[Openid-specs-heart] Persistence of Credentials

Aaron Seib aaron.seib at nate-trust.org
Mon Jun 29 23:05:04 UTC 2015

Glen – can you help me understand what you are asking?


Should HEART have a constraint on persistence of end-user credentials?


Maybe I am being Captain Obvious here or I am really stupid (or I am procrastinating on a writing assignment I was given that isn’t jumping out of my head the way I wish it would) but why on earth would we be considering the persistence of user attributes in this domain?


Not only do many of the attributes/credentials you list change over time, there is no reason that I can imagine why we need to store such information at an EMR/PHR when we have modern credential management processes.

Again, ready for my beating as I wasn’t on the call and am procrastinating on a writing assignment. :)


Are there proponents of this idea?  It just seems like another place for sensitive data to be breached from to me.  The only reason you might do it is that it is a convenience to the consumer and he granted you permission to store it, right?  I wouldn’t call that a credential anymore.  I might be using the language differently.




Aaron Seib, CEO

(o) 301-540-2311

(m) 301-326-6843


From: Openid-specs-heart [mailto:openid-specs-heart-bounces at lists.openid.net] On Behalf Of Glen Marshall [SRS]
Sent: Monday, June 29, 2015 4:43 PM
To: Debbie Bucci; openid-specs-heart at lists.openid.net
Subject: [Openid-specs-heart] Persistence of Credentials


In today's call I asked a question regarding the persistence of end-user identification credentials.  Some of the ones being discussed, e.g., driver's license, credit card, e-mail address, etc., have a significant likelihood of changing between patient visits.  End-users are also likely to fail to remember what credentials were used previously.

Given this, should HEART have a constraint on the persistence of end-user credentials?

There may be similar issues with client systems maintaining current credentials. 

Glen F. Marshall
Security Risk Solutions, Inc.
698 Fishermans Bend
Mount Pleasant, SC 29464
Tel: (610) 644-2452
Mobile: (610) 613-3084
gfm at securityrs.com

On 6/28/15 08:42, Debbie Bucci wrote:

When: 1 PM PST/4 PM EST 

Where: Gotomeeting – https://global.gotomeeting.com/join/785234357

US phone number: +1 (619) 550-0003. Access Code 785-234-357



Agenda:

*	Roll call
*	PHR or Patient Portal (client) to PCP or Patient portal (protected resource) Introduction
*	AOB


For tomorrow's call,  I would like us to focus on the following assumption/fact: The PHR is already recognized by the PCP prior to the patient's engagement.   

What are the sequence flows, scopes and policy decisions that need be prearranged/agreed upon to support the following during the patient registration process:

*	Update the patient portal from her PHR.
*	Update her PHR from the patient portal
*	Sync the patient portal with her PHR.

