The words you are searching are inside this book. To get more targeted content, please make full-text search by clicking here.

Custodianship in and around UMA FORGEROCK.COM Eve Maler [email protected] March 9, 2015

Discover the best professional documents and content resources in AnyFlip Document Base.
Search
Published by , 2017-02-06 08:20:03

Custodianship in and around UMA - OpenID

Custodianship in and around UMA FORGEROCK.COM Eve Maler [email protected] March 9, 2015

Custod
in and aro

Eve Maler
[email protected]

March 9, 2015

dianship
ound UMA

FORGEROCK.COM

Examples

■  Under-13 student using a
completed homework ass

■  Elderly parent with interm
social networking and he

■  Developmentally disabled
online bank accounts and

a school portal to share
signments
mittent dementia using
ealth-related apps
d adult with access to
d related data

2

Goal

■  Bring various benefits of
even to those who are at
with respect to consent, i

user-managed access
some level “incapacitated”
if possible

3

Reminder about
architecture

t UMA

The challenge: Can the person
who manages the resources be
trusted to control their access?

4

A “PAT” represents th
the RS to outsource p

he RO’s consent for
protection to the AS

Plain old OAuth token
representing an important
UMA concept, and likely to
be associated with “binding
obligations” in trust
frameworks

5

Notes

■  UMA does not have a for
ROs” (like “joint bank acc

–  Rationale: V1.0 speed and sim
clashing policy between ROs; G
successful single-RO model

–  Mitigating this “lack” at the app
ranging admin or further-down
can grant them

■  As an aside, the RS and
instances of the same ap

rmal notion of “multiple
counts”)

mplicity; inherent complexity in
Google Apps as existence proof of

p level: If an API exposes wide-
nstream share scopes, then an RO

C may, in fact, be
pp

6

Generic roles us
following discus

■  Guardian (custodial role)
■  Ward (in custody)
■  Agent (representative of r

sector bureaucracy)

sed in the
ssion

relevant public/private

7

Some options fo
custodianship in
UMA

You may have others in mi

or handling
n and around

ind…

8

Option 1: offlin

RqP (becoming a downstream
the control of an “offline” gua
1.  Guardian executes a paper
2.  Agent creates an RO accoun
3.  Agent issues PAT on guardia
4.  System-default policy under

manually – issues relevant R
ward
5.  Ward can function normally
however…
6.  Guardian, through agent, ca
ward’s access as an RqP as

ne guardian

m RO) account initiated under
ardian
consent form
nt record on guardian’s behalf
an’s behalf
r trust framework – or agent,
RqP permissions to associated

as a downstream RO;

an monitor control, and revoke
s required

9

Option 1 discu

■  This a fairly “top-down” p
■  The offline/proxy pattern

current public-sector and
■  The PAT gives some aud
■  Policies/trust framework f

accountability
■  The onus is on agents to

work
■  …

ussion

pattern
seems to match many

d financial use cases
ditability
force some formal

make the whole thing

10

Option 2: onlin

RO account initiated by a
framework bounded by an
1.  Ward registers for an RO

requires linking a verified
treated as an automatic
2.  System-default policies
with others besides guar
ensures that ward can m
disclosures; standard sc
access by guardian

ne guardian

a ward but in a trust
n “online” guardian
O account; process
d guardian’s account,
RqP
limit ward’s ability to share
rdian RqP; trust framework
monitor uncontrolled
copes ensure extent of

11

Option 2 discu

■  This is a fairly “bottom-up
■  The online pattern seems

private-sector use cases
■  System-default policies a

give guardian some real “
ward’s activity
■  …

ussion

p” pattern
s to be closer to some
and, particularly, scopes
“teeth” for overseeing

12

Option 3: “outs

Enhanced AS handles RO imp

■  Kennisnet has chosen this op
Netherlands for K-12 students

–  http://www.laceproject.eu/blog/give-s
–  http://panelpicker.sxsw.com/vote/320

■  Mark Dobrinic of Kennisnet sa

–  “We have decided that dealing with c
case, this means that we have move
to the AS completely. This is visualiz
the mother that logs in at the Dashbo
her children she wants to use the da
thinking in the design, but we have is
projecting it on the AS would allow u

side UMA”

personation duties

ption for its LACE Project in the
s, currently in UX mockups:

students-control-data/
086

ays:

custodians is a problem by itself. In our
ed the relationship between child-custodian
zed in the Dashboard(AS) application, by
oard(AS), and she can select which one of
ashboard for. …. So, it has been part of our
solated it away from UMA and thought that
us to focus on the rest of the case study.”

13

Option 3 discu

■  Impersonation approache
avoid!

■  But there hasn’t been gui
go beyond

■  …

ussion

es are what UMA tries to
idance to date on how to

14


Click to View FlipBook Version