- WG-UMA - mailman.kantarainitiative.org

UMA Deep Dive
by Igor Zboran 25 May '21

25 May '21

Hi Eve, Alec, Hi everyone, UMA was originally designed for B2B scenarios, whereas OAuth2 was designed for B2C scenarios. In OAuth2 the roles of the authorization server, resource server and client are co-located. This does not apply to the UMA protocol. RqP's role is not co-located with other UMA roles, RqP is like a foreigner with a passport issued in his home country. We need to specify how to issue this "passport", and how to use and control it. A good starting point could be this idea: UMA should convey the permission ticket in the form of a ticket digest to the claims provider, to have it digitally signed together with user claims and return all this as a claims token, which is pushed to the AS in an uma grant request. What does it mean? The permission ticket is extended to embrace the claims provider. Regards -Igor

2 3

Fwd: [Cups-friends] [CFP] Seventh International Workshop on Privacy Engineering (IWPE'21)
by Eve Maler 23 May '21

23 May '21

This may be of interest. > Begin forwarded message: > > From: Blagovesta Kostova <blagovesta.pirelli(a)epfl.ch> > Subject: [Cups-friends] [CFP] Seventh International Workshop on Privacy Engineering (IWPE'21) > Date: 13 May 2021 at 10:06:27 AM CDT > > CFP: Seventh International Workshop on Privacy Engineering (IWPE'21) > http://iwpe.info/ <http://iwpe.info/> > co-located with the IEEE European Symposium on Security and Privacy <https://www.ieee-security.org/TC/EuroSP2021/index.html> > September 7th, 2021 - online > > ************************************************************ > IMPORTANT DATES > Deadline of paper submission: May 15, 2021 (extended) > Notification of acceptance: June 8, 2021 > Accepted Paper camera ready: June 22, 2021 (non-archival option available) > ************************************************************ > We are pleased to invite you to participate in the 7th International Workshop on Privacy Engineering (IWPE'21). > > Ongoing news reports regarding global surveillance programs, massive personal data breaches in corporate databases, and notorious examples of personal tragedies due to privacy violations have intensified societal demands for privacy-friendly systems. In response, current legislative and standardization processes worldwide aim to strengthen individual’s privacy by introducing legal, organizational and technical frameworks that personal data collectors and processors must follow. > > However, in practice, these initiatives alone are not enough to guarantee that organizations and software developers will be able to identify and adopt appropriate privacy engineering techniques in their daily practices. It is also difficult to systematically evaluate whether the systems developed comply with legal frameworks, provide necessary technical assurances, and fulfill users’ privacy requirements. It is evident that research is needed in developing techniques and tools that can aid the translation of legal and normative concepts, as well as user expectations into systems requirements. Furthermore, methods that can support organizations and engineers in developing systems that address these requirements are of increasing value. > > In this context, privacy engineering research is emerging as an important topic. Engineers are increasingly expected to build and maintain privacy-preserving and data-protection compliant systems in domains such as health, energy, transportation, social computing, law enforcement, public services; based on different infrastructures such as cloud, grid, or mobile. While there is a consensus on the benefits of an engineering approach to privacy, concrete proposals for models, methods, techniques and tools that support engineers and organizations in this endeavor are few and in need of immediate attention. > > To cover this gap, the topics of the International Workshop on Privacy Engineering (IWPE'21) focus on all the aspects of privacy engineering, ranging from its theoretical foundations, engineering approaches, and support infrastructures, to its practical application in projects of different scale. Specifically, we are seeking the following kinds of papers: > (1) technical papers that