Hello Kantara,
We had a great ANCR Launch session on Privacy Day, and to follow up we are hosting a Data Privacy Hack/Workshop Jan 30.
A key hack we are working on is Enforceable Privacy and the use of Notice Receipts for each legal justifications to provide enforceable privacy rights in context.
The base schema is the 'explicit consent notice receipt’ which we are working on in the ANCR WG. In our last hackathons we have been working on for privacy agreements that better interact with terms of use.
* Contract Notice Receipt
* Legitimate Interest Notice Receipt
* Legal Obligation Notice Receipt
* Vital Interest Notice Receipt
* Public Interest Notice Receipt
(a receipt is its a notice of record - and all receipts are inherently data receipts)
In addition to Consent Notice Receipts, which cover the spectrum of legal/social consent and include: Explicit, Implied, Directed & Altruistic Consent, for the transfer of liability through transparency of privacy risk. All are welcome, so please pass this on to your groups.
Best Regards,
Mark
The calendar invites below is for the Legal Hacking Workshop - (more info on ANCR WG homepage)<https://kantarainitiative.org/confluence/pages/viewpage.action?pageId=14080…>
These are the goto meeting call details, and some guiding policy:
- you do not have to login to GotoMeeting to access the call,
- we will be recording the event - and we intend to share this on the Public ANCR WG page
- And, as a result, we do not require to put your video on, and you do not have to share information in the call,
- This is not an official ANCR work group meeting, details for work group sign up are provided after the launch.
You can join the ANCR WG Launch from your computer, tablet or smartphone. And stay in the Video Call for the Demo’ Sessions -
https://global.gotomeeting.com/join/562338533
You can also dial in using your phone.
United States: +1 (646) 749-3112
Access Code: 562-338-533
New to GoToMeeting? Get the app now and be ready for your the ANCR Launch meeting
starts: https://global.gotomeeting.com/install/562338533
Open Consent Group: Data Privacy Legal Hackathon - Launch
DPLH- Hack’s 4 Demo’s
Scheduled: Jan 28, 2021 at 8:45 AM to 10:00 AM
Location: https://global.gotomeeting.com/join/562338533
10am to 2 pm Edt
https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-01-28
Minutes
Roll call
Quorum was reached.
Approve minutes
Approve minutes of UMA telecon 2021-01-21 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-01-21>
Deferred
UMA and FAPI discussion
What is FAPI: https://openid.net/wg/fapi/ <https://openid.net/wg/fapi/>
Oauth/OIDC security profiles started for Open Banking purposes. UK open banking <https://standards.openbanking.org.uk/> has accepted FAPI as their security profile. Many UK industries are moving towards FAPI as the baseline security profile.
How do the FAPI profile interact with our own profiling work, both UMA as a profile of OAuth, and downstream profiles such as the Pensions Dashboard? Are there was to converge FAPI and UMA such that they can easily be used together? They are not 'competing' profiles, FAPI is around security and UMA is around delegation + sharing.
As the pensions dashboard profile is part of the 'financial' industry, there is a likely requirements to realize the FAPI profiles, specifically for strong customer authentication (SCA).
GNAP ("OAuth 3") is a 'backwards incompatible' iteration of OAuth, incorporating many other protocol goals, including UMA. Suggest we park this and focus on OAuth 2 profiles/efforts.
FAPI is similar to the HEART initiative for Health Care. HEART was security profile of OAuth2+UMA2, including the definitions of FHIR and associated scopes. There is some prior work of using HEART with additional FAPI requirements to secure an UMA implementation. This is the Nordic health UMA profile(https://julkaisut.valtioneuvosto.fi/bitstream/handle/10024/78439/MyData-nordic-model.pdf <https://julkaisut.valtioneuvosto.fi/bitstream/handle/10024/78439/MyData-nor…>). Suggest FAPI should take up an UMA 2 security profile in addition to the OAuth2/OIDC profiles.
