...

This can come up for financial data, and also for legal accountability over access to health data in break-the-glass situations. E.g., Alice might want to have a policy that says Bob has to have LOA3 when accessing her data, so she can find him and sue him if something goes wrong. Mike's profile enables revocation of the AAT, not just the relevant permission in the RPT, if the AAT were issued on the strength of a too-weak requesting party authentication.

84: UMA endpoint names vs. OAuth endpoint names

We looked at the written profile and thought that it might need to be abstracted away a bit from OpenID Connect, but otherwise it seems like it's probably a good addition. We need to discuss this with a larger group.

Attendees

  1. Eve

Non-voting participants:

...