...
- Term definition work (see issue #240) – for reference, here are all the open #trust issues
Attending: Eve, Scott, Paul, Jim, John W, Adrian, Ann, Jon N, Mark, Kathleen
Regulation of consent
Should we be concerned about EU regulators "regulating away" the potential power of UMA around proactive enduring consents (e.g., policies that are indefinite until revoked) because on subsequent reference to them by an AS they're not "explicit"? Is there a way to influence the thinking of regulators and/or have two-way conversations with them so that implementations and deployments can give individuals the right buttons and knobs and UX's? It's certainly possible to make appointments with regulators. The US regime has a property basis, whereas the European basis is human rights. Revisiting one's consent in context (monitoring one's consent) would theoretically be a powerful way to exercise one's rights.
In the healthcare world, coming from paper vs. digital, notice was expensive. But in the digital world, notice is free at the margin.
Mark notes that: "We are working on a model practice papers to send to regulators wth the Kantara sponsored workshops." He will send a note to the list with more information as required. He thinks we don’t think we need to worry about regulators regulating away consent directives, as consent is regulated by purpose and notice.
AI: John W: Find ways to reach out to regulators to start conversations.
Digital Contracts, Identities, and Blockchain - new event at MIT
This event has very limited seating and is invitation-only. If you want to attend, let Jim H know soonest! The notion is secure, DRY, peer-to-peer text objects handled as if they were software objects.
Term definitions
Our term definitions of record are here.
We can define whatever terms we want, but we don't want to "chase our tails". Agency (here meaning legal agency, the ability to take responsibility) is different from being a hunk of, say, software; software isn't a thinking thing. We're in the business of helping services that want to be, say, IdPs and merchant services and healthcare services also be UMA services to create the legal agreements they need, and since they'll be UMA clause novices, we're providing starter UMA clauses for them.
Note that an UMA authorization server operator is different from talking about a data processor or data controller. The the former term is an "UMA legal" term of art, and the latter are regulatory terms of art. Wherever we use the latter, we would have to refer to our source of the definition – ISO 29100 is what CIS refers to for consent receipts.
The pairs we currently have are:
- resource owner:Authorizing Party
- requesting party:Requesting Party
- authorization server:Authorization Server Operator
- resource server:Resource Server Operator
Where things break down:
A use case: Alice (Individual) wants dentist's office (Legal Person) to get access to her calendar for the purpose of scheduling a root canal. The dentist's office receptionist (Individual acting on behalf of the Legal Person, as an employee or contractor) tries to access the resource, using a client (Client).
Questions: Let's not overcook this. Think in terms (ha) of the next strawman iteration. Since no one expressed strong feelings about making any changes, we will leave the terms as they are till changes are forced on us.
- Should we give a generic name to the clients, authorization servers, and such? Are they Non-Person Entities as a general category now? What would be the usefulness of this? Don't add.
- We've called the receptionist in this use case a Requesting Party Agent to date. Is that right? What benefit does it confer? There is actually an UMA flow (or possibly several flow options) to which it correlates. Eve suggests: Keep for now and try to use it in practice to see if it works.
- Does UMA want to trace duties to preserve the rights of the Individual? No further discussion.
- Does Individual want to be Natural Person? Don't change.
- Is the ability of the Individual to consent constrained in the circumstances of the transaction, e.g., by regulations? (Think in terms of term definitions for now. This is a much bigger question!) Don't change anything..
It seems we have nothing more to discuss on issue #240 unless problems arise.
2016-01-29
- Review the new UMA Roadmap for 2016 page and the "#trust"-related use cases
- Pick off some of the new "#trust" GitHub issues to work on
- Take a look at the documents Scott David shared in email on Jan 15
...