This is why UMA is incomplete without the ability for the RO to register a transaction receipt endpoint. When all is said and done, as Eve describes, the only thing that keeps the system accountable and that provides the &#39;good fath&#39; notice capability that makes agency law practical is the registration of a notification endpoint at UMA resource registration time. <div><br></div><div>It seems foolish to me to leave this notification out of the spec. The question then becomes: Should the notification endpoint be at the AS or independent? </div><div><br></div><div>In my world, where the AS is specified by the RO, the answer is obvious and it brings the benefit that a &#39;good faith&#39; override by the RS might trigger a change in AS policy for the next transaction.</div><div><br></div><div>In a case where the AS is not legally and effectively specified by the RO, there&#39;s good reason for the RO to want to specify a notification endpoint that they do control. This then means the RO needs to interact with the AS out-of-band in reaction to whatever the RS just did to them.</div><div><br></div><div>Adrian</div><div><br>On Thursday, June 2, 2016, Eve Maler &lt;<a href="mailto:eve@xmlgrrl.com">eve@xmlgrrl.com</a>&gt; wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">John W asked in Skype whether deterministic sets, as we were just talking about in the call today, would allow for overrides of a policy for purposes of data localization or regulation etc. My response was that it&#39;s an AS that represents the results of the RO&#39;s policy in a token, and it&#39;s an RS that might override those results once the client brings that token over to the RS (the &quot;Adrian clause&quot;).<div><br></div><div>Thus, I wondered if the RS&#39;s actual granted access should be considered a sixth set of a scopes that we should track, describe, etc. in the spec. It would probably be useful in the UMA Legal work, at a minimum!</div><div><br></div><div>I also noted that the RS might need to do overrides in an out-of-band-of-UMA situation. As we&#39;ve discussed in the past, such a situation might include court order or a &quot;break glass&quot; situation. This would mean that this set of scopes could be interestingly disjoint from the original five sets.</div><div><br></div><div>Thoughts?<br><div><div><br></div><div>(BTW, I&#39;ve sent out Slack invitations, as we&#39;d promised, to everyone who currently gets Google Calendar invitations to our WG meetings, plus whoever else asked for an invitation. If you&#39;d like to get an invitation in addition, drop me a private note.)<br clear="all"><div><div data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><span style="font-size:12.8px;line-height:normal"><br></span></div><div dir="ltr"><b style="font-size:12.8px;line-height:normal">Eve Maler<br></b><span style="font-size:12.8px;line-height:normal">Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl</span><br></div><div dir="ltr"><span style="font-size:12.8px;line-height:normal"><br></span></div></div></div></div></div>
</div></div></div></div>
</blockquote></div><br><br>-- <br><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><br><div dir="ltr">Adrian Gropper MD<span style="font-size:11pt"></span><br><br><span style="font-family:&quot;Arial&quot;,sans-serif;color:#1f497d">PROTECT YOUR FUTURE - RESTORE Health Privacy!</span><span style="font-family:&quot;Arial&quot;,sans-serif;color:#1f497d"><br>HELP us fight for the right to control personal health data.</span><span style="font-family:&quot;Arial&quot;,sans-serif;color:#1f497d"></span><span style="font-family:&quot;Arial&quot;,sans-serif;color:#1f497d"><br>DONATE:
<a href="http://patientprivacyrights.org/donate-2/" target="_blank"><span style="color:#0563c1">http://patientprivacyrights.org/donate-2/</span></a></span><span style="color:#1f497d"></span>
</div></div></div></div></div></div></div><br>