I'm sorry that I had to miss Friday's call. I just had a chance to read this UMA Legal Primer and I find it inscrutable even as I'm finding the discussions in HEART more confusing week by week. Here's an alternative suggestion:
Let's start with "UMA adds three dimensions of variability to OAuth:
- Multi-party (Are clients registered with the AS or the RS? Does it need to be both?)
- Asynchronous (Alice can start by just delegating and add policies only after she gets some insight into what the Bobs want - forces us to focus on delegation)
- One delegation / location (Alice's authorization server is not domain-specific - neither should the legal agreements between RS and AS be domain specific.)
Let's focus on these three dimensions from a legal perspective. The BLT approach does not help. Neither does mentioning HEART help because HEART is even more confused than UMA. Once we get the Legal 3-D core down, a discussion of Business and Technical impacts on the Legal core might be unnecessary or just illustrative.
Adrian