Updates on auxiliary material editing if any

No updates.

(after end of call) Joint consent receipt/UMA ad hoc notes

Attending: Andrew, Eve, Andi, Domenico, James, Justin, Sal, Tim, Colin

Our previous notes are here.

Andrew: A consent receipt fits in as an interoperable security audit log entry. It has richness of detail so that it can be processed as something that goes beyond security use cases. The goal is to fulfill the individual's objectives. Andi: If a company gets a subject access request, what happens next? If the audit trail includes a consent receipt, isn't it still very valuable to them? Okay, so maybe "security" isn't the best word.

The current design of Consent Receipts focuses on traditional opt-in consent. UMA is sort of more policy-driven.

Regarding dictating flows and formats: Interactive claims gathering is outside the view/scope of UMA; a profile could dictate a particular thing happening. There are several "consent receipt"-ish formats extant.

The Security Events WG formed a couple of years ago. We've identified more than just consents as artifacts deserving of "receipts". Would a security event token be appropriate, given this? Justin isn't sure that the SET is a good match at this point, actually.

Eve: Muses about the scope of the UMA WG regarding "receipt workflow" sorts of work. Should we be thinking bigger regarding things like the shoebox endpoint (while keeping it appropriately modularized)?

The regs that are dictating that a purpose statement be included (and have specific requirements) would seem to give problems to a RO-specified purpose (user-submitted terms). But why can't our license-based model carry a purpose?

What if we were to propose a POC that develops an end-to-end technical artifact/legal device connection? Tim: Go for the gold and make it GDPR-ready! What would such a POC entail? Does it depend on a running UMA instance, and/or CommonAccord, and/or template clauses, and/or what exactly? It would need to demonstrate:

  • Some of the key mappings
  • A realistic and evocative business use case – EU jurisdiction and (which?) sector
  • A step-by-step end-user walkthrough with "receipts" that Alice (and Bob?) and Larry and Linda the Lawyers (for different parties – how many do we need?) find useful

Eve has an UMA health+IoT+IRM demo that we could perhaps "port" to smart home for this purpose. Let's figure out next steps in the Friday calls, e.g. timeline and answering all the questions posed above.

Attendees

As of 7 Mar 2017, quorum is 4 of 7. (Domenico, Sal, Andi, Maciej, Eve, Mike, Cigdem)