Why is this distinction important in the context of UMA? The key point of UMA is to enable the AS as an agent. The choice of "build, run, or outsource" often remains with the Principal and the UMA protocol "must" accommodate this choice of "autonomy" at its core.

Adrian

On Thursday, September 10, 2015, James Hazard <james.g.hazard@gmail.com> wrote:
I fear we are twining two uses of "agency," each correct, but different.  Agency means something like "act". 

The Doc meaning (as I understand it) refers to ability to act - autonomy.

In law we almost always use it in the context of someone (agent) acting for another (principal) - delegation.

http://projetbabel.org/mots/index.php?p=agir



On 9/10/15 1:04 PM, Adrian Gropper wrote:
(cc'ing Doc because we were talking about agency and UMA AS as the fourth party last night at the Berkman open house.)

The analogy between OpenID Connect and UMA can be misleading. Identity has deep roots in reputation and it's less than useful to expect relying parties to trust one's owned reputation service. Hence the need for federations in practical identity management systems.

Agency is not about the principal's reputation at all. Agency is not about federation. The choice of my agent is mine and mine alone and any restrictions on that choice by a service provider need to be scrutinized and justified if they are to be allowed at all. In what cases does the law prevent Alice from representing herself in a legal proceeding? In cases where an accountant, realtor, or lawyer is hired as Alice's agent, they are licensed but not really federated with the other party.

In my opinion, the ability for Alice to specify her Authorization Server technology without constraint on "build, run, or outsource" is fundamental to UMA and needs to be absolute.

Adrian

 

On Wed, Sep 9, 2015 at 9:11 PM, Neiditz, Jon <JNeiditz@kilpatricktownsend.com> wrote:
Thanks.  It may come down to the following question:  Once the picking of the AS is done, is the duty of the AS to the RO (Alice or AliceCorp) the same or different in the below scenarios?   (Unfortunately, I may need to drop out of sight until Friday morning.)

Jon Neiditz
Kilpatrick Townsend & Stockton LLP
Suite 2800 | 1100 Peachtree Street NE | Atlanta, GA 30309-4528
office 404 815 6004  | cell 678-427-7809 | fax 770 234 6341
jneiditz@kilpatricktownsend.com | www.kilpatricktownsend.com

-----Original Message-----
From: Eve Maler [mailto:eve@xmlgrrl.com]
Sent: Wednesday, September 09, 2015 8:50 PM
To: Neiditz, Jon
Cc: wg-uma@kantarainitiative.org UMA
Subject: Re: [WG-UMA] New [legal] wiki pages with mappings to Agency law etc.

I’ll explain by way of examples. ‘Course, I might still be wrong!

In federated single sign-on, we have a “user”, a “service provider”, and an “identity provider” to which the service provider is somehow willing to outsource authentication (becoming a “relying party”).

There is (or used to be) a totally-empowered-Alice use case of federated SSO, where Alice could build or run her own identity provider using the OpenID protocol, and some service providers out there would accept it.

There’s a social login use case, where a social Alice gets to pick her identity provider (say, Facebook, or Twitter) from a set pre-chosen by the service provider.

There’s a consumer-but-hidden (sometimes “internal federation”) use case, where Alice gets a login at a consumer-facing company like Amazon, and that company uses technology to enable Alice to use that login among all the web properties owned by that company.

There’s an enterprise use case, where Alice gets an employee login that comes with assurance that she’s still employed, and the “service providers” are actually all the on-premises and web applications she needs to use to do her job.

In these cases, I could imagine using an agency lens to pick various different parties as the primary mover, on a continuum from Alice to (probably) the identity provider.

Analogously, in federated access (I just made that up), we have all the UMA-ish parties.

We can anticipate a use case of federated access where a totally-empowered-Alice can build or run her own authorization server... and a use case where a social Alice gets to pick her authorization server from among popular social offerings... and a use case where a consumer-facing company manages a tighter circle of services and centralizes their management for Alice’s convenience only among those... and even a use case where a company-run authorization server represents not Alice but AliceCorp, and manages access on its behalf.

There’s still the same number of parties in UMA, but the use case can change up the power dynamic a lot.

??

        Eve

> On 9 Sep 2015, at 5:25 PM, Neiditz, Jon <JNeiditz@kilpatricktownsend.com> wrote:
>
> Quick response thought:  Why wouldn't/couldn't the same distinction apply with regard to types of fourth parties?
>
> Jon Neiditz
>
> -----Original Message-----
> From: Eve Maler [mailto:eve@xmlgrrl.com]
> Sent: Wednesday, September 09, 2015 8:20 PM
> To: Neiditz, Jon
> Cc: wg-uma@kantarainitiative.org UMA
> Subject: Re: [WG-UMA] New [legal] wiki pages with mappings to Agency law etc.
>
> (I will help you change your participation status, no worries!)
>
> I will let others wiser than I opine on your points. Only one thought from me: Some use cases involve an “Alice-chosen/empowered” AS, and others involve an “autonomous/other-chosen” AS… So being specific about use cases will matter.
>
>       Eve
>
>> On 9 Sep 2015, at 3:48 PM, Neiditz, Jon <JNeiditz@kilpatricktownsend.com> wrote:
>>
>> Thanks so much.  Here's what I really think:
>>
>> 1.  Decisions about legal roles, responsibilities and liabilities for a new program should be based on principles.
>>
>> 2.  The principle that I glimpsed as animating UMA's authorization server, a new relationship of agency to an autonomous Alice, is precisely the same principle that animates Searls' fourth party as agent of an autonomous customer.  (Is that wrong?)
>>
>> 3.  Of course fourth party can have a real legal meaning based on that principle -- even if Searls' use of "agency" in his book might be different from the legal meaning --  and in broad terms (if 2 is correct) that should be the same meaning as the authorization server's.
>>
>> I hope that helps clarify and simplify a bit.
>>
>> One apology and withdrawal.  I somehow got myself on as one of the few voting members of UMA, when I was just trying to get myself onto the legal subgroup.  I am COMPLETELY undeserving of being one of the few voting members of UMA and would love it if someone could please help me withdraw from that role.   I also apologize for not being able to be on the call tomorrow, although I can be on the legal subgroup call on Friday.
>>
>> Many thanks again.
>>
>>
>> Jon Neiditz
>> -----Original Message-----
>> From: Eve Maler [mailto:eve@xmlgrrl.com]
>> Sent: Tuesday, September 08, 2015 2:58 PM
>> To: Neiditz, Jon
>> Cc: wg-uma@kantarainitiative.org UMA
>> Subject: Re: [WG-UMA] New [legal] wiki pages with mappings to Agency law etc.
>>
>> Laughing on the outside... :-)
>>
>> I love the post. We haven’t discussed the “fourth party” concept at the UMA table, at least formally. Here’s a very — strike that, extremely — old blog post from me about the relationship between VRM and my work on UMA’s predecessor, fwiw.
>>
>> http://www.xmlgrrl.com/blog/2008/09/04/venn-and-the-art-of-data-sharing/
>>
>> Its predecessor didn’t even get a name until a few months later, btw!
>>
>> http://www.xmlgrrl.com/blog/2009/03/23/to-protect-and-to-serve/
>>
>> I do think there’s value in both the nitsy work of mapping the technical flows to parties’ perceptions and realities of liability, and the outreach/“marketing” work of stating big truths about how things need to change. Adrian is also awesome at shaking that tree (and apparently he spends a lot of time lately giving expert testimony in trials related to healthcare data breaches, so that’s pretty concrete).
>>
>> What do you think would be the right next step for our deliverables? Does/can “fourth party” have real legal meaning as we build safeguards (for everyone) into the proposition of authorization-as-a-service that operates on Alice’s behalf?
>>
>>      Eve
>>
>>> On 8 Sep 2015, at 10:50 AM, Neiditz, Jon <JNeiditz@kilpatricktownsend.com> wrote:
>>>
>>> I've been reading away at it all and thinking around it.  It's all such a great mission, and you're all so terrific; I'm really not sure how a newcomer like me can best help.  One thought: I think we're approaching agency law like IT gurus and law professors, which is great, but in a world in which Donald Trump is the leading presidential candidate, maybe you need an intellectual blunt instrument to help celebrate what you're doing.  So I tried to be that instrument in this blog post:
>>>
>>> http://datalaw.net/how-to-do-vendor-contracts-when-the-intent-of-individual-customers-matters/
>>>
>>> Glad to change anything, add or subtract anything, or retract and destroy the whole thing; I'm sure it's all wrong.
>>>
>>> Thanks and best,
>>>
>>> Jon
>>>
>>> Jon Neiditz
>>>
>>> -----Original Message-----
>>> From: wg-uma-bounces@kantarainitiative.org
>>> [mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of Eve Maler
>>> Sent: Sunday, September 06, 2015 4:26 PM
>>> To: wg-uma@kantarainitiative.org UMA
>>> Subject: [WG-UMA] New [legal] wiki pages with mappings to Agency law etc.
>>>
>>> I know there are several legal subgroup folks intending to catch up after the long weekend, and jump in next Friday. Here are some resources that should help you:
>>>
>>> - GitHub wiki home page (see links off to the right for all the “UMA-Legal” pages):
>>> https://github.com/KantaraInitiative/wg-uma/wiki
>>>
>>> - Summary of special UMA terminology:
>>>
>>> https://github.com/KantaraInitiative/wg-uma/wiki/UMA-Legal:-Terminology
>>>
>>> - Proposals for mapping UMA (and OAuth) to Agency law (needs much review and vetting!):
>>>
>>> https://github.com/KantaraInitiative/wg-uma/wiki/UMA-Legal:-Mapping-Between-UMA-and-Agency-Law
>>>
>>> Please feel free to float any questions here. Happy Labor Day to those who are celebrating it!
>>>
>>>      Eve
>>>
>>> Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter:
>>> @xmlgrrl
>>> | Calendar: xmlgrrl@gmail.com
>>>
>>> _______________________________________________
>>> WG-UMA mailing list
>>> WG-UMA@kantarainitiative.org
>>> http://kantarainitiative.org/mailman/listinfo/wg-uma
>>>



--

Adrian Gropper MD

RESTORE Health Privacy!
HELP us fight for the right to control personal health data.

DONATE: http://patientprivacyrights.org/donate-2/



-- 
@commonaccord

