[WG-UMA] Draft Minutes of UMA telecon 2021-07-15

[Alec Laws]

https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-07-15

Minutes

Roll call

Quorum was NOT reached.

Approve minutes

• Approve minutes of  UMA telecon 2021-06-10, UMA telecon 2021-06-17, UMA telecon 2021-06-24, UMA telecon 2021-07-01, UMA telecon 2021-07-08

Deferred

ANCR/UMA initial understanding

https://groups.google.com/g/kantara-initiative-uma-wg/c/EzbI7kjc_MU/m/NLX_0eYZCQAJ

Short flow

1. Alice visit's Bob's Organization(site/service) website
2. Bob returns a notice that references a third party registry
3. Alice is able to independently lookup Bob's notice from the registry
4. Alice requests a notarized receipt from the registry, including Bob's notice and her Rights (eg the law's of the country she lives in)
5. Alice includes this receipt in requests as she interacts with Bob's service
6. Bob is able to use the receipt token to interact with Alice's information, either in requests for authorization/information (eg as a token/claim)

ANCR current state: documentation of the receipt: Bob's notice, Alice's rights assertion, the notarized ANCR receipt

Next steps: Getting ANCR receipt fields to be part of the ISO 27560 consent receipt 1.2 spec, publish within Kantara. Move from receipt definition to flows/protocol integrations

The receipt creates transparency for Alice to discover and understand the sites/services terms, controller, etc. Steps 1-5 would be part of a Browser/extension implementation and could be broadcasted through headers (for example). Alice could include in her notarized receipt where BOb's service could discover her information, eg her UMA Auth server or relevant resource locations. 

From initial contact, Alice is able to monitor service term changes through the registry. The 'registry' doesn't necessarily need to be a 3rd party, the site itself could host this to achieve the transparency outcome. Self assertion like this can still reference third parties, who don't need to know about ANCR. For example in the UK there is a public business registry with the Controllers listed, the site itself can reference that endpoint.
Can a service be registered with multiple registries? yes

ANCR is having an off cycle meeting 1130(?) Monday. They usually meet Wednesday at 1030ET

Advanced Notice and Consent Receipt: Advanced Notice & Consent Receipt - ANCR-WG

Anyone attending HIMSS?

IDENTOS will have some representation there (not Alec), presenting their TrustSphere project in BC 

Has Kantara ever provided funding support to attend/present posters/papers? Kantara is open for funding requests, if interested please reach out to Alec(or any WG chair) and they'll help with the request to the Leadership Council. Largely attendance have been self-funded

Relationship Manager - user stories

Review the Diagram: https://groups.google.com/g/kantara-initiative-uma-wg/c/WAnizgl08Fg/m/YjflL1EbAwAJ

Last week we got into the details and questions around discovery. It may not need to be part of the core UMA AS function, and could be a 3rd service specification (with some intersection to the ANCR registry concepts)

Implementing the UMA spec is not enough, need to have use-cases to fill the gaps and details (and to 'get creative'). This has made interop challenging between implementations. There's a bunch of work around UMA that are required to show implementation. Maybe a simple interop profile around a use-case would allow us to show us working together. One example, who owns + stores the PAT. Communicating the handle (uri) from RO to RqP

AOB

Please welcome Kay Chopard as the new  Kantara Executive Director!

Attendees

As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)

Voting:

1. Steve
2. Alec
3. Sal

Non-voting participants:

1. Zhen
2. Scott

Regrets: