UMA telecon 2018-03-29
UMA telecon 2018-03-29
Date and Time
- Thursdays 9am PT
- Screenshare and dial-in: https://global.gotomeeting.com/join/857787301
- See UMA calendar for additional details: http://kantara.atlassian.net/wiki/display/uma/Calendar
Agenda
- Roll call
- Approve minutes
- Approve minutes of UMA telecon 2018-03-01
- Legal formal model
- IIW session ideas
- AOB
Minutes
Roll call
Quorum was reached.
Approve minutes
Approve minutes of UMA telecon 2018-03-01: Deferred.
Legal formal model
The "UMA Legal role definitions" slide deck is here. Eve will give access to any UMA WG participant.
Discussion about the parties, especially the agents: Are we factoring in the question of the sources of identity? UMA at the technical layer is agnostic as to the source: local, federated, whatever. It could be self-sovereign, as HIE of One does. But what about the quality of the identity? Shouldn't that be a matter for the business layer? Yes; each deployment should be able to build on our "meta-layer" to specify its requirements in order to manage liability. The Origo implementation uses identity assurance in exactly this manner.
So could an organization be the Data Subject Agent for an individual Data Subject? In the NZ case, that's how the "headless user" worked. In fact, if a human administrator for the government agency creates the account and policy for elderly citizen Aroha, then they could be an Agent for the Data Subject Agent, but presumably at some point that's out of the view of the original Data Subject. Can the government be an RSO? In the Origo case, they are one of them.
Additional scenarios:
1. ASO acts as an RSO and runs all rs == OAuth-ish
2. ASO acts as a CO and runs all c == no 3rd party client ecosystem
3. DS/DSA is an I, AAA ASO, and as dedicated to that single ro (“personal as”)
4. (Could add many others here to account for federated identity)
In the chat:
- in the real world today, at which point does Mom/Dad become a Data Subject Agent to child? Is it at the point where they exit the hospital or registers the baby?
- Is EquiFax my Data-Subject-Agent?
- So the NZ Gov becomes the RO, ASO, Data-Subject0-Agent
- This almost means that there will never be Data-Subject-Agent because all the current holders of my data will say they are the RO.
- @Tim: would it be useful to try map the UMA Legal entities with the Uniform Fiduciary Access entities? They call RO as "Person". Person" means an individual, estate, business or nonprofit entity, public corporation, government or governmental subdivision, agency, instrumentality, or other legal entity...
- @Adrian: you can always extract potions of the UMA legal whitepaper for your use-case.
- What law have some states passed? States as in EU, UK or as in U.S. States?
- The RUFADA law
IIW session ideas
Thomas plans to convene a session on his decentralized OAuth I-D. This also relates to the topic above, which perhaps deserves a dedicated session.
Upcoming schedule
The Friday legal meeting schedule is on hold for now.
We won't meet on Thu Apr 5 because of IIW, nor Thu Apr 19 because of RSA.
Attendees
As of 7 Mar 2017, quorum is 4 of 7. (Domenico, Sal, Andi, Maciej, Eve, Mike, Cigdem)
- Domenico
- Sal
- Eve
- Mike
Non-voting participants:
- Thomas
- Justin
- Tim
- Adrian
Regrets:
- Maciej
Guests:
- Brad Arlen (CEO of OneMe, privacy-as-a-service startup)
- James Willett (of OneMe)