[WG-UMA] Reminder: UMA legal subgroup telecon 2015-08-21

Eve Maler eve at xmlgrrl.com
Fri Aug 21 11:01:10 CDT 2015

Attending: Eve, Andrew, Jon, Adrian, Randy, Dazza, Tom, Mark, Jeff

> Analyze new (positive and negative) use cases sent to the list
> Is this list complete enough to be going on with, for our purposes?
> Do we need to capture use cases for different “topologies" (deployment ecosystems) too?
> What would “structuring the transaction” look like in terms of accomplishing our mission?
> How would consent receipts/logging/auditing come into play?
Dazza can sweep questions and answers into the wiki <https://github.com/KantaraInitiative/wg-uma/wiki>. The idea with the “roles” page is also to capture term definitions. “Principal” is often used in the law for a individual person. There’s also “Agent” and “Third Party”, to complete the triangle. So perhaps we can leverage “Principal” when we talk about any one use case — if we focus on Alice, is she the principal? or is, say, someone else the principal in this use case?

Does UMA allow RqPs to connect to the data of ROs “by reference”? No; RqPs (and their client applications) really do “get” the data. Adrian wants to stress that UMA differs from traditional PHR models, however. In contrast to shinkwrapped licenses, consent directive models, and any static prior-consent model, UMA enables fine-grained revocation, adjustment, remediation, and transactional authorization of data access.

The value proposition, as Adrian sees it, to putting this type of system in place, is that breaches would be detected instantly rather than in many months. (This is interesting but offtopic; can Adrian write this up for further consideration?)

Consent vs. Authorization - should we see a distinction here? There are definitions of consent in various laws.

User Control vs. User Management - let’s suss this out too. Does this come out of 29100? Let’s just collect use cases and note their potential applicability to the terms.

Is the use case where Alice runs her own RS interesting to us? Adrian believes it’s not particularly interesting (personal clouds/data stores aside). His interest runs to a personally run AS. Let’s take a use case with that assumption and work it through. Eve believes we also need to run through an institutionally run AS. Where would the consent receipts get sent? They would kind of go to the same place that they’re generated. Is that a problem?

This seems to be our first “minimal pair” of use cases. If we assume Alice is the principal, that’s our perspective. What vertical (if any) should we pick? Healthcare has the danger of being not very cross-jurisdictional. Could we pick something like students and schools, which has privacy concerns (in the US it would be FERPA), or merchant and consumer transactions (which have trade and sale-of-goods laws)?

As an aside, Eve notes that the UMA authorization framework could actually be used as a payment framework. “Claims” demanded for access could be something like a receipt proving payment. Dazza mentions US’s FCRA coming into play in that case. And then the FIPPs come in.

Adrian’s concern about schools is that they tend to use identity federations, which he doesn’t want to put into play. Could we avoid that element in putting together our use cases? Eve’s point about “topologies” above was about how many "access federation" parties are in the picture, and we have been talking about that so far — but can we just leave the equivalent identity federation topologies aside?

AI: Dazza and Eve: Coordinate on producing 2 or 3 candidate distinctive use cases that flesh out the AS possibilities, non-vertical-specific and identity-federation-agnostic.

Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl at gmail.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/wg-uma/attachments/20150821/80017225/attachment-0001.html>

More information about the WG-UMA mailing list