All,

Here's the link I couldn't find during the call today: https://github.com/decentralized-identity/identity-hub/blob/master/docs/permissions.md 

It would be great if some of us could read it and say how much of what the doc calls "Out of scope" is already in UMA. 

For those of you wondering what the business case or use case is, Microsoft wants vendors to outsource the management of personal data to the subjects themselves. (Treat the subject as the GDPR data controller.) https://www.computerweekly.com/news/252463379/Microsoft-working-to-support-decentralised-identity This would be ideal from a privacy perspective because the vendor might be just a GDPR data processor, responsible for security and not much more.

Note, with respect to the IP issues raised in today's call, DIF is not a standards organization and I'm not sure what the standards process will look like for "identity hubs". Our software combines UMA standards and DID standards into a personal agent / identity hub. Clearly the UMA AS corresponds to a "Service endpoint" in DID land. A DID can have multiple service endpoints. The opportunity to standardize the personal agent seems to be open at this time.

Can you help me identify the gaps between UMA + DID and a standards-based personal agent?

Adrian



 



On Tue, May 21, 2019 at 4:09 PM James Hazard <james.g.hazard@gmail.com> wrote:
Hi all, 

Pleased to see the progress and reference to CommonAccord.org.  Yes, it would let people express legal framing in the traditional way - as text transcluded into documents - while also enabling codification on GitHub.

Best, Jim


On May 21, 2019, at 12:53 PM, Eve Maler <eve@xmlgrrl.com> wrote:

To (somebody's? Lisa's?) point today about needing a term for an "agent" of the sort that acts in the interests of a person but that is made up of software, we could use (build on?) this definition already found in the Proposed Licensing for UMA report:

Electronic Agent: A computer program or an electronic or other automated means used independently to initiate an action or respond to electronic records or performances in whole or in part without review or action by an individual at the time of the action or response.

I apologize for not capturing that discussion in the notes. I'm going through and fleshing out the spreadsheet more now, and found this among the definitions in the report.

Eve Maler
Cell or Signal +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl



On Tue, May 21, 2019 at 1:15 PM Eve Maler <eve@xmlgrrl.com> wrote:
(To get access to the spreadsheet linked below, please request access individually, and I will add you.)

2019-05-21

Attending: Eve, Nancy, Lisa, Tim, Cigdem, Adrian, Domenico, Mark

Our goals in filling out the new use cases spreadsheet are:

  • Make crystal-clear the legal-technical mappings
  • Link to definitive definitions (and figure out which concepts need new terms and better definitions, and figure out if we need to refine our definitions in a new report vs. the first report)
    • E.g., define a new Proxy/Agent/whatever term? Define a term for an organization that is the equivalent of a "data subject" (the information is "about it") only it's not an individual?
  • Get people to put their hands up in identifying which use cases they care about, and add new use cases
  • Figure out how to incorporate all the necessary complex information into licenses, such as covering Requesting Agents and Requesting Parties as required (Dr. Bob and the institution he works with, e.g.)

Our hope is that there are some kinds of licensing that you can boilerplate, a la Creative Commons. That has been the premise behind our looking at CommonAccord.org, which literally has a GitHub system for reuse of legal text (and the Ricardian system in general: prose, code, parameters). Also, jurisdictions will suggest some similarities. (See our very early UX work.) But there is extreme variability that can arise based on things like the types of resources and scopes; for example, "getting some data" is different from "controlling a smart camera".

Eve's "new permission taxonomy" lists five possible axes of control: Scope, Grantee, Environment, Usage, and Downstream. UMA as a technical layer enables three of them. Legal licensing is needed for Usage (e.g., preventing usage for marketing purposes) and Downstream (e.g., specifically, preventing sharing with a further requesting party that doesn't share the same AS as the initial requesting party).

Adrian suggests following up to learn about the work of this group.


Eve Maler
Cell or Signal +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-uma



--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.