[WG-InfoSharing] CR - Implementors Feedback

David Turner david.turner at voltagegate.com
Wed Nov 30 12:08:33 CST 2016


Are there any outstanding concerns with the schema (CR Schema v1_0_0 DRAFT3.json) or is it ready for v1 of the spec? 

 

From: Samuli Tuoriniemi [mailto:Samuli.Tuoriniemi at oulu.fi] 
Sent: Monday, November 21, 2016 1:33 AM
To: Joss Langford <joss at coelition.org>; David Turner <david.turner at voltagegate.com>; Mark <mark at smartspecies.com>
Cc: wg-infosharing at kantarainitiative.org; Simon Crossley <scrossley at mylifedigital.co.uk>
Subject: RE: [WG-InfoSharing] CR - Implementors Feedback

 

Hi,

 

Comments inline.

 

-Samuli

 

From: Joss Langford [mailto:joss at coelition.org] 
Sent: 21. marraskuuta 2016 10:35
To: Samuli Tuoriniemi; David Turner; Mark
Cc: wg-infosharing at kantarainitiative.org <mailto:wg-infosharing at kantarainitiative.org> ; Simon Crossley
Subject: RE: [WG-InfoSharing] CR - Implementors Feedback

 

Samuli

 

This is very helpful stake in the ground. Thank you.

 

*         I notice that that publicKey is outside the dataController object. I think the specification needs to set who/what this is a public key for. If it is for the agreement, it is the right place, but who controls it? If it is for the data controller then it needs to be inside that object.

[Samuli]: Based on the current spec it’s not part of dataController. OTOH spec also says it is “The PII Controller’s public key used to sign the consent receipt.” so maybe should  be part of controller.

*         You have specified the data controller address as an object – which I think it right. How do we specify the fields in that object, both technically within the schema and the standard?

[Samuli]: Haven’t had time to look this yet but the spec says the format is  <https://schema.org/PostalAddress> https://schema.org/PostalAddress . 

*         I see you have included ‘oneOf' – is this in the latest spec? I don’t understand its purpose if it is.

[Samuli] “oneOf” is JSON schema keyword  that makes it possible to have alternative schemas. It’s used here to require “thirdPartyName” if “thirdPartyDisclosure” is true.

 

Best regards

Joss

 

 

 

This message is private and confidential. If you have received this message in error, please notify us and remove it from your system.

Coelition is a non-for-profit company limited by guarantee registered in England & Wales (8402657) 48 Chancery Lane, London WC2A 1JF

 

From: Samuli Tuoriniemi [mailto:Samuli.Tuoriniemi at oulu.fi] 
Sent: 20 November 2016 13:56
To: David Turner <david.turner at voltagegate.com <mailto:david.turner at voltagegate.com> >; Mark <mark at smartspecies.com <mailto:mark at smartspecies.com> >
Cc: wg-infosharing at kantarainitiative.org <mailto:wg-infosharing at kantarainitiative.org> ; Joss Langford <joss at coelition.org <mailto:joss at coelition.org> >; Simon Crossley <scrossley at mylifedigital.co.uk <mailto:scrossley at mylifedigital.co.uk> >
Subject: RE: [WG-InfoSharing] CR - Implementors Feedback

 

Hi,

 

Attached fixed schema.

List of changes:

-Changed “address” type to “object”

-Changed ”required” : ”jti” -> ”consentReceiptID”

-Added: “minimum” :0 to “consentTimestamp

-Moved “policyUrl” to correct place

-Removed format keywords

-Removed “retention”

-Removed "additionalProperties": false

 

-Samuli

 

From: David Turner [mailto:david.turner at voltagegate.com] 
Sent: 18. marraskuuta 2016 23:15
To: Mark
Cc: wg-infosharing at kantarainitiative.org <mailto:wg-infosharing at kantarainitiative.org> ; Joss Langford; Simon Crossley; Samuli Tuoriniemi
Subject: Re: [WG-InfoSharing] CR - Implementors Feedback

 

Sigh, it must be Friday. Samuli let me know that I sent the wrong file. This is the correct one. 

 

Sorry about that. 

 

On Fri, Nov 18, 2016 at 12:53 PM, David Turner <david.turner at voltagegate.com <mailto:david.turner at voltagegate.com> > wrote:

Hello all,

 

I have attached the schema that Samuli modified to add proper validation. (thanks Samuli). I also changed "jti" to "consentReceiptID" because "jti" is a reserved name in JWT, and I added dataRention (see below).

 

>>> Mark Added - "Public Key should be in Data Controller section"

[dt] I don't agree. Each receipt will have just one key. If there are more complex scenarios requiring multiple keys from different authorities then we can deal with that in a future version, or we can assume it will be an implementation-specific detail.


>>> Mark Added "Add Data Retention Field as suggested in v.0.9.3” 

[dt] I added this to the attached schema as a "string", like purposeTermination. Mark, please provide text for the field description. 

 

David

 

On Wed, Nov 16, 2016 at 4:15 PM, Mark <mark at smartspecies.com <mailto:mark at smartspecies.com> > wrote:

Hi Everyone, 

 

We have had a lot of last minute feedback from people leading consent receipt implementations.  As it happens, this feedback is just in time, as we have the opportunity to go through it tomorrow on the call. 

 

So to begin with I want to thank the implementors for your feedback, as well as welcome these gentlemen to the work group.  

 

*	Simon Crossley - from My Life Digital - running a team looking to launch next year
*	Joss Langford - from Coel - OASIS - looking to integrate the consent receipt into the Coelition ecosystem
*	Samuli Tuoriniemi -  from My Data and the University of Oulu integrating consent into My Data Operator

I hope the three of you can make the call tomorrow to discuss the outstanding items.  (The call is at 3:30pm UK time <https://global.gotomeeting.com/join/983443893>  - )

 

Thanks for the feedback and sharing about implementation. 

 

Kind Regards,

 

Mark 

 

For Next Meeting Nov 16

 

David has complied a list of the feedback; which we are close to addressing.  

 

*From David; —>  The biggest issues are based on implementers' feedback. Here's my recommendation as the editor (as opposed to an implementer)."

 

v1

*	Conformance is missing ; Major schema change to add validation. (Samuli can explain)
*	‘PII Principle ID” is used without reference or definition. I assume that this is the data subject (which seems like a more intuitive name). PII Principle. i.e., the individual's name is missing.
*	I think you’ll need an array of strings to name multiple third parties.
*	We need an array for multiple controllers in json – this is suggested in the spec but no array is available. 
*	Mark Added - "Public Key should be in Data Controller section"
*	Mark Added "Add Data Retention Field as suggested in v.0.9.3” 

v1.x

*	Need an explanation of the relationship between the elements.
*	publicKey: currently string, should this be JWK object? 
*	collectionMethod: table says type is object, schema says type is string, I guess string is correct
*	Consent type - requests for both content and JSON structure
*	Purpose termination / data retention

 

 

 

 

 

_______________________________________________
WG-InfoSharing mailing list
WG-InfoSharing at kantarainitiative.org <mailto:WG-InfoSharing at kantarainitiative.org> 
http://kantarainitiative.org/mailman/listinfo/wg-infosharing

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/wg-infosharing/attachments/20161130/1fdb25fa/attachment-0001.html>


More information about the WG-InfoSharing mailing list