Done. Some of the items are in progress.
Adrian, Sal, and Josh Mandel got together and did a bit of work. Josh presented to the Blue Button+ group last week. Sal is working on the UMA parts of the presentation. Also, Adrian met yesterday with the White House CTO in his Patient Privacy Rights role. There's high interest in demonstrating BB+ with HIEs, which are in high gear right now. PPR is promoting patient-mediated exchange. One of the HIE projects is likely to target BB+, which is already OAuth2-friendly. The management of consent is a problem waiting to be solved. They're going to be hunting for software to support these use cases; this is why Nick has joined us today. (See the Implementations wiki page.)
No one on the call was in attendance.
Eve and Thomas will be around. Come to the Kantara Tuesday night event! Also, there's a Kantara breakfast on Tuesday morning.
Ken Klingenstein oversees the Scalable Privacy project that has gotten an NSTIC grant. Part of this discussion involves Idemix and U-Prove. There's interest in understanding how UMA could help with the NSTIC scenarios.
Antonio, age thirteen, wants to enter an online chat room that is specifically for adolescents, between the ages of twelve and seventeen. His parents give him permission to get a digital credential from his school His school also acts as an attribute provider: it validates that he is between the age of twelve and seventeen without actually revealing his name, birth date or any other information about him. The credential employs privacy-enhancing technology to validate Antonio’s age without informing the school that he is using the credential. Antonio can speak anonymously but with confidence that the other participants are between the ages of twelve and seventeen. (p. 11)
Age is a PII that the individual would like to control. This suggests that perhaps UMA can provide a means of this control.
The school is being used as a trustworthy third-party attribute provider. UMA can provide brokering of access to a resource server holding this information.
Providing information about being "old enough" is a higher-skill goal beyond just providing Antonio's age. Eve's take: UMA doesn't preclude this but doesn't solve it directly in any particular way. Thomas notes that the AM could, at the app (not protocol) level, serve as an aggregator or a judge of third-party attributes coming from resource servers connected to it. Look at the example of kids traveling around England and France: An engine would be needed to calculate the kid's "old enough" quotient according to French law vs. English law. (Hey, will we see a resurgence of AI languages of the past to solve this?)
Not directly relevant but indirectly so: The old UMA "Custodian" scenario. (This would be where Antonio is 12, not 13, and thus according to COPPA laws can't consent.)
See also the online personal loan case study for how person-to-self sharing can work in practice. Essentially, Alice sets policies ahead of time that mention herself (claims only she can prove). The wireframes in this case study show how this can work.
If the AS and RS were not colocated, then there would be elements of AS-RS introduction and communication that would need to be covered. See the personal cloud subscription case study for these elements (but note that it's person-to-person sharing).
Note that enterprises are likelier to have a formal policy store, so that the UMA AS could start to become a more formal client of a PIP interface. The PIP could be XACML-based or anything else.
AI: Thomas: Write up threat model text for the core spec based on the discussion in the 2013-01-31 meeting. Due sometime after RSA!
Regrets:
Next Meetings