Susan, 

I agree that there’s no good answer but we should not fall into the trap of confusing security and privacy. What you describe is typically a security problem. Security, as defined by NIST, deals with hacks, breaches, bugs, exceptions. Privacy, per NIST, deals with things that work as designed. 

Rubber hose cryptography is a security issue in my book.

Adrian

On Fri, Dec 20, 2019 at 8:44 AM susan morrow <susan.morrow@avocosecure.com> wrote:
I'm jumping in having not read all of the thread (too busy) but I have a query that I myself have been thinking about for ages.

How do you prevent delegation created using coercion or force? Might not have an answer really, or at least only a part answer (I have my own views of course).

On Fri, Dec 20, 2019 at 1:29 PM SmartMail <mark@smartspecies.com> wrote:
Yeah..  

So for delegation, in a Guardian use case - the ‘Master Controller’ provides explicit consent - using a mobile application. AKA - a parent’s health care application to on-board the application - which has the technical role of authorising the function that provides and withdraws consent. They have that fiduciary obligation, and in this role, have the authority to use this application (verified by the school and perhaps the child). So the Parent - with the real world fiduciary authority of a legal guardian - uses this application (aka client) that authorises the parent as the master controller and acts technically on behalf of the parent, to consent to share a medical condition with a teacher.

The number one rule is that all of this information is not shared with any third parties - including insurers - and any breach of this - the Fiduciary (aka the parent - via the app) must be notified within 1 hour.

Is this sort of what you mean by the delegation (aka authorisation) chaining?



On 20 Dec 2019, at 13:10, Adrian Gropper <agropper@healthurl.com> wrote:

I don’t think the name: controller (GDPR uses), agent (implies delegation), or authorization server (technical) matters that much. All three aspects mix and match in real life. Adding Master to any of them can help in the sense of being the top of the delegation chain (closest to the human / biometric, or the root private key in a hierarchy).

Adrian

On Fri, Dec 20, 2019 at 5:51 AM Mark@smartspecies.com <mark@smartspecies.com> wrote:
Thanks for the explanation Adrian.. 

I see what you mean - this issue comes up a lot nowadays in different communities. What if ….

For Fiduciary Role - this Master Controller works very well IMO - using the word agent (which is the word of the broker) I think doesn’t help - but - indicating that the liability and responsibility for controlling personal data on a data subject’s behalf is placed with a controller (on top of their existing legal obligations) I think makes a lot of sense - and it basically uses a legal term that is recognised internationally for privacy. Controller ..

In application, it seems that with this fiduciary legal distinction the Master Controller’s Agent or Operator (would have that fiduciary role).

How would you define this enhanced obligation or role for a personal data controller?

Master Controller: Has the additional fiduciary role of controlling personal data, making personal data decisions on behalf of a data subject or group of data subjects, and is designated a Master (Data or PII) Controller designating this fiduciary role, which should be linked to the fiduciary governance framework/agreement/code of conduct etc.

- Mark




On 20 Dec 2019, at 03:19, Adrian Gropper <agropper@healthurl.com> wrote:

Hi Mark,

There are many names for an authorization server with a fiduciary relationship to one individual. The hard thing is bringing standards to market that will be adopted. 

Much of the energy is still focused on the false hope of data brokerage. Brokers have split responsibility to multiple parties. Brokers see themselves as “making” a market. There’s nothing wrong with that but, in practice, the brokers want to grab the role of authorization server and undermine the fiduciary principle and the standards that enable that.

Adrian 



On Tue, Dec 17, 2019 at 4:12 AM SmartMail <mark@smartspecies.com> wrote:
Hi Adrian, 

In 2005 I wrote a paper called the Master Controller Access Framework for people to have an operator that operated on their behalf.  

It seems to me, all these years later that this might be a missing element in the agent discourse - as an agent, operator, and wallet are all missing that power dynamic that you are getting at (IMO) 

What’d ya think? Master Controller Agent or Operator, Controlling Agent, etc. Puts people at the top of the hierarchy and clearly identifies liability?

- Mark 


On 17 Dec 2019, at 01:15, Adrian Gropper <agropper@healthurl.com> wrote:

This survey is intended to help the Glossary Group identify the diversity of uses of key terms in the decentralized identity ecosystem. These terms and questions came out of an initial survey of the broader DIF community.  The group will explore more terms in the future.


This invite is being cross-posted to other lists. Feel free to share with folks that might be specifically interested or email me with suggested others as we want to avoid spamming the same lists.

Thanks,
--
Adrian

--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-uma



--
Susan Morrow
Head of R&D Avoco Identity
@avocoidentity
T: 07917507826

Avoco Secure are providers of Cloud Identity, Security and Privacy solutions.

Registered Office: Avoco Secure Ltd., 16 St. Martin's-le-Grand, London EC1A 4EE. Company number : 04778206 - Registered in England and Wales.
