Fri Sep 11 8-9am PT Voice: Skype: +99051000000481 or US +1-805-309-2350 (international dial-in lines <https://www.turbobridge.com/join.html>), room code 178-2540# Screen sharing: http://join.me/findthomas <http://join.me/findthomas> - NOTE: IGNORE the join.me <http://join.me/> dial-in line shown here in favor of the dial-in info above (Kantara "line C" and the Skype line) UMA calendar: http://kantarainitiative.org/confluence/display/uma/Calendar <http://kantarainitiative.org/confluence/display/uma/Calendar> For this call, let us take the following “negative use case”, growing out of the agency and “RS risk” discussion we’ve been having: “I, a US hospital, have an online service that exposed a FHIR API for electronic medical records. Alice set up policies at her consumer-grade AS, and I accepted outsourcing authorization there. The token from the AS told me that it was okay to give client MobileApp and requesting party Bob access, so I did. But then Alice sued me/complained/reported me/(something else bad)”. (Adrian can comment on real-life examples somewhat analogous to this, with breaches and such.) Dazza has offered to facilitate a discussion of the following points: What are the key legal issues presented by this scenario? What legal role(s) and corresponding rules apply to the actions and data of the parties in this scenario? What are the potential or probable outcomes if things go wrong (eg: result of enforcement actions, allocation of loss or other dispute resolutions)? What advice or other resources for parties seeking to adopt UMA could help them manage legal risks and/or structure legal affairs to expand or create new value? And I will scribe. :-) Talk to you soon! Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com