UMA telecon 2022-04-06
Date and Time
- Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
- Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
United States: +1 (224) 501-3316, Access Code: 485-071-053
- See UMA calendar for additional details: http://kantara.atlassian.net/wiki/display/uma/Calendar
Agenda
- Approve minutes since UMA telecon 2022-03-31
- Julie Use-case Report - review feedback
- UMA and Other Standards (UDAP, etc)
- Correlated Authorization
- Kantara Workshop at European Identity Conference
- AOB
Minutes
Roll call
- Quorum: No
Approve minutes
- Approve minutes of UMA telecon 2022-03-31
Deferred
Julie Use-case Report
Have resolved the current comments; link to the V0.3 Working Group Draft: Notes, drafts, and WIP
Do we have a goal to finalize the publication? Now that we have a WG draft, we've shared the
Comments from Tom
In general there is no accepted vocabulary for several assertions that were made in the doc, for example: scope - new ones are alluded to but not named. claims request - only the vaguest sort of example was given - missing real meat on the bones. AuthZ server - no real definitions at all. My solution would be to focus on the purpose of the data exchange and then the content would be predetermined, based on FHIR categorizations. For example: data requested by optometrist, data required by ophthalmologist, data required by physical therapist, data required by pharmacist.
We will add some more explicit commentary up front about what we have in/out of scope for this report, e.g. the assumption that high-assurance identities are available and used in any healthcare exchange solution. Most of these terms are already well defined, so we have tried to refer the reader to more authoritative sources instead of redefining them ourselves (e.g. the actual OAuth, HEART and UMA specs).
scope: not intending to speak about specific scopes. Have mentioned scopes as that is the OAuth mechanism to restrict data. Is the suggestion for a more explicit discussion of specific scopes?
claims request: not our intention to discuss specifics of identity, policy or claims gathering.
authZ server: there is a short definition in section 4, and we say we inherit the definition from OAuth. Are there key items missing?
UMA and Other Standards (UDAP, etc)
This sheet starts to organize the comparison:
https://docs.google.com/spreadsheets/d/1UWxhLoLFsVNmHulGvyS_3vx5hF9u2reFXT3gxc3bRnY/edit#gid=0
Where do we want to take this report? We showed it to the HEART group, which has started a similar initiative to compare all the healthcare specs and show how they work together.
Correlated Authorization Updates
https://github.com/umalabs/correlated-authorization
Please check it out if you have some time
European Identity Conference  May 10-13, 2022 | Berlin
At minimum we've been asked for 5-10 minutes of a UMA WG update. This requires people who are in person, since there are no virtual presentation options (at least for the Kantara workshop).
We can take more time to discuss other topics.
AOB
Carin is running a health identity PoC: https://www.carinalliance.com/our-work/digitalidentity/
UMA as a trust framework: UMA compliance implies a more dynamic, wide ecosystem, even though it's not required.
There is a move to more dynamic trust-on-first-use style registration, with some third-party trust (sometimes?). E.g. UDAP defines an attestation system so a new client can demonstrate who they are and why the AS should trust them.
There is also the idea of no third-party attestation, where any client is valid if the RqP can meet the AS policy - which is a very UMA-ish concept.
There are still a lot of non-UMA challenges around identity and general authorization policies, e.g. can ANY physician access my record? What about with a break-the-glass directive? With UMA a patient could consent (or not) ahead of time to ER doctor access to the data.
Potential Future Work Items / Meeting Topics
- UMA vs (OAuth, OIDC, GNAP, UDAP, ....)
- compare protocols & features (e.g. a product comparison type matrix with and 's)
- Confluence clean up, archive old items and promote the latest & greatest
- Review of the email-poc correlated authorization specification
- A financial use-case report (following the Julie healthcare template)
- either open banking or pensions dashboard
- open banking is to FHIR (data model) as FAPI is to SMART on FHIR (authZ protocol profile)
Upcoming Conferences
- Internet Identity Workshop 34 is April 26-28 | Mountain View, CA. UMA attendees: Alec, Steve (tentative), George
- Identity North Spring Workshop Apr 4-6
- European Identity Conference May 10-13, 2022 | Berlin
- https://identiverse.com/ June 21-24, 2022 Denver, Colorado.
Attendees
As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
Voting:
- Alec
- Steve
Non-voting participants:
- Nancy
- Scott
- Chris
- Hanfei
- Lenore
Regrets: