A few more notes and requests:

- There is *no Legal call next Friday*, as I've got a conflict.
- Everyone please comment on the definitions <https://groups.google.com/forum/#!topic/kantara-initiative-uma-wg/553hZKy8hD4> by *Tuesday, July 18*. Please send to the whole list. Ideally, don't just reply to this note; start a new thread with "Legal" in the subject.
- *Tim,* if you're okay with it, let's please meet soon after that date to ensure you have what you need for deliverable #3. (I can also meet Mon-Thu next week.)
- If anyone has any questions or thoughts, as always, please let me know.

Thank you!

http://kantarainitiative.org/confluence/display/uma/UMA+legal+subgroup+notes...

2017-07-07

Attending: Eve, Kathleen, John, Ann, Mark, Tim

Tim sent definitions according to the "exercise" Eve set. He derived many of them from UCITA, and some from prior UMA materials, including the draft model clauses, and then "protected resource" is new and may need more work. Let's treat these definitions, not as final model definitions, but our working draft that could be published in deliverable #3 (potentially accompanied by some diagrams showing mapping relationships) to show where the framework is headed. We can all review the document prior to the next call and send comments.

*Access Contract:* *A contract or agreement to obtain by electronic means access to, or information from, an information processing system of another Person, or the equivalent of such access.*

What is the difference between an access contract and an information sharing agreement? The former is a term out of UCITA law, so that's why he grabbed it.

*Resource Owner:* *A Person with legal authority to grant access rights to Protected Resources; authorized to delegate access control functions to an ASO and to license access and use rights (permissions) relating to Protected Resources; acts as licensor to the Resource Server Operator.*

Do both parts of the second clause relate to the ASO, or does licensing access and use rights pertain to the RO alone and not something the ASO mediates? The theory was that the ASO mediates this because it manages and executes/makes decisions on the RO's policies (which it does). Does taking out "*and*" in "*and to license access*" fix this, roughly? It seems so.

Note: In UMA, the policy does not inherently travel with the resource, without some other layer of technology ("sticky policy" technology or similar). Do we need to define *Policy* (or *Authorization Policy*) vs *Business Policy* somehow? Does that add value to what we're doing?

*Person:* *An Individual or Legal Person.*

Great, same as before.

*Legal Person:* *A legal entity means a corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, governmental subdivision, instrumentality, or agency, public corporation, or any other legal or commercial entity.*

This seems to need just a touch of wordsmithing, e.g., "*A legal entity; a corporation...*".

*Protected Resources:* *All data, applications, or software in which a Person either has Informational Rights or gives the Person the ability to exercise Informational Rights.*

First, should this be singular?
Second, regardless of singular or plural, the RSO has inherent authority in various aspects of "what counts as a resource" and "what types of access are possible to perform on a resource", as described here <https://docs.kantarainitiative.org/uma/wg/oauth-uma-federated-authz-2.0-05.html#fed-authz> (so possibly it's worth breaking down into *Resource* and then *Protected Resource*, as the former is RS-related and the latter is AS-related?). Is it interesting to consider mentioning "URI" as the location of the resource somehow, or no?

*Eve Maler*
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl