<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
  </head>
  <body bgcolor="#ffffff" text="#000000">
    <font face="Helvetica, Arial, sans-serif">Hi,<br>
      <br>
      Here is the text that is planned to be submitted as part of the
      oauth use cases document...<br>
      <br>
    </font>
    <h3>3.12.&nbsp;
      Signed Messages</h3>
    <p>Description:
    </p>
    <p>Alice manages all her personal health records in her personal
      health data store at <a class="moz-txt-link-abbreviated" href="http://www.myhealth.example.com">www.myhealth.example.com</a>. Alice's Primary
      Care Physician (PCP), whose Web site is at <a class="moz-txt-link-abbreviated" href="http://www.pcp.example.com">www.pcp.example.com</a>,
      recommends that she see a sleep specialist
      (<a class="moz-txt-link-abbreviated" href="http://www.sleepwell.example.com">www.sleepwell.example.com</a>). Alice arrives at the sleep
      specialist's office and authorizes it to access her basic health
      data at her PCP's Web site. The application at <a class="moz-txt-link-abbreviated" href="http://www.pcp.example.com">www.pcp.example.com</a>
      verifies that Alice has authorized <a class="moz-txt-link-abbreviated" href="http://www.sleepwell.example.com">www.sleepwell.example.com</a> to
      access her health data and enforces that
      <a class="moz-txt-link-abbreviated" href="http://www.sleepwell.example.com">www.sleepwell.example.com</a> is the only application that can
      retrieve that data with that specific authorization.
    </p>
    <p>Pre-conditions:
    </p>
    <ul class="text">
      <li>Alice has a personal health data store that allows for
        discovery of her participating health systems (e.g.,
        psychiatrist, sleep specialist, PCP, orthodontist,
        ophthalmologist, etc.)
      </li>
      <li>The application at <a class="moz-txt-link-abbreviated" href="http://www.myhealth.example.com">www.myhealth.example.com</a> manages
        authorization of access to Alice's participating health systems
      </li>
      <li>The application at <a class="moz-txt-link-abbreviated" href="http://www.myhealth.example.com">www.myhealth.example.com</a> can issue
        authorization tokens understood by Alice's participating health
        systems
      </li>
      <li>The application at <a class="moz-txt-link-abbreviated" href="http://www.pcp.example.com">www.pcp.example.com</a> stores Alice's basic
        health and prescription records
      </li>
      <li>The application at <a class="moz-txt-link-abbreviated" href="http://www.sleepwell.example.com">www.sleepwell.example.com</a> stores results of Alice's
        sleep tests
      </li>
    </ul>
    <p>Post-conditions:
    </p>
    <ul class="text">
      <li>A successful procedure results in just the information that
        Alice authorized being transferred from the Primary Care
        Physician (<a class="moz-txt-link-abbreviated" href="http://www.pcp.example.com">www.pcp.example.com</a>) to the sleep specialist
        (<a class="moz-txt-link-abbreviated" href="http://www.sleepwell.example.com">www.sleepwell.example.com</a>)
      </li>
      <li> The transfer of health data only occurs if the application at
        <a class="moz-txt-link-abbreviated" href="http://www.pcp.example.com">www.pcp.example.com</a> can verify that <a class="moz-txt-link-abbreviated" href="http://www.sleepwell.example.com">www.sleepwell.example.com</a> is
        the party requesting access and that the authorization token
        presented by <a class="moz-txt-link-abbreviated" href="http://www.sleepwell.example.com">www.sleepwell.example.com</a> is issued by the
        application at <a class="moz-txt-link-abbreviated" href="http://www.myhealth.example.com">www.myhealth.example.com</a> with a restricted
        audience of <a class="moz-txt-link-abbreviated" href="http://www.sleepwell.example.com">www.sleepwell.example.com</a>
      </li>
    </ul>
    <p>Requirements:
    </p>
    <ul class="text">
      <li> The application at <a class="moz-txt-link-abbreviated" href="http://www.sleepwell.example.com">www.sleepwell.example.com</a> interacting with
        <a class="moz-txt-link-abbreviated" href="http://www.myhealth.example.com">www.myhealth.example.com</a> must be able to discover the location
        of the PCP system (e.g., XRD discovery)
      </li>
      <li>The application at <a class="moz-txt-link-abbreviated" href="http://www.sleepwell.example.com">www.sleepwell.example.com</a> must be capable
        of requesting Alice's authorization of access to the application
        at <a class="moz-txt-link-abbreviated" href="http://www.pcp.example.com">www.pcp.example.com</a> for the purpose of retrieving basic
        health data (e.g., date of birth, weight, height, etc.). The
        mechanism Alice uses to authorize this access is out of scope
        for this use case
      </li>
      <li> The application at <a class="moz-txt-link-abbreviated" href="http://www.myhealth.example.com">www.myhealth.example.com</a> must be capable
        of issuing a token bound to <a class="moz-txt-link-abbreviated" href="http://www.sleepwell.example.com">www.sleepwell.example.com</a> for access
        to the application at <a class="moz-txt-link-abbreviated" href="http://www.pcp.example.com">www.pcp.example.com</a>. Note that a signed
        token (JWT) can be used to prove who issued the token
      </li>
      <li> The application at <a class="moz-txt-link-abbreviated" href="http://www.sleepwell.example.com">www.sleepwell.example.com</a> must be capable
        of issuing a request (which includes the token issued by
        <a class="moz-txt-link-abbreviated" href="http://www.myhealth.example.com">www.myhealth.example.com</a>) to the application at
        <a class="moz-txt-link-abbreviated" href="http://www.pcp.example.com">www.pcp.example.com</a>
      </li>
      <li>The application at <a class="moz-txt-link-abbreviated" href="http://www.sleepwell.example.com">www.sleepwell.example.com</a> must sign the
        request before sending it to <a class="moz-txt-link-abbreviated" href="http://www.pcp.example.com">www.pcp.example.com</a>
      </li>
      <li> The application at <a class="moz-txt-link-abbreviated" href="http://www.pcp.example.com">www.pcp.example.com</a> must be capable of
        receiving the request and verifying the signature
      </li>
      <li> The application at <a class="moz-txt-link-abbreviated" href="http://www.pcp.example.com">www.pcp.example.com</a> must be capable of
        parsing the message and finding the authorization token
      </li>
      <li>The application at <a class="moz-txt-link-abbreviated" href="http://www.pcp.example.com">www.pcp.example.com</a> must be capable of
        verifying the signature of the authorization token
      </li>
      <li>The application at <a class="moz-txt-link-abbreviated" href="http://www.pcp.example.com">www.pcp.example.com</a> must be capable of
        parsing the authorization token and verifying that this token
        was issued to the application at <a class="moz-txt-link-abbreviated" href="http://www.sleepwell.example.com">www.sleepwell.example.com</a>
      </li>
      <li> The application at <a class="moz-txt-link-abbreviated" href="http://www.pcp.example.com">www.pcp.example.com</a> must be capable of
        retrieving the requested data and returning it to the
        application at <a class="moz-txt-link-abbreviated" href="http://www.sleepwell.example.com">www.sleepwell.example.com</a>
      </li>
    </ul>
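    <p>The following is an added worked example of the resource-server side of the
      requirements above (request signature, token lookup, token signature, audience
      binding); it is illustrative code written for this page, not text from the use
      case draft or code from any of the parties named in it. It assumes HMAC secrets
      shared between the PCP, the issuer and each registered client in place of the
      asymmetric keys a deployment would use, and the <code>resource</code> and
      <code>scope</code> claim names, the request body fields, the key identifiers and
      Alice's record are all constructed for the example.</p>

```python
import base64
import hashlib
import hmac
import json

# Party identifiers from the use case.
MYHEALTH_ID = "www.myhealth.example.com"    # issues the authorization token
PCP_ID = "www.pcp.example.com"              # resource server holding the records
SLEEPWELL_ID = "www.sleepwell.example.com"  # the client Alice authorized

# Constructed key material (assumption): HMAC secrets stand in for real signing keys.
# The PCP holds the issuer's key and one request-signing key per registered client.
ISSUER_KEYS = {"myhealth-key-1": b"constructed-myhealth-issuer-secret"}
CLIENT_KEYS = {SLEEPWELL_ID: b"constructed-sleepwell-secret",
               "www.otherclinic.example.com": b"constructed-otherclinic-secret"}
RECORDS = {"alice": {"date_of_birth": "1970-01-01"}}  # constructed sample record

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign(claims, key, kid):
    """Compact HS256 JWS; the kid tells the verifier which key to look up."""
    parts = ({"alg": "HS256", "kid": kid}, claims)
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)

def jws_verify(token, key_for_kid):
    """Return (header, claims) if the MAC verifies under the key named by kid, else None.
    The algorithm is pinned: 'alg: none' or anything other than HS256 is refused."""
    parts = token.split(".") if isinstance(token, str) else []
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256" or not isinstance(header.get("kid"), str):
        return None
    key = key_for_kid(header["kid"])
    if key is None:
        return None
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return (header, claims) if isinstance(claims, dict) else None

def myhealth_issue_token(subject, audience, now, ttl=300):
    """Token bound to one client (aud) for one resource server. The 'resource'
    and 'scope' claim names are assumptions, not taken from the use case."""
    claims = {"iss": MYHEALTH_ID, "sub": subject, "aud": audience, "resource": PCP_ID,
              "scope": "basic_health", "iat": now, "exp": now + ttl}
    return jws_sign(claims, ISSUER_KEYS["myhealth-key-1"], "myhealth-key-1")

def client_sign_request(client_id, path, token, now):
    """The client signs the whole request, token included, with its own key."""
    body = {"method": "GET", "path": path, "access_token": token, "iat": now}
    return jws_sign(body, CLIENT_KEYS[client_id], client_id)

def pcp_handle_request(signed_request, now):
    """Resource server: verify the request signature, find the token, verify the
    token's signature, then check the token was issued to the party that signed."""
    outer = jws_verify(signed_request, CLIENT_KEYS.get)
    if outer is None:
        return {"ok": False, "reason": "bad_request_signature"}
    requester = outer[0]["kid"]  # identity proven by the request signature
    inner = jws_verify(outer[1].get("access_token"), ISSUER_KEYS.get)
    if inner is None:
        return {"ok": False, "reason": "bad_token_signature"}
    claims = inner[1]
    if claims.get("iss") != MYHEALTH_ID or claims.get("resource") != PCP_ID:
        return {"ok": False, "reason": "wrong_issuer_or_resource"}
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return {"ok": False, "reason": "token_expired"}
    if claims.get("aud") != requester:  # valid token, but issued to someone else
        return {"ok": False, "reason": "audience_mismatch"}
    if claims.get("scope") != "basic_health":
        return {"ok": False, "reason": "insufficient_scope"}
    record = RECORDS.get(claims.get("sub"))
    if record is None:
        return {"ok": False, "reason": "unknown_subject"}
    return {"ok": True, "requester": requester, "data": record}

def demo():
    """Legitimate flow plus four failure cases; maps each case to its outcome."""
    now, other = 1_700_000_000, "www.otherclinic.example.com"
    token = myhealth_issue_token("alice", SLEEPWELL_ID, now)
    h, p, s = token.split(".")
    edited = dict(json.loads(_b64url_decode(p)), aud=other)  # retarget aud, keep issuer's MAC
    tampered = h + "." + _b64url(json.dumps(edited).encode()) + "." + s
    unsigned = _b64url(b'{"alg":"none","kid":"myhealth-key-1"}') + "." + p + "."  # no signature
    def req(client, tok):
        return client_sign_request(client, "/records/basic", tok, now)
    cases = {"legitimate": pcp_handle_request(req(SLEEPWELL_ID, token), now),
             "replayed_by_other_client": pcp_handle_request(req(other, token), now),
             "tampered_audience": pcp_handle_request(req(other, tampered), now),
             "alg_none": pcp_handle_request(req(SLEEPWELL_ID, unsigned), now),
             "expired": pcp_handle_request(req(SLEEPWELL_ID, token), now + 400)}
    return {name: ("ok" if r["ok"] else r["reason"]) for name, r in cases.items()}
```

    <p>The point the post-conditions hinge on is the <code>aud</code> comparison in
      <code>pcp_handle_request</code>: the requester's identity is taken from the key
      that verified the outer request signature, never from a field the requester
      could fill in, and the token is released only when its audience equals that
      identity. A correctly signed token presented by a different registered client
      is therefore refused, as is a token whose audience was edited after issuance.</p>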
    <pre class="moz-signature" cols="72">-- 
Chief Architect                   AIM:  gffletch
Identity Services Engineering     Work: <a class="moz-txt-link-abbreviated" href="mailto:george.fletcher@teamaol.com">george.fletcher@teamaol.com</a>
AOL Inc.                          Home: <a class="moz-txt-link-abbreviated" href="mailto:gffletch@aol.com">gffletch@aol.com</a>
Mobile: +1-703-462-3494           Blog: <a class="moz-txt-link-freetext" href="http://practicalid.blogspot.com">http://practicalid.blogspot.com</a>
Office: +1-703-265-2544           Twitter: <a class="moz-txt-link-freetext" href="http://twitter.com/gffletch">http://twitter.com/gffletch</a>
</pre>
  </body>
</html>