https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-10-14_______________________________________________Minutes
Roll call
- Quorum: No
Approve minutes
- Approve minutes of UMA telecon 2021-09-09, UMA telecon 2021-09-16, UMA telecon 2021-09-23, UMA telecon 2021-09-30
Deferred
Document Development
GDocs/etc. is problematic so let's find an alternative and use it for everything
- Maybe Kantara's github? good for publishing/versioning, maybe not best for commenting
- Use markdown?
- Confluence? Good for commenting/iteration, can always move to github to publish if necessary
Let's use confluence for document development.
If you need an account, it's easy to self-register (look at the top right of this page). Reach out to Alec if you have issues
Protected Dynamic Client Registration
https://github.com/uma-email/poc#protected-dynamic-client-registration
If we want wide-ecosystems, then DCR is necessary and doesn't seem to need more gates. The spec already includes software statements. What is the gap in the existing spec that needs to be addressed?
The current proposed DCR links a client to a RqP. Is the intention that the client always does DCR for each RqP, or the first RqP facilitates the clients CDR?
Delegation and Guardianship
- https://patientcentricsolutions.com/resources
- https://sovrin.org/wp-content/uploads/Guardianship-Whitepaper2.pdf
- Okta OSS implementations: "Delegate" and "Managed Access"
- Examples of attempts to layer UMA-like features on top of OAuth, maybe could also be solved by OAuth 2 extensions such as token exchange
- Very custom paths to achieve impersonation and delegation
Goal, collect a few delegation/guardianship/association use cases and show how to implement in UMA. glossary or report to analyze these cases in UMA terms? Update to UMA Legal deck → report?
There is a set of UMA business use-cases already, including delegation of decision making (substitute decision maker) and the process of establishing that delegation.
There is a new set of use-cases for another group (pp2pi) that are deliberately hard to achieve. Want to review these cases and see if existing UMA cases cover them, or if we can build new UMA guidance to address them.
On the 25th we can review the existing Use Case work, and compare with the links above
If you have delegation use-cases, please bring them forward on the mailing list
AOB
Anyone going to the FIDO Authenticate conference next week?
There are also OIDF meeting next Thursday
Recent news on FHIR vulns:
IIW quick impressions:
- hugely focused on SSI/TOIP/DID/VC, very few OAuth/web authorization based sessions
- people are trying to apply these new technologies to all transactions, need to bring existing OAuth/UMA concept back into the discussion
- separating security from the transport protocol is a very interesting idea. often the protocol security is linked to transport security (eg oauth + tls)
- challenges today are around interoperability, still trying to bring it together, ex so any did method can be used in any VC scheme
- ideally we can bring some UMA content to the next IIW, show the intersection between DID/VC and existing web authorization systems
Check out the mozilla objections to the DID spec:https://lists.w3.org/Archives/Public/public-new-work/2021Sep/0000.html
And a response from Evernym: https://www.evernym.com/blog/w3c-vision-of-decentralization/
Topic Candidates (from previous week's telcon)
- Delegation and Guardianship
Outcome of user stories discussion
PDP architecture includes the concept of governance registry/discovery
TOIP/SSI are starting to define this ecosystem function
ANCR records update
Privacy as Expected/ANCR update : 2/3 weeks out (Sal?)
Attendees
As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
Voting:
- Eve
- Alec
- Steve
- Sal
- Thomas
Non-voting participants:
- Scott
- Zhen
- George
- Nancy
WG-UMA mailing list
WG-UMA@kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-uma