar invitations to our WG meetings, plus whoever else asked for an invitation. If you'd like to get an invitation in addition, drop me a private note.) *Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

3 4

Agenda for UMA legal telecon 2016-06-03
by Eve Maler 03 Jun '16

03 Jun '16

http://kantarainitiative.org/confluence/display/uma/UMA+legal+subgroup+note… Date and Time - *Fridays,* 8-9am PT - Voice: Skype: +99051000000481 or US +1-805-309-2350 (international dial-in lines <https://www.turbobridge.com/join.html>), room code 178-2540# - Screen sharing: http://join.me/findthomas - *NOTE:**IGNORE* the join.me dial-in line shown here in favor of the dial-in info above (Kantara "line C" and the Skype line) - UMA calendar: http://kantarainitiative.org/confluence/display/uma/Calendar 2016-06-03 - NOTE: No subgroup telecon next week - Privacy@Scale report - Status of outlining/editing of newly planned document deliverables - UMA Legal Primer - UMA Legal Use Cases *Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

1 0

Draft minutes of UMA telecon 2016-06-02
by Eve Maler 02 Jun '16

02 Jun '16

http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2016-06-02 MinutesRoll call Quorum was reached. Approve minutes Approve minutes of UMA telecon 2016-05-26 <http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2016-05-26>: APPROVED. MPD Discussion about the arrow "request token with permission ticket" and asking for scopes: The RS would/might still have registered a permission with scopes that it judged to be necessary, so the RS and the client would both have an "opinion" about what the extent of access should be. There are two inputs here into what the ultimate granted access should be. Justin suggests it should be completely deterministic how the five relevant sets are combined: 1. The universe of scopes the RS has registered for the resource set 2. The scopes the client has registered for at the AS (if it has done this at all) 3. What the RO has attached to the policy for the resource set 4. What the RS requests for at the permission endpoint (in order to get a ticket) 5. The scopes the client requests at the token endpoint OAuth's ability for a client to ask for multiple scopes up front makes it less chatty than something that uses a strict least-privilege approach. His early trials with UMA showed that people generally gave out more privileges than that anyway. If TTL strategies and RO (and RS) preferences would prefer to see bundles of scopes handed out anyway, and if some clients can only handle some types of scopes, then does it especially make sense to have the client indicate what scopes it can handle? Justin's ultimate rationale for having clients request the scopes they want is that they are software programmed to use an API, and so they are the proper entity to request what they want. Can we do away with the permission ticket and simply use the bearer token response? Apparently not, because a permission ticket still is needed to preserve UMA loose coupling and RO context in the doing. However, giving the RS a decision/judgment call to make about the client's extent of access is actually a hard problem, and seemingly not worth it. Given that the design of an API, and particularly the resource set vs. scopes dividing line, is up to the discretion of a designer (that is, it's not a clean object vs. verb philosophical line), letting the client ask for what it wants could be philosophically cleanest. An asynchronous grant flow has interesting benefits to the RO in terms of letting them be free to "edit"/uncheck scopes free from the collusion of the RS and client, vs. synchronous grant flows, so there's less concern over a client just "getting its way". Justin's set math implementation can be viewed here <https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/m…>. (The license is Apache2.) We think the notion of scopes as "registerable" by clients in the OAuth world is directly usable in our new concept of UMA set math. We just need to work out a flow chart of how a client's registered scopes interact, in a specific case, with policies. This is our next step, and then to turn it into spec text. So step #4 could be entirely uninteresting and deterministic, say, identifying the resource set ID (or possibly multiple resource set IDs? that would be a judgment call). "Scope design" as a discipline becomes a new thing now, as the RO has a new interactive experience with it, and as RS's convey their semantic intent to an AS at a separate organization (through RSR) for display. OAuth previously has not had this. Even standardized APIs with standardized OAuth scopes haven't had this. Swimlane edits needed: - The "request token with permission ticket" arrow should mention the issue number regarding "client should be able to request scopes" (165) Attendees As of 15 Apr 2016, quorum is 7 of 12. (François, Domenico, Kathleen, Sal, Nagesh, Thomas, Andi, Robert, Maciej, Eve, Mike, Sarah) 1. Domenico 2. Kathleen 3. Sal 4. Maciej 5. Eve 6. Robert 7. Mike 8. Sarah Non-voting participants: - Justin - Colin - Adrian - James - John W - Arlene - Ishan - Jin - George *Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

1 0

Agenda for UMA telecon 2016-06-02
by Eve Maler 31 May '16

31 May '16

http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2016-06-02 Date and Time - *Thu Jun 2,* 9-10am PT - Voice: Skype: +99051000000481 or US +1-805-309-2350 (international dial-in lines <https://www.turbobridge.com/join.html>), room code 178-2540# - Screen sharing: http://join.me/findthomas - *NOTE:* *IGNORE* the join.me dial-in line shown here in favor of the dial-in info above (Kantara "line C" and the Skype line) - UMA calendar: http://kantarainitiative.org/confluence/display/uma/Calendar Agenda - Roll call - Approve minutes of UMA telecon 2016-05-26 <http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2016-05-26> - MPD - Review sequence diagram <http://www.websequencediagrams.com/files/render?link=2DdzslbnVj3ShhlrLVV-> and focus on the last bit, going more slowly through the flows this time - Any last-minute CIS plans/news - AOB *Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

2 2

Self Introduction
by Mohammad Chowdhury 29 May '16

29 May '16

Dear All, First of all, thank for allowing me to the group. I really appreciate Eve for her welcome note. I am Jabed, currently a PhD student at Swinburne University of Technology, Melbourne, Australia. My research interests are information security, Internet of things and cyber forensic. While I was working with my Phd research problem related to user based cross domain access control, I found Maciej's phd thesis. From his work, I learned about this working group. Our university research group is specialized in context-aware and adaptive computing. I am planning to extend UMA for context-awareness, specially for ubiquitous environment (pervasive and IoT enable). I am also interested to examine the privacy part of it. I have read about UMA from different available online documents. I have also downloaded and configured OpenUMA( from ForgeRock) to gain hands on experience. I am still learning about it. I hope to learn a lot from this group. I am also hopeful that I will get Eve and Maciej's expert guidance/feedback from time to time. Looking forward to collaborate. Best regards, Jabed

2 1

Slack team
by Eve Maler 27 May '16

27 May '16

James P has offered to create a Slack team for our WG for better between-meeting communication and work. Thanks, James! (The UMA Dev WG is planning to do the same thing.) *Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

1 1

Notes from UMA legal telecon 2016-05-27
by Eve Maler 27 May '16

27 May '16

http://kantarainitiative.org/confluence/display/uma/UMA+legal+subgroup+note… 2016-05-27 - Review Digital Contracts event - DG - CommonAccord directions - Legal POC appetite - ... - IDE directions - Model definitions: next steps Attending: Eve, John W, Adrian, Ann, Jon N (Andrew regrets) Adrian is on the FHIR group, along with Kathleen. The conversation at that table around "policies on the wire" is very live there. The motivation to source policies from multiple places in the FHIR conversation seems to be internal to a single domain. Given our capturing of notes last week, we'd like to write a short document for a nontechnical, legally inclined, even regulatorily inclined audience. John has stuck his hand up to outline such a doc, and he and Eve can review the results together at Privacy@Scale <http://privacyatscale.com/> (run by FB) next Tuesday. (Microsoft is running a similar event the next day(s), NIST is running a Named Data Networking <http://www.nist.gov/itl/antd/named-data-networking.cfm> event on May 31-Jun 1, and there's a Health Privacy Summit <https://patientprivacyrights.org/2016-health-privacy-summit/> at Georgetown Law June 7-8, and it will be streamed.) Looking at it from a business/strategic point of view, the benefits are privacy-preserving because no authorization/permission policy transmission is needed, and the AS is not a data controller, and individual/patient/consumer/citizen-centric because the AS exists to enable that party's wishes (their "agent" in some fashion). Looking at it from a legal point of view, we are working on a system of model text to protect the interests of all the parties engaging with each other. (As we said last week, if an institution running that domain wants to federate policies in some fashion a la the methods that XACML <https://en.wikipedia.org/wiki/XACML> makes available, they're free to, behind the "UMA façade" of the standardized APIs of AS. If it turns out to be valuable to develop a companion technical paper that answers questions that technical people have about the architecture that supports our contentions, we could write that afterwards.) It seems like we really need a proper use case document now too, identifying why and how the parties might be equivalent or not equivalent (note that in UC4, "offlice Alice/gov agency", the Grantor happens to be the ASO, but in UC1-3, it's not). We need more use cases showing how the Grantor could equal the Grantee, the Grantee could not equal the human end user that is acting on behalf of the Grantee (like Dr. Bob working for the hospital that wants access), etc. Once we have a full, non-repeating set of use cases, we'll know we're close to being done with the model term definitions. [image: (smile)] Eve's interested to coauthor; John W's tentatively interested to coauthor; Jon N's interested to review. There's a new Kantara Blockchain and Smart Contracts Discussion Group <http://kantarainitiative.org/confluence/display/BSC/Home> – feel free to join! Note that the actual original EU Model Clauses are under threat <http://www.blplaw.com/expert-legal-insights/articles/model-clauses-under-th…>. But we seem to be happy with the lowercase phrase for our work, still. We should have a CHEDDAR rundown on a future call. *Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

