Child pages
  • UMA telecon 2021-11-18

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Will continue this discussion next week

  • payer insurance codes are often opaque to the patient/covered person

Proof of Chain of Possession (POCOP) Tokens

A client can use any IDToken with any UMA ticket. The Correlated Authorization mechanism ensures that there is some open UMA transactional context included in any pushed ID claims

What is the threat that Proof of Possession (or mTLS) doens't address that requires the "chronological tamper-resistant record"?

Report on FHIR Vulns

reviewed some initial diagrams for this:

Widget Connector

  • FHIR itself is simply the data model
  • FHIR had the author refine their statement that it was 'FHIR Implmentations' that had the vulnerabilities
  • SMART on FHIR is the HL7 'approved' authorization strategy
    • UDAP → artifacts that needs to exist from a trust framework to support DCR/wide-access
    • HEART → profiles of OAuth/UMA for SMARTonFHIR scopes


  • We are planning a 3 hour working session on December 9th, we will use extend the normal call from 930-1230ET 
    • Want to make progress on some of the in-progress docs, have them in a consistent state 
    • Eve, Nancy, Alec, Andi 
    • If you're up to attend, please email Alec, or leave a comment on these minutes


As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)


  1. Steve
  2. Alec

Non-voting participants:

  1. Scott G
  2. Scott F


  1. Sal
  2. Nancy
  3. Eve