United States: +1 (224) 501-3316, Access Code: 485-071-053
Quorum was reached.
We should be driving towards revised spec text, ideally putting it into GitHub.
Last week, folks concentrated on the ASCII "spiral" diagram and draft spec text. Alec has a new draft diagram to try on us.
In the original UMA diagram, "manage" and "control" are out of scope. Alec is proposing that we bring these functions in scope. He states this explicitly by saying that he's specifying the "management and control interfaces". In UMA1 we used to call this Phase 1 vs. Phase 2. Now we think of this as the grant mechanism and the federated authorization mechanism, which is modular and optional with respect to grant. Is the wallet extension/profile modular and optional with respect to federated authorization? Alec illustrated it with a concentric Venn.
Since "wallet" is such a fraught term, calling it something else, ideally descriptive, could help us get beyond the challenge that it means something really specific elsewhere. What about "relationship manager"? That goes back to our roots. Eve asks everyone to think about what could be a good name that would serve us, for now, in a spec. Maybe something around the fact that we are finally standardizing the user side of the management and control interface (ironic that we are finally doing something about deeply standardizing "user management of access", eh?).
The cascading authorization server notion, which Pauldron implemented, bears some similarity to this idea. It has a "principal AS" within a specific domain, and a secondary AS that is RO-controlled. However, that original notion was intended to explicitly empower (in a sense) the AS against the RO's wishes, rather than to privacy-enhance the AS to protect the RO.
For those interested in healthcare, Nancy provides this three-hour video from the FHIR meetup:
She suggests checking out at least the first half-hour. It is important to understand the perspective of the HL7 security group as they will be moving this along in Healthcare as the recognized experts. She also points to this FHIR chat (anyone can get a login). Nancy recommends that UMA's perspective be represented here. HEART came up, a little bit. Justin presented. Our webinar content could usefully be presented here.
Here is info on the video structure (original here):
| Talk | Speaker | Length | Slides |
|---|---|---|---|
| Overview of fine-grained authorization approaches in FHIR | Josh Mandel | 15 min | Slides here |
| Access control in aidbox | Nikolai Ryzhikov | 15 min | Slides here |
| XYZ | Justin Richer | 15 min | Slides here |
| An ABAC Architecture Approach | Matthew Tyler | 15 min | Yes, can't share yet |
| Classification and Locality | Chris Grenz | 15 min | Slides here |
| FHIR Data Segmentation for Privacy IG | Kathleen Connor | 15 min | http://hl7.org/fhir/uv/security-label-ds4p/2020May/ |
| Parameterized compartments | Michael Hansen | 15 min | Slides here |
AI: Nancy: Find out how we get onto the agenda of the next HL7 meetup or the next appropriate gathering. Adrian also suggests reaching out to Josh. Nancy suggests also John Moehrke, Kathleen, and Graham.
We will, in the meantime, figure out the right content to present.
Alec reports pretty good attendance and some really good questions afterwards. Colin thought the content flowed well and was pitched just right. It was at the right technical level and had a relaxed tone. Nancy attended and thought it was great too. People can find the recording on the Kantara site's Resources area (Adrian says Safari is a better browser than Firefox due to a bug that's being worked on). The FHIR folks could handle more technical detail than was provided.
As of July 8, 2020, quorum is 6 of 10. (Michael, Domenico, Peter, Sal, Gaurav, Thomas, Andi, Maciej, Eve, Mike)