[Openid-specs-heart] DRAFT meeting minutes January 26, 2015

Debbie Bucci debbucci at gmail.com
Wed Jan 28 15:08:58 UTC 2015


Roll call/stats:  There were 21 on the call; 11/19 were voting members; 4
additional IPRs this week



Meeting notes approval by John Bradley



HEART Timeline  (Deb Bucci) The charter says 12-18 months for completion  -
that includes profiles implemented with working reference and
implementations in the wild.



Tentative schedule:

Now until April

•          Identify use cases

•          Technology level set

•          Divide use cases into obvious groupings – see if they can be
resolved with existing Profile work

•          Discuss existing pilot/demonstration – reference
implementations  that may inform profile

•          F2F @ HIMSS

May – Aug

•          Release first round of profiles

•          Start /encourage pilots

•          Dig into the more complex use cases

Sept – Dec

•          Work through the more complex use cases – possibly identify gaps
in standards

•          Release second round of profiles

Jan – ?

•          Assess and regroup



Common Terminology - (Eve Maler) Eve introduced various terms that would be
used within the different profiles and highlighted some of the commonalities
and differences.

·       IdP = identity provider

·       RP = relying party

·       user = user trying to achieve single sign-on (SSO)

·       RO = resource owner (user trying to achieve controlled sharing –
could be same as SSO user)

·       AS = authorization server (could be the same as IdP)

·       RS = resource server (could be the same as AS)

·       C = client

·       RqP = requesting party (user trying to achieve authorized access –
could be same as RO)



Comments from the discussion

•          OAuth has no IdP or RP – Client (API) – focus is to get to the
service

•          UMA introduces controlled sharing with someone else – introduced
Alice to Bob sharing – requesting party

•          There are clear use cases where multiple parties are doing the
authn/authz job

•          Software or a person may have multiple roles, for example – enable
sharing

•          Could apply to a Person/patient caregiver or provider.  Think of
Person as one class of user/resource.  This enables reuse to support other
use cases such as moving information between provider to provider – or
referrals without having to create new profiles.





Use Case Format (Deb and Eve)  - Deb provided an excerpt from the ACE use
case format for discussion as a possible format to gather use cases
http://datatracker.ietf.org/doc/draft-ietf-ace-usecases/?include_text=1



Feedback on doc:



The format is useful until it gets in the way of the work and should be
viewed with the appropriate lens.  It's good to get started to develop
common terms etc. but less useful to tightly bind with the profile creation
process.



Our approach going forward:

Deb will work with OIDF to understand how to access the wiki space and we
will define a template for those who wish to use it.   Suggested elements



Capture /classifying

•          Who are the actors

•          What data

•          What are the sticking points

•          Potential problems

•          Limitations



Where possible try to neutrally state the problem.

Write use cases from multiple perspectives

Identify use cases for multiple purposes

Use cases pass muster with subject matter experts. As we collect them, we
should vet them with authoritative sources.

Not necessary to be technology specific – write in plain English and
capture wants and goals



Suggested Initial Use cases:



Kathleen Connor has been the lead on the Privacy on FHIR use case/story
board.  That work has been vetted with clinicians within the VA.   Perhaps
we can put her on the spot for next week



Further explore the use cases Justin Richer introduced that are tied to
the  Secure RESTful Interface Profile –
http://secure-restful-interface-profile.github.io/pages/



Explore the Restful Health Exchange (RHEX) use case developed for the
Federal Health Architecture (FHA) a couple of years ago



Blue Button Restful API (is that the same as SMART?)  Use case



Virtual Clipboard is a potential candidate but that work is just
beginning.  Catherine Shulten will focus on her work with Virtual Patient
Registration



Eve suggested we should explore the National Cybersecurity Center of
Excellence (NCCOE) mobile PHR use case



Adrian Gropper is working on a High Security Use case



Deb Bucci will work with (? Did not capture who mentioned) on a home
healthcare use case.







We will take 15 minutes over the next few weeks for technology level set



•          OAuth – 2/2

•          OpenID Connect – 2/9

•          UMA – 2/16