illustrate the engineering or application of a novel formalism, method or other research finding (e.g., a privacy enhancing protocol) with preliminary evaluation; > (2) experience and practice papers that describe a case study, challenge or lessons learned from in a specific domain; > (3) early evaluations of methods, tools and other infrastructure that support privacy-related tasks; > (4) interdisciplinary studies or critical reviews of existing privacy engineering concepts, methods, tools and frameworks; > (5) vision papers that take a clear position informed by evidence based on a thorough literature review. > > IWPE’21 welcomes papers that focus on novel solutions on the recent developments in the general area of privacy engineering. Topics of interest include, but are not limited to: > -Integrating law and policy compliance into the development process > -Privacy impact assessment during software development > -Privacy risk management models > -Privacy breach recovery Methods > -Technical standards, heuristics and best practices for privacy engineering > -Privacy engineering in technical standards > -Privacy requirements elicitation and analysis methods > -User privacy and data protection requirements > -Management of privacy requirements with other system requirements > -Privacy engineering strategies and design patterns > -Privacy-preserving architectures > -Privacy engineering and databases, services, and the cloud > -Privacy engineering in networks > -Engineering techniques for fairness, transparency, and privacy > -Engineering privacy in AI and ML > -Privacy engineering in the context of interaction design and usability > -Privacy testing and evaluation methods > -Validation and verification of privacy requirements > -Privacy Engineering and design > -Engineering Privacy Enhancing Technologies (PETs) > -Integration of PETs into systems > -Models and approaches for the verification of privacy properties > -Tools and formal languages supporting privacy engineering > -Teaching and training privacy engineering > -Adaptations of privacy engineering into specific software development processes > -Pilots and real-world applications > -Evaluation of privacy engineering methods, technologies and tools > -Privacy engineering and accountability > -Privacy engineering and business processes > -Privacy engineering and manageability of data in (large) enterprises > -Organizational, legal, political and economic aspects of privacy engineering > This topic list is not meant to be exhaustive; since IWPE'21 is interested in all aspects of privacy engineering. > > ************************************************************ > PAPER FORMAT & SUBMISSION > We solicit unpublished short position papers (up to 4 pages) and long papers reporting technical, research or industry experience (up to 8 pages) on all dimensions of the privacy engineering domain. Each paper, written in English, must follow IEEE Proceedings format. > Submission of a paper should be regarded as an undertaking that, should the paper be accepted, at least one of the authors will attend the workshop to present the paper. All papers must be submitted via EasyChair at https://www.easychair.org/conferences/?conf=iwpe21 <https://www.easychair.org/conferences/?conf=iwpe21> > IWPE offers the choice of archival and non-archival paper submissions. The non-archival option is offered to avoid precluding future submissions to area-specific venues. Accepted archival submissions will be published in IEEE eXplore, which is indexed by EI Engineering Index, ISI Conference Proceedings Citation Index (CPCI-S), Scopus, etc. > > ************************************************************ > If you have any questions regarding IWPE'21, please contact iwpe21(a)easychair.org <mailto:iwpe21@easychair.org> > > IWPE’21 Organizing Committee > Jose M. del Alamo > Isabel Wagner > Kim Wuyts > Isabel Barberá > Blagovesta Kostova > > > _______________________________________________ > Cups-friends mailing list > Cups-friends(a)mailman.srv.cs.cmu.edu <mailto:Cups-friends@mailman.srv.cs.cmu.edu> > https://mailman.srv.cs.cmu.edu/mailman/listinfo/cups-friends <https://mailman.srv.cs.cmu.edu/mailman/listinfo/cups-friends> Eve Maler | cell and Signal +1 425.345.6756

