[Openid-specs-heart] Draft HEART Meeting Notes 2017-05-15
Justin Richer
jricher at mit.edu
Mon May 15 22:22:43 UTC 2017
Some “Purpose of Use” text has been added as an appendix to both the FHIR/OAuth and FHIR/UMA drafts. Please review this text to see if it’s sufficient.
— Justin
> On May 15, 2017, at 4:52 PM, Sarah Squire <sarah at engageidentity.com> wrote:
>
> Justin:
> Today we’re talking about the purpose of use claim which was proposed by Nancy and added to the UMA spec and then removed recently. The question is whether to put it back in and how.
>
> There is a difference between making the request, which is transactional in nature, and having the ability to ask for something. These are about having the ability to ask for something, which doesn’t fit the model. This is not a good fit.
>
> Nancy:
> Would you recommend something like break-the-glass where it’s in claim and scope?
>
> Justin:
> Yeah, then if there needed to be some type of claim that mapped to that, that would be fine.
>
> Debbie:
> If a patient wants to say how they share their data, wouldn’t that be purpose of use? If they set their preferences like in UMA?
>
> Justin:
> Yes, but how is that expressed?
>
> Nancy:
> I think there are times when the authorization is acting on the patient’s consent, so the patient can share her records for the purpose of research. If it’s a narrow ecosystem, it could be that they want a person to have a particular role.
>
> Adrian:
> Would the purpose of use be presented to the AS or the RS?
>
> Justin:
> The way we had it before, it was presented to the AS because it was a claim.
>
> Adrian:
> And you had an issue with that?
>
> Justin:
> Yeah, it doesn’t make any sense.
>
> Luis:
> You could imagine a grant grid where Alice says which data she grants to which class of users.
>
> Justin:
> Well, people can add their own schema to do that without us putting it in the specification.
>
> There may be something to this class of users, and I think we’re scratching the surface of that with the er claim, but I don’t think we have enough commonality of data to standardize this.
>
> Nancy:
> I still think we should keep it as a scope.
>
> Sarah:
> Keep in mind that people can do it, even if we don’t include it in the specification. And if they do, they would still have to talk to each other about what they mean by “purpose of use.” So us standardizing that claim doesn’t really buy them much.
>
> Justin:
> So it sounds like we should leave it out for now, but let people try out the implementer’s drafts and include purpose of use if it turns out to be a consistent need. Debbie, do you agree, as the chair?
>
> Debbie:
> Yes, but I think we should add a note to let people know we’re thinking about it.
>
> Justin:
> I think a note would be a good idea. I can add that.
>
> I think that wraps it up for today.
>
> Sarah Squire
> Engage Identity
> http://engageidentity.com