UMA telecon 2018-10-11

Date and Time

Thursdays 9am PT
- Screenshare and dial-in: https://global.gotomeeting.com/join/857787301
- See UMA calendar for additional details: http://kantara.atlassian.net/wiki/display/uma/Calendar

Agenda

Roll call
Shift Oct 18 WG call a half-hour later?
- Eve has a partial conflict
- Prabath scheduled to do a demo of WSO2 implementation
Approve minutes of UMA telecon 2018-09-20 and UMA telecon 2018-10-04
Update on PIPC/captive insurance discussions
Update on interop testing activities
Consider publishing a draft business model tech doc
Discuss Adrian's notification use cases
AOB

Minutes

Roll call

Quorum was not reached.

Shift Oct 18 WG call a half-hour later?

Let's shift the call, and plan to record the demo, at least.

AI: Eve: Move the Oct 18 call a half-hour later, and cancel the Oct 25 call due to IIW. (DONE)

Preparing for IIW

George is attending IIW and is giving his UMA 101 talk. Eve will provide the UMA2 masterclass slides from Identiverse in case those are helpful. Also see the Legal Role slide deck for the Origo Pensions Dashboard (step 1 and step 2) use case, which is advanced POC stage now, and they're looking to deploy pretty soon.

AI: Eve: Send Identiverse UMA2 masterclass slides to George. (DONE)

As a reminder, the masterclass slide PDF and video are linked from the UMA wiki home page.

Adrian and Bjorn are also attending. Adrian will be showing the latest version of his patient-centered health record work, which is built around UMA. They have been making progress at Emory Healthcare in Atlanta. Medicare also exposes an OAuth-protected endpoint based on FHIR. The discussion has been around the privacy and security implications of just registering a client app as OAuth-enabled, not UMA-enabled. This implementation is also using uPort credentials and OIDC. The UMA AS can handle requesting party identities (claims to satisfy policy conditions) of either sort. One requires standing up an OIDC IdP and the other doesn't.

Will enough UMA2 implementers be at IIW that a session to discuss matrix interop testing done to date and plans for the future make sense? Food for thought.

Approve minutes

Approve minutes of UMA telecon 2018-09-20 and UMA telecon 2018-10-04: Deferred.

Update on PIPC/captive insurance discussions

Healthcare and "insure-tech" both would potentially benefit from UMA as a framework for PIPC.

The Vermont AG is interested in applications and solutions to concretize the law. The new docs we've been talking about today would be useful for a meeting with him, so he's in the audience. Eve is free for such meetings in the next couple of weeks.

Update on interop testing activities

Would Trustee (the new name for HIE of One) like to take part in the pairwise interop testing? For starters, Adrian or Michael could get in touch with Mike Schwartz or Will Lowe at Gluu. Or if there is a wiki page with instructions, that may be best.

The next thing we need is a canonical set of tests.

Consider publishing a draft business model tech doc

Could we just produce the slides as a PDF or something? It certainly seems possible to do that, but maybe "additional words" would be helpful for the right audiences to understand. And a simpler version for newbies would probably be helpful, breaking things down – maybe a single worked example. Then we could add a new report with the multiple use cases, building on the draft technical spec as a basis. Conveying benefits is always the top challenge in these materials. And it seems there are many subtle disincentives in various healthcare ecosystems that discourage adoption. One advantage in the healthcare sector is the presence of an open API, FHIR. Increasingly, financial services is gaining a similar advantage with open APIs.

Discuss Adrian's notification use cases

Deferred.

Continuing... More to say about the following use cases?

2 - Alice (RO) needs to be notified by the RS that the Client presented to the RS is deemed inadequate for automated registration and Alice herself, not Alice’s AS, must acknowledge the warning by the RS in order for the Client access to proceed. (This is the current interpretation of HIPAA for patient-directed exchange)

This notification type has strong timeliness requirements.

3 - Alice (RO) needs to be notified by the AS that a RqP has presented with a query for registered resources. (This is where someone other than Alice invites the RqP to access her resources without specifying a particular resource).

See 38:00 in the Google TechTalk video for a demo of this from way back. We have additional implementations, probably with a variety of approaches: API endpoints, web hooks, etc. We may want to compare approaches and see if there's any motivation to standardize for interop.

4 - An RS or an RqP wants to notify Alice of something but they only have the service endpoint of Alice’s AS. (Alice is using the AS as a blind drop the way she might use a dating app)

Attendees

As of 7 Mar 2017, quorum is 4 of 7. (Domenico, Sal, Andi, Maciej, Eve, Mike, Cigdem)

Domenico
Maciej
Eve

Non-voting participants:

David
Bjorn
George
Nancy
Adrian

Regrets:

Andi
Cigdem

Browser not supported