[Openid-specs-heart] HEART Agenda 2015-07-27

Eve Maler eve.maler at forgerock.com
Mon Jul 27 05:44:18 UTC 2015


Adrian, I'm just reviewing that bit now. In #4, "Alice then authorizes her
PCP’s EHR (which now acts *as an authorization server* [*that's mention
number 2*]) to update her PHR (which now acts as a client) every time the
PCP’s EHR has new medical information (this information is a protected
resource) about Alice." That mention is either a) weird, because the EHR
would be acting as a resource server, rather than an authorization server,
if it's generating data that the PHR is being a client for, or b) perhaps
sensible, if we're freely mixing OAuth and UMA authorization servers in the
same use case and we've got both here. In the latter case, I think we're
going to have to get down to brass tacks and mention technologies
throughout to remove ambiguity.

The 15 comments are, in fact, the result of notes taken during calls, and
aren't questions pending any decisions. (As an aside, I would love to
reformat the use case at some point to mark the core and peripheral parts
more cleanly, but will wait on that...) So I don't think we're required to
resolve them before proceeding.


*Eve Maler*
ForgeRock Office of the CTO | VP Innovation & Emerging Technology
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
Join our ForgeRock.org OpenUMA <http://forgerock.org/openuma/> community!

On Sun, Jul 26, 2015 at 7:52 PM, Adrian Gropper <agropper at healthurl.com>
wrote:

> I look forward to the discussion.
>
> The shared doc has some 15 comments. Can these be resolved before the call
> or will they need some other process for resolution?
>
> I would like to propose the following topic for discussion around this
> use-case:
>
> The use-case, as it's written, presumes that there are as many
> Authorization Servers as there are Relying Parties (2). Is this consistent
> with the HEART charter? Is it practical? Is it necessary for some reason?
>
> Adrian
>
> On Sun, Jul 26, 2015 at 9:33 PM, Debbie Bucci <debbucci at gmail.com> wrote:
>
>> *Agenda :*
>>
>>    - Visual Roll call
>>    - OAuth Semantics/Approach - Eve Maler
>>    - AOB
>>
>>
>> Note to health subject matter experts - fair warning that we are going
>> to get in the technical weeds tomorrow. We plan to go slow - so please
>> join and ask questions. It's important for everyone to have a base
>> understanding.
>>
>> We will continue to focus on the Alice Enrolls with PCP use case but pull
>> back a bit and instead of focusing on OAUTH scopes - talk more about the
>> semantic approach we should take; separate the general security
>> layer/requirements from FHIR.
>>
>> Google Doc reference:
>> https://docs.google.com/document/d/1IvbdWerdvMuA1dQ-KQvVKqIBrAas7FoenNVUtgpqYrw/edit#heading=h.z5kasfweex6t
>>
>> We plan to start promptly at 4:00 and final wrap up at 4:55. We do hope
>> you will join us.
>>
>>
>> _______________________________________________
>> Openid-specs-heart mailing list
>> Openid-specs-heart at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-heart
>>
>>
>
>
> --
> Adrian Gropper MD
> Ensure Health Information Privacy. Support Patient Privacy Rights.
> http://patientprivacyrights.org/donate-2/
>