[Openid-specs-heart] Draft HEART Meeting Notes 2017-05-15

Sarah Squire sarah at engageidentity.com
Mon May 15 20:52:35 UTC 2017


Justin:

Today we’re talking about the purpose of use claim which was proposed by
Nancy and added to the UMA spec and then removed recently. The question is
whether to put it back in and how.

There is a difference between making the request, which is transactional in
nature, and having the ability to ask for something. These are about having
the ability to ask for something, which doesn’t fit the model. This is not
a good fit.

Nancy:

Would you recommend something like break-the-glass where it’s in claim and
scope?

Justin:

Yeah, then if there needed to be some type of claim that mapped to that,
that would be fine.

Debbie:

If a patient wants to say how they share their data, wouldn’t that be
purpose of use? If they set their preferences like in UMA?

Justin:

Yes, but how is that expressed?

Nancy:

I think there are times when the authorization is acting on the patient’s
consent, so the patient can share her records for the purpose of research.
If it’s a narrow ecosystem, it could be that they want a person to have a
particular role.

Adrian:

Would the purpose of use be presented to the AS or the RS?

Justin:

The way we had it before, it was presented to the AS because it was a claim.

Adrian:

And you had an issue with that?

Justin:

Yeah, it doesn’t make any sense.

Luis:

You could imagine a grant grid where Alice says which data she grants to
which class of users.

Justin:

Well, people can add their own schema to do that without us putting it in
the specification.

There may be something to this class of users, and I think we’re scratching
the surface of that with the er claim, but I don’t think we have enough
commonality of data to standardize this.

Nancy:

I still think we should keep it as a scope.

Sarah:

Keep in mind that people can do it, even if we don’t include it in the
specification. And if they do, they would still have to talk to each other
about what they mean by “purpose of use.” So us standardizing that claim
doesn’t really buy them much.

Justin:

So it sounds like we should leave it out for now, but let people try out
the implementer’s drafts and include purpose of use if it turns out to be a
consistent need. Debbie, do you agree, as the chair?

Debbie:

Yes, but I think we should add a note to let people know we’re thinking
about it.

Justin:

I think a note would be a good idea. I can add that.

I think that wraps it up for today.

Sarah Squire
Engage Identity
http://engageidentity.com