Draft minutes of UMA telecon 2020-07-23

https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-07-23

Minutes

Roll call

Quorum was reached.

Approve minutes

- Approve minutes of UMA telecon 2020-07-09 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-07-09>, 2020-07-16 <https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-07-16>

Deferred.

New profiles

- Resource definition profile status
- Wallet profile

We should be driving towards revised spec text, ideally putting it into GitHub.

Last week, folks concentrated on the ASCII "spiral" diagram and draft spec text. Alec has a new draft diagram to try on us.

In the original UMA diagram, "manage" and "control" are out of scope. Alec is proposing that we bring these functions in scope. He states this explicitly by saying that he's specifying the "management and control interfaces". In UMA1 we used to call this Phase 1 vs. Phase 2. Now we think of this as the grant mechanism and the federated authorization mechanism, which is modular and optional with respect to grant. Is the wallet extension/profile modular and optional with respect to federated authorization? Alec illustrated it with a concentric Venn.

Since "wallet" is such a fraught term, calling it something else, ideally descriptive, could help us get beyond the challenge that it means something really specific elsewhere. What about "relationship manager"? That goes back to our roots. Eve asks everyone to think about what could be a good name that would serve us, for now, in a spec. Maybe something around the fact that we are finally standardizing the user side of the management and control interface (ironic that we are finally doing something about deeply standardizing "user management of access", eh?).

The cascading authorization server <https://confluence.hl7.org/download/attachments/66931686/Cascaded_Authorization-2018-01-15.pdf?version=1&modificationDate=1578094706430&api=v2> notion, which Pauldron implemented, bears some similarity to this idea. It has a "principal AS" within a specific domain, and a secondary AS that is RO-controlled. However, that original notion was intended to explicitly empower (in a sense) the AS against the RO's wishes, rather than to privacy-enhance the AS to protect the RO.

FHIR meetup

For those interested in HealthCare, Nancy provides this three-hour video from the FHIR meetup: [see wiki]

She suggests checking out at least the first half-hour. It is important to understand the perspective of the HL7 security group as they will be moving this along in Healthcare as the recognized experts. She also points to this FHIR chat <https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy> (anyone can get a login). Nancy recommends that UMA's perspective be represented here. HEART came up, a little bit. Justin presented. Our webinar content could usefully be presented here.

Here is info on the video structure (original here <https://docs.google.com/spreadsheets/d/15za6DXk0Cnn97CYWrZRw-1l14Hw3juKmG8bkcm9Yxh8/edit#gid=0>):

- Overview of fine-grained authorization approaches in FHIR, Josh Mandel, 15 min. Slides here <https://docs.google.com/presentation/d/1ZGh-ls0VpRBpT_-Ei7rCd4D0HQv4rc-5k_lR7HYtyrc/present?slide=id.g8a28f5f635_0_0>
- Access control in aidbox, Nikolai Ryzhikov, 15 min. Slides here <https://github.com/niquola/devdays-us-2020-slides/blob/gh-pages/README.md>
- XYZ, Justin Richer, 15 min. Slides here <https://www.dropbox.com/s/dr459qyy3t4l5yw/FHIR%20Days%20-%20XYZ.pdf?dl=0>
- An ABAC Architecture Approach, Matthew Tyler, 15 min. Yes, can't share yet
- Classification and Locality, Chris Grenz, 15 min. Slides here <https://docs.google.com/presentation/d/1dkznJa0KNPs299NDK73-QuuIIplqtzHJRJErt-reTA8/edit?usp=sharing>
- FHIR Data Segmentation for Privacy IG, Kathleen Connor, 15 min. http://hl7.org/fhir/uv/security-label-ds4p/2020May/
- Parameterized compartments, Michael Hansen, 15 min. Slides here <https://1drv.ms/p/s!AuADpL-pKlsYoQjmFJx2h9fDGk06?e=dWM6pC>

*AI:* Nancy: Find out how we get onto the agenda of the next HL7 meetup or the next appropriate gathering. Adrian also suggests reaching out to Josh. Nancy suggests also John Moehrke, Kathleen, and Graham.

We will, in the meantime, figure out the right content to present.

Webinar report

Alec reports pretty good attendance and some really good questions afterwards. Colin thought the content flowed well and was pitched just right. It was at the right technical level and had a relaxed tone. Nancy attended and thought it was great too. People can find the recording <https://kantarainitiative.org/download/uma-21st-century-health-information-interoperability-user-control/> on the Kantara site's Resources area (Adrian says Safari is a better browser than Firefox due to a bug that's being worked on). The FHIR folks could handle more technical detail than was provided.

Attendees

As of July 8, 2020, quorum is 6 of 10. (Michael, Domenico, Peter, Sal, Gaurav, Thomas, Andi, Maciej, Eve, Mike)

1. Michael
2. Domenico
3. Sal
4. Thomas
5. Maciej
6. Eve

Non-voting participants:

- Colin
- Alec
- Nancy
- George
- Adrian
- Anik
- Lisa
- Patrick
- Bjorn

*Eve Maler*
Cell or Signal +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

Hello UMA Community,

For those of you who are interested in the intersection of human rights and digital identity systems, there will be an American Bar Association webinar today at 1pm EST; https://www.americanbar.org/events-cle/mtg/web/401314443/. I am on the panel along with the General Counsel of AccessNow and an attorney/Project Director from the American Association for the Advancement of Science. I do plan to mention UMA as a positive example of human rights-centric design. Apologies for the late notice.

Regards,
Tim

On Thu, Jul 23, 2020 at 10:37 AM Eve Maler <eve@xmlgrrl.com> wrote:
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org https://kantarainitiative.org/mailman/listinfo/wg-uma

Funny you should mention that, Tim. Here's slide 21 from the Webinar <https://kantarainitiative.org/download/uma-21st-century-health-information-interoperability-user-control/>:

[image: Screen Shot 2020-07-23 at 10.56.33 AM.png]

On Thu, Jul 23, 2020 at 10:45 AM Tim Reiniger <tsreiniger@gmail.com> wrote:

Thank you, Adrian. Perfect timing for this slide! I am going to reference this today as a specific example!

Also, I didn't know about the webinar you and Alec gave on July 21. It looks like it was really fantastic!

Tim

On Thu, Jul 23, 2020 at 10:58 AM Adrian Gropper <agropper@healthurl.com> wrote: