Sorry, but I find this document totally confusing. The first page or so starts with a bang promising something important for GDPR and IoT. It then introduces the concept of "access federations" that explains nothing but simply makes me wonder what happened to identity federations that presumably were intended to control access. After that, the document jumps to a use-case that explodes into a kaleidoscope of actors and possible contracts between them.

From my perspective, UMA legal is first and foremost about agency. UMA's fundamental "contract" is between a resource server and a resource owner establishing an agent for the resource owner's authorizations. Let's give this contract a nice name like "Resource Protection Agreement" that relates to the typical privacy policy and terms of use notices we see today. Let's explain if a Resource Protection Agreement is a notice or a contract and how it relates to privacy policies and terms of use under the GDPR and the ability to control thousands of services associated with hundreds of Things for each of us. If we can explain the role of the basic Resource Protection Agreement in establishing the resource owner's agent, then the rest of the contracts involved in UMA between ASO and RO, RqP and Clients, IDPs, etc. will be easy to understand and the meaning of "access federation" may become clear. As it stands, the paper seems to treat all the possible contracts as equally important and that just confuses the issue.

Adrian

On Fri, Sep 9, 2016 at 9:54 PM, Eve Maler <eve@xmlgrrl.com> wrote:
http://kantarainitiative.org/confluence/display/uma/UMA+legal+subgroup+notes#UMAlegalsubgroupnotes-2016-09-09

2016-09-09
- Working session on User-Managed Access (UMA) in Contractual and Regulatory Contexts <https://docs.google.com/a/wunderlich.ca/document/d/1HGM5-PoJFMnepyrTX91hqHKQ-qNgNxgQjkzqod7Otto/edit?usp=sharing>
Attending: Eve, Ann, Kathleen, John W, Adrian, Scott D
We discussed Eve's new slide describing "key benefits to users" at a high level as a potential way of fleshing out the next subsection of the primer.
- Not just opt-in or opt-out when asked
- Sharing, unsharing, and editing of sharing preferences allowed at any time, without external influence
- Possible to offer a service that centralizes sharing preference management across data services for user convenience
  - The central service doesn't see any of the data
  - It acts on the user's policy instructions when others attempt access to data services
- The user can choose to share whatever "grain" of access each data service offers
  - Such as read vs. write, or weight vs. fat mass
We've now added and wordsmithed this.
Instead of the spiral or the simplified spiral in the primer, John suggests a very friendly version of the "three phases" paradigm (as suggested by Adrian) that's already explained in the spec <https://docs.kantarainitiative.org/uma/rec-uma-core-v1_0_1.html#introduction>. He will sketch what he's thinking of, and we'll ask Domenico to turn it into something beautiful!
Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
--
Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/