UMA telecon 2018-04-12

Date and Time

Thursdays 9am PT
- Screenshare and dial-in: https://global.gotomeeting.com/join/857787301
- See UMA calendar for additional details: http://kantara.atlassian.net/wiki/display/uma/Calendar

Agenda

Roll call
Approve minutes
- Approve minutes of UMA telecon 2018-03-01, UMA telecon 2018-03-29
IIW report
Legal formal model
AOB

Minutes

Roll call

Quorum was reached.

Approve minutes

Approve minutes of UMA telecon 2018-03-01, UMA telecon 2018-03-29: Deferred.

IIW report

It had a big turnout, ~260 registered and ~240 at the peak of attendance. A blockchain 101 was offered and not needed, so that was different from a couple of years ago. There was somewhat more focus from that perspective. Lots and lots of blockchain identity people attended. Mike's blog post after the fact on "SSO vs. SSI" (on a subject on which he also convened a session) reflected on some of the hot topics that got discussed on Twitter afterwards. (The diagrams in this tweet are also good.) Mike is plumbing (and Adrian has done in HIE of One) some use cases around pushed claim tokens that are in the form of decentralized IDs (DIDs). The moment that anyone is using cloud Agents, we have privacy problems back again that SSI is supposed to solve. Shame that conversations these deep didn't happen there. Justin held a session called "What do you hate about OAuth?" A similar session perhaps could usefully could have been held! A lot of the work in security is preventing a MITM, which is where TLS comes in.

In any case, this WG can be complementary in many ways with such technology, and doesn't have to have any kind of official stance on SSI's architecture or marketing.

Legal formal model

Eve did a session at IIW on the draft model, which is now being revised.

The formal business model is designed to enable:

The auditing of technical artifacts (such as tokens) in a privacy-sensitive way during a run of the protocol to be able to prove the claimed consent/permission/delegation/licensing happened
How the artifacts can link out to the relevant legal devices (contracts and licenses)
Determining patterns of which artifacts need to be dissolved (e.g., tokens to revoke) and then remade (issued) to serve various complex business use cases

Cigdem has a use case where you have a flood network of devices. A household has these devices deployed. Data generated by the devices may involve personal data. Predictions made from this data might also involve personal data, but where it's derived or inferred, it's not "owned" by the data subject but rather an enterprise admin due to the way GDPR works (so this would be a Legal Person as Resource Rights Administrator – our new candidate name – and thus the resource owner).

Does derived data include algorithms performed over data? Mark believes so. In the case of OPAL (Thomas's Open Algorithms work) and where the ro uses UMA to ask specifically for an algorithm to be performed over data she does own (so the rs has the algorithm and the c has the original data and retains rights in the data as it is transformed), we'd want the relevant legal devices to ensure that the RSO retains rights in the algorithm IP (OPAL talks about making these algorithms open source/openly inspectable), and the DS retains rights in their data and the resulting transformed data (even though GDPR seems not to require this).

There's work going on to see if cancer patients could be paid every time their data is used for research.

The Revised Uniform Fiduciary Access to Digital Assets (RUFADA) Act defines requirements for what we think of as "digital death"; it mandates an "online tool" (Authorization Server/Operator?) that enables the ability for a "user" (Data Subject?) to choose a "designated recipient" (Resource Rights Administrator?) for administering access to their digital assets held by a "custodian" (Resource Server Operator?) when they die; that recipient might (RRA again?) or might not (Requesting Party?) be the same as their "personal representative" (or executor or whatever). Tim is writing up the use case and Eve will put it into visual terms.

All are invited to submit business use cases that we can publish as a catalogue.

Mark mentioned that he's spoken to the FB privacy team about the digital death challenge; he'll make intros with Eve.

Attendees

As of 7 Mar 2017, quorum is 4 of 7. (Domenico, Sal, Andi, Maciej, Eve, Mike, Cigdem)

Domenico
Eve
Mike
Cigdem

Non-voting participants:

Justin
Colin
Scott
Mark
George
Bjorn
Thomas

Regrets:

Tim
Andi

Browser not supported