[Openid-specs-heart] Alice's health resource set

Debbie Bucci debbucci at gmail.com
Tue Aug 2 18:16:36 UTC 2016


Lost me again, Adrian -


We should also not ignore the Client-to-AS first flow. This is the
preferred flow from a privacy engineering perspective. (see other thread
with Justin). In the majority of cases of HIE, the Client has a
relationship with Alice already (this is typical of HIPAA TPO consent) or
the Client has found Alice via a "Relationship Locator Service" which is a
directory operated by the state or some private entity like CommonWell.
When the Client matches with Alice in the RLS, does the RLS return a list
of RSs or a pointer to Alice's AS?

The most privacy-preserving thing would be for RLSs to return pointers to
Alice's AS and in the future this is what Alice might insist on if she is
still given a choice to opt-in or opt-out of HIE. Alice does have that
choice today in the US. In other countries, not-so-much.


Are you suggesting the AS is some sort of proxy for all data - I don't
think you were saying that. At some point the Client would need a
relationship with the RS as well - correct? Is the Client to AS flow a
separate spec? Would you please provide the link? Looking at UMA 1.01 -
client needs a permission ticket first - that is generated from AS - to RS
to client (?)

