[WG-UMA] Draft minutes of UMA telecon 2022-03-31


Alec Laws

Mar 31, 2022, 11:32:39 AM
to wg-uma@kantarainitiative.org WG
https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2022-03-31

Minutes

Roll call

  • Quorum: Yes

Approve minutes

Andi motions to approve ALL the minutes! Sal seconds. Motion approved.


Julie Use-case Report

Have resolved current comments, link to V0.2 Editor's Draft: Julie Use-case Report

Alec motions to move the Report to a Working Group Draft. Andi seconds. Hearing no objections, the motion passes!


Thanks to all the editors and contributors who got the report to this point!!


UMA and Other Standards (UDAP, etc)

This sheet starts to organize the comparison:

https://docs.google.com/spreadsheets/d/1UWxhLoLFsVNmHulGvyS_3vx5hF9u2reFXT3gxc3bRnY/edit#gid=0


The HEART WG is having a session on this topic on April 4, 2-3PM ET. The link and invite should be shared on the OIDC HEART mailing list: https://meet.goto.com/785234357

Eve, Nancy and Alec plan to attend. 

Show UMA's understanding in relation to other standards. Could we introduce UMA to the HL7 connectathons?


Correlated Authorization Updates

https://github.com/umalabs/correlated-authorization



European Identity Conference, May 10-13, 2022 | Berlin

Kantara has a 4-hour workshop the day before the conference. Is anyone planning to attend in person? Steve, Andi, George

Do we want some of that time to present/get feedback on some of our work? Eg to review and solicit feedback on the Julie report


Potential Future Work Items / Meeting Topics

  • UMA vs (OAuth, OIDC, GNAP, UDAP, ....)
    • compare protocols & features (eg a product comparison type matrix with tick and cross marks)
  • Confluence clean up, archive old items and promote the latest & greatest
  • Review of the email-poc correlated authorization specification
  • A financial use-case report (following the Julie healthcare template)
    • either open banking or pensions dashboard
    • openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)


Upcoming Conferences

AOB



Have had questions about UMA + DID and their relationships

Some OAuth folks see UMA as complex, and can rebuild the features with OAuth drafts

UMA is for wide ecosystems where the RO can control policy. OAuth doesn't go this far, everything is still oriented around 1AS/1RS

  • A ticket is an auth_code, and an auth_code also binds a lot of server-side state. A ticket is a more reusable/general conception of an auth_code.
  • There is an OAuth 'step-up model' that is more RS-first, eg to upgrade or get new access tokens when the presented one is missing something (eg authN).
  • It is possible to use Grant or FedAuthZ independently - maybe a profile of UMA to make it "look" like OAuth would help introduce people to UMA (and not see it as extra complexity).
    • if you limit UMA scope: i) ask for resource ii) sent to pre-arranged AS iii) claims gathering
    • open source UMA impls: Keycloak, Gluu
  • Could we present a UMA use-case and ask how it could be solved in OAuth?
    • Alec could host at IIW


Attendees

As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)

Voting:

  • Andi
  • Alec
  • Sal
  • Domenico
  • Steve
  • Eve

Non-voting participants:

  • Hanfei
  • George
  • Nancy
  • Scott
  • Chris

Regrets:

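The three-step flow listed under AOB (ask for the resource, get sent to the pre-arranged AS, claims gathering), as an added Python simulation; this is not part of the minutes and not code from any UMA implementation. Endpoint and message names (permission endpoint, the `WWW-Authenticate: UMA` challenge with `as_uri` and `ticket`, the `uma-ticket` grant type, the `need_info`/`request_denied`/`invalid_grant` errors, introspection) follow UMA 2.0 Grant and Federated Authorization; the resource, the RO policy, the email claim format name, the AS URI and the pushed-claim encoding are constructed assumptions. It also illustrates the point made about tickets: the ticket is a handle to server-side state at the AS (the registered permission plus any gathered claims), and it is treated as single-use here, so presenting a spent or unknown ticket yields `invalid_grant`.

```python
"""Toy walkthrough of the UMA 2.0 grant (added example, not part of the minutes).
Steps: i) client asks the RS for a resource with no token, ii) RS answers 401 with a
permission ticket pointing at the pre-arranged AS, iii) AS asks the client to push
claims before it issues an RPT. Policy, resource and claim format are constructed."""
import secrets
from dataclasses import dataclass, field

AS_URI = "https://as.example.test"                   # constructed
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
EMAIL_CLAIM_FMT = "urn:example:claim-format:email"  # constructed claim_token_format


@dataclass
class AuthorizationServer:
    tickets: dict = field(default_factory=dict)  # ticket -> permission + gathered claims
    rpts: dict = field(default_factory=dict)     # RPT -> permission it grants
    # Constructed RO policy: scope "view" on "doc1" needs an @example.test email claim.
    policy: dict = field(default_factory=lambda: {("doc1", "view"): "example.test"})

    def permission_endpoint(self, resource_id, resource_scopes):
        """Permission endpoint: the RS registers a permission and gets a fresh ticket."""
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = {"resource_id": resource_id,
                                "resource_scopes": list(resource_scopes), "claims": {}}
        return {"ticket": ticket}

    def token_endpoint(self, grant_type, ticket, claim_token=None, claim_token_format=None):
        """Token endpoint for the uma-ticket grant; returns (http_status, json_body)."""
        if grant_type != UMA_GRANT:
            return 400, {"error": "unsupported_grant_type"}
        perm = self.tickets.pop(ticket, None)  # tickets are treated as single-use here
        if perm is None:
            return 400, {"error": "invalid_grant"}
        if claim_token is not None and claim_token_format == EMAIL_CLAIM_FMT:
            perm["claims"]["email"] = claim_token  # pushed claim (bare string, constructed)
        if not all(self._policy_ok(perm, s) for s in perm["resource_scopes"]):
            if perm["claims"]:  # claims were pushed and policy still fails
                return 403, {"error": "request_denied"}
            new_ticket = secrets.token_urlsafe(16)  # claims gathering: rotate the ticket
            self.tickets[new_ticket] = perm
            return 403, {"error": "need_info", "ticket": new_ticket, "required_claims": [
                {"claim_token_format": [EMAIL_CLAIM_FMT], "name": "email"}]}
        rpt = secrets.token_urlsafe(24)
        self.rpts[rpt] = perm
        return 200, {"access_token": rpt, "token_type": "Bearer"}

    def _policy_ok(self, perm, scope):
        domain = self.policy.get((perm["resource_id"], scope))
        return domain is not None and perm["claims"].get("email", "").endswith("@" + domain)

    def introspect(self, rpt):
        """Token introspection, as the RS calls it to validate an RPT."""
        perm = self.rpts.get(rpt)
        return {"active": False} if perm is None else {"active": True, "permissions": [perm]}


@dataclass
class ResourceServer:
    aserver: AuthorizationServer
    resources: dict = field(default_factory=lambda: {"doc1": "contents of doc1"})

    def get(self, resource_id, rpt=None):
        """Returns (status, headers, body); without a valid RPT it hands back a ticket."""
        if rpt is not None:
            info = self.aserver.introspect(rpt)
            if info["active"] and any(p["resource_id"] == resource_id and "view" in p["resource_scopes"]
                                      for p in info["permissions"]):
                return 200, {}, self.resources[resource_id]
        ticket = self.aserver.permission_endpoint(resource_id, ["view"])["ticket"]
        challenge = f'UMA realm="example", as_uri="{AS_URI}", ticket="{ticket}"'
        return 401, {"WWW-Authenticate": challenge}, None


def parse_uma_challenge(header):
    """Split a 'WWW-Authenticate: UMA ...' value into its parameters."""
    scheme, _, params = header.partition(" ")
    if scheme != "UMA":
        raise ValueError("not a UMA challenge")
    return {k.strip(): v.strip().strip('"') for k, _, v in
            (p.partition("=") for p in params.split(","))}


def client_flow(rs, aserver, email):
    """Steps i-iii from the client's side; returns the resource body or the final error."""
    status, headers, body = rs.get("doc1")                     # i) ask for the resource
    if status != 401:
        return body
    chal = parse_uma_challenge(headers["WWW-Authenticate"])    # ii) ticket + pre-arranged AS
    if chal["as_uri"] != AS_URI:
        return "unexpected_as"  # only talk to the AS the client already trusts
    status, resp = aserver.token_endpoint(UMA_GRANT, chal["ticket"])
    if status == 403 and resp.get("error") == "need_info":     # iii) claims gathering
        status, resp = aserver.token_endpoint(UMA_GRANT, resp["ticket"], claim_token=email,
                                              claim_token_format=EMAIL_CLAIM_FMT)
    if status != 200:
        return resp["error"]
    status, _, body = rs.get("doc1", rpt=resp["access_token"])
    return body if status == 200 else "denied"
```

Running `client_flow` with an `@example.test` email returns the document; with any other email the second token request ends in `request_denied`, and a spent ticket gets `invalid_grant`. The `as_uri` check on the client side is the "sent to a pre-arranged AS" limitation from the minutes: a client that follows whatever `as_uri` a resource server hands it would be redirectable to an AS of the RS's choosing.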
Igor Zboran

Apr 5, 2022, 2:55:51 PM
to wg-uma@kantarainitiative.org WG

Hi all,


I don't see the UMA standard as "too complex." On the contrary, in my opinion, the UMA is an "incomplete set" of specifications, as there are lots of "outside the scope of this specification" statements. I understand the reasons why this is so. The goal of WG-UMA was to design a universal OAuth-based access management protocol.


In my opinion, UMA is not a rival to the OAuth suite. UMA is a promising, versatile trust framework.


I have been trying for some time to extend the UMA standard to become a full-fledged trust framework; see https://github.com/umalabs/correlated-authorization. I apologize for the messy text—it's a living draft. It has a somewhat futuristic use case—Authorization-Enhanced Mail System; see https://github.com/umalabs/authorization-enhanced-mail-system. In either case, UMA excels when used with multiple security domains.


Regards

-Igor


_______________________________________________
WG-UMA mailing list
WG-...@kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-uma