1 0

Agenda for UMA Legal telecon 2016-05-27
by Eve Maler 26 May '16

26 May '16

We will continue the threads begun last week. Please forgive the lack of a formal agenda, and see the link below for all details: http://kantarainitiative.org/confluence/display/uma/UMA+legal+subgroup+notes Eve (sent from my iPhone, possibly with Siri's "help": +1-425-345-6756)

1 0

Draft minutes of UMA telecon 2016-05-26
by Eve Maler 26 May '16

26 May '16

http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2016-05-26 MinutesRoll call Quorum was reached. Approve minutes Approve minutes of UMA telecons 2016-04-14 <http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2016-04-14> and 2016-05-19 <http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2016-05-19>: So approved. Review of MPD We're looking at the swimlane. The first batch of changes in MPD is around discovery. These are backwards-incompatible, but not particularly invasive. Justin and Sarah note that the discovery document (currently known as AS configuration data) is relevant to both the RS and the client, and thus it isn't specific to what UMA calls Phase 1. The alignment done here is to OIDC; OAuth is undergoing its own alignment to OIDC as well. Do we want to align with the other specs in terms of terminology: discovery document vs. configuration data? We have consensus to do this. Justin suggests an editorial comment in the spec commenting that it's a good idea to use an interactive grant flow when, as is typically the case, an individual end-user is a resource owner. This gives the developer the clearest guidance as to which grant to choose. This would be paired with stronger normative text that identifies the RS as an OAuth client. The editorial comment could then also briefly mention the converse case of an organization ("legal person") using the client credentials grant (and point off to the UIG if warranted). If there's a discovery document at .well-known, is it ever a good idea to rely on discovery some other way? Should we make discovery by that means optional? We're covered on this by saying "as needed" already. The UMA client now needs client credentials, not because it needs an AAT (one of the reasons before), but because it would need it for the exact role that an OAuth client would normally need it – and now, Bob the RqP would be the end-user who is using that client at the AS (specifically, the *token*endpoint that the AS already has, and has had all this time, along with a newly conceived *claims* endpoint). The loop in the swimlane involves trading a ticket for a token – repeatedly, until success. This is very analogous to an authorization code flow. Per OAuth, OIDC, and our recent security work, tickets are now one-time-use only. Note that the "claims" process treats what was previously a separate flow – step-up authentication – as subsumed into the same flow. It's possible for the client to send claims directly to the token endpoint directly. One question to discuss on the next call: Is there an in-band mechanism by which the RqP can authorize that flow? The claims endpoint can be treated as a "dispatch" endpoint. Swimlane tasks: - We should take out the Phase 1 label from the swimlane. Spec tasks: - Align the terminology and syntax of the discovery document format. - Insert the editorial comment about which grants are appropriate and normative text about the RS being an OAuth client. (Also consider a figure about the protection API being protected by OAuth.) - Implement the change for issue #155. - Where the protocol flow currently casually uses declarative text, switch to using normative RFC 2119 text. Attendees As of 15 Apr 2016, quorum is 7 of 12. (François, Domenico, Kathleen, Sal, Nagesh, Thomas, Andi, Robert, Maciej, Eve, Mike, Sarah) 1. Domenico 2. Nagesh 3. Andi 4. Robert 5. Eve 6. Mike 7. Sarah Non-voting participants: - Justin - Adrian - Colin - Jin - John - James Regrets: - Maciej - Sal? *Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

1 0