UMA telecon 2018-03-29

Date and Time

Agenda

  • Roll call
  • Approve minutes
  • Legal formal model
  • IIW session ideas
  • AOB

Minutes

Roll call

Quorum was reached.

Approve minutes

Approve minutes of UMA telecon 2018-03-01: Deferred.

Legal formal model

The "UMA Legal role definitions" slide deck is here. Eve will give access to any UMA WG participant.

Discussion about the parties, especially the agents: Are we factoring in the question of the sources of identity? UMA at the technical layer is agnostic as to the source: local, federated, whatever. It could be self-sovereign, as HIE of One does. But what about the quality of the identity? Shouldn't that be a matter for the business layer? Yes; each deployment should be able to build on our "meta-layer" to specify its requirements in order to manage liability. The Origo implementation uses identity assurance in exactly this manner.

So could an organization be the Data Subject Agent for an individual Data Subject? In the NZ case, that's how the "headless user" worked. In fact, if a human administrator for the government agency creates the account and policy for elderly citizen Aroha, then they could be an Agent for the Data Subject Agent, but presumably at some point that's out of the view of the original Data Subject. Can the government be an RSO? In the Origo case, they are one of them.

Additional scenarios:

1. ASO acts as an RSO and runs all rs == OAuth-ish
2. ASO acts as a CO and runs all c == no 3rd party client ecosystem
3. DS/DSA is an I, AAA ASO, and is dedicated to that single ro ("personal as")
4. (Could add many others here to account for federated identity)

In the chat:

  • in the real world today, at which point does Mom/Dad become a Data Subject Agent to child? Is it at the point where they exit the hospital or register the baby?
  • Is EquiFax my Data-Subject-Agent?
  • So the NZ Gov becomes the RO, ASO, Data-Subject-Agent
  • This almost means that there will never be Data-Subject-Agent because all the current holders of my data will say they are the RO.
  • @Tim: would it be useful to try to map the UMA Legal entities with the Uniform Fiduciary Access entities? They call RO "Person". "Person" means an individual, estate, business or nonprofit entity, public corporation, government or governmental subdivision, agency, instrumentality, or other legal entity...
  • @Adrian: you can always extract portions of the UMA legal whitepaper for your use-case.
  • What law have some states passed? States as in EU, UK or as in U.S. States?
  • The RUFADA law

IIW session ideas

Thomas plans to convene a session on his decentralized OAuth I-D. This also relates to the topic above, which perhaps deserves a dedicated session.
Upcoming schedule

The Friday legal meeting schedule is on hold for now.

We won't meet on Thu Apr 5 because of IIW, nor Thu Apr 19 because of RSA.

Attendees

As of 7 Mar 2017, quorum is 4 of 7. (Domenico, Sal, Andi, Maciej, Eve, Mike, Cigdem)

  1. Domenico
  2. Sal
  3. Eve
  4. Mike

Non-voting participants:

  • Thomas
  • Justin
  • Tim
  • Adrian

Regrets:

  • Maciej

Guests:

  • Brad Arlen (CEO of OneMe, privacy-as-a-service startup)
  • James Willett (of OneMe)