Adrian;
I think it is the case that one of the comments in the document calls for a discussion/review of the viability of the BLT metaphor for UMA. When I wrote the first draft I used BLT, but on reflection the layers appear to me to be RLT not BLT:
Regulatory: Involuntary constraints of data flows imposed by law or regulation on personal information data flows and UMA endpoints. The actors at this level are variously data protection authorities, data subjects, data controllers, data processors, data custodians, third parties and so on depending on the particular regulation. The purpose of this layer is to identify accountabilities and responsibilities related to consent (or other authority), breach notification, cross border data flows and other non-technical issues.
Legal: Voluntary constraints of data flows set out between two or more parties that are participating in one or more of the UMA endpoints. That actors at this level generally the individual or corporate entities that are the operators of the UMA endpoints (RO, AS Operator, RS Operator, etc). The purpose of this layer is to establish the trust relationships between the endpoints of the data flows that are being technically authorized by UMA. It may be the case that this “L” subsumes the “BL” in the BLT model.
Technical: The UMA Specification.