Adrian;

I think it is the case that one of the comments in the document calls for a discussion/review of the viability of the BLT metaphor for UMA. When I wrote the first draft I used BLT, but on reflection the layers appear to me to be RLT not BLT:

Regulatory: Involuntary constraints of data flows imposed by law or regulation on personal information data flows and UMA endpoints. The actors at this level are variously data protection authorities, data subjects, data controllers, data processors, data custodians, third parties and so on depending on the particular regulation. The purpose of this layer is to identify accountabilities and responsibilities related to consent (or other authority), breach notification, cross border data flows and other non-technical issues.

Legal: Voluntary constraints of data flows set out between two or more parties that are participating in one or more of the UMA endpoints. The actors at this level are generally the individual or corporate entities that are the operators of the UMA endpoints (RO, AS Operator, RS Operator, etc). The purpose of this layer is to establish the trust relationships between the endpoints of the data flows that are being technically authorized by UMA. It may be the case that this “L” subsumes the “BL” in the BLT model.

Technical: The UMA Specification.




Sincerely,
John Wunderlich
@PrivacyCDN

Call: +1 (647) 669-4749
eMail: john@wunderlich.ca


On 4 July 2016 at 14:55, Adrian Gropper <agropper@healthurl.com> wrote:
I'm sorry that I had to miss Friday's call. I just had a chance to read this UMA Legal Primer and I find it inscrutable even as I'm finding the discussions in HEART more confusing week by week. Here's an alternative suggestion:

Let's start with "UMA adds three dimensions of variability to OAuth:
- Multi-party (Are clients registered with the AS or the RS? Does it need to be both?)
- Asynchronous (Alice can start by just delegating and add policies only after she gets some insight into what the Bobs want - forces us to focus on delegation)
- One delegation / location (Alice's authorization server is not domain-specific - neither should the legal agreements between RS and AS be domain specific.)

Let's focus on these three dimensions from a legal perspective. The BLT approach does not help. Neither does mentioning HEART help because HEART is even more confused than UMA. Once we get the Legal 3-D core down, a discussion of Business and Technical impacts on the Legal core might be unnecessary or just illustrative.

Adrian



On Fri, Jul 1, 2016 at 1:22 PM, Eve Maler <eve@xmlgrrl.com> wrote:
I vaguely thought there was a conflict on my calendar for next week, and just realized what it was. I'll be removing that meeting from the calendar. In the meantime, no reason not to go into the Primer to comment!... And if you have a burning desire to set up an alternate time to meet, let me know.

Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl


_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma




--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.

DONATE: http://patientprivacyrights.org/donate-2/




