UMA telecon 2013-08-22

UMA telecon 2013-08-22

Date and Time

Agenda

  • Reminder: no meeting next week! Meet again Sep 5 (Thomas as chair pro tem)
  • Action item review
  • Interop planning
    • Leverage FHIR API (or some other standard API)?
    • uma-dev list?
  • Neil McEvoy on healthcare considerations
  • Demo video scripting
    • Plan first recording session
    • Discuss healthcare script and relation to solving health use cases from BB+ and elsewhere
    • OIDC-specific spiral to support an eventual OIDC-specific video or other material?
  • Cloud Authz TC inputs
    • Interest in XACML "co-profiling"?
  • UMAWG on Twitter
  • Dyn client reg status in the OAuth WG
  • AOB

Minutes

REMINDER: No meeting next week!

Action item review

Done; see that page. We looked at the GPII status. Eve recommends that if a GPII claim profile or other profile is written, let her know so she can list it on our Third-Party Profiles wiki page.

Interop planning

  • Leverage FHIR API (or some other standard API)?

  • uma-dev list?

The UMA-dev list is here. Everyone who wants to participate in the interop activities and/or talk about development questions should join!

George comments that it could be generally useful to pick a stock API subset as a target for RS's to implement. Eve wonders: Do we need to standardize scopes too, or let that be free? The latter might test more functionality around resource set registration in more "true" fashion, but might it stress out client development too much? UMA doesn't expose scopes to clients the way plain OAuth does. Keith notes that the GPII scenario involves a preferences server with its own API as well. Eve suggests that we pick an API that is complex enough to show differential scope handling, but simple enough not to require too much effort on the part of any client app developers, and RESTful for that reason.

What's at stake here is just the API design, not hosting the endpoints. Every RS that takes part in the interop would host its own. What about using the SmartPDS API? Maciej will ask Jacek to update and share the documentation for it so we can take a look.

The interop room can accommodate 30 people. Hotels will be the trickiest part for those traveling from afar, so if you're attending in person, book early!

Neil McEvoy on healthcare considerations

Neil recently started a "Cloud Identity" Kantara group, where they're working to put together a cohesive story around this topic. The topic is pretty open-ended. They're working on a white paper and such. He's also active in promoting cloud computing in key industries such as healthcare. He's run recent events on e-health, partnering with organizations such as Toronto's Global E-Health. As people become more "self-managing" in their own healthcare treatment, for example using "tricorders" to track and monitor their health status, the health and personal cloud topics sort of merge. And now there are standards being worked on around things like artificial pancreases! Folks working on this need to know about OAuth and UMA types of solutions around security. Eve notes that some healthcare providers have expressed to her, surprisingly, that they'd be willing to consume a feed of quantified-self data about their patients. Neil notes that the enterprise and patient-centric worlds are sort of separate for now. Ultimately, with all those feeds, there would be gigabytes of big data that the current systems don't have systems or capacity to handle. He sees a lot of interest in using all this cool patient data, in a sort of "open-source clinical trial" fashion.

Adrian advises some patients that have implanted defibrillators and other implants. Medtronic and others are resisting sharing data from these sources. Regarding UMA, to the extent that patients understand the "sovereignty" of the implanted device, wouldn't UMA want to play in that league? This perhaps relates to the "Device-Managed Access" use case we've discussed. In different countries and cultures, Neil notes that there may be different expectations of ownership around throttling/stopping access by a cloud service or the CDC or whatever to the data generated by such a device. This is something Adrian is working with the FTC and the ONC on standards for notice about health data usage.

Eve ran through the list of UMA scenarios that seem to be of interest in the health IT space:

  • Patient-to-self sharing
  • Patient-to-doctor sharing
  • Patient monitoring of access by third parties without necessarily being able to revoke access (e.g. the feed from an implanted device to a cloud service)
  • Patient monitoring specifically of access to deidentified versions of data by third parties such as the CDC
  • Producing authoritative evidence of patient's consent directives governing data sharing at a point in time

Demo video scripting

  • Plan first recording session
  • Discuss healthcare script and relation to solving health use cases from BB+ and elsewhere
  • OIDC-specific spiral to support an eventual OIDC-specific video or other material?

Maciej says that it's possible to "re-skin" the sample apps to serve different (lightweight) scenarios, e.g. for healthcare. Neil notes some recent interest in mobile apps developed against such APIs.

UMAWG on Twitter

If you're interested to take part in adding stuff to the UMAWG Twitter feed, let Eve know and she'll send you an invitation to the Meshfire tool!

Dyn client reg status in the OAuth WG

George is attending the meeting on this later today and we'll hope for an update after that.

Cloud Authz TC inputs

  • Interest in XACML "co-profiling"?

Keith and Eve will try to tackle this soon.

Attendees

  • Eve
  • Andrew
  • George
  • Keith
  • Sal
  • Lukasz
  • Maciej
  • Neil
  • Adrian

Regrets:

  • Marc Dobrinic

Next Meetings

  • No meeting on Thursday, August 29 - summer!
  • Focus meeting on Thursday, September 5, at 9am PT (time chart) - Eve regrets, Thomas willing to be chair pro tem
  • Focus meeting on Thursday, September 12, at 9am PT (time chart)
  • TBS...
  • Interop event at MIT on Oct 31-Nov 1

Â