Eve,
You may be right that UMA does not inject a new "data by reference" solution but your use-cases are completely different from mine and I reach a very different conclusion.
In my use-cases, Alice owns her AS vs. all of yours where she owns the RS.
The situation in healthcare has shown little value for Alice owning her RS or outsourcing it. We call Alice's RS a Personal Health Record (PHR). PHRs have failed spectacularly in the marketplace (I'm responsible for $4.2 M and 7 years of that failed market myself) because processing data from the PHR is very expensive for the recipient client. The data has lost provenance (because digital signatures are still uncommon) and it's always stale. Worst of all, the "scope" problem is practically insoluble. The vast majority of data has been munged through two scope filters: first when it fas grabbed from the source RS to the PHR and second when it goes from the PHR to the client. The lack of a consistent data model for the PHR as intermediary RS doesn't help either. The result of this scope problem is twofold. First, because the in and out scopes don't match in the temporal sense, the PHR has a lot of redundancy and lacks the authority (such as a professional license) to eliminate the redundancy. Second, and much more expensive, the client that gets data from the PHR receives a lot of abnormal results that it did not order and now has the liability of dealing or not dealing with these abnormalities. No doctor is paid to deal with this kind of thing and no patient or payer wants to have repeat follow-up for things that have already been addressed in a prior context.
The reason UMA is going to take over healthcare is because it solves all of the problems of PHRs as intermediaries.
Why UMA and not health information exchanges (HIE)? States and the feds have spent more than a decade and many $Billions trying to map the interoperability problem onto a "trusted" intermediary called a HIE. Some of these HIEs act as an RS, transacting the data by value and have most of the same issues as the PHR above. Many HIEs however have adopted the "by reference" model and only manage consent to participate, discovery, and authorization for access. This maps into the AS role in UMA with the AS is operated by a "trusted" institution, the HIE, as part of a federation with RSs and clients.
The problem with the institutional HIE as AS is different from the PHR or HIE "by value" approach and it's _governance_. When it comes to data about human beings, the governance of the AS intermediary may be impossible. The reason is that society is not well equipped to govern activities related to unlicensed actors. Patients are unlicensed actors. This governance problem first shows up as difficulty deciding whether to use an "opt-in" or an "opt-out" consent model for participation in the HIE. Then it shows up in trying to federate access to the HIE over broad ranges of clients ranging form federal facilities (the VA, Medicare), state facilities, multi-$Billion hospitals, solo MDs in another state, nursing homes, pharmacies, home health aides, .... All of these are potential clients of the HIE and federations of such strange bedfellows are difficult to govern. It gets worse when you add IoT.
My thesis is that the only solution is to enable Alice to build, run, or outsource her AS. This avoids the PHR scopes problem and much of the HIE governance problem. The federations, be they authentication or authorization federations, still add significant value, but they have to compete with Alice building or running her own AS and that keeps the federated system honest, market-based, and potentially governable.
As I see it, the problem for UMA and HEART is relatively obvious: ensure that the RS is implemented in a way that makes the AS substitutable. This is what I'm hoping HEART will figure out and it's something a couple of us are building around the MITREid Connect implementation - with very limited resources.
It's not clear to us that are working on this whether this prospect of millions of potential ASs is compatible with UMA 1.0. Apparently this is related to the #154 issue which I'm still trying to understand.
Adrian