I’ll explain by way of examples. ‘Course, I might still be wrong! In federated single sign-on, we have a “user”, a “service provider”, and an “identity provider” to which the service provider is somehow willing to outsource authentication (becoming a “relying party”). There is (or used to be) a totally-empowered-Alice use case of federated SSO, where Alice could build or run her own identity provider using the OpenID protocol, and some service providers out there would accept it. There’s a social login use case, where a social Alice gets to pick her identity provider (say, Facebook, or Twitter) from a set pre-chosen by the service provider. There’s a consumer-but-hidden (sometimes “internal federation”) use case, where Alice gets a login at a consumer-facing company like Amazon, and that company uses technology to enable Alice to use that login among all the web properties owned by that company. There’s an enterprise use case, where Alice gets an employee login that comes with assurance that she’s still employed, and the "service providers” are actually all the on-premises and web applications she needs to use to do her job. In these cases, I could imagine using an agency lens to pick various different parties as the primary mover, on a continuum from Alice to (probably) the identity provider. Analogously, in federated access (I just made that up), we have all the UMA-ish parties. We can anticipate a use case of federated access where a totally-empowered-Alice can build or run her own authorization server... and a use case where a social Alice gets to pick her authorization server from among popular social offerings... and a use case where a consumer-facing company manages a tighter circle of services and centralizes their management for Alice’s convenience only among those... and even a use case where a company-run authorization server represents not Alice but AliceCorp, and manages access on its behalf. There’s still the same number of parties in UMA, but the use case can change up the power dynamic a lot. ?? Eve
Quick response thought: Why wouldn't/couldn't the same distinction apply with regard to types of fourth parties?
I will let others wiser than I opine on your points. Only one thought from me: Some use cases involve an “Alice-chosen/empowered” AS, and others involve a “autonomous/other-chosen” AS… So being specific about use cases will matter.
1. Decisions about legal roles, responsibilities and liabilities for a new program should be based on principles.
2. The principle that I glimpsed as animating UMA's authorization server, a new relationship of agency to an autonomous Alice, is precisely the same principle that animates Searls' fourth party as agent of an autonomous customer. (Is that wrong?)
3. Of course fourth party can have a real legal meaning based on that principle -- even if Searls' use of "agency" in his book might be different from the legal meaning -- and in broad terms (if 2 is correct) that should be the same meaning as the authorization server's.
I hope that helps clarify and simplify a bit.
I love the post. We haven’t discussed the “fourth party” concept at the UMA table, at least formally. Here’s a very — strike that, extremely — old blog post from me about the relationship between VRM and my work on UMA’s predecessor, fwiw.
http://www.xmlgrrl.com/blog/2008/09/04/venn-and-the-art-of-data-sharin g/
I do think there’s value in both the nitsy work of mapping the technical flows to parties’ perceptions and realities of liability, and the outreach/“marketing" work of stating big truths about how things need to change. Adrian is also awesome at shaking that tree (and apparently he spends a lot of time lately giving expert testimony in trials related to healthcare data breaches, so that’s pretty concrete).
What do you think would be the right next step for our deliverables? Does/can “fourth party" have real legal meaning as we build safeguards (for everyone) into the proposition of authorization-as-a-service that operates on Alice’s behalf?
I've been reading away at it all and thinking around it. It's all such a great mission, and you're all so terrific; I'm really not sure how a newcomer like me can best help. One thought: I think we're approaching agency law like IT gurus and law professors, which is great, but in a world in which Donald Trump is the leading presidential candidate, maybe you need an intellectual blunt instrument to help celebrate what you're doing. So I tried to be that instrument in this blog post:
http://datalaw.net/how-to-do-vendor-contracts-when-the-intent-of-indi v idual-customers-matters/
I know there are several legal subgroup folks intending to catch up after the long weekend, and jump in next Friday. Here are some resources that should help you:
- GitHub wiki home page (see links off to the right for all the “UMA-Legal” pages): https://github.com/KantaraInitiative/wg-uma/wiki
- Summary of special UMA terminology:
https://github.com/KantaraInitiative/wg-uma/wiki/UMA-Legal:-Terminolo g y
- Proposals for mapping UMA (and OAuth) to Agency law (needs much review and vetting!):
https://github.com/KantaraInitiative/wg-uma/wiki/UMA-Legal:-Mapping-B e tween-UMA-and-Agency-Law
Please feel free to float any questions here. Happy Labor Day to those who are celebrating it!
