To help me understand, I presume we are UMA 2013, including:ASO to RSO obligation:and perhaps add indemnification from ASO to RSO against any liability to RO.The question, if I understand it, is whether the RSO becomes legally protected from claims by RO that info was improperly sent to RqP.That sounds like a legal question, and the answer is probably "that depends." As a strict matter of contract law, it seems easy enough to make that happen. The RSO makes sure that the ASO has language in its contract with RO that releases RSO, and looks to ASO for indemnification. But depending on the nature of the information and the relationship of RSO to RO (outside the pure data administration) RSO, the law could impose a duty on RSO that cannot be waived and RSO might be worried that ASO is financially fragile.Have I understood the question?On Fri, Dec 11, 2015 at 8:49 PM, Adrian Gropper <agropper@healthurl.com> wrote:_______________________________________________For simplicity, presume:I'm trying to understand the essence of an UMA Legal framework by picking a very simple but real-life use case and premise.Premise: The resource server operator (RSO) installs UMA because it limits their liability due to clients interactions. In other words, they are transferring some risk to an authorization server operator (ASO), otherwise they would just implement OAuth.
- a single resource: https://uma.rso.com/adrian/weight/readonly
- terms of use: the data is only to be accessed by anyone, including rso, via the resource above
- clients will present a valid SSL certificate and a token verifiable at the authorization server
- this contract between RS and RO expires after one year or upon notice by either party
Under these circumstances, the RSO has transferred most of the liability for interacting with a particular client to the ASO. This, I believe is the UMA Legal MVP.
In a real-world use-case, the RSO may not be allowed to duck this much liability. For example, the RSO might be required by law to notify the RO that a particular Client / RqP is on an industry watchlist.
In this case, the Client / RqP is providing attributes to both the AS and the RS. The RSO bears somewhat greater liability unless it can warn the RO via UMA the same way it might warn the RO via OAuth.
Can the ASO bear the responsibility of warning the RO or must the RS warn the RO directly?
As far as I can tell, this is the essence of UMA legal. Everything else is just an elaboration on one of the four bullet points above. This, incidentally, is the use-case I'm discussing with the US Office for Civil Rights.
Adrian
--Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma