Interesting indeed. In the WG call yesterday, we talked about focusing on four UMA topics at IIW, and one of them was our legal "model text" work. I would love to learn more about how these domains are used in practice, and see where the business-legal frictions might come into play if they were used as authorization servers.Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrlOn Sat, Feb 20, 2016 at 9:23 AM, Phillip J. Windley Ph.D. <windley@gmail.com> wrote:BYU and several other schools do a Domain of One’s Own project with students. BYU has about 2000 domains right now (these are com, org, net, and us domains that the student picks and owns and can take with them after graduation). The point is to teach students about managing their own online identity independent of the administrative identities they get elsewhere (the school, Facebook, Gmail, etc.) and give them experience in being independent digital citizens. The domains are used for everything from class projects to rock bands.As part of that effort we’ve been working on ways the domain could host applications the student might use to interact with the school and other entities. As a counterpoint to our University API project, we also have a Personal API project. The first applications will likely be student profiles and portfolios.The question about manage authorizations always comes up. I always have imagined that the domain (standard Cpanel-based hosting account) would have some kind of AS running in it, but have never worked through the details. So, FWIW, there’s another personal AS scenario.On Feb 20, 2016, at 9:51 AM, Eve Maler <eve@xmlgrrl.com> wrote:_______________________________________________I agree with you both that it's technically feasible for a single person to run a personal AS.From a practical "ecosystem growth" standpoint, I wonder whether certain other service/app operators might have some (irrational? perceptual?) issue with dealing with an AS whose Operator is the Authorizing Party. We already know certain RS's (*coff* hospitals) are nervous to outsource authorization to a third party at all (the genesis of the Binding Obs work).I wonder if the best shot for people running their own personal AS's might actually be a "smart home hub". We're already seeing home VPN devices billed as "privacy" products, along with other devices that control multiple other IoT thingies.Eve Maler (sent from my iPad) | cell +1 425 345 6756Adrian;Owning/operating an AS is not unrealistic technically. It’s unrealistic In the same way that most people CAN change their own oil in their cars, but don’t.I suspect that most people’s view - even after an explanation of how UMA works - is that it would be too much trouble to own/manager their own AS. If/when the AS becomes an app on their phone, or a key fob with a one button press functionality, (assuming that carrying your AS with is a good thing) then the case would be different - and would suggest a separation of AS from IdP(s).
Sincerely,
John Wunderlich(@PrivacyCDN)On Feb 19, 2016, at 10:14, Adrian Gropper <agropper@healthurl.com> wrote:AdrianThe opportunity to own one's AS in the cloud is more realistic every day. A microservices architecture like AWS Lambda can expose HTTPS endpoints with Let's Encrypt certificates without the hassle of managing OS and OS security for a VM. AWS Lambda can run a personal UMA AS written in Node or Python (like HIE of One) using almost no resources and might cost less than the $10 / year that I pay for the personal domain. I see an UMA AS becoming like the email forwarding service offered for free by some registrars with just a more complex user interface.John,We seem to agree that the AS is naturally separate from whatever IdPs and credential brokers will evolve.On Fri, Feb 19, 2016 at 9:54 AM, John Wunderlich <john@wunderlich.ca> wrote:It seems to me that this elides several use cases. If we set aside the currently unrealistic expectation that each person will own one or more AS’s, then the most likely location for a self-owned AS is in the home, or in a cloud service provided to the individual (a cloud home so to speak). I can see where I’ll want to use an authoritative IdP for some kinds of transactions and identities - health (hospital as IdP) and finance (bank as IdP) - but I can see multiple scenarios involving social identity where I would want to self assert to have the capability for multiple (disposable) identities. This isn’t just the case for teenagers and trolls, but would also be the case for human rights workers and democracy activists in any number of countries.
Sincerely,
John Wunderlich(@PrivacyCDN)On Feb 18, 2016, at 19:47, Eve Maler <eve@xmlgrrl.com> wrote:A question to Adrian about the goal of making an AS lighter and more generic so that each individual can own one: Do you think it's likely that the AS function and the IdP function are likely to remain entirely separate, and not be co-located in at least some instances? (I'm guessing your answer will be yes, because you've separated out the "lightweight AS" and the "RS-as-IdP" roles here, but I may be wrong.)_______________________________________________On Thu, Feb 18, 2016 at 11:05 AM, Adrian Gropper <agropper@healthurl.com> wrote:AdrianTo be clear, my suggestion about IdP in the #wideeco is for the #wideeco AS to be given the option of using the RS as Bob's IdP. That is very different from the RS being the IdP and AS if that's how I read the minutes.
In general, I'm looking for ways to make the AS lighter and more generic so that each individual can own one. In the HIE of One brand #wideeco model, the UMA AS is also always an OpenID Connect Client so that any RS that chooses to support OIDC Dynamic OP can offer this as part of the resource registration agreement with a #wideeco AS. This also enables the AS to register other well-known IdPs like Google and make these available as a NASCAR to Bob. As blockchain ID catches on (onename and uPort), the #wideeco AS will be able to offer this as an option as well.On Thu, Feb 18, 2016 at 1:09 PM, Eve Maler <eve@xmlgrrl.com> wrote:_______________________________________________Great meeting, all!http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2016-02-18Minutes
Roll call
Quorum was reached.
Approve minutes
Minutes of UMA telecon 2016-01-07 approved.
Issue #239
- Proposal: Regardless of other decisions, develop a non-normative analysis of the attack and mitigations; revise as appropriate depending on other decisions taken (Sarah has this AI already)
Proposal accepted.
- Proposal: Develop an extension specification, Enhanced Claims-Gathering Security Extension, to require cycling of the permission ticket when using the claims-gathering extension
Sal and Eve just discussed in email whether a stronger authentication mitigation would work. Session fixation happens after victim authentication, so it wouldn't help.
Robert mentioned to Eve offline that Wikipedia has some comments on session fixation that might be useful. Eve believes that since the permission ticket gets passed in UMA JSON messages, the countermeasures there may not apply, but we could look (for purposes of the non-normative analysis if ultimately nothing else).
- For discussion: Consider also handling issue #167 in this extension if it has a security rationale
If the AS uses the flexibility to give a new endpoint, then there's the danger of giving an attacker new information outside of the discovery document that it didn't have before, which is a degradation of security. If the AS doesn't avail itself of the flexibility, then it doesn't seem to add anything. In any case, we're not thinking of a security rationale for adding this feature to the extension. In any case, it sounds like taking up #167 as part of the extension work doesn't meet our "#security use case bucket" goals, so we'll defer that till such time as we take up "#simplify use case bucket" work.
Consensus: We want to write and publish the extension specification.
- For discussion (thanks Andi for these two new bullets!): Consider updating the UMA Core spec in some way to point non-normatively to the extension spec, and/or mention it from the UIG
- For discussion (possibly at a later juncture): Consider if/when/how to fold the extension into a future UMA version (likely to be captured as a GitHub issue)
The WG itself can self-approve a technical specification, and the LC can approve that group output. (Are these "WG Reports"? Eve will check with the LC.) In other words, this could remain at a level sort of equivalent to an IETF I-D and not progress to an "RFC" level before it eventually gets absorbed into a later version of the UMA Core spec. We do want to recommend that everyone using the claims-gathering endpoint use this approach, but it all depends on the timing of any new UMA "V.next" version. We basically need to defer the decision about its "track" until we execute on the rest of our roadmap.
AI: Eve, Domenico, Maciej: Write the extension spec.
Can we publish these by next Thursday? Let's give the old college try. We want to publish and publicize the draft docs at the same time.
Wide ecosystem challenges
Eve presented a set of high-level statements that describe the dual nature of the challenges. Eve/James and Maciej will share some material on the challenges.
John observes that it's an ouroboros – a snake eating its own tail (or as Eve likes to call it, the bubble under the wallpaper that you can move but you can't remove).
Some discussion arose about different solutions, e.g.:
- UMA-protected user claims endpoint ("UserInfo")
- Agreed-on central authority (e.g. hospital) serving as a claims endpoint/AS (?) – akin to the question that has arisen over the last decade-plus about "who's the IdP"
The group agreed to collect all the potential solutions "without fear or favor" and then analyzes how well they solve the challenges.
Attendees
As of 16 Feb 2016, quorum is 6 of 10. (François, Domenico, Kathleen, Sal, Thomas, Andi, Robert, Maciej, Eve, Mike)
- Eve
- Kathleen
- François
- Domenico
- Sal
- Mike
- Maciej
Non-voting participants:
- John W
- Sarah
- Adrian
- George
- Scott
- Mark
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma
--Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-umaThis email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
--Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.<signature.asc>
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma