[Openid-specs-heart] Draft HEART Meeting Notes 2016-05-02

Sarah Squire sarah at engageidentity.com
Mon May 2 20:38:08 UTC 2016


Attending:

Cait Ryan
Tom Sullivan
Justin Richer
Sarah Squire
Dale Moberg
Debbie Bucci
Glen Marshall
Eve Maler
Scott Shorter
Nancy Lush
Thompson Boyd
Jin Wen
Kathleen Connor
Jim Kragh

Eve presented the current status of the use case. It now has technical
preconditions. We now have “sharing scenarios” rather than “use case
steps.” Eve read through some newer parts of the use case.

Eve:

We do have some sections that need discussion. Alice’s physician requires a
lot of Alice’s information and she wants to introduce her PHR to provide
that. The administrator will tell Alice about the resources and scopes they
need. We need to figure out who this sharing is directed to. Target?
Audience? Subject?

Debbie:

There’s been a lot of talk about what a developer would call these things,
but has anyone done research about consumers? Which boxes they would check
and what they would understand?

Glen:

I don’t know if consumers understand them at all, particularly in an
emergency situation.

Debbie:

There are consent directives and advanced directives.

Eve:

We could make this specific to the purpose we are looking at. What I’ve
chosen for starters is more in line with a proactive “share” button, rather
than Alice being reactive to being asked for information. Dr. Bob’s office
requests access in a verbal way, and Alice’s side shares her information in
a technical way. Another way to do it would be for Dr. Bob to try to get
access to Alice’s information, and have her approve it.

Access approval approach:

Pro:
  Alice only needs to provision something simple

Con:
  Requires Alice to interact after the fact
  Requires the doctor to know what they want

Tom:

This could be called a handshake. It implies initial trust.

Justin:

So, are we talking about client registration and discovery?

Eve:

Yes

Justin:

Can we just call it that?

Debbie:

So if you have hundreds of patients, would providers have to manage
hundreds of client credentials? Should we talk about that?

Eve had to leave, so the discussion was tabled. Justin presented the
refreshed version of the working group drafts.

Justin:

The major change here is to point out that HEART servers only have to be
HEART-compliant when talking to other HEART-compliant parties. This allows
multi-purpose servers to talk to non-HEART-compliant parties for other
purposes.

We have also made audience and subject optional. This is to prevent
possible privacy-compromising leakage of that information.

Sarah Squire
Engage Identity
http://engageidentity.com