To be clear, my suggestion about IdP in the #wideeco is for the #wideeco AS to be given the option of using the RS as Bob's IdP. That is very different from the RS being the IdP and AS if that's how I read the minutes.

In general, I'm looking for ways to make the AS lighter and more generic so that each individual can own one. In the HIE of One brand #wideeco model, the UMA AS is also always an OpenID Connect Client so that any RS that chooses to support OIDC Dynamic OP can offer this as part of the resource registration agreement with a #wideeco AS. This also enables the AS to register other well-known IdPs like Google and make these available as a NASCAR to Bob. As blockchain ID catches on (onename and uPort), the #wideeco AS will be able to offer this as an option as well.

Adrian



On Thu, Feb 18, 2016 at 1:09 PM, Eve Maler <eve@xmlgrrl.com> wrote:
Great meeting, all!

http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2016-02-18

Minutes

Roll call

Quorum was reached.

Approve minutes

Minutes of UMA telecon 2016-01-07 approved.

Issue #239

  • Proposal: Regardless of other decisions, develop a non-normative analysis of the attack and mitigations; revise as appropriate depending on other decisions taken (Sarah has this AI already)

Proposal accepted.

  • Proposal: Develop an extension specification, Enhanced Claims-Gathering Security Extension, to require cycling of the permission ticket when using the claims-gathering extension

Sal and Eve just discussed in email whether a stronger authentication mitigation would work. Session fixation happens after victim authentication, so it wouldn't help.

Robert mentioned to Eve offline that Wikipedia has some comments on session fixation that might be useful. Eve believes that since the permission ticket gets passed in UMA JSON messages, the countermeasures there may not apply, but we could look (for purposes of the non-normative analysis if ultimately nothing else).

  • For discussion: Consider also handling issue #167 in this extension if it has a security rationale

If the AS uses the flexibility to give a new endpoint, then there's the danger of giving an attacker new information outside of the discovery document that it didn't have before, which is a degradation of security. If the AS doesn't avail itself of the flexibility, then it doesn't seem to add anything. In any case, we're not thinking of a security rationale for adding this feature to the extension. In any case, it sounds like taking up #167 as part of the extension work doesn't meet our "#security use case bucket" goals, so we'll defer that till such time as we take up "#simplify use case bucket" work.

Consensus: We want to write and publish the extension specification.

  • For discussion (thanks Andi for these two new bullets!): Consider updating the UMA Core spec in some way to point non-normatively to the extension spec, and/or mention it from the UIG
  • For discussion (possibly at a later juncture): Consider if/when/how to fold the extension into a future UMA version (likely to be captured as a GitHub issue)

The WG itself can self-approve a technical specification, and the LC can approve that group output. (Are these "WG Reports"? Eve will check with the LC.) In other words, this could remain at a level sort of equivalent to an IETF I-D and not progress to an "RFC" level before it eventually gets absorbed into a later version of the UMA Core spec. We do want to recommend that everyone using the claims-gathering endpoint use this approach, but it all depends on the timing of any new UMA "V.next" version. We basically need to defer the decision about its "track" until we execute on the rest of our roadmap.

AI: Eve, Domenico, Maciej: Write the extension spec.

Can we publish these by next Thursday? Let's give the old college try. We want to publish and publicize the draft docs at the same time.

Wide ecosystem challenges

Eve presented a set of high-level statements that describe the dual nature of the challenges. Eve/James and Maciej will share some material on the challenges.

John observes that it's an ouroboros – a snake eating its own tail (or as Eve likes to call it, the bubble under the wallpaper that you can move but you can't remove).

Some discussion arose about different solutions, e.g.:

  • UMA-protected user claims endpoint ("UserInfo")
  • Agreed-on central authority (e.g. hospital) serving as a claims endpoint/AS (?) – akin to the question that has arisen over the last decade-plus about "who's the IdP"

The group agreed to collect all the potential solutions "without fear or favor" and then analyzes how well they solve the challenges.

Attendees

As of 16 Feb 2016, quorum is 6 of 10. (François, Domenico, Kathleen, Sal, Thomas, Andi, Robert, Maciej, Eve, Mike)

  1. Eve
  2. Kathleen
  3. François
  4. Domenico
  5. Sal
  6. Mike
  7. Maciej

Non-voting participants:

  • John W
  • Sarah
  • Adrian
  • George
  • Scott
  • Mark

Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl


_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma




--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/