[Openid-specs-heart] Draft HEART Meeting Notes 2017-03-27

Sarah Squire sarah at engageidentity.com
Mon Mar 27 20:38:09 UTC 2017


Debbie:

I think we’re headed in a pretty good direction with sensitive data and
confidentiality codes. The addition of several codes adds a layer that
we’ve been missing.

Eve:

So we have this notion of scopes that “cross-cut” resources. What Justin
has spec’d includes a very short list of core cross-cutting scopes, along
with the ability to point to other outside scopes through some registry
process. UMA is smarter about resources than OAuth. They are associated
directly to a specific resource, so they only need the action part of the
scope, and then in order to account for the cross-cutting scopes, it may
use those in addition. All other scopes are subsumed under the
cross-cutting scopes. They do have to be attached to a resource, but the way
they’re applied by Alice is “as wished.”

Debbie:

Is anybody else familiar with 42 CFR Part 2? My understanding is there is
a new final rule to be released soon? It’s possible there will be resource
servers that need to worry about confidentiality of resources and they may
require that to access some data.

Nancy:

It requires patient consent for the release of substance abuse records.
Then policy comes into play, so we need to know what organization we’re
dealing with.

Debbie:

So it may be that we’re helping with low-hanging fruit in a general way.

Eve:

We might want to give more thought to introspection, because it means we
have audit logs about what permissions were given to a token.

Nancy:

We need to be careful not to leak the existence of substance abuse data by
the existence of scopes. We can advertise that we support those scopes, but
not whether they apply to a particular user or resource.

Eve:

Right. We’re only advertising the ability to redact.

Nancy:

Is Alice saying I’m willing to share my substance abuse? Or is she saying
she will share everything but?

Eve:

She chooses to share things having to do with her substance abuse or not.

Sarah:

Right, so if you think of an average OAuth authorization screen, you would
see like name, emails, documents. In this case, you’d see name, emails,
documents, and “include substance abuse information” and if that last box
is unchecked, then all emails and documents would be shared except the ones
having to do with substance abuse.

Nancy:

Right, so looking at that UX, I’m not sure that “sensitive data” would mean
anything to an end user.

There are a wide variety of codes, and some of them are better defined than
others.

Debbie:

I think this is a good start.

Eve:

The system should also be able to change these codes as they change in
different healthcare standards. So I don’t think this should be normative.
I think it should be optional and we should give examples.

Debbie:

Does anyone else have business to bring up? Let’s call it a day.

Sarah Squire
Engage Identity
http://engageidentity.com