Minutes

Roll call

Quorum was reached.

Approve minutes

• Approve minutes of UMA telecon 2020-10-01, 2020-10-15, 2020-10-22, 2020-10-29, 2020-11-05, 2020-11-12

MOTION: APPROVED by acclamation.

MOTION: Moved by Domenico, seconded by Andi: The Working Group recognizes and appreciates the significant contributions made by the outgoing vice-chair, Maciej Machulak, to the development and progress of the UMA specifications. APPROVED by acclamation.

Continue Policy Manager / Trust Model discussion and agree on use cases

The discussion last week was about how UMA fits into existing trust models. Identos's motivation in developing the draft user stories was that having even more OAuth-like flows could promote adoption. UMA AS's have have trust schemes for all the parties but needs to have knowledge of the resource semantics. That's where the user story elements of "recognized standards", "resource types and scope", and "push RARs" come from. The last user story came out of a discussion with George. Alec has seen some work in GNAP around this, but it's difficult to do.

With permission requests, there can be multiple resource IDs and scopes, and you may not know what RS they originally came from. It's a no-no to give a client a token that it can redeem in multiple places. The reason we care about this, since this would have been impossible in "regular UMA", is because we're inventing something new here: The client could request a resource by type, and that means all of the resources that satisfy that type could span resources. Reminder: We are enabling C → AS first. The "community AS" has become a virtual registry of resources on each RO's behalf that can cross RS's. (Shades of Liberty Discovery Service.) It's not just C → AS, it's actually enabling the RqP to do something new at the AS, and that's where we have higher-level user stories:

As RqP Bob, I want to be able to request access to a set of Alice's resources directly from Alice's AS without knowledge of their location, because I don't have to bother getting or caring about all the locations from Alice first.

As client C used by RqP Bob, want to be able to request access to a set of Alice's resources directly from Alice's AS on Bob's behalf without knowledge of their location, because I don't have to retrieve the locations first.

Maybe there are more low-level/technical stories here to do with request_submitted and different ways of handling it, but we can deal with that later.

In our 2020-11-05 call, three "models/degrees of freedom" were defined. The ecosystem gets further and further constrained with each choice. They function as profiling – and compliance – choices. There's 1) a data model underlying the API being used by the client (by analogy think of a "media type"); 2) the authorization protocol protecting that API, such as OAuth (by analogy think of a "scheme"); and 3) the trust model that actually constrains access by that specific client in making API calls using that authorization protocol (back to a CA). There is a persistent desire to get more distributed about that last one.

Resource Definitions is one distinct deliverable we want to have. "Trust model" isn't a spec deliverable, but we think we should ponder the concept and see if it generates any (e.g.) security considerations for each new spec we do generate.

As an example of walking through every (pair of) entities/parties, the old "binding obligations" spec shows how we did it back in the old days.

Next time: Domenico's EU report (and UMA implications), and Alec's user stories docs.

Attendees

As of October 26, 2020, quorum is 5 of 9.  (Michael, Karim, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve)

1. Michael
2. Domenico
3. Peter
4. Thomas
5. Andi
6. Alec
7. Eve

Non-voting participants:

1. Scott
2. Lisa
3. Tim
4. Colin
5. Nancy