UMA telecon 2022-04-06
UMA telecon 2022-04-06
Date and Time
- Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
- Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
United States: +1 (224) 501-3316, Access Code: 485-071-053
- See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar
Agenda
- Approve minutes since UMA telecon 2022-03-31
- Julie Use-case Report - review feedback
- UMA and Other Standards (UDAP, etc)
- Correlated Authorization
- Kantara Workshop at European Identity Conference
- AOB
Minutes
Roll call
- Quorum: No
Approve minutes
- Approve minutes of UMA telecon 2022-03-31
Deferred
Julie Use-case Report
Have resolved current comments, link to V0.3 Working Group Draft: Notes, drafts, and WIP
Do we have a goal to finalize the publication? Now that we have a WG draft, we've shared the
Comments from Tom
In general there is no accepted vocabulary for several assertions that were made in the doc' for example: scope - new ones are alluded to but not named. claims request - only the vaguest sort of example where given - missing real meat on the bones. AuthZ server - no real definitions at all. My solution would be to focus on the purpose of the data exchange and then the content would be predetermined. based on FHIR categorizations. for example data request by optometrist data required by ophthalmologist data required by physical therapist data required by pharmacist
We will add some more explicit commentary up front about what we have in/out of scope for this report, eg the assumption that high assurance identities are available and used in any healthcare exchange solution. Most of these terms are already well defined, so we have tried to refer the reader to more authoritative sources instead of redefining ourselves (eg the actual OAuth, HEART and UMA specs)
scope: not intending to speak about specific scopes. Have mentioned scopes as that is the OAuth mechanism to restrict data. Is the suggestion for more explicit discussion of specific scopes?
claims request: not our intention to discuss specifics of identity, policy or claims gathering
authZ server: there is a short definition in section 4, and say we inherit the definition from OAuth. Are there key items missing?
UMA and Other Standards (UDAP, etc)
This sheets starts to organize the comparison
https://docs.google.com/spreadsheets/d/1UWxhLoLFsVNmHulGvyS_3vx5hF9u2reFXT3gxc3bRnY/edit#gid=0
Where do we want to take this report? We showed it to the HEART group which has started a similar initiation to compare all the health care specs and show how they work together
Correlated Authorization Updates
https://github.com/umalabs/correlated-authorization
Please check it out if you have some time
European Identity Conference May 10-13, 2022 | Berlin
At minimum we've been asked for 5-10mins of an UMA WG update. Requires people who are in-person since there's no virtual presentation options (At least for the Kantara workshop)
We can take more time to discuss other topics.
AOB
Carin is running a health identity poc: https://www.carinalliance.com/our-work/digitalidentity/
UMA as a trust framework: UMA compliance implies a more dynamic wide ecosystem, even though it's not required.
There is a move to more dynamic trust-on-first-use style registration, with some third party trust (sometimes?). Eg UDAP defines an attestation system so a new client can demonstrate who they are and why the as would trust them.
There is also the idea of no third party attestation, where any client is valid if the RqP can meet the AS policy - which is a very UMAish concept.
There's still a lot of not-uma challenges around identity and general authorization policies eg can ANY physician access my record? what about with a break-the-glass directive? With UMA a patient could consent (or not) ahead of time to ER doctor access to the data.
Potential Future Work Items / Meeting Topics
- UMA vs (OAuth, OIDC, GNAP, UDAP, ....)
- compare protocols & features (eg a product comparison type matrix with
and 
's)
- compare protocols & features (eg a product comparison type matrix with
- Confluence clean up, archive old items and promote the latest & greatest
- Review of the email-poc correlated authorization specification
- A financial use-case report (following the Julie healthcare template)
- either open banking or pensions dashboard
- openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)
Upcoming Conferences
- Internet Identity Workshop 34 is April 26-28 | Mountain View, CA. UMA attendees: Alec, Steve(tentative), George
- Identity North Spring Workshop Apr 4-6
- European Identity Conference May 10-13, 2022 | Berlin
- https://identiverse.com/ June 21-24, 2022 Denver, Colorado.
Attendees
As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
Voting:
- Alec
- Steve
Non-voting participants:
- Nancy
- Scott
- Chris
- Hanfei
- Lenore
Regrets: