<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">Good – thanks for the clarification.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">From:</span></b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'"> Justin Richer [mailto:jricher@mit.edu]
<br>
<b>Sent:</b> Thursday, April 23, 2015 11:55 PM<br>
<b>To:</b> Mike Jones; openid-specs-heart@lists.openid.net<br>
<b>Cc:</b> Eve Maler; Debbie Bucci; Don Thibeau<br>
<b>Subject:</b> RE: [Openid-specs-heart] UMA Profile Skeleton<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">All the text is new text, I didn't copy anything in this document from outside. You're misinterpreting what I said, which I realize is easy to do when the rendered version isn't available yet. I'm not sure it even complies yet.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This profile does a few things to UMA in the same way that the OAuth profile does a few things to OAuth. It does this by specifying new text that modifies UMA, which is included by reference. It's a profile; that's its job. The normative
document links aren't all set up yet though, so it's reference by hand-waving at the moment.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">So, rest assured, no worries.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div id="composer_signature">
<div>
<div>
<p class="MsoNormal"><span style="font-size:7.0pt">-- Justin<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:7.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:7.0pt">/ Sent from my phone /<o:p></o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal"><br>
<br>
-------- Original message --------<br>
From: Mike Jones &lt;<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>&gt;
<br>
Date: 04/23/2015 10:07 PM (GMT-05:00) <br>
To: Justin Richer &lt;<a href="mailto:jricher@MIT.EDU">jricher@MIT.EDU</a>&gt;, <a href="mailto:openid-specs-heart@lists.openid.net">
openid-specs-heart@lists.openid.net</a> <br>
Cc: Eve Maler &lt;<a href="mailto:eve.maler@forgerock.com">eve.maler@forgerock.com</a>&gt;, Debbie Bucci &lt;<a href="mailto:Debbie.Bucci@hhs.gov">Debbie.Bucci@hhs.gov</a>&gt;, Don Thibeau &lt;<a href="mailto:don@oidf.org">don@oidf.org</a>&gt;
<br>
Subject: RE: [Openid-specs-heart] UMA Profile Skeleton <br>
<br>
Hi Justin,<br>
<br>
Wearing my board member hat, I need to ask about the IPR provenance of the text that you checked in. What prompted me to write was your description that your checkin "does a few things to UMA", making me think that you took existing text from an IETF or Kantara
UMA spec, modified it, and checked it into an OpenID repository. The potential problem with that is that text may be owned by another organization and the HEART working group may not have a clear license to use it.<br>
<br>
One way to solve this would be to have the other organization that owns the text join the HEART working group and explicitly contribute the text to the OIDF. There may be other ways as well, such as a clear licensing statement in the original text allowing
unrestricted derivative works.<br>
<br>
I hope that that can be resolved post haste. If not, as a board member, I will have to ask you to remove the text owned by others from any OIDF repositories until such time as it has been unambiguously contributed to the HEART working group.<br>
<br>
I hate to sound obstructionist, but my intent is exactly the opposite. I'm trying to *enable* IPR-clean specs to emerge from the HEART working group, so that all will be free to use them.<br>
<br>
-- Mike<br>
<br>
-----Original Message-----<br>
From: Openid-specs-heart [<a href="mailto:openid-specs-heart-bounces@lists.openid.net">mailto:openid-specs-heart-bounces@lists.openid.net</a>] On Behalf Of Justin Richer<br>
Sent: Thursday, April 23, 2015 2:38 PM<br>
To: <a href="mailto:openid-specs-heart@lists.openid.net">openid-specs-heart@lists.openid.net</a><br>
Subject: [Openid-specs-heart] UMA Profile Skeleton<br>
<br>
An updated skeleton of the UMA profile has been uploaded into the repository. This is still very thin and short, and presently example-free, but it basically does a few things to UMA to bring it in line with the OAuth and OIDC specs:<br>
<br>
- Inherit everything from the OAuth and OIDC profiles (this helps keep everything short)<br>
- All tokens (AAT, PAT, RPT) are JWTs and are introspectable, with a required set of claims pointing to specific values<br>
- All tokens are the bearer profile defined in UMA<br>
- Two claims-gathering flows are defined, both are MTI<br>
- Client presents an OIDC ID token directly to the RPT endpoint<br>
- Client sends the requesting party to an endpoint on the AS where the requesting party logs in with OIDC to provide claims directly<br>
<br>
There are placeholders for token lifetimes, but no values yet. The OAuth token lifetimes are based on my personal deployment experience and some previous profiling work (RHEx), but I don’t have a similar feel for the UMA tokens. Should these be specific to
the type of client as well?<br>
<br>
Another question: should we have classes of protected resources? Since they’re OAuth clients as well, but they’re always a web API of some type, perhaps there’s less specificity needed here.<br>
<br>
I’m still working with the OIDF folks to have a place to publish the rendered HTML versions of the specs, but I’m hoping to have that up in the next couple of weeks.<br>
<br>
— Justin<o:p></o:p></p>
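<p class="MsoNormal">The design point in Justin's original message, that every UMA token (AAT, PAT, RPT) is a JWT carrying a required claim set and is introspectable, is illustrated below with an added example. This code is not from the thread, the HEART profile skeleton, or the UMA/OAuth specifications. The required-claim list (standard RFC 7519 names), the HS256 signing key, the issuer and audience values, and the fixed timestamps are all constructed assumptions; the skeleton itself only had placeholders for lifetimes and does not list its claims here. The validator pins the algorithm, checks the signature before reading any claim, then enforces presence of each required claim and the pinned values, and the introspection helper returns an RFC 7662-style response that reports <code>active: false</code> for any token that fails a check.</p>

```python
"""Added example: JWT-formatted UMA token with a required claim set, plus introspection.
Not code from the HEART mailing-list thread or any OIDF/Kantara document; the claim
list, key, issuer, audience and timestamps below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed required-claim set (RFC 7519 registered names). The profile under discussion
# did not publish its list; this is a placeholder choice for the example.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat", "jti")


def _b64url_encode(data: bytes) -> str:
    # JWS uses unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Authorization-server side: produce a compact HS256 JWT over `claims`."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def validate_token(token: str, key: bytes, expected_iss: str, expected_aud: str,
                   now: Optional[int] = None) -> dict:
    """Resource-server side: verify the signature first, then enforce the required
    claim set and the pinned issuer/audience/expiry. Returns the claims on success,
    raises ValueError naming the first failed check otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm instead of trusting whatever the token's header claims
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    missing = [name for name in REQUIRED_CLAIMS if name not in claims]
    if missing:
        raise ValueError("missing required claims: " + ", ".join(missing))
    if claims["iss"] != expected_iss:
        raise ValueError("issuer mismatch")
    audiences = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if expected_aud not in audiences:
        raise ValueError("audience mismatch")
    if not isinstance(claims["exp"], int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def introspect(token: str, key: bytes, expected_iss: str, expected_aud: str,
               now: Optional[int] = None) -> dict:
    """RFC 7662-style introspection response: {"active": False} for any rejected
    token (the endpoint never explains why), otherwise active plus a few claims."""
    try:
        claims = validate_token(token, key, expected_iss, expected_aud, now)
    except ValueError:
        return {"active": False}
    return {"active": True, "sub": claims["sub"], "exp": claims["exp"], "jti": claims["jti"]}


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-real-use"  # constructed, for the example only
    demo_claims = {"iss": "https://as.example", "sub": "alice", "aud": "https://rs.example",
                   "iat": 1000, "exp": 1600, "jti": "token-1"}
    tok = mint_token(demo_claims, demo_key)
    print(introspect(tok, demo_key, "https://as.example", "https://rs.example", now=1200))
    print(introspect(tok, demo_key, "https://as.example", "https://rs.example", now=1700))
```

<p class="MsoNormal">The lifetime question raised in the message maps onto the <code>exp</code> check: whatever values the profile eventually fixes per token type, the resource server should enforce them from the claim rather than from local configuration, and a token missing any required claim should be treated exactly like an expired one.</p>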
</div>
</body>
</html>