https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-09-24

Minutes

Roll call

Quorum was not reached.

Approve minutes

Deferred.

Leadership team changes

Thanks to Maciej for his long and distinguished service to the Work Group as Vice-Chair!

Policy Manager extension spec

  • Spec location (unchanged from last week) and issues (label "policymgr")
  • Issue backlog status report
  • Scope of current extension effort (new issue #364, captured after today's discussion – see the "pretty diagram" captured there)

As we outlined them last week, there are three pieces, which were presented as encompassing options:

  1. AS-RO API (policy manager/policy API)
  2. Add the RS-RO API (manage API)
  3. Add the cascading AS solution ("the"? really? (smile) )

Adrian suggests we solve the third bit and it will influence how we solve the first bit. Alec suggests the opposite. Eve has trouble even defining what the third bit is (she tried to convey it to the LC and failed, but believes she succeeded on the first two). Alec thinks this makes his point. Can Adrian define the third bit? Here is his definition:

"At the time of resource registration between the RO and the RS, the RS might offer both a wide ecosystem (unrestricted AS) choice as well as a secondary AS to be picked from a federated list." It's both bring-your-own-AS and a fallback option or set of options (perhaps a timeout, just as happens with the Kantara UX's IdP choice)."

This may be a valid use case, but appears to be different from the third bit we discussed last week, which was about "set math" and "RqP claims" and such. It seems to be related to impacts on how the first and second bits interact. Eve wonders if "cascading AS" is even a good term for the use case because once the RO chooses an AS for protection of that resource, there is just the one AS protecting it as usual. Can we avoid the word "cascading" except in the case of the issue #260 sense?

Should we pursue this new use case, which let's call RO choice of AS at resource reg time? Nothing in the spec says that Alice has a free choice of AS. We'll close the matter.

The third bit we discussed last time was more like: The RqP goes to one AS and is redirected to some other AS for claims collection. Alec suspects we just don't need to solve this yet. (Eve suspects we'll eventually go down the rabbit hole and have to solve it, but by then we'll understand the problem better. So, win win.)

UN Panel on Digital Cooperation

Tim updated us on this panel's latest work. It's largely funded by the Gates Foundation. They believe there needs to be an individual's ability to control their personal information. They also believe we need a multi-stakeholder (vs. multi-lateral) approach to information governance. This was a constant theme. Could we offer resources to comment or present? ID2020 was the original relevant initiative. There may be a formal way to follow up through Kantara's liaison efforts. It seems they're broadening from identity to data control/authorization.

UMA and UDAP

  • Eve's promised thoughts
  • Any others'?

Eve presented a four-bubble Venn. Alec and Adrian are willing to comment seriously on it so she'll distribute it to them for comment.

What about the NIST Zero Trust Architecture? How do each of these solutions account for it? Adrian will comment on that aspect. Alec will check all of the intersections.

Attendees

As of September 3, 2020 (pre-meeting), quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Gaurav, Thomas, Andi, Maciej, Eve)

  1. Michael
  2. Domenico
  3. Thomas
  4. Eve

Non-voting participants:

  • Alec
  • Adrian
  • Tim
  • Anik

Eve Maler
Cell or Signal +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl