Reminder: UMA legal subgroup telecon 2015-08-21
Fri Aug 21 8-9am PT Voice: Skype: +99051000000481 or US +1-805-309-2350 (international dial-in lines <https://www.turbobridge.com/join.html>), room code 178-2540# Screen sharing: http://join.me/findthomas <http://join.me/findthomas> - NOTE: IGNORE the join.me <http://join.me/> dial-in line shown here in favor of the dial-in info above (Kantara "line C" and the Skype line) UMA calendar: http://kantarainitiative.org/confluence/display/uma/Calendar <http://kantarainitiative.org/confluence/display/uma/Calendar> Analyze new (positive and negative) use cases sent to the list Is this list complete enough to be going on with, for our purposes? Do we need to capture use cases for different “topologies" (deployment ecosystems) too? What would “structuring the transaction” look like in terms of accomplishing our mission? How would consent receipts/logging/auditing come into play? (I apologize for getting this agenda out so late!) Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
Attending: Eve, Andrew, Jon, Adrian, Randy, Dazza, Tom, Mark, Jeff
Analyze new (positive and negative) use cases sent to the list Is this list complete enough to be going on with, for our purposes? Do we need to capture use cases for different “topologies" (deployment ecosystems) too? What would “structuring the transaction” look like in terms of accomplishing our mission? How would consent receipts/logging/auditing come into play?
Dazza can sweep questions and answers into the wiki <https://github.com/KantaraInitiative/wg-uma/wiki>. The idea with the “roles” page is also to capture term definitions. “Principal” is often used in the law for a individual person. There’s also “Agent” and “Third Party”, to complete the triangle. So perhaps we can leverage “Principal” when we talk about any one use case — if we focus on Alice, is she the principal? or is, say, someone else the principal in this use case? Does UMA allow RqPs to connect to the data of ROs “by reference”? No; RqPs (and their client applications) really do “get” the data. Adrian wants to stress that UMA differs from traditional PHR models, however. In contrast to shinkwrapped licenses, consent directive models, and any static prior-consent model, UMA enables fine-grained revocation, adjustment, remediation, and transactional authorization of data access. The value proposition, as Adrian sees it, to putting this type of system in place, is that breaches would be detected instantly rather than in many months. (This is interesting but offtopic; can Adrian write this up for further consideration?) Consent vs. Authorization - should we see a distinction here? There are definitions of consent in various laws. User Control vs. User Management - let’s suss this out too. Does this come out of 29100? Let’s just collect use cases and note their potential applicability to the terms. Is the use case where Alice runs her own RS interesting to us? Adrian believes it’s not particularly interesting (personal clouds/data stores aside). His interest runs to a personally run AS. Let’s take a use case with that assumption and work it through. Eve believes we also need to run through an institutionally run AS. Where would the consent receipts get sent? They would kind of go to the same place that they’re generated. Is that a problem? This seems to be our first “minimal pair” of use cases. If we assume Alice is the principal, that’s our perspective. What vertical (if any) should we pick? Healthcare has the danger of being not very cross-jurisdictional. Could we pick something like students and schools, which has privacy concerns (in the US it would be FERPA), or merchant and consumer transactions (which have trade and sale-of-goods laws)? As an aside, Eve notes that the UMA authorization framework could actually be used as a payment framework. “Claims” demanded for access could be something like a receipt proving payment. Dazza mentions US’s FCRA coming into play in that case. And then the FIPPs come in. Adrian’s concern about schools is that they tend to use identity federations, which he doesn’t want to put into play. Could we avoid that element in putting together our use cases? Eve’s point about “topologies” above was about how many "access federation" parties are in the picture, and we have been talking about that so far — but can we just leave the equivalent identity federation topologies aside? AI: Dazza and Eve: Coordinate on producing 2 or 3 candidate distinctive use cases that flesh out the AS possibilities, non-vertical-specific and identity-federation-agnostic. Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
Sorry — here’s a better subject line!
On 21 Aug 2015, at 9:01 AM, Eve Maler <eve@xmlgrrl.com> wrote:
Attending: Eve, Andrew, Jon, Adrian, Randy, Dazza, Tom, Mark, Jeff
Analyze new (positive and negative) use cases sent to the list Is this list complete enough to be going on with, for our purposes? Do we need to capture use cases for different “topologies" (deployment ecosystems) too? What would “structuring the transaction” look like in terms of accomplishing our mission? How would consent receipts/logging/auditing come into play?
Dazza can sweep questions and answers into the wiki <https://github.com/KantaraInitiative/wg-uma/wiki>. The idea with the “roles” page is also to capture term definitions. “Principal” is often used in the law for a individual person. There’s also “Agent” and “Third Party”, to complete the triangle. So perhaps we can leverage “Principal” when we talk about any one use case — if we focus on Alice, is she the principal? or is, say, someone else the principal in this use case?
Does UMA allow RqPs to connect to the data of ROs “by reference”? No; RqPs (and their client applications) really do “get” the data. Adrian wants to stress that UMA differs from traditional PHR models, however. In contrast to shinkwrapped licenses, consent directive models, and any static prior-consent model, UMA enables fine-grained revocation, adjustment, remediation, and transactional authorization of data access.
The value proposition, as Adrian sees it, to putting this type of system in place, is that breaches would be detected instantly rather than in many months. (This is interesting but offtopic; can Adrian write this up for further consideration?)
Consent vs. Authorization - should we see a distinction here? There are definitions of consent in various laws.
User Control vs. User Management - let’s suss this out too. Does this come out of 29100? Let’s just collect use cases and note their potential applicability to the terms.
Is the use case where Alice runs her own RS interesting to us? Adrian believes it’s not particularly interesting (personal clouds/data stores aside). His interest runs to a personally run AS. Let’s take a use case with that assumption and work it through. Eve believes we also need to run through an institutionally run AS. Where would the consent receipts get sent? They would kind of go to the same place that they’re generated. Is that a problem?
This seems to be our first “minimal pair” of use cases. If we assume Alice is the principal, that’s our perspective. What vertical (if any) should we pick? Healthcare has the danger of being not very cross-jurisdictional. Could we pick something like students and schools, which has privacy concerns (in the US it would be FERPA), or merchant and consumer transactions (which have trade and sale-of-goods laws)?
As an aside, Eve notes that the UMA authorization framework could actually be used as a payment framework. “Claims” demanded for access could be something like a receipt proving payment. Dazza mentions US’s FCRA coming into play in that case. And then the FIPPs come in.
Adrian’s concern about schools is that they tend to use identity federations, which he doesn’t want to put into play. Could we avoid that element in putting together our use cases? Eve’s point about “topologies” above was about how many "access federation" parties are in the picture, and we have been talking about that so far — but can we just leave the equivalent identity federation topologies aside?
AI: Dazza and Eve: Coordinate on producing 2 or 3 candidate distinctive use cases that flesh out the AS possibilities, non-vertical-specific and identity-federation-agnostic.
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com <mailto:xmlgrrl@gmail.com>
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
Sorry to be irregularly following - I'm not really connected until Sept 2. If I'm following correctly, Dazza's suggestion to state/restate permission/consent/authorization in agency terms is now an agenda item. That seems very useful - ready-made use cases and dovetailing to legal experience and vocabulary. Perhaps also a good base for mapping to a variety of uses, jurisdictions, languages, etc. I'd be delighted to participate, even in my disconnected state. On 8/21/15 8:22 PM, Eve Maler wrote:
Sorry — here’s a better subject line!
On 21 Aug 2015, at 9:01 AM, Eve Maler <eve@xmlgrrl.com <mailto:eve@xmlgrrl.com>> wrote:
Attending: Eve, Andrew, Jon, Adrian, Randy, Dazza, Tom, Mark, Jeff
*
Analyze new (positive and negative) use cases sent to the list o Is this list complete enough to be going on with, for our purposes? o Do we need to capture use cases for different “topologies" (deployment ecosystems) too? * What would “structuring the transaction” look like in terms of accomplishing our mission? * How would consent receipts/logging/auditing come into play?
Dazza can sweep questions and answers into the wiki <https://github.com/KantaraInitiative/wg-uma/wiki>. The idea with the “roles” page is also to capture term definitions. “Principal” is often used in the law for a individual person. There’s also “Agent” and “Third Party”, to complete the triangle. So perhaps we can leverage “Principal” when we talk about any one use case — if we focus on Alice, is she the principal? or is, say, someone else the principal in this use case?
Does UMA allow RqPs to connect to the data of ROs “by reference”? No; RqPs (and their client applications) really do “get” the data. Adrian wants to stress that UMA differs from traditional PHR models, however. In contrast to shinkwrapped licenses, consent directive models, and any static prior-consent model, UMA enables fine-grained revocation, adjustment, remediation, and *transactional authorization of data access*.
The value proposition, as Adrian sees it, to putting this type of system in place, is that breaches would be detected instantly rather than in many months. (This is interesting but offtopic; can Adrian write this up for further consideration?)
Consent vs. Authorization - should we see a distinction here? There are definitions of consent in various laws.
User Control vs. User Management - let’s suss this out too. Does this come out of 29100? Let’s just collect use cases and note their potential applicability to the terms.
Is the use case where Alice runs her own RS interesting to us? Adrian believes it’s not particularly interesting (personal clouds/data stores aside). His interest runs to a personally run AS. Let’s take a use case with that assumption and work it through. Eve believes we also need to run through an institutionally run AS. Where would the consent receipts get sent? They would kind of go to the same place that they’re generated. Is that a problem?
This seems to be our first “minimal pair” of use cases. If we assume Alice is the principal, that’s our perspective. What vertical (if any) should we pick? Healthcare has the danger of being not very cross-jurisdictional. Could we pick something like students and schools, which has privacy concerns (in the US it would be FERPA), or merchant and consumer transactions (which have trade and sale-of-goods laws)?
As an aside, Eve notes that the UMA authorization framework could actually be used as a payment framework. “Claims” demanded for access could be something like a receipt proving payment. Dazza mentions US’s FCRA coming into play in that case. And then the FIPPs come in.
Adrian’s concern about schools is that they tend to use identity federations, which he doesn’t want to put into play. Could we avoid that element in putting together our use cases? Eve’s point about “topologies” above was about how many "access federation" parties are in the picture, and we have been talking about that so far — but can we just leave the equivalent identity federation topologies aside?
AI: Dazza and Eve: Coordinate on producing 2 or 3 candidate distinctive use cases that flesh out the AS possibilities, non-vertical-specific and identity-federation-agnostic.
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com <mailto:xmlgrrl@gmail.com>
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org <mailto:WG-UMA@kantarainitiative.org> http://kantarainitiative.org/mailman/listinfo/wg-uma
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com <mailto:xmlgrrl@gmail.com>
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
-- @commonaccord
Yes, absolutely. Principal/Agent/Third Party (from some UMA entity’s perspective, perhaps picking them off one at a time?) was the idea, I think, keeping in mind that ianal… It would be great to have your participation on this! Eve
On 21 Aug 2015, at 9:30 PM, James Hazard <james.g.hazard@gmail.com> wrote:
Sorry to be irregularly following - I'm not really connected until Sept 2.
If I'm following correctly, Dazza's suggestion to state/restate permission/consent/authorization in agency terms is now an agenda item. That seems very useful - ready-made use cases and dovetailing to legal experience and vocabulary. Perhaps also a good base for mapping to a variety of uses, jurisdictions, languages, etc. I'd be delighted to participate, even in my disconnected state.
On 8/21/15 8:22 PM, Eve Maler wrote:
Sorry — here’s a better subject line!
On 21 Aug 2015, at 9:01 AM, Eve Maler < <mailto:eve@xmlgrrl.com>eve@xmlgrrl.com <mailto:eve@xmlgrrl.com>> wrote:
Attending: Eve, Andrew, Jon, Adrian, Randy, Dazza, Tom, Mark, Jeff
Analyze new (positive and negative) use cases sent to the list Is this list complete enough to be going on with, for our purposes? Do we need to capture use cases for different “topologies" (deployment ecosystems) too? What would “structuring the transaction” look like in terms of accomplishing our mission? How would consent receipts/logging/auditing come into play?
Dazza can sweep questions and answers into the wiki <https://github.com/KantaraInitiative/wg-uma/wiki>. The idea with the “roles” page is also to capture term definitions. “Principal” is often used in the law for a individual person. There’s also “Agent” and “Third Party”, to complete the triangle. So perhaps we can leverage “Principal” when we talk about any one use case — if we focus on Alice, is she the principal? or is, say, someone else the principal in this use case?
Does UMA allow RqPs to connect to the data of ROs “by reference”? No; RqPs (and their client applications) really do “get” the data. Adrian wants to stress that UMA differs from traditional PHR models, however. In contrast to shinkwrapped licenses, consent directive models, and any static prior-consent model, UMA enables fine-grained revocation, adjustment, remediation, and transactional authorization of data access.
The value proposition, as Adrian sees it, to putting this type of system in place, is that breaches would be detected instantly rather than in many months. (This is interesting but offtopic; can Adrian write this up for further consideration?)
Consent vs. Authorization - should we see a distinction here? There are definitions of consent in various laws.
User Control vs. User Management - let’s suss this out too. Does this come out of 29100? Let’s just collect use cases and note their potential applicability to the terms.
Is the use case where Alice runs her own RS interesting to us? Adrian believes it’s not particularly interesting (personal clouds/data stores aside). His interest runs to a personally run AS. Let’s take a use case with that assumption and work it through. Eve believes we also need to run through an institutionally run AS. Where would the consent receipts get sent? They would kind of go to the same place that they’re generated. Is that a problem?
This seems to be our first “minimal pair” of use cases. If we assume Alice is the principal, that’s our perspective. What vertical (if any) should we pick? Healthcare has the danger of being not very cross-jurisdictional. Could we pick something like students and schools, which has privacy concerns (in the US it would be FERPA), or merchant and consumer transactions (which have trade and sale-of-goods laws)?
As an aside, Eve notes that the UMA authorization framework could actually be used as a payment framework. “Claims” demanded for access could be something like a receipt proving payment. Dazza mentions US’s FCRA coming into play in that case. And then the FIPPs come in.
Adrian’s concern about schools is that they tend to use identity federations, which he doesn’t want to put into play. Could we avoid that element in putting together our use cases? Eve’s point about “topologies” above was about how many "access federation" parties are in the picture, and we have been talking about that so far — but can we just leave the equivalent identity federation topologies aside?
AI: Dazza and Eve: Coordinate on producing 2 or 3 candidate distinctive use cases that flesh out the AS possibilities, non-vertical-specific and identity-federation-agnostic.
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: <mailto:xmlgrrl@gmail.com>xmlgrrl@gmail.com <mailto:xmlgrrl@gmail.com>
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org <mailto:WG-UMA@kantarainitiative.org> http://kantarainitiative.org/mailman/listinfo/wg-uma <http://kantarainitiative.org/mailman/listinfo/wg-uma>
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com <mailto:xmlgrrl@gmail.com>
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org <mailto:WG-UMA@kantarainitiative.org> http://kantarainitiative.org/mailman/listinfo/wg-uma <http://kantarainitiative.org/mailman/listinfo/wg-uma>
-- @commonaccord _______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
Jim: Yes, that is what was intended. Glad you like it! Will would be fun to hack the default rules of agency law via CommonAccord as though each UMA entity had agreed in writing! Agency is not the only source of default underlying law that applies (there is also basic property law, torts, etc) but I think it's a really good start. Eve: +1 on picking them off from each UMA entity’s perspective, one at a time. All: This body of law is codified by the American Law Institute (wise elders of American law) under the title "Restatement" of the Law of Agency https://www.ali.org/publications/show/agency/ which unfortunately is proprietary IP but we can use open license articulations of each relevant rule for the use cases. | Sent from my iPhone | Please Forgive Typos _________________ | Dazza Greenwood, JD | CIVICS.com, Founder & Principal | MIT Media Lab, Visiting Scientist | Vmail: 617.500.3644 | Email: dazza@CIVICS.com | Biz: http://CIVICS.com | MIT: https://law.MIT.edu | Me: DazzaGreenwood.com | Twitter: @DazzaGreenwood | Google+: google.com/+DazzaGreenwood | LinkedIn: linkedin.com/in/DazzaGreenwood | GitHub: github.com/DazzaGreenwood/Interface
On Aug 22, 2015, at 2:01 PM, Eve Maler <eve@xmlgrrl.com> wrote:
Yes, absolutely. Principal/Agent/Third Party (from some UMA entity’s perspective, perhaps picking them off one at a time?) was the idea, I think, keeping in mind that ianal… It would be great to have your participation on this!
Eve
On 21 Aug 2015, at 9:30 PM, James Hazard <james.g.hazard@gmail.com> wrote:
Sorry to be irregularly following - I'm not really connected until Sept 2.
If I'm following correctly, Dazza's suggestion to state/restate permission/consent/authorization in agency terms is now an agenda item. That seems very useful - ready-made use cases and dovetailing to legal experience and vocabulary. Perhaps also a good base for mapping to a variety of uses, jurisdictions, languages, etc. I'd be delighted to participate, even in my disconnected state.
On 8/21/15 8:22 PM, Eve Maler wrote: Sorry — here’s a better subject line!
On 21 Aug 2015, at 9:01 AM, Eve Maler <eve@xmlgrrl.com> wrote:
Attending: Eve, Andrew, Jon, Adrian, Randy, Dazza, Tom, Mark, Jeff
Analyze new (positive and negative) use cases sent to the list Is this list complete enough to be going on with, for our purposes? Do we need to capture use cases for different “topologies" (deployment ecosystems) too? What would “structuring the transaction” look like in terms of accomplishing our mission? How would consent receipts/logging/auditing come into play?
Dazza can sweep questions and answers into the wiki. The idea with the “roles” page is also to capture term definitions. “Principal” is often used in the law for a individual person. There’s also “Agent” and “Third Party”, to complete the triangle. So perhaps we can leverage “Principal” when we talk about any one use case — if we focus on Alice, is she the principal? or is, say, someone else the principal in this use case?
Does UMA allow RqPs to connect to the data of ROs “by reference”? No; RqPs (and their client applications) really do “get” the data. Adrian wants to stress that UMA differs from traditional PHR models, however. In contrast to shinkwrapped licenses, consent directive models, and any static prior-consent model, UMA enables fine-grained revocation, adjustment, remediation, and transactional authorization of data access.
The value proposition, as Adrian sees it, to putting this type of system in place, is that breaches would be detected instantly rather than in many months. (This is interesting but offtopic; can Adrian write this up for further consideration?)
Consent vs. Authorization - should we see a distinction here? There are definitions of consent in various laws.
User Control vs. User Management - let’s suss this out too. Does this come out of 29100? Let’s just collect use cases and note their potential applicability to the terms.
Is the use case where Alice runs her own RS interesting to us? Adrian believes it’s not particularly interesting (personal clouds/data stores aside). His interest runs to a personally run AS. Let’s take a use case with that assumption and work it through. Eve believes we also need to run through an institutionally run AS. Where would the consent receipts get sent? They would kind of go to the same place that they’re generated. Is that a problem?
This seems to be our first “minimal pair” of use cases. If we assume Alice is the principal, that’s our perspective. What vertical (if any) should we pick? Healthcare has the danger of being not very cross-jurisdictional. Could we pick something like students and schools, which has privacy concerns (in the US it would be FERPA), or merchant and consumer transactions (which have trade and sale-of-goods laws)?
As an aside, Eve notes that the UMA authorization framework could actually be used as a payment framework. “Claims” demanded for access could be something like a receipt proving payment. Dazza mentions US’s FCRA coming into play in that case. And then the FIPPs come in.
Adrian’s concern about schools is that they tend to use identity federations, which he doesn’t want to put into play. Could we avoid that element in putting together our use cases? Eve’s point about “topologies” above was about how many "access federation" parties are in the picture, and we have been talking about that so far — but can we just leave the equivalent identity federation topologies aside?
AI: Dazza and Eve: Coordinate on producing 2 or 3 candidate distinctive use cases that flesh out the AS possibilities, non-vertical-specific and identity-federation-agnostic.
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
-- @commonaccord _______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
Here is a very rudimentary example of provisions to adopt the Restatement of Agency as legal framing for an agreement. It is just a stub. The stub is here (click on "Document" to see a use of the text). http://cmacc-uma.herokuapp.com/index.php?action=source&file=/Agency/Restatement_Clauses_01.md The source is on GitHub (click on "GitHub"): https://github.com/CommonAccord/Cmacc-UMA/blob/master/Doc/Agency/Restatement... I plopped this into a little demo for UMA terms that I did earlier and made a few adaptations. It is obviously incomplete, among other reasons because the Requesting Party (whom I take to be an agent of the Authorizing Party) has an agent (the Requesting Party Agent). This would need to be addressed and "Parties" would need to include all three. The goal of this little demo is to give a sense of how CommonAccord can integrate legal text. http://cmacc-uma.herokuapp.com/index.php?action=source&file=/Demo/AP-RP-RPA_Robinson-Acme-Altima.md (click on "Document") On 8/22/15 9:54 PM, Dazza Greenwood wrote:
Jim: Yes, that is what was intended. Glad you like it! Will would be fun to hack the default rules of agency law via CommonAccord as though each UMA entity had agreed in writing! Agency is not the only source of default underlying law that applies (there is also basic property law, torts, etc) but I think it's a really good start.
Eve: +1 on picking them off from each UMA entity’s perspective, one at a time.
All: This body of law is codified by the American Law Institute (wise elders of American law) under the title "Restatement" of the Law of Agency https://www.ali.org/publications/show/agency/ which unfortunately is proprietary IP but we can use open license articulations of each relevant rule for the use cases.
| Sent from my iPhone | Please Forgive Typos _________________ | Dazza Greenwood, JD | CIVICS.com <http://civics.com/>, Founder & Principal | MIT Media Lab, Visiting Scientist | Vmail: 617.500.3644 <tel:617.500.3644> | Email: dazza@CIVICS.com <mailto:dazza@CIVICS.com> | Biz: http://CIVICS.com | MIT: https://law.MIT.edu <https://law.mit.edu/> | Me: DazzaGreenwood.com <http://dazzagreenwood.com/> | Twitter: @DazzaGreenwood | Google+: google.com/+DazzaGreenwood <http://google.com/+DazzaGreenwood> | LinkedIn: linkedin.com/in/DazzaGreenwood <http://linkedin.com/in/DazzaGreenwood> | GitHub: github.com/DazzaGreenwood/Interface <http://github.com/DazzaGreenwood/Interface>
On Aug 22, 2015, at 2:01 PM, Eve Maler <eve@xmlgrrl.com <mailto:eve@xmlgrrl.com>> wrote:
Yes, absolutely. Principal/Agent/Third Party (from some UMA entity’s perspective, perhaps picking them off one at a time?) was the idea, I think, keeping in mind that ianal… It would be great to have your participation on this!
Eve
On 21 Aug 2015, at 9:30 PM, James Hazard <james.g.hazard@gmail.com <mailto:james.g.hazard@gmail.com>> wrote:
Sorry to be irregularly following - I'm not really connected until Sept 2.
If I'm following correctly, Dazza's suggestion to state/restate permission/consent/authorization in agency terms is now an agenda item. That seems very useful - ready-made use cases and dovetailing to legal experience and vocabulary. Perhaps also a good base for mapping to a variety of uses, jurisdictions, languages, etc. I'd be delighted to participate, even in my disconnected state.
On 8/21/15 8:22 PM, Eve Maler wrote:
Sorry — here’s a better subject line!
On 21 Aug 2015, at 9:01 AM, Eve Maler <eve@xmlgrrl.com> wrote:
Attending: Eve, Andrew, Jon, Adrian, Randy, Dazza, Tom, Mark, Jeff
*
Analyze new (positive and negative) use cases sent to the list o Is this list complete enough to be going on with, for our purposes? o Do we need to capture use cases for different “topologies" (deployment ecosystems) too? * What would “structuring the transaction” look like in terms of accomplishing our mission? * How would consent receipts/logging/auditing come into play?
Dazza can sweep questions and answers into the wiki <https://github.com/KantaraInitiative/wg-uma/wiki>. The idea with the “roles” page is also to capture term definitions. “Principal” is often used in the law for a individual person. There’s also “Agent” and “Third Party”, to complete the triangle. So perhaps we can leverage “Principal” when we talk about any one use case — if we focus on Alice, is she the principal? or is, say, someone else the principal in this use case?
Does UMA allow RqPs to connect to the data of ROs “by reference”? No; RqPs (and their client applications) really do “get” the data. Adrian wants to stress that UMA differs from traditional PHR models, however. In contrast to shinkwrapped licenses, consent directive models, and any static prior-consent model, UMA enables fine-grained revocation, adjustment, remediation, and *transactional authorization of data access*.
The value proposition, as Adrian sees it, to putting this type of system in place, is that breaches would be detected instantly rather than in many months. (This is interesting but offtopic; can Adrian write this up for further consideration?)
Consent vs. Authorization - should we see a distinction here? There are definitions of consent in various laws.
User Control vs. User Management - let’s suss this out too. Does this come out of 29100? Let’s just collect use cases and note their potential applicability to the terms.
Is the use case where Alice runs her own RS interesting to us? Adrian believes it’s not particularly interesting (personal clouds/data stores aside). His interest runs to a personally run AS. Let’s take a use case with that assumption and work it through. Eve believes we also need to run through an institutionally run AS. Where would the consent receipts get sent? They would kind of go to the same place that they’re generated. Is that a problem?
This seems to be our first “minimal pair” of use cases. If we assume Alice is the principal, that’s our perspective. What vertical (if any) should we pick? Healthcare has the danger of being not very cross-jurisdictional. Could we pick something like students and schools, which has privacy concerns (in the US it would be FERPA), or merchant and consumer transactions (which have trade and sale-of-goods laws)?
As an aside, Eve notes that the UMA authorization framework could actually be used as a payment framework. “Claims” demanded for access could be something like a receipt proving payment. Dazza mentions US’s FCRA coming into play in that case. And then the FIPPs come in.
Adrian’s concern about schools is that they tend to use identity federations, which he doesn’t want to put into play. Could we avoid that element in putting together our use cases? Eve’s point about “topologies” above was about how many "access federation" parties are in the picture, and we have been talking about that so far — but can we just leave the equivalent identity federation topologies aside?
AI: Dazza and Eve: Coordinate on producing 2 or 3 candidate distinctive use cases that flesh out the AS possibilities, non-vertical-specific and identity-federation-agnostic.
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org <mailto:WG-UMA@kantarainitiative.org> http://kantarainitiative.org/mailman/listinfo/wg-uma
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com <mailto:xmlgrrl@gmail.com>
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
-- @commonaccord _______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org <mailto:WG-UMA@kantarainitiative.org> http://kantarainitiative.org/mailman/listinfo/wg-uma
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com <mailto:xmlgrrl@gmail.com>
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org <mailto:WG-UMA@kantarainitiative.org> http://kantarainitiative.org/mailman/listinfo/wg-uma
-- @commonaccord
Coolness — now I see how this thingie works. I’m not sure (using the original binding obligations terms) that the Requesting Party is always an agent of the Authorizing Party, if that means there’s an “on behalf of” relationship. In fact, I’m sure they’re not always (though sometimes they might be). What if research firm BobCo wants to use Alice’s health or demographic data in a study, and she agrees? Eve
On 24 Aug 2015, at 12:02 PM, James Hazard <james.g.hazard@gmail.com> wrote:
Here is a very rudimentary example of provisions to adopt the Restatement of Agency as legal framing for an agreement. It is just a stub.
The stub is here (click on "Document" to see a use of the text). http://cmacc-uma.herokuapp.com/index.php?action=source&file=/Agency/Restatement_Clauses_01.md <http://cmacc-uma.herokuapp.com/index.php?action=source&file=/Agency/Restatement_Clauses_01.md>
The source is on GitHub (click on "GitHub"): https://github.com/CommonAccord/Cmacc-UMA/blob/master/Doc/Agency/Restatement... <https://github.com/CommonAccord/Cmacc-UMA/blob/master/Doc/Agency/Restatement_Clauses_01.md>
I plopped this into a little demo for UMA terms that I did earlier and made a few adaptations. It is obviously incomplete, among other reasons because the Requesting Party (whom I take to be an agent of the Authorizing Party) has an agent (the Requesting Party Agent). This would need to be addressed and "Parties" would need to include all three. The goal of this little demo is to give a sense of how CommonAccord can integrate legal text.
http://cmacc-uma.herokuapp.com/index.php?action=source&file=/Demo/AP-RP-RPA_Robinson-Acme-Altima.md <http://cmacc-uma.herokuapp.com/index.php?action=source&file=/Demo/AP-RP-RPA_Robinson-Acme-Altima.md> (click on "Document")
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
Agreed that Requesting Party is not always an agent of Authorizing Party, and indeed sometimes Requesting Party will want to disclaim a fiduciary relationship. BobCo example likely would not be an agent if for medical research, though my understanding is that there are often express or implied duties to the patient and the patient is increasingly viewed as a participant. If BobCo was to recommend a therapy or find life insurance, then might well be an agent. A way of working through these issues is to start with examples of existing documents used in similar circumstances - like the patient consents - and see what can be systematized. On 8/24/15 10:12 PM, Eve Maler wrote:
Coolness — now I see how this thingie works.
I’m not sure (using the original binding obligations terms) that the Requesting Party is always an agent of the Authorizing Party, if that means there’s an “on behalf of” relationship. In fact, I’m sure they’re /not/ always (though sometimes they might be). What if research firm BobCo wants to use Alice’s health or demographic data in a study, and she agrees?
