As prep for reviewing the legal spaghetti, I propose we differentiate between an agent and a broker.
For our purposes, an agent has a fiduciary relationship with only one entity (the RO or the RqP) and is chosen by that entity. A doctor or a defense lawyer is an example. A broker, on the other hand, has responsibilities to both the RO and the RqP and may not be chosen by either. A court or a hospital is an example.
When it comes to protocols implemented by an AS, the AS might be acting as either an agent or a broker. When it's an agent, it was chosen by the RO or the RqP. We probably need to deal with both options separately.
When the AS is chosen by the RO from a restricted list or a federation (not self-sovereign), it could still be considered a fiduciary if it has no particular responsibility to the RqP. For example, a physician could operate an AS as an agent on behalf of her patients. The physician-operated AS is chosen by the patient, but it has no particular responsibilities to any requesting parties other than the public health authorities (for STDs) and law enforcement (for abuse).
When the AS is chosen by the RO as linked to hospital institutions (the use case Alec used in the recent webinar), the hospital is typically acting as a broker and balances the privacy needs of the RO and the RqP.
Simply put, I think we have four kinds of AS:
- Self Sovereign AS (a user agent for the RO or RqP and able to issue a non-repudiable signature)
- Fiduciary AS (an agent, chosen by the RO or RqP, from a limited federation)
- Broker AS (a mediator acceptable to both the RO and the RqP)
- Imposed AS (OAuth or other situations where the RO or RqP have no choice of AS other than to "walk")
If this covers the field, then maybe someone wants to try to explain the "cascading" protocol relationship among multiple ASs.
- Adrian