I told u that u could use bridgeidentity.com identities a long time ago as neutral user centric portals. Maybe a bit sooner than one could understand the importance.
From: wg-uma-bounces@kantarainitiative.org [mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of Adrian Gropper
Sent: Friday, February 19, 2016 3:59 PM
To: Eve Maler
Cc: wg-uma@kantarainitiative.org WG
Subject: Re: [WG-UMA] Notes from UMA legal telecon 2016-02-19
"It's turtles all the way down, madam."
I'm not saying Eve is the madam. What I am saying is that the ISO concepts of Subject, Controller, and Processor are of limited utility to UMA technical or legal. As long as in real life the RS has a _direct_ relationship with the Subject (and the subject's custodian in Eve's five bullets above - whoever they are, they have credentials that the RS recognizes) the RS is both a Controller and a Processor. For example, a subject or custodian can present to the RS and nullify or amend the resource registration agreement representing UMA Phase 1. With the right credentials, the AS may not even be notified - as when the FBI presents a court order to Apple :-)The AS in real life is also both a Controller and Processor. As a policy driven authority in Phase 2 it's just a processor. In Phase 1, when the resource authority (subject, custodian, whatever) is signed-in to the AS, the AS is a controller. This is where the "turtles all the way down" comes in. As soon as UMA technical or legal chooses to put the AS policies or actions under the control of someone _in addition to_ the resource authority, the resource authority can turn the AS into an RS and set up an agreement that points to an AS (the next turtle) that really is owned and controlled by the resource authority.
To map this to current events, Apple's iPhone 7 can introduce an UMA AS with a secure policy store that self-destructs if the credentials are mismanaged. That would meet my definition of an owned UMA AS and it's what I'm building as HIE of One. Is it the first turtle, or the last?Adrian
On Fri, Feb 19, 2016 at 12:15 PM, Eve Maler <eve@xmlgrrl.com> wrote:
http://kantarainitiative.org/confluence/display/uma/UMA+legal+subgroup+notes
2016-02-19
· Distinguishing resource subjects from resource owners: Can we develop a cohesive system whereby "resource subjects" without legal capacity can have "authorized agents" acting on their behalf as "resource owners" as required in order to forge "resource registration agreements" for the purpose of UMA's phase 1 particulars? Do the use cases/design patterns provide any insights or challenges here?
· See email thread
Attending: Eve, Andrew Hughes, Paul L, John, Ann, Adrian, Jon, Kathleen, Sal
Is it valuable to solve for a model where an agent can be working on behalf of resource owner vs. a resource owner?
The protean nature of the word "agent/agency" is troubling. Is there a good substitute word? If not, do we have to define *Agent for all of our terms in an UMA context? We did already have Requesting Party Agent. Perhaps, at best, we should define it operationally but stay away from legal subtleties.
We've said that resource owner = Authorizing Party. Does that work, or is it not equivalent? There are terminology questions and there are UMA architecture questions. Should we just wave away problems by making them equivalent?
· 1yo case: What if the "resource owner" (let's say they're the "subject" of the data residing in the RS) is a one-year-old kid and their mom has to manage the resources by logging in to the RS? The child is not competent to contract, even if they're old enough to sign their name. Guardian is a good name for the latter.
· 12yo case: What if the "resource owner" (let's say they're the "subject" of the data residing in the RS) is a 12-year-old kid and they're old enough to manage the resources by logging in to the RS themselves? The child is not competent to contract, even if they're old enough to manage resources online. How to architect the system and name the parties?
· Intermittently competent adult case: This is another tough one.
· Competent adult case: What if the "resource owner" (let's say again that they're the "subject" of the data residing in the RS) is actually competent to contract, but wants to have someone else manage resources for them online? There's a paper resource owner, but an online "executor" of resource management. What's a good term?
· Digital death case: After the "resource owner"...
Adrian's concern is what happens in phase 1. These use cases have different properties in that phase. Eventually (soon), we will be in a position to work on what's supposed to happen when RS's want to take an action in response to an access request that is in contradiction to the permissions contained in an RPT (requesting party token). First, we need to understand exactly "who" configured the AS to
By the way, all the same patterns could apply whether or not the resources contain PII or not. What if the resource owner created digital media that they want to sell? Is there a reason to distinguish in our terminology at all? What if a resource contains PII "in bulk" for many individuals (in directories or databases or other repositories)? This was the point of Adrian's example. Eve's point was, rather, that individuals might want to be protecting resources that don't contain PII. Okay, now we're on the same page! There are use cases for UMA that span "Alice" and "enterprise".
Let's try to conclude this decision-making process by next week, and then move on to the decisions about RS actions in contradiction.
_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma
--
Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/