User-Authorized Discovery
George Fletcher
Copyright © 2015 Cloud Identity Summit. All rights reserved.
Discovery Models
Person to person
Bluetooth discovery
Email sharing
NFC “tap”
User-Authorized Discovery
•  Machine readable
•  Location of services
•  Context aware
•  Under user control
•  Based on a “sharable identifier”
o  e.g. george@discover.example.com
o  QR code with embedded information
Social web site
Mint-like financial aggregation site
What!!! Are you crazy?!
Security Privacy Sharing
Two standards
Webfinger — RFC 7033
• Protocol for performing “relationship” discovery
User Managed Access v1.0 (Kantara Initiative)
• Protocol for allowing user-defined authorization for access to a resource
Webfinger example
•  Query
•  resource: george@discover.example.com
•  relationship: http://openid.net/specs/connect/1.0/issuer
•  Response
•  subject: george@discover.example.com
•  links
§  relationship: http://openid.net/specs/connect/1.0/issuer
§  href: https://oidc.provider.example.com
§  property
●  name = http://oidc.provider.example.com/login_hint
●  value = gffletch
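The query and response above, expressed as the actual RFC 7033 exchange. This is an added example in Python, not code from the deck: webfinger_url builds the /.well-known/webfinger request for an acct: identifier (the host comes from the identifier the user shared, and only HTTPS is used, as the RFC requires), and select_links pulls the matching link and its properties out of the JSON Resource Descriptor (JRD). The JRD is a constructed sample mirroring the slide; the extra http:// issuer link in it is constructed to show the client dropping a non-TLS location, which follows OpenID Connect Discovery’s rule that an issuer location is an https URL.

```python
import json
from urllib.parse import urlencode, urlsplit

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Constructed sample JRD (RFC 7033 JSON Resource Descriptor) mirroring the
# slide's response; it is not a reply captured from any real server.
SAMPLE_JRD = json.dumps({
    "subject": "acct:george@discover.example.com",
    "links": [
        {
            "rel": OIDC_ISSUER_REL,
            "href": "https://oidc.provider.example.com",
            "properties": {
                "http://oidc.provider.example.com/login_hint": "gffletch",
            },
        },
        {
            # Constructed non-TLS issuer link: the https-only filter drops it.
            "rel": OIDC_ISSUER_REL,
            "href": "http://insecure.provider.example.com",
        },
        {
            # Unrelated link, present to show that rel filtering works.
            "rel": "http://webfinger.net/rel/profile-page",
            "href": "https://discover.example.com/george",
        },
    ],
})


def to_acct(identifier: str) -> str:
    """Normalise user@host to the acct: URI form that RFC 7033 uses."""
    return identifier if identifier.startswith("acct:") else "acct:" + identifier


def webfinger_url(identifier: str, rels=()) -> str:
    """Build the RFC 7033 request URL.

    The host is taken from the identifier itself, so the query goes to the
    domain the user shared, over HTTPS (the only transport the RFC permits).
    Each requested relation becomes a repeated rel= query parameter."""
    resource = to_acct(identifier)
    host = resource.rsplit("@", 1)[1]
    params = [("resource", resource)] + [("rel", r) for r in rels]
    return f"https://{host}/.well-known/webfinger?{urlencode(params)}"


def select_links(jrd_text: str, rel: str, https_only: bool = True):
    """Return (href, properties) for every link whose rel matches.

    With https_only the client ignores locations that are not TLS-protected;
    for the OIDC issuer relation this matches OpenID Connect Discovery."""
    jrd = json.loads(jrd_text)
    found = []
    for link in jrd.get("links", []):
        if link.get("rel") != rel:
            continue
        href = link.get("href")
        if https_only and (href is None or urlsplit(href).scheme != "https"):
            continue
        found.append((href, link.get("properties", {})))
    return found


if __name__ == "__main__":
    print(webfinger_url("george@discover.example.com", [OIDC_ISSUER_REL]))
    for href, props in select_links(SAMPLE_JRD, OIDC_ISSUER_REL):
        print(href, props)
```

The login_hint property comes back keyed by its URI, exactly as the slide shows it; a client would pass that value to the issuer’s authorization endpoint rather than making the user type the local username again.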
User Managed Access (UMA)
UMA Defined
UMA & online sharing
• I want to share this stuff selectively
• Among my own apps
• With family and friends
• With organizations
• I want to protect this stuff from being seen by everyone in the world
• I want to control access proactively, not just feel forced to consent over and over
Proposal: UMA protect webfinger
Leverage UMA to allow for security and privacy control of personal discovery information
•  User control
•  Over what’s discoverable
•  Over authZ policy to access discovery information
•  Privacy enhancing
•  Transparency
•  Audit capabilities
Alice & Bob Calendar Sharing
Alice’s Calendar service registers calendar endpoints and permissions with the UMA AS
Alice’s Calendar service registers calendar endpoints with her discovery service
Alice’s Discovery service registers calendar discovery information as a resource set with the UMA AS
Alice defines authorization policy for Discovery requests and Calendar access
Discovery endpoint protected by UMA
(Sequence diagram. Participants: Alice, Alice’s Discovery Service, Alice’s UMA AS, Bob, Bob’s Calendar Client, Calendar Service. Bob’s client presents Alice’s UAD identifier.)
Calendar Client → Discovery Service: “Where is Alice’s Calendar endpoint?”
Discovery Service → UMA AS: “Someone is trying to access Alice’s calendar”
UMA AS → Discovery Service: “They need authZ. Send them to me with this token”
Discovery Service → Calendar Client: “Please visit Alice’s AS with this token”
Bob “wins” access
(Sequence diagram. Participants: Alice, Alice’s Discovery Service, Alice’s UMA AS, Bob, Bob’s Calendar Client, Calendar Service.)
Calendar Client → UMA AS: “Hi, I’m Bob, can I please get access to Alice’s calendar info?”
UMA AS → Alice: “Can Bob at Calendar client access your discovery service?”
UMA AS → Calendar Client: “Hi Bob, you have approval to access the data. Use this token.”
Bob discovers Alice’s calendar service
(Sequence diagram. Participants: Alice, Alice’s Discovery Service, Alice’s UMA AS, Bob, Bob’s Calendar Client, Calendar Service.)
Calendar Client → Discovery Service: “Where is Alice’s Calendar endpoint? Here’s my token”
Discovery Service → UMA AS: “Is this token valid for Alice’s calendar endpoint?”
UMA AS → Discovery Service: “Yes”
Discovery Service → Calendar Client: “Alice’s calendar endpoint”
Bob’s Calendar Client successfully discovered calendar endpoint.
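The three calendar-sharing slides above as a runnable model, added here as an example and not code from the deck or from any UMA implementation. The resource-set, permission-ticket, RPT and token-introspection vocabulary is UMA 1.0’s; the class and method names, the “discover” scope, the calendar link relation URI, the AS location and the party names are this example’s own assumptions. The discovery service acts as the UMA resource server for one link relation: an unauthenticated lookup yields a 401 with a permission ticket and the AS location, Bob’s client exchanges the ticket for an RPT only because Alice’s policy names it, and the href is released only after the discovery service has introspected that RPT with the AS.

```python
import secrets
import time

# Constructed model of the UMA parties in the calendar-sharing slides. The
# UMA 1.0 terms (resource set, permission ticket, RPT, introspection) are
# real; every identifier below is this example's assumption.
DISCOVER_SCOPE = "discover"   # assumed scope name meaning "may read this link"


class UmaAuthorizationServer:
    """Alice's UMA AS: resource sets, her policies, tickets and issued RPTs."""

    def __init__(self):
        self.resource_sets = {}   # rs_id -> {"owner", "name", "scopes"}
        self.policies = {}        # rs_id -> requesting parties Alice allows
        self.tickets = {}         # permission ticket -> (rs_id, scopes)
        self.rpts = {}            # RPT -> list of granted permissions

    def register_resource_set(self, owner, name, scopes):
        rs_id = secrets.token_hex(8)
        self.resource_sets[rs_id] = {"owner": owner, "name": name, "scopes": set(scopes)}
        return rs_id

    def set_policy(self, rs_id, allowed_parties):
        """Alice's authorization policy for one resource set."""
        self.policies[rs_id] = set(allowed_parties)

    def register_permission(self, rs_id, scopes):
        """Resource server reports an unauthorized attempt; gets a single-use ticket."""
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (rs_id, set(scopes))
        return ticket

    def request_rpt(self, ticket, requesting_party):
        """Client presents the ticket; Alice's policy decides whether an RPT is issued."""
        entry = self.tickets.pop(ticket, None)     # tickets cannot be replayed
        if entry is None:
            return None
        rs_id, scopes = entry
        if requesting_party not in self.policies.get(rs_id, set()):
            return None                            # policy says no: no token at all
        rpt = secrets.token_urlsafe(24)
        self.rpts[rpt] = [{"resource_set_id": rs_id, "scopes": sorted(scopes),
                           "exp": int(time.time()) + 300}]
        return rpt

    def introspect(self, rpt):
        """Resource server asks: is this token valid, and for what?"""
        perms = self.rpts.get(rpt)
        if not perms or any(p["exp"] <= time.time() for p in perms):
            return {"active": False}
        return {"active": True, "permissions": perms}


class DiscoveryService:
    """Alice's discovery service as UMA resource server for her link relations."""

    def __init__(self, authz_server, as_uri):
        self.az = authz_server
        self.as_uri = as_uri
        self.links = {}   # (subject, rel) -> {"href", "rs_id"}

    def register_link(self, owner, subject, rel, href):
        """Register one link relation as its own UMA resource set."""
        rs_id = self.az.register_resource_set(owner, f"{subject} {rel}", [DISCOVER_SCOPE])
        self.links[(subject, rel)] = {"href": href, "rs_id": rs_id}
        return rs_id

    def lookup(self, subject, rel, rpt=None):
        link = self.links.get((subject, rel))
        if link is None:
            # A 404 tells an unauthorized caller that the relation does not exist;
            # a deployment that wants to hide that must answer 401 uniformly.
            return {"status": 404}
        info = self.az.introspect(rpt) if rpt else {"active": False}
        permitted = info["active"] and any(
            p["resource_set_id"] == link["rs_id"] and DISCOVER_SCOPE in p["scopes"]
            for p in info.get("permissions", []))
        if not permitted:
            ticket = self.az.register_permission(link["rs_id"], [DISCOVER_SCOPE])
            return {"status": 401, "ticket": ticket,
                    "www_authenticate": f'UMA realm="alice", as_uri="{self.as_uri}", ticket="{ticket}"'}
        return {"status": 200, "subject": subject, "links": [{"rel": rel, "href": link["href"]}]}


def run_flow():
    """Unauthorized lookup, Bob obtains an RPT, authorized lookup, two refusals."""
    az = UmaAuthorizationServer()
    disc = DiscoveryService(az, "https://uma-as.alice.example")          # assumed AS URI
    subject, rel = "acct:alice@discover.example.com", "http://example.com/rel/calendar"
    rs_id = disc.register_link("alice", subject, rel, "https://calendar.example.com/alice")
    az.set_policy(rs_id, {"bob@calendar-client.example"})               # Alice: Bob only
    first = disc.lookup(subject, rel)                                     # no token: 401
    rpt = az.request_rpt(first["ticket"], "bob@calendar-client.example")
    second = disc.lookup(subject, rel, rpt)                              # introspected: 200
    bogus = disc.lookup(subject, rel, "not-a-real-rpt")                  # unknown token: 401
    denied = az.request_rpt(disc.lookup(subject, rel)["ticket"], "carol@other.example")
    return {"first": first, "second": second, "bogus": bogus, "denied": denied}


if __name__ == "__main__":
    for step, result in run_flow().items():
        print(step, result)
```

The WWW-Authenticate value is the UMA 1.0 challenge shape (as_uri plus ticket), so the client learns where Alice’s AS is without the discovery service ever revealing the protected href. Carol’s attempt fails at the AS, and a forged or expired RPT fails at introspection, which is the check the deck’s “Is this token valid for Alice’s calendar endpoint?” message stands for.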
What’s missing
●  Taxonomy of relationship types
●  Easy UAD identifier for users
o  gffletch@discover.me
●  Mixing public and “private” discovery data
●  How to register link relations as resource sets in UMA
●  Optimizations to allow for returning “access tokens” from the discovery service
●  Managing user authorization overload
Q & A
George Fletcher
george.fletcher@teamaol.com
Conclusion
Webfinger + UMA seems viable
Many details left to be worked out
Pilot effort needed to prove viability
User Authorization Overload
●  How to manage all the AuthZ policies
o  Discovery
o  Calendar service
o  Think about a world with IoT devices, health care, enterprise, etc.
What’s missing
•  Taxonomy of relationship types
•  Domain-specific in most cases
•  Easy PDS identifier for users
•  gffletch@discover.me
•  Mixing public and “private” discovery data
•  Discovery for photos should allow for return of my public photography site without client authentication
•  How to register link relations as resource sets in UMA
•  Optimizations to allow for returning UMA RPTs from the discovery service
User Authorization Overload
•  How to manage all the AuthZ policies
•  Discovery
•  Calendar service
•  Think about a world with IoT devices, health care, enterprise, etc.
Conclusion
•  Webfinger + UMA seems viable
•  Many details left to be worked out
•  Pilot effort needed to prove viability

CIS 2015 - User-Authorized Discovery - George Fletcher