<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
Hi HEART people,</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
<br>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
I am coming out of my mainly listen-mode participation to ask some questions. By way of introduction, I have been involved with the design and specification of inter-organizational security solutions in the IETF (EDIINT- AS2 for logistics and supply chains),
Rosettanet (choreographed XML exchanges for business processes for high-tech), OASIS/UNCEFACT ebXML(same as rosettanet, but for any organizations), W3C (wsdl, ws-policy, ws-splat for rpc/doc/SOA/whatever), OMG and ISO(Unifi harmonization), UncefactMM/UBL(semantic
compositionality models) GS1(EPCIS, IOT) and similar efforts. But only recently addressing the healthcare domain with a focus of improving interoperability at both technical (security/protocol/API) and semantic to promote use of clinical data in Machine Learning
models of “actionable information”. Enough with the buzz words.</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
<br>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
<font face="Calibri,sans-serif">"</font><span style="color: rgb(0, 0, 0); font-family: Arial; font-size: 15px; line-height: 20px; white-space: pre-wrap;">We are not developing a standard. We are developing
</span><font face="Arial"><span style="font-size: 15px; line-height: 20px; white-space: pre-wrap;">a profile of a standard.”</span></font></div>
<div><font face="Arial" style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;"><span style="font-size: 15px; line-height: 20px; white-space: pre-wrap;">"</span></font><span style="color: rgb(0, 0, 0); font-family: Arial; font-size: 15px; line-height: 20px; white-space: pre-wrap;">HEART
is primarily about user-mediated exchange, </span><span style="color: rgb(0, 0, 0); font-family: Arial; font-size: 15px; line-height: 20px; white-space: pre-wrap;">but we can’t ignore clinical data exchange.</span><font face="Arial"><span style="font-size: 15px; line-height: 20px; white-space: pre-wrap;">”</span></font></div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
<span style="font-family: Arial; font-size: 15px; line-height: 20px; white-space: pre-wrap;"><br>
</span></div>
<div><span style="color: rgb(0, 0, 0); font-family: Arial; font-size: 15px; line-height: 20px; white-space: pre-wrap;">However, it does not seem we are profiling a standard (a relatively straightforward matter of subsetting a specific standard to trim out optionality,
and mandate the functionality organizational groups need, while remaining interoperable and open to multiple implementations), but instead saying how you want to use:</span></div>
<div><font face="Arial"><span style="font-size: 15px; line-height: 20px; white-space: pre-wrap;">UMA + FHIR + OAuth2 + JWT + ??? —together within
</span></font><span style="font-size: 15px; line-height: 20px; white-space: pre-wrap; font-family: Arial;">the registration, delegation, data contribution, and related data sharing scenarios. In other words, you want to build a way to apply several existing
standards and have them work together interoperably (like an IETF applicability statement).</span></div>
<div><font face="Arial"><span style="font-size: 15px; line-height: 20px; white-space: pre-wrap;"><br>
</span></font></div>
<div><font face="Arial"><span style="font-size: 15px; line-height: 20px; white-space: pre-wrap;">My first question concerns the IETF OAuth group’s RFC 7521 that “…</span></font>provides a framework for the use of assertions with OAuth 2.0 in the form of a new
client authentication mechanism and a new authorization grant type.” <font face="Arial">
<span style="font-size: 16px;"> Is it agreed to include RFC 7521 within our profile? RFC 7523 “</span></font><span style="font-family: Courier; font-size: small;">JSON Web Token (JWT) Profile
</span><font face="Courier" size="2">for OAuth 2.0 Client Authentication and Authorization Grants”
</font><font face="Arial">already specifies a way to use JWT; in my opinion, it would clash with IETF work to fork an alternative approach to using JWT. If you plan to do this, I would be interested in your reasons for doing so.</font></div>
<div><font face="Arial"><br>
</font></div>
<div><font face="Arial">The 7521/7523 profiling approach rapidly cuts down on our scope so that we do not have to worry how to specify using a signed JWT token to get an OAuth2 access token (via the newly defined grant type). If one of the four previously defined OAuth
2 (RFC 6749) grant types are to be used, we would have to explain what the JWT is doing in the process. All the other grant types involve client ids, secrets, usernames and password credentials in various combinations. Would they be combined with a JWT? How?
Why? This seems to be a lot of effort, and personally I need a little motivation for undertaking trying to work through that amount of complexity.</font></div>
<div><font face="Arial"><br>
</font></div>
<div>Now you could use those previous kinds of credentials and grant types in contacting a JWT issuing service (call it an “authentication authority”). Is that a step that needs explicit profiling in this group?</div>
<div><br>
</div>
<div>As far as Eve’s design patterns (organizational, role, individual entity), another way of slicing the designs up is by introducing an idea of “organizational or aggregated organizational security domain”.</div>
<div>I work for a company that creates “HIEs— health information exchanges”. Some of these HIEs span lab organizations, pharmacies, urgent cares, clinics, optometrists, hospitals etc. etc. Some emerging ones span different types of organizations involved in
different aspects of healthcare — notably provider organizations and payer organizations. Each organization has its own security domain, but the HIE normally has a separate security domain. The main security problem is then defining the “trust bridge” allowing
these distinct security domains to share their data, subject to HIPAA and CFR 42 kinds of privacy constraints.</div>
<div><br>
</div>
<div>To me, both the roles and individuals will be in an organizational context. The organizational context is typically identified by DNS domain names, and has a security domain within which credentials are submitted and checked. Typically the individuals
will have an identifier associated with the organization (e.g., email address) and role(s). When an individual from security domain A wishes to use resources within security domain B, it gets an organizational token (JWT) issued by domain A and then submits
it to domain B, which can authorize access for the individual. This is a hard security problem to get resolved interoperably. Is this “pattern” one that we should profile? If it is I am all in. But if we are only interested in an individual’s capability to
set policy within a specific security domain, the security problem will lack interoperability in emerging data exchanges accessed via APIs (including FHIR dstuX when it emerges).</div>
<div><br>
</div>
<div>Sorry for the detail but I have been as succinct as is consistent with explaining my questions.</div>
<div><br>
</div>
<div>I will attach a diagram I have used to ask this question to Eve Maler (hi Eve!). Hoping to move us forward in getting clear about our profiling activity. I realize this is not a pure waterfall design pattern (use cases driving everything below), but that
is not agile, and we should all be able to be agile as needed.</div>
<div><br>
</div>
<div>Dale Moberg</div>
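<div>The RFC 7523 exchange the message describes (an organizational assertion minted in security domain A and presented to domain B's token endpoint under the JWT bearer grant type, with domain B checking issuer, signature, audience, expiry and one-time use before issuing an access token), as an added example that is not part of the original message or of any HEART profile text. It assumes an HS256 shared key between the two domains, the constructed names hie-a.example and hie-b.example, and a caller-supplied clock, so that it runs on the standard library alone.</div>

```python
import base64, hashlib, hmac, json

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523 section 2.1 grant_type value

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_assertion(key, issuer, subject, audience, now, jti, ttl=300):
    """Domain A issues an organizational assertion carrying the claims RFC 7523 section 3 requires."""
    header = {"alg": "HS256", "typ": "JWT"}  # HS256 with a shared key is an assumption for a stdlib-only example
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl, "jti": jti}
    body = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    return body + "." + b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())

def token_request(assertion):
    """Form parameters the client POSTs to domain B's token endpoint instead of a password or client secret."""
    return {"grant_type": JWT_BEARER, "assertion": assertion}

def validate_grant(form, trusted_issuers, my_token_endpoint, now, seen_jti):
    """Domain B's checks before it issues an access token. Returns (claims, None) or (None, error)."""
    if form.get("grant_type") != JWT_BEARER:
        return None, "unsupported_grant_type"
    try:
        h, c, s = form.get("assertion", "").split(".")
        header, claims = (dict(json.loads(b64url_decode(p))) for p in (h, c))
        sig = b64url_decode(s)
    except (ValueError, TypeError):
        return None, "invalid_grant: malformed assertion"
    if header.get("alg") != "HS256":  # the verifier fixes the algorithm; never honour the token's own choice
        return None, "invalid_grant: unexpected alg"
    key = trusted_issuers.get(claims.get("iss"))  # issuer must be a pre-registered trust-bridge partner
    if key is None:
        return None, "invalid_grant: untrusted issuer"
    expected = hmac.new(key, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "invalid_grant: bad signature"
    if claims.get("aud") != my_token_endpoint:  # an assertion minted for some other domain is useless here
        return None, "invalid_grant: audience mismatch"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None, "invalid_grant: expired"
    if not claims.get("sub") or not claims.get("jti"):
        return None, "invalid_grant: missing sub or jti"
    if claims["jti"] in seen_jti:  # each assertion is accepted once
        return None, "invalid_grant: replayed jti"
    seen_jti.add(claims["jti"])
    return claims, None
```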
</body>
</html>