- WG-UMA - mailman.kantarainitiative.org

Authorization-Enhanced Mail System
by Igor Zboran 16 Sep '20

16 Sep '20

Hello UMAnitarians, I'd like to ask if someone from WG UMA would be interested to participate in the Authorization-Enhanced Mail System proposal. Please see the attached document. It is an early draft proposal I've been working on for over a month. Please send your questions, comments and suggestions to the WG-UMA mailing list. Regards Igor Zboran

3 4

The technical components of interoperability as a tool for competition regulation
by Adrian Gropper 13 Sep '20

13 Sep '20

Thank you @Paul-Olivier Dehaye !! This https://osf.io/6er3p/ is by far the best paper on interoperability I’ve ever seen.On the last two paragraphs on p28 you will see much of what is proposed with Gold Button: https://docs.google.com/document/d/1kZ7_Skcn4zb3zOfEu7XZDrYAmLR1T_pbBoSk8AE… I. Brown paper does not capture the idea of a sustainable self-sovereign agent very clearly nor does it understand how self-sovereign communities can reduce the importance of regulation to the overall goal of human-centered tech. It does get a lot of things right including the importance of IETF and W3C and Free / Libre software. - Adrian

2 1

Agenda for UMA telecon 2020-09-10
by Alec Laws 10 Sep '20

10 Sep '20

Date and Time Alternate-week Thursdays 10am PT Screenshare and dial-in: https://global.gotomeeting.com/join/485071053 <https://www.google.com/url?q=https://global.gotomeeting.com/join/485071053&…> United States: +1 (224) 501-3316, Access Code: 485-071-053 See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar <http://kantarainitiative.org/confluence/display/uma/Calendar> Agenda Relationship Manager profile AOB Best, - Alec

1 0

Draft minutes of UMA telecon 2020-09-03
by Eve Maler 03 Sep '20

03 Sep '20

https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-09-03 MinutesRoll call Quorum was not reached. Approve minutes - Approve minutes of UMA telecon 2020-07-09 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-07-09> , 2020-07-16 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-07-16> , 2020-07-23, <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-07-23> 2020-07-30, <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-07-30> 2020-08-06, <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-08-06> 2020-08-13, <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-08-13> 2020-08-20, <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-08-20> 2020-08-27 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-08-27> Deferred. PKCE status Alec edited the UIG with the new text. People can take a look and see what they think. Relationship Manager profile See the policy manager API in this email thread <https://groups.google.com/g/kantara-initiative-uma-wg/c/1BcBSR_FnJA>. Also see Policy Manager Extension #363 <https://github.com/KantaraInitiative/wg-uma/pull/363>. Eve proposed a list of things to discuss and Adrian added one more thing: - One API (AS only) or two (also RS)? - (Each) API protection model? - Topological and trust assumptions or lack thereof? What can be co-located? How many of each thing can there be? - Any rules needed for policy (“policy condition”) priority between RM and AS (the “cascading” scenario) - A clean way to model or illustrate the scenario when the RS is hosting claims (the “turtles” scenario) - Customer requests for functionality that Eve discussed last time – this was the discussion of consent management servers (CMS's) Would these (putative) CMS's have "read/write" APIs that allow resource owners to "put policies into" any of the servers? (What Adrian has been thinking of as bidirectional APIs.) Nancy notes that think hasn't been discussed in quite some time and these don't exist yet. A privacy concern is that a user (RO) who has a policy that touches on, say, HIV information would be potentially revealing to a server that they have HIV. Adrian agrees that policies are personal information – "they need to be protected as if they were private keys". Organizational policies of the enterprise, which could include authorization policies and other operational policies – should be safe. The RS gets to publish openly any "XACML fragments" (bits of policy, doesn't have to be XACML) that represent its own policies. The AS gets to pick up these fragments and combine them with whatever policies the RO chooses to add. (If XACML is actually used, then this usage pattern exemplifies a way that it was meant to be used – combinatorially, with priority able to be established.) "Consent work" would need to be done to figure out the downstream privacy implications of combining these policies. Where would this work take place? HEART? Here? Somewhere in the SSI community? Eve has been wondering how bad the situation is wrt policies as PI: doesn't any one AS have to know some policies (if not "all the policies of an RO") in order to function, and so doesn't some PI have to pass to a server that may possibly at best be a limited fiduciary? The requirement Alec was trying to meet was for the AS – through the relationship with the RM (or PM or whatever we end up calling it) – to not see PHI (PI) such as an email or birthdate of the RO's. The "Nancy paradox" is that policies are also PI. The policy manager gives the opportunity to generate random UUID's and tie those to the relevant policies that the AS needs in order to grant access, issue tokens, etc. This was also the motivation for the resource definitions work. If a RO uses a service/app (client) for the first time and doesn't trust it (fully) yet, they can nonetheless see the scopes and resources they're about to grant access to by virtue of the client becoming "operational enough" through meeting the requirements for the patterns it was registered for. Andi asks: How much of this needs to be made interoperable in a spec, and how much of this is implementation choice? Alec brought up the pseudonymous stuff because that's what they implemented. We totally want to understand if there are multiple applications of the base technology. For example, Domenico's work illustrating a "widget" for a policy manager way back when (see slides 10 and 15 here <https://www.slideshare.net/domcat/uma-trusted-claims>) was one such application. Slide 15 in particular shows how Alice is protecting her photo with UMA. Bob is presenting claims in order to get access to it. What if those claims are UMA-protected? Can we call that a "trusted claims" scenario? (Eve was calling that the "turtle" scenario for "turtles all the way down" but that didn't gain favor.) This scenario doesn't depend on using policy managers but could use it. What scenarios do we actually have here? What does "cascading" mean? Eve thought it was combining policies from multiple sources so that an AS can function when it needs to. There is only one final AS that operates to grant access and issue access tokens, even if there are multiple AS's (as in the Pauldron/VA type of scenario). Adrian has testified that something like HEART's "btg" ("break the glass") scope implementation scenario should be an instance of the *RS* (not the AS) needing to being able to observe a jurisdictional or regulatory policy, and so it needs to use the "Adrian clause". If we are able to nail down these concepts and terms, do we require an interoperable policy language to make any of them work, or not? Attendees As of September 3, 2020 (pre-meeting), quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Gaurav, Thomas, Andi, Maciej, Eve) 1. Michael 2. Domenico 3. Andi 4. Eve Non-voting participants: - Alec - Patrick - Scott - Adrian - Nancy - Tim *Eve Maler*Cell or Signal +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

1 0

Agenda for UMA telecon 2020-09-03
by Eve Maler 03 Sep '20

03 Sep '20

We continue the relationship manager work. Some things I think we need to figure out (ideally from proposals or lists of options): - One API (AS only) or two (also RS)? - (Each) API protection model? - Topological and trust assumptions or lack thereof? What can be co-located? How many of each thing can there be? - Any rules needed for policy (“policy condition”) priority between RM and AS (the “cascading” scenario) - A clean way to model or illustrate the scenario when the RS is hosting claims (the “turtles” scenario) What else? Eve Maler (sent from my iPad) | cell +1 425 345 6756

3 2

Policy Manager
by Alec L 02 Sep '20

02 Sep '20

Hi, To our discussions, I’ve started to break out just the RO policy manager component of the original wallet spec Best, - Alec Alec Laws 647 822 1529 alec(a)identos.ca — ## 1. Introduction This document extends [UMA Fedz] in order to specify the interface provided by the AS to the RO for policy management. This is achieved by introducing a Policy Management API specification and client type which represents the RO: the UMA Policy Manager. This new client type is authorized to use the policy API after being authorized by the RO as the AS. THis is the same mechanism used by an RS to put resources under protection, the RS is issued a PAT by the AS. This new client provides a few key benefits to an UMA ecosystems - The AS may delegate policy management user expereince and advicce to another party - The RO is able to choose this client, where they may not be able to choose an AS or RS. The RO receives a consistent policy management interface - The RO may manage resources at many AS's to have a complete view of their resources and policy For example, there are two UMA AS's, one being operated by the Alice's local health authority and one operated by Alice's personal Bank. Alice's resource servers are only able to accept authorization decisions from those RS, effectively Alice must use those RSs to protect her resources. When those AS's support this profile, they give back some agency to Alice in how she manages her resources and policy, and reduce their own need to provide this UX (maybe each AS provides on UMA Policy Manager by defaults, but also accept third party policy management services). Alice may then manage policy across all of her RS's and AS's from a single control panel. ### 1.1 Notational Conventions ### 1.2 Abstract Flow ``` +------------------+ | resource | | owner | +------------------+ | | v +------------------+ | Policy | | Manager | +------+-----------+ | | manage (a PAT type authz?) | | v +-----------+ | policy | | API | +-----------+ +---------------+--+ | | | authorization | | server | | | +------------------+ ``` This specification uses all of the terms and concepts in [UMAGrant] and [UMA Fedz]. This figure introduces the following new concepts: - UMA Policy Manager - Policy API The API presented by the AS to the Policy Manager. This API is OAuth protected ### 1.3 HTTP Usage, API Security, and Identity Context ## 2 Authorization Server Metadata TBD ## 3 Policy API note: this API is very similar to the permission endpoint, expect the payload includes an RS sub, additional policy condition, and is signed by a RO-RS credential The API available at the policy_endpoint enables the policy manager the modify policy over the RO's protected resources. These policies define the claims gathering requirements for an RqP to gain access to the resource, and should also indicate the intended purpose/use for resource access. Management of the policy beings on successful creation and ends on successful revocation. The relationship manager uses a RESTful API at the authorization server's policy endpoint to create, read, update, and delete policy descriptions, along with retrieving lists of such descriptions. note: I think it's also useful to allow the RO to read a list of registered resources, I don't think would live under the policy_endpoint, it's essentially like the GET API from the resource_registration_endpoint with additional information about the RS? note: through the ` "user_access_policy_uri":"http://as.example.com/rs/222/resource/KX3A-39WE/policy"` the RS could also let the relationship manager know (though manage API) what path to use at the AS to modify policy for this resource?? This restricts Figure TDB illustrates the policy API operations, with requests and success responses shown. ``` FIGURE TDB ``` - user authz to use the API, same as RS getting a PAT -> continuity of resources, "account at the AS" - read rs's - read registered resources - organized by RS? - manage policy - resource(s) + acceptable claims conditions ### 4.a Policy Description A policy is a JSON document, that describes the a policy sufficiently for the authorization server to make a decision for a resource request. A policy document MAY be provided as a signed JWT to ensure it's integrity to the RS during enforcement. A policy description has the following parameters resource_id REQUIRED The resource id registered at the AS that this policy applies to resource_scopes REQUIRED The approved scopes if the claims requirements are met claims REQUIRED An array of claims/attributes that must be presented by the RqP in order to access this resource under this policy optional/extension/discussion: sub The subject known by the RS for this RO (useful for general resource definitions) resource_server (again, useful for general resource definitions) client_id The client application that may be used to access this resource intent The purpose/intention of resource use the RqP must accept For example... ``` { resoruce_id: "KX3A-39WE", "resource_scopes": [ "read-public", "post-updates", ], claims: [ ??? ] } ```

4 3

Draft minutes of UMA telecon 2020-08-27
by Eve Maler 28 Aug '20

28 Aug '20

https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-08-27 MinutesRoll call Quorum was reached. Approve minutes - Approve minutes of UMA telecon 2020-07-09 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-07-09> , 2020-07-16 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-07-16> , 2020-07-23, <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-07-23> 2020-07-30, <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-07-30> 2020-08-06, <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-08-06> 2020-08-13, <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-08-13> 2020-08-20 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-08-20> Deferred. Sustainable Self-Sovereign Agents (S3A) There was a meeting held earlier today – notes and a recording here <https://docs.google.com/document/d/1kZ7_Skcn4zb3zOfEu7XZDrYAmLR1T_pbBoSk8AE…>. For more info or to get involved, contact Adrian. UMA is being put in play. PKCE and UMA wrapup Any final *quick* comment on this? Alec has suggested some updates to his latest wording in this email thread <https://groups.google.com/g/kantara-initiative-uma-wg/c/t72iQgd2qEU>, though he's not perfectly happy with it. Eve suggests putting it in the UIG anyway, and drawing people's attention to the (non-normative) wording for use and comment. Adrian notes that a UserInfo endpoint, interacted with in a fashion that is sort of variable in the SSI context (e.g. the first contact could be a QR code), could be an interactive claims gathering endpoint. We have also in the past discussed how we need notification functionality, which requires out-of-band endpoints. Relationship Manager profile Alec sent thoughts on the policy manager API in this email thread <https://groups.google.com/g/kantara-initiative-uma-wg/c/1BcBSR_FnJA>. Let's see if we can capture a deeper "why"/comparison statement that could go into the profile. (See the openings of the UMA2 specs for an example.) Alec's new wording does contain this sort of why/comparison/motivation. In other words, in the case where the AS is a "multi-user" AS and Alice (the RO) has no choice about which one it is that she has to use, we want to make sure to preserve as much of Alice's agency (control) in the situation as possible. So pushing policy management out of the AS and into a client app gives Alice this point of control. She wants some freedom to independently verify who is providing advice about what policies to choose. We have, in the past, discussed AI engines that implement things like relationship-based policy. This client could provide such functionality. The token that protects this policy management interface is different from the PAT but is similar to it. Let's call it a "PMT" right now, for argument's sake. The FPX work that is being dropped here is the policy manager's interaction with the RS. The previous discussions we were having about "cascading" AS's had to do with the situation when the server-side (multi-user) AS might hold some policy and the client-side (Alice-specific) relationship manager/policy manager might hold some policy too, and then you have to figure out policy ordering. But Alec has left that out for the sake of simplicity. Adrian objects to working on this profile because it optimizes for a situation where the server-side AS isn't Alice's fiduciary. Alec believes there is nothing in the profile that precludes the RS from presenting 10 AS's and letting the RO choose. Eve believes that Tim has previously concluded that any server-side AS that serves multiple users would have a hard time being anything more than a limited fiduciary (but we have to check). As well, a key requirement expressed by a number of healthcare players has been to "federate" policy management across multiple servers, so this seems to be consistent in a certain sense. Her past discussions with Nancy revolved around "consent management servers" (CMS's) and she brainstormed a "consent access token" (CAT?) to protect a "consent API". Domenico notes that PSD2 has the concept of a collector – an aggregator of data from multiple bank institutions. This is what this "RO client" (can we call it that? Thomas suggests it) enables the RO to do with policies, across any number of AS's, whether the RO chose them or not. Scott has been context-switching every time he hears "client", thinking it means our classic "UMA client" that the RqP uses, so we should also qualify "client" when we mean the one that the RO uses. Should we go back to the RO-client interfacing with both AS's and RS's? Let's think about that. Adrian loves the notion that the market wants some kind of policy management wallet or agent. [image: (smile)] Is this bidirectional? Is it a read/write API? He suggests extending the "Adrian clause" to the AS as well the RS. Let us ponder that. Eve adds on top: We may want to think about another modular profile that we should consider drafting, a "prove to Bob that Alice is who she says she is" profile, now that we'll have an RO-client that incidentally allows for Alice-authentication. This would help us solve for CIBA-like use cases (which we've discussed ad nauseam before). *Eve Maler*Cell or Signal +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

2 4

PKCE + Interactive Claims Gathering
by Alec L 27 Aug '20

27 Aug '20

Hi, We’ve had some requests to add PKCE [1] to the interactive claims gathering flow [2], eg example for public clients. Technically, there is little challenge to directly apply the PKCE code challenge/verifier, with the assumption that the authorization code is equivalent to the uma ticket Has anyone done this? Any additional considerations? Thanks, - Alec Alec Laws 647 822 1529 alec(a)identos.ca [1] PKCE: https://tools.ietf.org/html/rfc7636 <https://tools.ietf.org/html/rfc7636> [2] https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html#clai… <https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html#clai…>

2 4

MyData Program Planning Zoom - Thursday 8/27 10AM EST
by Adrian Gropper 27 Aug '20

27 Aug '20

MyData is offering the SSI communities a significant platform to promote our standards and broaden our outreach at and around their annual meeting in December. I'm organizing a program proposal on DID and UMA-centered interoperability and hoping for broad participation. The details, including a novel idea, are in this document: https://docs.google.com/document/d/1kZ7_Skcn4zb3zOfEu7XZDrYAmLR1T_pbBoSk8AE… Please join a program planning Zoom 8/27 10 AM EST. - Adrian

2 1

Agenda for UMA telecon 2020-08-27
by Eve Maler 27 Aug '20

27 Aug '20

1 0