[WG-UMA] Notes from UMA 2012-05-08 legal ad hoc meeting
eve at xmlgrrl.com
Tue May 8 13:34:27 EDT 2012
Attending: Eve, Dazza, Kevin, Tom, Sal, Domenico, Scott
We recorded the session. You can listen to the recording by dialing +1-605-562-3099 and giving the same access code as we used for the original call: 919-726#. This recording has the reference number 1.
Dazza is proprietor of civics.com. Kevin's company works on requiring an individual to be their own IdP. Tom runs the ABA group on fed IdM. Sal is a trust model geek.
One caution is jumping back and forth between the legal context and the technical context. "Entities" is multiply defined, so this presents an immediate challenge to the reader. Software doesn't have legal capacity. Operators run software. Can we say "software programs" instead of "software entities"? This document uses "parties" for, uh, entities with legal capacity. (Some people don't have legal capacity! Like young children, the infirm, etc.) Perhaps we can define "party" formally as "with legal capacity". We should also summarize all the terms specially defined in this document into a glossary section. By omission, any term not so defined is signaled to the reader to be "ordinary English" and not to be relied on.
Should we use the formalism of init-capping special terms, again to highlight which are defined and which aren't special?
The protocol spec has "testable assertions" in the sense of software test suites. Contracts can have objectively testable legal concepts in them that don't have to resort to a court of law, such as "you must show up every Tuesday to clean my house'. To achieve statistical scale, over millions of users, the harder-edged you can make the contractual tests, likely the better, since every loophole will be exploited.
Since endpoints, as defined, are essentially roles (the same running software app can take on multiple ones) and parties are also roles (the same entity with legal capacity can take on multiple ones), do we want to use the word "role" formally? Can we use Role and role with intention in the doc?
What about using "Entity" init-cap as an intermediate term instead of "Party" (as we're using it now)? Role isn't a term of legal art, though it conveys a sense of a set of duties, and rights, and functions. E.g., a policeman role in one country has a different set of duties from a policeman role in another country.
It would probably be useful, in any case, to clarify that the same entity in real life may be in a position to fill multiple roles. The analogue in the technical spec is that a running software program may be in a position to fill multiple roles. By analogy in baseball, the role is "pitcher" but the entity filling the role is (some famous baseball pitcher's name :-).
Since we're already being a bit confusing by using "authorizing user" at both the legal and the technical layers, would it be useful to use "authorizing party" in this doc? The SAML concept of a "principal" is quite useful in this general area. Then we can clarify that a "principal" uses an "agent", perhaps (in the sense of a "user agent" that is a running software program). Security is neutral with respect to the difference between natural and legal persons, but privacy is not neutral with respect to that.
(CBLFs = carbon-based life forms. Check out "They're made out of meat": http://www.mit.edu/people/dpolicar/writing/prose/text/thinkingMeat.html)
The simple diagram of bidirectional arrows wouldn't necessarily confuse a lawyer, since a two-party relationship isn't assumed to be reciprocal. The next diagram breaks them out modularity, so maybe the first diagram is okay. However, the "trust relationship" language isn't serving us very well. In essence, we really are trying to make these be formal responsibilities that can rise to the level of a contractual or legal duty. The practical goal for someone who wants to operate an UMA-conforming service is to let them layer these duties and rights into higher-order ecosystems that they're participating in.
Would "legal relationship" or "binding relationship" or "contractual relationship" be a good substitute name? Or "binding obligation"? There's a heck of a lot of baggage around the word "trust". Should we not even call this document a "Trust Model"? It's really a kind of contractual framework.
A frequent problem in dealing with contractual relationships is the agency problem. If you delegate something to someone else, they need to formally take on responsibility. In legal situations, assignment and negotiation are often confused. Delegation of duties doesn't extinguish the original responsible party's duty to the benefited party.
The fifth and sixth columns of all the TR charts are the key bits. Think of each row like this: "When [TR is formed], the [responsible party] is obligated to the [expecting party] to [list of behavior]." Would making these into full sentences make easier to snap the UMA framework into contracts or laws? At the World Economic Forum, there's been some work done on control rights of people with respect to their data (this is where the "PDRL" idea came from, from the technical subgroup). Also, the W3C ODRL touches on this. See also the Chain-Link Confidentiality paper: @@add link
Should we consider adding to this document a baseline requirement for subsequent (chained) authorizing users who used to be requesting parties to attenuate access rights further down the chain? "Comparative and contributory negligence" is a nascent area of law that's somewhat related; e.g., in a car crash, you might have multiple parties responsible in percentages. We could perhaps use this concept to reduce duties of the upstream authorizing parties to ensure that downstream parties take their duties seriously? This has to do with damages being awarded. So "attenuation" seen with a technical lens could be seen as "gaining more duties" with a legal lens.
The colors in the numbered TR diagram are "larger" buckets of the small modular buckets of duties.
We should look at the Uniform Electronic Transactions Act (http://www.nccusl.org/Act.aspx?title=Electronic%20Transactions%20Act) for the definitions of "electronic agent" and "automated transaction". These may help this doc.
Let's convene more of these! Eve will schedule another ad hoc call for a few weeks hence.
Eve Maler http://www.xmlgrrl.com/blog
+1 425 345 6756 http://www.twitter.com/xmlgrrl
More information about the WG-UMA