Child pages
  • UMA telecon 2021-03-11
Skip to end of metadata
Go to start of metadata

UMA telecon 2021-03-11

Date and Time



Roll call

Quorum was NOT reached.

Approve minutes


ONC Annual Meeting, UMA Content For a Virtual Booth March 29-30

Need to be available at the Booth for the duration of the day (8-5?), can have an "afk" video. Same content platform at dev days, videos+pdf uploads. Colin/Nancy/Alec will cover the booth. If you're available to help, please reach out!

Planning to repurpose + modify the first half of the UMA in healthcare webinar from summary 2020. Will layer on Kantara in general content (existing + new working groups) + specific ONC value alignment

Want to  showcase highlight UMA + Identity + Consent Receipt(?). A main Kantara Intro:

If you have a demo relevant to health care and want it included, please reach out!

Airside may have a relevant demo for healthcare to add. Forgerock has a FHIR + UMA demo to add. Patient Centric Solutions has an identity + UMA demo with, can show off the transparency (granularity) of sharing. Identos case study will cover their project for Identity + UMA in Ontario. 

Nancy/Alec will be meeting again next Tuesday at 10AM EDT to iterate on the content, please reach out if you'd like to join in

Health care can become confused by the range of identity and authorization offerings. Need to show a clear message about how it works together toward a 'wide' ecosystem to bring these disparate approaches together. UMA can support many types of granularity, by resource but also by sensitivity. The data model is all there with FHIR and UMA can easily apply 'arbitrary' authorization slices over it. 

Pensions Dashboard, any updates

Agreements to reference UMA and link to a Kantara hosted (but not UMA WG) hosted page with the profiles and design documents. Finding the right balance between making it open to serve the procurement needs and properly protect everyone

Profiles Discussion, relationship manager

Continue discussion on how an RS can get a PAT issued, given that the RO is interacting through a API (not directly at the RS).

In the PDP profile, the relationship manger API would be used directly from the AS (co-located with the AS), however this isn't the same in the IDENTOS implementation. 

RS API needs oauth protection, so the Relationship manager has a valid token directed to the RS Relationship manager API. This is NOT the PAT, since it's aud is the RS not the AS. The relationship manager API is derivative of the Resource Registration API, however it's the available vs already registered resources. 

GET /authorization_servers → list of registered authorization servers. This is easiest way to avoid the topic... assumes that Alice has previously interacted with the RS to have PATs available. If there is no way for Alice to directly interact with the RS this falls apart. Identos currently avoids by having static RS→AS registration and an RS=RO model for PAT issuance, but don't like this. It's organization custodial model vs the real  RO who is Alice. Need to separate the resource rights administrator from the actual data subject (RO), in this case it's still not the RS=RO, it's RRA=RO. There are many  RRA's in the model, the RO is a RRA, the RO can delegate some capabilities to another RRA, the RS may apply policy as an RRA during policy setting or  resource disclosure. This layered RRA model get's complication fast, although it's pervasive in normal B2B2C cases (data subject, controller, processor). 

All the entities in the system perform AS, RS and sometime RRA functions at different times

Summertime Skew

Head's up to our non-North American members! 


As of October 26, 2020, quorum is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve)


  1. Peter
  2. Eve
  3. Alec

Non-voting participants:

  1. Tim
  2. Colin
  3. Nancy


  1. Ian
  2. Ken
  • No labels