There is a push to open data control to end-users "Life-tech" (at least in the UK). FAPI is not enough to realize this(?). FAPI is setup with trust list/directories that in theory create open/wide ecosystems of dynamic client registration between RPs and AS/RS providers. In practice, there are a lot of operational challenges to a dynamic ecosystem. UMA has considered these wide ecosystem questions from both the protocol but also the whole "BLT".
As a heads up to implementors/vendors. In the UK, the Pension Dashboard software provided to Pension Providers(RS) will need to realize all of the pensions dashboard profile, the FAPI security profiles and the Open Banking data APIs.
If we believe that FAPI should support a UMA2 security + privacy profile, should we produce and contribute this? Yes. Alternatively, should UMA 2 adopt(recommend?) FAPI as the security profile, and keep all the good privacy work in UMA? Is there any barrier today to using FAPI and UMA? Likely not, but this would require some analysis.
Let's work towards completing this analysis. Bringing the disparate profiles together removes a lot of uncertain around how different efforts work together. Presumably the financial-grade security is useful in many industries. WG members are encouraged to review FAPI and send any comments/notes to the mailing list.
How does the FAPI work benefit other industry (health care) use-cases? Should be immediately useful as a strong security profile? Health care in the US is working towards very UMA aligned features/requirements. How can our WG better represent UMA in those forums?
Pensions Dashboard update
Still working through IPR concerns. Ideally want to reference a completely open + free specification. They support the Kantara + WG process, more questions of timing around the profiles availability.
Other profiles next steps
Deferred
- Alec
Hi,
We are very excited about the opportunities to collaborate and look forward to a reviewing and sharing.
This is very much an open invitation and happy to review and share, as I believe we have a new wiki space we can add it to.
Thank you Lisa,
Mark
PS I sent multiple emails but they didn’t get through to the ISI-WG list. But at last this last invite was from Smart Species email address
> On Jan 27, 2021, at 9:00 PM, Lisa LeVasseur <lisa.levasseur(a)me2ba.org> wrote:
>
> Hi Mark,
>
> Looks like an interesting couple of meetings. Unfortunately, I’m unable to make tomorrow’s call.
>
> I notice that[IEEE P7012](https://standards.ieee.org/project/7012.html#Standard)(Machine Readable Personal Privacy Terms) isn’t included in your landscape, and I think there may be meaningful overlap.
>
> Our most recent work in P7012 is the drafting of a baseline data schema that can describe private, legally binding, information sharing agreements, whether they are (a) notice & choice [aka “consent”], (b) two-party contract, or (c) license. This proposed structure is syntax-agnostic; Mary (Hodder) is currently creating a version of the Creative Commons No Stalking terms in the[Accord Project’s](https://accordproject.org/about/)syntax using our draft schema, for example.
>
> We haven’t fully tackled interop yet, but Bernd Blobel is advocating for aligning with ISO 23903 (Health informatics — Interoperability and Integration Reference Architecture – Model and Framework ) for interoperability; we’re still navigating that.
>
> It would be great if we could get some synergy across these efforts.
>
> Thanks!
> Lisa
>
> From:WG-UMA <wg-uma-bounces(a)kantarainitiative.org>On Behalf OfSmart Species
> Sent:Wednesday, January 27, 2021 4:36 PM
> To:Salvatore D'Agostino <sal(a)idmachines.com>; Vitor Jesus <Vitor.Jesus(a)bcu.ac.uk>
> Cc:wg-uma@kantarainitiative.org WG <WG-UMA(a)kantarainitiative.org>; Kantara Leadership Council <lc(a)kantarainitiative.org>; wg-isi(a)kantarainitiative.org
> Subject:[WG-UMA] ANCR WG Launch Invitation
>
> Hello Kantara Community
>
> We hope this email finds you and yours safe and well.
>
> We are ecstatic to invite you- to the ANCR WG introduction (on Jan 28th where we are discussing data governance interoperability with notice and consent receipts work and discussion that is in progress.
>
> Information for the sessions tomorrow are below.
>
> Kind Regards,
>
> - Mark
>
> Goto meeting call details, (with some guidance):
>
> - you do not have to login to GotoMeeting to access the call,
>
> - we will be recording the event - and we intend to share this on the Public ANCR WG page
>
> - And, as a result, we do not require to put your video on, and you do not have to share information in the call, but, we recommend our normal practice of showing your video when you speak.
>
> - This is not an official ANCR work group meeting, details for work group sign up are provided after the launch.
>
> You can join the ANCR WG Launch from your computer, tablet or smartphone. And stay in the Video Call for the Demo’ Sessions - https://global.gotomeeting.com/join/562338533
>
> You can also dial in using your phone.
> United States: +1 (646) 749-3112
>
> Access Code: 562-338-533
>
> New to GoToMeeting? Get the app now and be ready for your the ANCR Launch meeting
> starts: https://global.gotomeeting.com/install/562338533
>
> ANCR WG - Launch
>
> Session 1: - Data Gov Interop Landscape 2021
>
> Scheduled: Jan 28, 2021 at 8:45 AM to 10:00 AM
>
> Location: https://global.gotomeeting.com/join/562338533
>
> Introductions to topic, each other & WG
>
> Kantara ANCR WG - Sal & Vitor
>
> ISO 29184/27560 - Mark
>
> W3C -DPVC - CG - Beatrix
>
> ToiP-ISIWG - DDE Architecture (MMM)- Paul
>
> UMA Legal Editor - Tim Reinegar
>
> MyData/aNG, : Matthias, Olivier
>
> ANCR WG -Demo’s
>
> Session 2: Demo's - Receipts and Dynamic Data Economy
>
> Scheduled: Jan 28, 2021 at 10:00 AM to 11:45 AM
>
> (Up to 9 min Demo’s +2-3 min chat)
>
> - Vitor - Privacy As Expected: Consent Gateway
>
> - Paul - Data Immunity Passport
>
> - Christoph - Data Sharing Hub
>
> - Lal - iGrant
>
> - Xavier - Fair Data
Hello Kantara Community
We hope this email finds you and yours safe and well.
We are ecstatic to invite you - to the ANCR WG introduction (on Jan 28th where we are discussing data governance interoperability with notice and consent receipts work and discussion that is in progress.
Information for the sessions tomorrow are below.
Kind Regards,
- Mark
Goto meeting call details, (with some guidance):
- you do not have to login to GotoMeeting to access the call,
- we will be recording the event - and we intend to share this on the Public ANCR WG page
- And, as a result, we do not require to put your video on, and you do not have to share information in the call, but, we recommend our normal practice of showing your video when you speak.
- This is not an official ANCR work group meeting, details for work group sign up are provided after the launch.
You can join the ANCR WG Launch from your computer, tablet or smartphone. And stay in the Video Call for the Demo’ Sessions -
https://global.gotomeeting.com/join/562338533
You can also dial in using your phone.
United States: +1 (646) 749-3112
Access Code: 562-338-533
New to GoToMeeting? Get the app now and be ready for your the ANCR Launch meeting
starts: https://global.gotomeeting.com/install/562338533
ANCR WG - Launch
Session 1: - Data Gov Interop Landscape 2021
Scheduled: Jan 28, 2021 at 8:45 AM to 10:00 AM
Location: https://global.gotomeeting.com/join/562338533
Introductions to topic, each other & WG
Kantara ANCR WG - Sal & Vitor
ISO 29184/27560 - Mark
W3C -DPVC - CG - Beatrix
ToiP-ISIWG - DDE Architecture (MMM)- Paul
UMA Legal Editor - Tim Reinegar
MyData/aNG, : Matthias, Olivier
ANCR WG -Demo’s
Session 2: Demo's - Receipts and Dynamic Data Economy
Scheduled: Jan 28, 2021 at 10:00 AM to 11:45 AM
(Up to 9 min Demo’s +2-3 min chat)
- Vitor - Privacy As Expected: Consent Gateway
- Paul - Data Immunity Passport
- Christoph - Data Sharing Hub
- Lal - iGrant
- Xavier - Fair Data
https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-01-21
Minutes
Roll call
Quorum was reached.
Approve minutes
Approve minutes of UMA telecon 2021-01-07 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-01-07>, UMA telecon 2021-01-14 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-01-14>
Sal moves to approve. MOTION PASSES
Pensions Dashboard status update
Still working through IPR issues, this prevents the PDP from opening their procurement. The Pensions Dashboard Program is still planning to contribute some initial updates to the Origo contributed profiles. One option being explored is a separate Kantara WG for the purpose to working on this profile, that has a different group IPR policy. PDP wants the profiles to be open, so that there are no barriers for suppliers/vendors to implement
Sal notes there always seem to be IPR issues at some point. Changing work group IPR is hard, as the effect on previously created documents is not clear. There is some recent precedent with the proposed ANCR (advanced notice and consent receipt) WG with a different IPR policy from the ISI WG.
LC Speakers Corner topic
There is a new Kantara initiative to have a new once a month session where a WG can share a topic with the wider Kantara community and receive feedback/input. The first session is tentatively scheduled for Feb 17 at 11:30 ET. UMA is up first!
Two current work items to be shared are the UK Pensions Profile and the Wallet profiles
If there are other topics that group members are interested in sharing with the wider Kantara community. Please reach our to Alec or the mailing list!
There was some work on delegation within UMA done by Eve/Lisa that would be interesting to heard at our UMA WG. This would also be a great topic to share more widely with Kantara to get more input
UMA + US Health Care Update
There are some US Health care initiatives looking at decentralized consent. There have been many issues raised with sharing 'consent' between system, specifically in sharing the PHI inherent in any consent record. Instead of 'federated' Sal suggests a 'decentralized' approach which may address some of the sharing of consent. In UMA, the consent record isn't shared, the decision or outcome is. With a 'consent repository' what could be shared is a 'pointer' to the consent, similar to a resource uri, and proper authorization would need to be attained before seeing the content of the consent record. The FHIR consent resource has PHI like all FHIR resources, however the authorization/sharing of 'other' FHIR resources is often dependant on the existence of a Consent resource. The UMA AS or wallet model protects the consent and separates it from the protected resources, however, the pure UMA model get's into multiple ASs hosted by many health care sites, the Person must then manage consent many places. UMA and
UMA + Standard OAuth mix-up attack and mitigation
There is a new IETF Draft (OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response <https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-00>) to standardize of the Mix-up attack mitigations. Our current Implementer's Guide references the OAuth BCP <https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14#section-4.4> as additional considerations for UMA implementations. Should we reference this new draft?
Mix-up only relevant where an RP talks to many Authorization Servers, ie a wide ecosystem where a client is introduces dynamically to new AS's. The main mitigation from the BCP is to use a unique redirect uri for each AS. The new draft allows reuse of the callback, by adding a new `iss` param only the callback which the RP must compare to their expect value, ie where the sent the user for authorization.
No major impact on UMA. Alec will update the UMA implementors Guide to reference this new draft to help people find it
AOB
Ian has a topic for next call around FAPI/UMA
Attendees
As of October 26, 2020, quorum <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is 5 of 9. (Michael, Karim, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve)
Voting:
Sal
Domenico
Michael
Thomas
Alec
Non-voting participants:
Ian
Ken
Nancy
Scott
George
Tim
Best,
- Alec
UMA telecon 2021-01-21
Date and Time
• Primary-week Thursdays 6:30am PT
• Screenshare and dial-in: https://global.gotomeeting.com/join/485071053
• United States: +1 (224) 501-3316, Access Code: 485-071-053
• See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar
Agenda
• Approve minutes of UMA telecon 2021-01-07, UMA telecon 2021-01-14
• LC Speakers Corner topic
• Pensions Dashboard. continue profile review
• AOB
Best,
- Alec
