
Attending: Eve, Gil, Allan, Colin

We discussed the impending “grand unified theory” that seems to involve CommonAccord, consent receipts, dynamic OAuth client credentials issuance, etc. Some of this involves ideas for major UMA extensions or value-add on top. Allan strongly suggests that any business logic that complicates “core UMA” be layered carefully, so that it doesn’t compromise the spec. No one wants a new X.400. :-) We do have a “Modular” design principle, so we should adhere to that.

There is definitely a challenge coming with “multi-AS” environments on a technical level, not just on a legal level (a la the business models described here: https://github.com/KantaraInitiative/wg-uma/wiki/UMA-Legal:-Business-Models ). How would such an environment work as we look at more complex use cases? This could give color to the “Free-Love” business model. This is where Justin has been heading with his critiques of our V1 design, and we know that certain simplifying assumptions have made certain value-add features work nicely in “single-AS” environments. On the other hand, solving all the problems of multi-AS environments is really, really hard, and it impacts user experiences too.

Maybe imagine that a single RO has to deal with multiple ASes in their life. What problems need to be solved? Another simplifying assumption is when the AS = IdP. When they’re not, what does this mean? What changes?

What attack vectors might there be, specifically in the context of chained delegation, if there are multiple ASes and a requesting party has a different AS? An RS might hesitate to engage in these interactions if it’s not sufficiently protected. This is perhaps precisely where we need “UMA-specific model clauses” that are not just about privacy, not just about security, but about access control that goes beyond what the technology can enforce. This is what the Binding Obs doc attempted (imperfectly) to do.

The enterprise UMA use cases are where Gil comes in. Employees would have contractual requirements with their employer, for example. In these cases, corporate policy would take effect, and it would probably be single-AS for the most part (a la Google Apps for Business?), and the PAT and AAT would likely be issued silently based on those employment agreements. Actually, multi-organizational sharing/delegation that has proper trust elevation would be a great use case that goes one better than Google. :-) What if we could take this as a multi-AS use case to solve? We’d be looking at “PDP proxies” here or something, or policy sharing. XACML!!!!!! :-)

(Side note: Gil is moving back to the US in January.)

Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com