Open issues - let's try to work through them by email BEFORE May 12
We really don't have a lot of 2.0 issues https://github.com/KantaraInitiative/wg-uma/issues?q=is%3Aopen+is%3Aissue+la... left. A few new ones are coming to light now...which is good. The sooner the better. :)

BTW, I've just published Grant 03 https://docs.kantarainitiative.org/uma/ed/oauth-uma-grant-2.0-03.html and FedAuthz 03 https://docs.kantarainitiative.org/uma/ed/oauth-uma-federated-authz-2.0-03.h..., with a bunch of strictly editorial cleanup.

Current status:

- #303 https://github.com/KantaraInitiative/wg-uma/issues/303: JSON usage and OIDC for client authentication: These security considerations have been removed from the drafts, and it doesn't seem they'd be missed. Unless anyone yells, we'll close this issue for May 12.
- #304 https://github.com/KantaraInitiative/wg-uma/issues/304: Do we need the invalid_request issue? It would only be for FedAuthz (the protection API). I've taken it out for now. Request messages have their own custom errors for specific things that could go wrong. Basically, yell if you see a need to add it (or any other more-specific errors) back, or we'll close this with no action by May 12.
- #306 https://github.com/KantaraInitiative/wg-uma/issues/306: Best to keep downscoping undefined when refreshing? I've now included a rationale in the refreshing language in Grant. Given the current state of Grant and FedAuthz, let's plan to close this without action by May 12 unless someone has a problem.
- #307 https://github.com/KantaraInitiative/wg-uma/issues/307: Lower-priority, but nice to think about since there are already a bunch of profiles and extensions: Should we create a "pseudo-IANA-registry" for profiles and extensions?
- #308 https://github.com/KantaraInitiative/wg-uma/issues/308: Really kind of low-priority: Should we flatten the innards of need_info to remove the error_details layer? If no one pays attention to this before May 12, let's close without action.
- *#310* https://github.com/KantaraInitiative/wg-uma/issues/310: NEW and important, highlighted by Mike: Our requirement to have the client pre-register for scopes is likely at least somewhat problematic. See the issue for why. (Domenico, this would potentially affect your Venn...)
- *#311* https://github.com/KantaraInitiative/wg-uma/issues/311: NEW and would be nice to look at: We go on and on about how the PAT is susceptible to implicit grant threats, but this seems like just a generic OAuth threat (especially with our refactoring now), and everyone is familiar with it. Remove?

Please review, and in particular please weigh in on 310, 311, and any other new issues that get submitted between now and our May 12 meeting. Thank you!

*Eve Maler* Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
Reminder: We're not meeting tomorrow (Thursday), but instead on Friday,
just after the Legal call. We will plan to close the remaining issues (as
outlined in this thread) and consider a motion something like the following:
"Approve the draft UMA 2.0 specifications [as amended according to the
instructions of UMA telecon 2017-05-12] as Draft Recommendations for public
comment and IPR review."
I'll publish a formal agenda if I have time to do so -- I'll be traveling
back from Munich between now and Friday.
*Eve Maler* Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
On Sun, Apr 30, 2017 at 11:10 PM, Eve Maler