Eve
On 24 Aug 2015, at 12:02 PM, James Hazard <james.g.hazard@gmail.com <mailto:james.g.hazard@gmail.com>> wrote:
Here is a very rudimentary example of provisions to adopt the Restatement of Agency as legal framing for an agreement. It is just a stub.
The stub is here (click on "Document" to see a use of the text). http://cmacc-uma.herokuapp.com/index.php?action=source&file=/Agency/Restatement_Clauses_01.md
The source is on GitHub (click on "GitHub"): https://github.com/CommonAccord/Cmacc-UMA/blob/master/Doc/Agency/Restatement...
I plopped this into a little demo for UMA terms that I did earlier and made a few adaptations. It is obviously incomplete, among other reasons because the Requesting Party (whom I take to be an agent of the Authorizing Party) has an agent (the Requesting Party Agent). This would need to be addressed and "Parties" would need to include all three. The goal of this little demo is to give a sense of how CommonAccord can integrate legal text.
http://cmacc-uma.herokuapp.com/index.php?action=source&file=/Demo/AP-RP-RPA_Robinson-Acme-Altima.md (click on "Document")
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com <mailto:xmlgrrl@gmail.com>
-- @commonaccord
A follow up thought. Overall, the "legal" part of transacting can be seen as a grid with each transaction being a new set of connections in the grid (technically, this is a "graph" but that word is unusable because it has such a strong, different meaning for most of us). Things (objects) to connect include persons and forms, as well as properties, data, times, etc. "Forms" are themselves collections of clauses which can also be treated as objects. Since legal "reality" is mostly text and bounded, if we handle text decently, we can address many problems of law. Two brief examples - Sequence of steps: The original escrow example that Primavera and I did almost a year ago - somewhat updated - shows a succession of events - offer, order, signature, complaint, response: http://www.commonaccord.org/index.php?action=list&file=doc/escrow/ A "form" can be (is always?) a product of legislative and community exigencies - and we can treat those as sources in a chain of supply. http://privacy.commonaccord.org/index.php?action=list&file=CPBR/ On 8/24/15 10:24 PM, James Hazard wrote:
Agreed that Requesting Party is not always an agent of Authorizing Party, and indeed sometimes Requesting Party will want to disclaim a fiduciary relationship. BobCo example likely would not be an agent if for medical research, though my understanding is that there are often express or implied duties to the patient and the patient is increasingly viewed as a participant. If BobCo was to recommend a therapy or find life insurance, then might well be an agent.
A way of working through these issues is to start with examples of existing documents used in similar circumstances - like the patient consents - and see what can be systematized.
On 8/24/15 10:12 PM, Eve Maler wrote:
Coolness — now I see how this thingie works.
I’m not sure (using the original binding obligations terms) that the Requesting Party is always an agent of the Authorizing Party, if that means there’s an “on behalf of” relationship. In fact, I’m sure they’re /not/ always (though sometimes they might be). What if research firm BobCo wants to use Alice’s health or demographic data in a study, and she agrees?
Eve
On 24 Aug 2015, at 12:02 PM, James Hazard <james.g.hazard@gmail.com> wrote:
Here is a very rudimentary example of provisions to adopt the Restatement of Agency as legal framing for an agreement. It is just a stub.
The stub is here (click on "Document" to see a use of the text). http://cmacc-uma.herokuapp.com/index.php?action=source&file=/Agency/Restatement_Clauses_01.md
The source is on GitHub (click on "GitHub"): https://github.com/CommonAccord/Cmacc-UMA/blob/master/Doc/Agency/Restatement...
I plopped this into a little demo for UMA terms that I did earlier and made a few adaptations. It is obviously incomplete, among other reasons because the Requesting Party (whom I take to be an agent of the Authorizing Party) has an agent (the Requesting Party Agent). This would need to be addressed and "Parties" would need to include all three. The goal of this little demo is to give a sense of how CommonAccord can integrate legal text.
http://cmacc-uma.herokuapp.com/index.php?action=source&file=/Demo/AP-RP-RPA_Robinson-Acme-Altima.md (click on "Document")
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
-- @commonaccord
-- @commonaccord
participants (3)
-
Dazza Greenwood -
Eve Maler -
James Hazard