User Managed Access
Issue/Topic: User-Managed Access (UMA) Claims 2.0
Session: Tuesday Session 4 Space C
Convener: Tom Holodnik
Notes-taker(s): Eve Maler
A. Tags for the session - technology discussed/ideas considered:
#UMA #authorization #policy #claims #digital-signature #self-asserted
B. Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
UMA has two really great ideas in it: dynamicism and claims. Dynamicism is by its nature inclusive, and claims are by their nature exclusive.
Claims are going to have to support both self-asserted data and third-party-asserted data. And there are even ways of authenticating a "walk-up" requesting party that are so lightweight that they feel like self-asserted data. E.g., if in the process of engaging with a future requesting party in person (your dentist) you give them a tear-off paper with a unique temporary password that they need to present when seeking calendar access, you've authenticated them pretty strongly and only need to correlate "the same party" in future.
If you want to share dental records on a more formally authenticated basis, other things might have to happen.
UMA needs to have a unified way of "being" a requester endpoint, even if it has different flows for how they are interacted with. We think we have that now.
Should a specific person at a company be given access to Alice's stuff, or should a role at the company (or just generically "the company") be given access? The former is brittle.
What if you want to grant any plumber who has a good certification rating access to your plumbing service record? There will be company and certifier assertions involved.
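As an added illustration (not from the session notes or any UMA specification) of the self-asserted versus third-party-asserted distinction and the "any certified plumber" policy just described: a small constructed claims evaluator in which an HMAC over each claim stands in for the issuer's signature, the issuer names and keys are invented, and only claims verifiably issued by a known certifier or company count toward the policy.

```python
import hashlib
import hmac
import json

# Constructed trust list: issuers whose assertions the policy will rely on.
# Demo keys only; a real deployment would verify public-key signatures.
TRUSTED_ISSUERS = {
    "certifier.example": b"certifier-demo-key",       # rates plumbers
    "acme-plumbing.example": b"acme-plumbing-demo-key",  # vouches for its staff
}


def sign_claim(issuer, subject, name, value, key):
    """Issuer attests one claim about subject; HMAC stands in for a signature."""
    payload = json.dumps({"iss": issuer, "sub": subject, name: value},
                         sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verified_claims(claim_set):
    """Return the bodies of claims whose signature checks out against a trusted issuer.

    Anything from an unknown issuer (including the requesting party itself)
    is treated as self-asserted and never reaches the policy decision.
    """
    accepted = []
    for claim in claim_set:
        body = json.loads(claim["payload"])
        key = TRUSTED_ISSUERS.get(body.get("iss"))
        if key is None:
            continue  # self-asserted or unknown issuer: not relied upon here
        expected = hmac.new(key, claim["payload"], hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, claim.get("sig", "")):
            accepted.append(body)
    return accepted


def plumber_policy(requester, claim_set, min_rating=4):
    """Grant only if a trusted certifier rates this requester at or above
    min_rating AND a known company asserts the plumber role for them."""
    about_requester = [b for b in verified_claims(claim_set)
                       if b.get("sub") == requester]
    rating_ok = any(b["iss"] == "certifier.example"
                    and b.get("rating", 0) >= min_rating for b in about_requester)
    role_ok = any(b["iss"] == "acme-plumbing.example"
                  and b.get("role") == "plumber" for b in about_requester)
    return rating_ok and role_ok
```

A claim that names a trusted issuer but was produced with the requester's own key fails verification, so a self-asserted rating can never satisfy the certifier requirement.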
Claim format definitions clearly need to have a generic/horizontal core set, and likely we would need domain-specific plugins for specialized policies and claims.