1 0

Draft minutes of UMA telecon 2021-05-20
by Alec Laws 20 May '21

20 May '21

https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-05-20 MinutesRoll call Quorum was reached. Approve minutes - Approve minutes of UMA telecon 2021-04-22 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-04-22> , UMA telecon 2021-04-29 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-04-29> , UMA telecon 2021-05-06 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-05-06> , UMA telecon 2021-05-13 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-05-13> Deferred Pension Dashboard Update https://kantarainitiative.org/uma-profile-for-uk-pensions-dashboard-program… No changes, will remove from Agenda until September. Some people have found the profile through the webpage. OIDF Liaison Trying to find out if one exists or yet to be assigned. This came up recently in context of creating an UMA FAPI profile. Is there any takers to draft how this would look? Relationship Manager Review https://mattrglobal.github.io/oidc-client-bound-assertions-spec/ 2021-05-20 13.24 UMA Working Group.mp4 <https://kantarainitiative.org/confluence/download/attachments/144016363/202…> AOB Attendees As of October 26, 2020, quorum <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve) Voting: 1. Peter 2. Eve 3. Alec 4. Michael 5. Steve Non-voting participants: 1. Scott 2. Colin Regrets:

1 0

Agenda for UMA telecon 2021-05-20
by Alec Laws 20 May '21

20 May '21

https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-05-20 Date and Time - *Alternate-week Thursdays 10:00am PT* - Screenshare and dial-in: https://global.gotomeeting.com/join/485071053 <https://www.google.com/url?q=https://global.gotomeeting.com/join/485071053&…> - United States: +1 (224) 501-3316, Access Code: 485-071-053 - See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar Agenda - Approve minutes of UMA telecon 2021-04-22 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-04-22> , UMA telecon 2021-04-29 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-04-29> , UMA telecon 2021-05-06 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-05-06> , UMA telecon 2021-05-13 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-05-13> - Pension Dashboard Update - Relationship Manager Review - AOB

1 0

Draft minutes of UMA telecon 2021-05-13
by Alec Laws 13 May '21

13 May '21

https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-05-13 MinutesRoll call Quorum was reached. Approve minutes - Approve minutes of UMA telecon 2021-04-22 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-04-22> , UMA telecon 2021-04-29 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-04-29> , UMA telecon 2021-05-06 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-05-06> Deferred Pension Dashboard Update https://kantarainitiative.org/uma-profile-for-uk-pensions-dashboard-program… There will be no press release/promotion while the invitation to tender is open, until ~September. There have been a few RFX's that have included UMA in past couple years. Can we collect some of the references together? Alec will look at some Canadian ones Relationship Manager Review We went back through the different proposed profiles <https://groups.google.com/g/kantara-initiative-uma-wg/c/iOfz_kYZ8f8/m/i4HI1…> and the recent Relationship Manager Draft (recent draft text <https://groups.google.com/g/kantara-initiative-uma-wg/c/2QoKpm1Md7g/m/F5foo…>). I In the recent RM draft, the concept of exposing the resource to the client works nicely, as it closely follows the UMA Fedz resource registration api. However, the addition of authorization server management and protection here has been awkward. In some of the early proposed "Wallet" profile drafts <https://groups.google.com/g/kantara-initiative-uma-wg/c/vcB9S3mksn8/m/-YTD6…>, this concept doesn't exist. Instead the Wallet Client (Relationship Manager) registers a credential (pub key) with the RS, allowing i) the RM to create signed permissions at the AS, over the Policy API and ii) the RS to verify the permission is signed by the credential, eg directly trace to the RO, not only trusting the AS. This mechanism also worked with the Resource Definition profile, as the RS has registered general resource types with the AS, it can get a specific resource conveyed through the RO permission. The credential idea becomes an intersections between the W3C standards and UMA, now using W3C Verifiable Credentials instead of the loose proposal in the Wallet draft. We looked at a OIDC based credential issuance api <https://mattrglobal.github.io/oidc-client-bound-assertions-spec/>, and spoke about how it could be used to issues UMA resource definitions as credentials to the RM. AOB Attendees As of October 26, 2020, quorum <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve) Voting: 1. Michael 2. Alec 3. Domenico Non-voting participants: 1. Scott 2. Steve V, Recently joined Forgerock, history working with IAM going back to Boeing. 3. Colin Regrets: 1. Eve 2. Ian 3. Ken

1 0

Agenda for UMA telecon 2021-05-13
by Alec Laws 13 May '21

13 May '21

https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-05-13 UMA telecon 2021-05-13Date and Time - *Primary-week Thursdays 6:30am PT* - Screenshare and dial-in: https://global.gotomeeting.com/join/485071053 <https://www.google.com/url?q=https://global.gotomeeting.com/join/485071053&…> - United States: +1 (224) 501-3316, Access Code: 485-071-053 - See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar Agenda - Approve minutes of UMA telecon 2021-04-22 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-04-22> , UMA telecon 2021-04-29 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-04-29> , UMA telecon 2021-05-06 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-05-06> - Pension Dashboard Update - AOB

1 0

Draft minutes of UMA telecon 2021-05-06
by Alec Laws 06 May '21

06 May '21

https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-05-06 MinutesRoll call Quorum was reached. Approve minutes - Approve minutes of UMA telecon 2021-04-22 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-04-22> , UMA telecon 2021-04-29 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-04-29> Deferred Pension Dashboard Update https://kantarainitiative.org/uma-profile-for-uk-pensions-dashboard-program… Kantara is waiting to make a press release on this topic. Next steps, reach out and get latest versions of profile + design docs from PDP This program has started to generate some new inbound requests/question about UMA! Asking about US implementation/deployments. Focus was financial/enterprise use-cases, not health care. UMA profile of FAPI anyone? The topic of UMA + <other standard> continues to come up. (UMA + Openbanking, UMA + UDAP, UMA + SSI). There has some *very early* interest for Kantara (and Direct Trust, EHNAC, SafeIdentity) to assess + certify UDAP solutions. This re-raises the idea to create a UMA certification process/program. Implementors Page Please feel free to update your entry with any developments or deployments! UMA Implementations <https://kantarainitiative.org/confluence/display/uma/UMA+Implementations> IIW Review and Thoughts There is a lot of different communities and group to follow, all working on very similar (but different!) technology stacks, and very few in true production (beyond pilots). On the Good Health Pass front, there has been some 'softening' of the SSI positioning such that it will also interop and trust x509 based certifications, not only DID registries. The use of certs + cert chains is exactly the technology used in the passports + their chips. mDL is also using x509/certs and achieving the same outcome of distributed trust. Single root (Root CA vs DID registry) that has distributed authority through (certification vs VCs). A major challenge is the ability of technology to be live & deployed, by the time tech solutions are available, the need has changed (contact tracing → testing → vaccines). EU green cards or physical vaccination receipts will be the most ubiquitous way to demonstrate vaccination. For US Citizens re-entering US, the solution today is that the airline MUST ask for vaccination, and the traveller MUST answer accurately. No test result or quarantine requirements. The liability is on the traveller to answer accurately. Profiles Discussion, relationship manager draft Identos has started to implement parts of this profile, will have some api specs to share from this effort. Still looking to find some overlap with SSI and VC issuance, e.g. through https://mattrglobal.github.io/oidc-client-bound-assertions-spec/ . Through the impl, will not implement any of the authorization server management api, instead focus on the RS declaring available resources and letting Alice capture those resources as 'credentials', such that proof of ownership can be including the RPT/introspection. Giving the RS a mechanism to verify not only Alice's relationship to the AS, but also Alice's explicit approval of the RPT issuance. AOB Attendees As of October 26, 2020, quorum <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve) Voting: 1. Michael 2. Peter 3. Alec 4. Domenico 5. Eve Non-voting participants: 1. Nancy 2. Colin Regrets: 1. Ken 2. Ian <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-05-06>

1 0

Agenda for UMA telecon 2021-05-06
by Alec Laws 06 May '21

06 May '21

https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-05-06 Date and Time - *Alternate-week Thursdays 10:00am PT* - Screenshare and dial-in: https://global.gotomeeting.com/join/485071053 <https://www.google.com/url?q=https://global.gotomeeting.com/join/485071053&…> - United States: +1 (224) 501-3316, Access Code: 485-071-053 - See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar Agenda - Approve minutes of UMA telecon 2021-04-22 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-04-22> , UMA telecon 2021-04-29 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-04-29> - Profiles Discussion, relationship manager draft - AOB Best, - Alec

1 0

Draft minutes of UMA telecon 2021-04-29
by Alec Laws 29 Apr '21

29 Apr '21

https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-04-29 MinutesRoll call Quorum was NOT reached. Approve minutes - Approve minutes of UMA telecon 2021-04-22 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-04-22> Deferred Pension Dashboard Update Under resources, the PDP profile and license are up. There will be some fine tuning over the coming days https://kantarainitiative.org/uma-profile-for-uk-pensions-dashboard-program… IIW Review and Thoughts Huge focus on DIDs and SSI. They're is a lot of ssi community discussion to move past the issues as they arise eg the growing number of DID methods. Discussions are starting to move up the stack towards the user. OAuth focused solutions are being used in practice to solve real-world problems. Helps to explain why there is less discussion on these topic vs DID/SSI. There seem to be some other forums for ietf/oauth vs at IIW. The focus on mobile apps will hinder the SSI, there is some new efforts to standardize HTTP based API, a lot of current projects use web based keys systems (did:web & did:peer). The focus on wallet/user controlled software is good from privacy perspective, but pushes a lot of liability to the user. The chain of trusted systems is broken if wallets aren't assured as part of this chain (from issues→verifier, or OP→RP). The discussion is very low building block levels around the control of identifiers. There is a shift from blockchain only solution to more witness based key rotation/control (KERI). At TOIP, Mark has been working on a privacy controller credentials to define how parties who receive information must give the user a record of having their data(?). The 'accountable person' from a gdpr perspective is often not the subject/company, but some other party eg a lawyer/law firm. Interesting to see if browser vendors start to pay attention if they can put wallets in the browser. This would seriously improve adoption and make it *easy* for people. Sal notes there is a push to this, trying to make it a clear request. Firefox has a concept of 'personas' ~5years ago. The DHS SVIP was based around a browser extensions functionality (CHAPI). Microsoft has all the pieces to do this (vested interests in DID, and they own a browser). For privacy, browsers have been pushing against tracking + RP collusions (eg restrictions on third party cookies.) We need notice + transparency before transactions occur, similar to how OAuth works today (show notice and user has choice before sharing). A lot of current high assurance requirements mean browsers cannot see any of the credentials/PII, and increase the *desired* collusion between parties (everyone is well well known) Reliance on Browsers/mobile OS risk "centralizing" or restricting the options, against the agency principles of SSI. Receipts can remove dependencies and provide interop between wallets. There are ways to use a receipt to show provenance to get a new credential issued. In this context a receipt isa credential, it can be a VC if it needs some of those functions. How do zero knowledge proofs affect these discussions, change the surveillance possible. ZKP is part of the challenges with the many DID methods, the DID methods tends to define ZKP functionality of identifiers/keys which changes/removes the interoperability of the VC objects. ZKP needs to be understood by the verifier Are notice specifications a type of data provenance for a VC? Data provenance - when was it collected, constraints, purpose of use... Data sharing is system to system, however notice is inherently something for a human person. Today, user/person has little ability to assert the use of their data, this is something that must be added/built into a platform. A notice resulting in a receipt allows a person to communicate with the data controller and assert their rights as agreed upon. A physical receipt establishes the trust that the merchant won't take more than the printed amount. Want to separate rights from services, people need support manage their identities and private keys, and that's why account services exist. The decentralized goal is somewhat of a red-herring, the vast majority of people want and need support to manage this technology. There will be some people (eg cryptocurrency community) however if this technology is entirely hidden, it ends up being a different technical mechanism for providers to hide from the person. If there is some transparency/portability out of the box maybe this is the person value, however this hasn't been demonstrated, it's the same as an with current web technologies, there needs to be integration/testing between the domains. The issues/holder/verify split is logical, in practice all parities end up performs all three roles. This requires additional definition of responsibility/accountability in an ecosystem. OAuth has a clear delineation in this case (OP< RS< RP <RO) Profiles Discussion, relationship manager draftAOB ANCR workshop around adding standard notice/policies, adding governance to open source projects. Goal to drive to interoperable policies https://github.com/Open-Notice/ANCR-Hack-Worshop-May4th-2021/blob/main/READ… Attendees As of October 26, 2020, quorum <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve) Voting: 1. Michael 2. Thomas 3. Alec 4. Sal Non-voting participants: 1. George 2. Colin 3. Nancy 4. Scott 5. Mark Regrets: 1. Domenico

3 2

Agenda for UMA telecon 2021-04-29
by Alec Laws 28 Apr '21

28 Apr '21

https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-04-29 Date and Time - *Primary-week Thursdays 6:30am PT* - Screenshare and dial-in: https://global.gotomeeting.com/join/485071053 <https://www.google.com/url?q=https://global.gotomeeting.com/join/485071053&…> - United States: +1 (224) 501-3316, Access Code: 485-071-053 - See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar Agenda - Approve minutes of UMA telecon 2021-04-22 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-04-22> - IIW Review and Thoughts - Profiles Discussion, relationship manager draft - AOB

1 0