...

Andrew's insight about #296 was that this "profile" was essentially "OAuth". :-) In other words, that's the typical way people use OAuth grants. So would having an inner and outer spec help? The inner would be just the UMA grant, or maybe the grant++: adding the set math, say, and whatever other logic is needed given that this grant includes a requesting party and so on. But it doesn't seem to need the addition of the resource ID concept, for example, because that's "private" between the AS and RS. The outer would include all the protection API elements.

Ishan notes Ping (now :-)) has struggled with finding the fit with the whole UMA proposition, so putting RS constraints on what the RO can share would help. Eve notes that, AS-RS tight or loose, the RS's dedicated client (in the realm of enterprise authorization rules -- whether that uses UMA or not) would be able to apply constraints before Alice can "share" some resource. Would consent receipts be the right place to capture Alice's intent in sharing a particular resource, e.g. payment amount, with Bob?

...