[WG-UMA] Draft minutes of UMA telecon 2021-03-11
Alec Laws
Minutes
Roll call
Quorum was NOT reached.
Approve minutes
- Approve minutes of UMA telecon 2021-02-04, UMA telecon 2021-02-11, UMA telecon 2021-02-18, UMA telecon 2021-02-25
Deferred
ONC Annual Meeting, UMA Content For a Virtual Booth
https://www.healthit.gov/news/events/2021-onc-annual-meeting March 29-30
Need to be available at the Booth for the duration of the day (8-5?), can have an "afk" video. Same content platform at dev days, videos+pdf uploads. Colin/Nancy/Alec will cover the booth. If you're available to help, please reach out!
Planning to repurpose + modify the first half of the UMA in healthcare webinar from summary 2020. Will layer on Kantara in general content (existing + new working groups) + specific ONC value alignment
Want to showcase highlight UMA + Identity + Consent Receipt(?). A main Kantara Intro: https://youtu.be/iVyP95_OyCM
If you have a demo relevant to health care and want it included, please reach out!
Airside may have a relevant demo for healthcare to add. Forgerock has a FHIR + UMA demo to add. Patient Centric Solutions has an identity + UMA demo with ID.me, can show off the transparency (granularity) of sharing. Identos case study will cover their project for Identity + UMA in Ontario.
Nancy/Alec will be meeting again next Tuesday at 10AM EDT to iterate on the content, please reach out if you'd like to join in
Health care can become confused by the range of identity and authorization offerings. Need to show a clear message about how it works together toward a 'wide' ecosystem to bring these disparate approaches together. UMA can support many types of granularity, by resource but also by sensitivity. The data model is all there with FHIR and UMA can easily apply 'arbitrary' authorization slices over it.
Pensions Dashboard, any updates
Agreements to reference UMA and link to a Kantara hosted (but not UMA WG) hosted page with the profiles and design documents. Finding the right balance between making it open to serve the procurement needs and properly protect everyone
Profiles Discussion, relationship manager
Continue discussion on how an RS can get a PAT issued, given that the RO is interacting through a API (not directly at the RS).
In the PDP profile, the relationship manger API would be used directly from the AS (co-located with the AS), however this isn't the same in the IDENTOS implementation.
RS API needs oauth protection, so the Relationship manager has a valid token directed to the RS Relationship manager API. This is NOT the PAT, since it's aud is the RS not the AS. The relationship manager API is derivative of the Resource Registration API, however it's the available vs already registered resources.
GET /authorization_servers → list of registered authorization servers. This is easiest way to avoid the topic... assumes that Alice has previously interacted with the RS to have PATs available. If there is no way for Alice to directly interact with the RS this falls apart. Identos currently avoids by having static RS→AS registration and an RS=RO model for PAT issuance, but don't like this. It's organization custodial model vs the real RO who is Alice. Need to separate the resource rights administrator from the actual data subject (RO), in this case it's still not the RS=RO, it's RRA=RO. There are many RRA's in the model, the RO is a RRA, the RO can delegate some capabilities to another RRA, the RS may apply policy as an RRA during policy setting or resource disclosure. This layered RRA model get's complicated fast, although it's pervasive in normal B2B2C cases (data subject, controller, processor).
All the entities in the system perform AS, RS and sometime RRA functions at different times
Summertime Skew
Head's up to our non-North American members!
Attendees
As of October 26, 2020, quorum is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve)
Voting:
- Peter
- Eve
- Alec
Non-voting participants:
- Tim
- Colin
- Nancy
Regrets:
- Ian
- Ken