...
Have resolved current comments, link to V0.3 Working Group Draft: Julie Use-case Report Notes, drafts, and WIP
Do we have a goal to finalize the publication? Now that we have a WG draft, we've shared the
Comments from Tom
| Code Block |
|---|
In general there is no accepted vocabulary for several assertions that were made in the doc' for example:
scope - new ones are alluded to but not named.
claims request - only the vaguest sort of example where given - missing real meat on the bones.
AuthZ server - no real definitions at all.
My solution would be to focus on the purpose of the data exchange and then the content would be predetermined. based on FHIR categorizations.
for example
data request by optometrist
data required by ophthalmologist
data required by physical therapist
data required by pharmacist |
We will add some more explicit commentary up front about what we have in/out of scope for this report, eg the assumption that high assurance identities are available and used in any healthcare exchange solution. Most of these terms are already well defined, so we have tried to refer the reader to more authoritative sources instead of redefining ourselves (eg the actual OAuth, HEART and UMA specs)
scope: not intending to speak about specific scopes. Have mentioned scopes as that is the OAuth mechanism to restrict data. Is the suggestion for more explicit discussion of specific scopes?
claims request: not our intention to discuss specifics of identity, policy or claims gathering
authZ server: there is a short definition in section 4, and say we inherit the definition from OAuth. Are there key items missing?
UMA and Other Standards (UDAP, etc)
...
https://docs.google.com/spreadsheets/d/1UWxhLoLFsVNmHulGvyS_3vx5hF9u2reFXT3gxc3bRnY/edit#gid=0
Where do we want to take this report? We showed it to the HEART group which has started a similar initiation to compare all the health care specs and show how they work together
Correlated Authorization Updates
https://github.com/umalabs/correlated-authorization
Please check it out if you have some time
European Identity Conference May 10-13, 2022 | Berlin
At minimum we've been asked for 5-10mins of an UMA WG update. Requires people who are in-person since there's no virtual presentation options (At least for the Kantara workshop)
We can take more time to discuss other topics.
AOB
Carin is running a health identity poc: https://www.carinalliance.com/our-work/digitalidentity/
UMA as a trust framework: UMA compliance implies a more dynamic wide ecosystem, even though it's not required.
There is a move to more dynamic trust-on-first-use style registration, with some third party trust (sometimes?). Eg UDAP defines an attestation system so a new client can demonstrate who they are and why the as would trust them.
There is also the idea of no third party attestation, where any client is valid if the RqP can meet the AS policy - which is a very UMAish concept.
There's still a lot of not-uma challenges around identity and general authorization policies eg can ANY physician access my record? what about with a break-the-glass directive? With UMA a patient could consent (or not) ahead of time to ER doctor access to the data.
Potential Future Work Items / Meeting Topics
...
- Internet Identity Workshop 34 is April 26-28 | Mountain View, CA. UMA attendees: Alec, Steve(tentative), George
- Identity North Spring Workshop Apr 4-6
- European Identity Conference May 10-13, 2022 | Berlin
- https://identiverse.com/ June 21-24, 2022 Denver, Colorado.
AOB
Attendees
As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
Voting:
- Alec
- Steve
Non-voting participants:
- Nancy
- Scott
- Chris
- Hanfei
- Lenore
Regrets: