Minutes

Roll call

Quorum was reached.

Approve minutes

• • Approve minutes of UMA telecons 2019-10-03, 2019-11-21, 2019-12-05, 2019-12-12, 2019-12-19

Deferred.

Fastest route to publishing current UMA relationship material?

Relevant docs:

• Business-Legal Framework and Use Cases (GDoc)
• Mapping Graphics (GSlides)
• Legal Role Definitions (GSlides)
• Definitions and Use Cases Spreadsheet (GSheet)

Adrian is the common element between UMA and the DI world. He just reviewed an Indian privacy law. Several of the bills he has reviewed have an authorization server intermediary. They don't dictate technology, but they all have this characteristic. This is new as of the last year. This intermediary approach is gaining traction. Also, a lot of people are working on consent management. Google, IBM, likely Amazon, Microsoft, Salesforce, and Oracle are working on this. At least in healthcare and also more generally, giant platform vendors are desperate to introduce consent management solutions. These 4-7 "platform wannabes" for managing data that could be used for ML and decision support. Without "consent" (or something improved), open APIs enable massive access to personal data.

In the case of highly sensitive data, the use case of encrypted data vaults is arising. The question of who pays for storage is arising: the individual or the service provider. In a storage medium that the RO doesn't control (call it an RS), the "cascading OAuth" type of model where the RS wants to assert its right to "mask" (prevent) access even if the RO wants to give access comes to the fore.

Serious question: Should we be promoting the esoteric delegation use cases (the subject of our business-legal work), or is the time ripe to do more promotion of our basic use cases (Alice-Bob)? The latter sounds like it would be hugely beneficial. Nancy recommends making a presentation to the FAST (FHIR At Scale Taskforce) group. Sal notes in the chat: "Look at the need of "operators", human-legal entity->policy- controller->(service) operator <- needs AS, perhaps... so then this is about the service context which would lead to a real customer.." He noted that there is a Kantara FIRE (Federated Identifiers for Resilient Ecosystems group that has produced a spec for Distributed Identity Assurance (not related to UMA's distributed authorization model) as well.

A subtlety that we have recognized is that Dr. Bob (RqP) might be using a client (the UMA client) and that Bob might be working on behalf of a different entity. "Just because you have a wallet doesn't mean you control the keys." Entity-to-wallet binding is a fundamental problem. Everything in DI is keys, and DPKI. The next subtlety is the difference between DIDs and VCs.

Is the next step a webinar where we all (e.g., vendors) show our wares? Enthusiasm from Mike and Eve.

GTM booted us off the call right at the bottom of the hour, but on Skype afterwards, Andi suggested that anyone at RSA get together on-site for further coordination.

Attendees

As of 16 Jul 2019, quorum is 5 of 9. (Domenico, Peter, Sal, Thomas, Andi, Maciej, Eve, Mike, Cigdem)

1. Domenico
2. Sal
3. Andi
4. Eve
5. Mike
6. Cigdem

Non-voting participants:

• Nancy
• Adrian
• Scott
• Lisa