[Openid-specs-heart] Alice's health resource set
Debbie Bucci
debbucci at gmail.com
Tue Aug 2 18:16:36 UTC 2016
Lost me again, Adrian -
We should also not ignore the Client-to-AS first flow. This is the
preferred flow from a privacy engineering perspective. (see other thread
with Justin). In the majority of cases of HIE, the Client has a
relationship with Alice already (this is typical of HIPAA TPO consent) or
the Client has found Alice via a "Relationship Locator Service" which is a
directory operated by the state or some private entity like CommonWell.
When the Client matches with Alice in the RLS, does the RLS return a list
of RSs or a pointer to Alice's AS?
The most privacy-preserving thing would be for RLSs to return pointers to
Alice's AS and in the future this is what Alice might insist on if she is
still given a choice to opt-in or opt-out of HIE. Alice does have that
choice today in the US. In other countries, not-so-much.
Are you suggesting the AS is some sort of proxy for all data - I don't
think you were saying that. At some point the Client would need a
relationship with the RS as well - correct? Is the Client to AS flow a
separate spec? Would you please provide the link? Looking at UMA 1.01 -
client needs a permission ticket first - that is generated from AS - to RS
to client (?)