<div dir="ltr"><div><div><div><div>The HEART profiles stack needs to support a good user experience and the significant possibility that patients will have access to the API based on "HIPAA patient right of access" as initially clarified by OCR in the Sept 2013 "right to access" memo. This issue is central to the newly formed API Task Force co-chaired by Josh Mandel. The slides from their initial meeting yesterday are at <a href="https://www.healthit.gov/FACAS/sites/faca/files/APITF_Kickoff_2015-11-30%20Final.pptx" target="_blank">https://www.healthit.gov/FACAS/sites/faca/files/APITF_Kickoff_2015-11-30%20Final.pptx</a> and are well worth reading. <br><br></div>The HEART profiles don't need to wait until the API Task Force acts or when OCR decides to issue an API-specific "right to access" memo. HEART can, and I would suggest must, write the initial profiles to enable "patient right of access" and a good user experience. Our work is important to inform and complement the HL7 FHIR and Argonaut work.<br><br></div>HEART cannot assume that only "developers" have a right to create and register FHIR authorization servers and clients. Undoubtedly there will be registries or certification authorities for some clients and this may or may not be the subject of future HEART profiles, but the initial HEART profiles need to enable a good user experience under "patient right of access". <br><br></div>What this means is that the initial HEART profiles MUST support dynamic authorization server and dynamic client registration and apparently reference the OpenID Certification for OP Dynamic. Simply referencing OpenID Connect is helpful to the extent that it helps improve the user experience through the discovery features of OIDC, but it is not sufficiently specific to be a useful profile. 
<br><br></div>Adrian<br><div><br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 1, 2015 at 7:42 PM, Justin Richer <span dir="ltr"><<a href="mailto:jricher@mit.edu" target="_blank">jricher@mit.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">I agree with John. There are things that are required to be disabled in HEART that are required to be present in the baseline Connect, and probably vice versa.<div><br></div><div>But ultimately it’s much too early to fret about that part of the conversation. We’ll burn that bridge when we come to it.<span class="HOEnZb"><font color="#888888"><br><div><br></div><div> — Justin</div></font></span><div><div class="h5"><div><br><div><blockquote type="cite"><div>On Dec 1, 2015, at 5:53 PM, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>> wrote:</div><br><div>
<div style="word-wrap:break-word">I think HEART implementations will be able to pass a profile of the connect certification.<div><br></div><div>Some things like being required to support http basic authentication, may not be appropriate to test for HEART deployments if they MUST have that turned off and only use asymmetric </div><div>authentication as an example. </div><div><br></div><div>So it may be that a compliant HEART provider will not pass the Connect Dynamic profile.</div><div><br></div><div>HEART hasn’t made any decisions about conformance or deployment testing, so it is a bit premature to speculate. </div><div><br></div><div>However if I must it will probably require a new profile, much like the GSMA has created for Mobile Connect. That one is something that we need to keep from diverging.</div><div><br></div><div>John B.</div><div><br><div><blockquote type="cite"><div>On Dec 1, 2015, at 6:15 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:</div><br><div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,32,96)">I think it would be a sign of a significant problem if implementations of the HEART OpenID Connect profile can’t pass the pertinent OpenID Connect certifications. If people think that that is going to be the case, we should call out the reasons why as early as possible and jointly review them in the HEART and Connect working groups and see what can be done to remedy the situation. 
Remedies could involve spec work, certification work, or both.<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,32,96)"> </span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,32,96)">I don’t think that any of us want to have to explain to people why implementations of the HEART OpenID Connect profile can’t pass the pertinent OpenID Connect certifications. Code reuse is fine as far as it goes, but if we have to go there, it’s a sign of a significant failure on the part of the OpenID Foundation as a whole, at least as I see it.<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,32,96)"> </span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,32,96)">Hopefully there will be no impediments and all of this will have been an academic discussion, but if there are blocking issues, we need to get ahead of it as soon as possible – before the HEART specs go to Implementer’s Draft review.<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,32,96)"> </span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,32,96)"> Best wishes,<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,32,96)"> -- 
Mike<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><a name="1516023cd561bf49__MailEndCompose"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,32,96)"> </span></a></div><span></span><div><div style="border-style:solid none none;border-top-color:rgb(225,225,225);border-top-width:1pt;padding:3pt 0in 0in"><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><b><span style="font-size:11pt;font-family:Calibri,sans-serif">From:</span></b><span style="font-size:11pt;font-family:Calibri,sans-serif"><span> </span>Justin Richer [<a href="mailto:jricher@mit.edu" target="_blank">mailto:jricher@mit.edu</a>]<span> </span><br><b>Sent:</b><span> </span>Tuesday, December 1, 2015 12:25 PM<br><b>To:</b><span> </span>Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>><br><b>Cc:</b><span> </span>Adrian Gropper <<a href="mailto:agropper@healthurl.com" target="_blank">agropper@healthurl.com</a>>; <a href="mailto:openid-specs-heart@lists.openid.net" target="_blank">openid-specs-heart@lists.openid.net</a><br><b>Subject:</b><span> </span>Re: [Openid-specs-heart] HEART Profiles - OpenID Connect Certification<u></u><u></u></span></div></div></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">I actually think the conformance will be separate even in the OIDC case, but that’s not something that this group has decided yet and so it’s not something we can say for sure one way or the other.<u></u><u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">However, that doesn’t imply that the conformance tests 
or tools will be rewritten from scratch. Code re-use is still very powerful without formal cross-reference.<u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> — Justin<u></u><u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div><div><blockquote style="margin-top:5pt;margin-bottom:5pt"><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">On Dec 1, 2015, at 3:20 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" style="color:purple;text-decoration:underline" target="_blank">Michael.Jones@microsoft.com</a>> wrote:<u></u><u></u></div></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div><div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,32,96)">I assume that what you’re actually saying, Justin, is that OpenID Connect certification wouldn’t be appropriate for the OAuth or UMA profiles but that at least some Connect conformance profiles would be applicable for the OpenID Connect HEART profile. I say that, because I doubt that HEART would want to reproduce all the tests verifying standard OpenID Connect conformance. 
Is that correct or is there something I’m not understanding?</span><u></u><u></u></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,32,96)"> </span><u></u><u></u></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,32,96)"> Thanks,</span><u></u><u></u></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,32,96)"> -- Mike</span><u></u><u></u></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,32,96)"> </span><u></u><u></u></div><div><div style="border-style:solid none none;border-top-color:rgb(225,225,225);border-top-width:1pt;padding:3pt 0in 0in"><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><b><span style="font-size:11pt;font-family:Calibri,sans-serif">From:</span></b><span style="font-size:11pt;font-family:Calibri,sans-serif"><span> </span>Openid-specs-heart [<a href="mailto:openid-specs-heart-bounces@lists.openid.net" style="color:purple;text-decoration:underline" target="_blank">mailto:openid-specs-heart-bounces@lists.openid.net</a>]<span> </span><b>On Behalf Of<span> </span></b>Justin Richer<br><b>Sent:</b><span> </span>Tuesday, December 1, 2015 9:26 AM<br><b>To:</b><span> </span>Adrian Gropper <<a href="mailto:agropper@healthurl.com" style="color:purple;text-decoration:underline" target="_blank">agropper@healthurl.com</a>><br><b>Cc:</b><span> </span><a href="mailto:openid-specs-heart@lists.openid.net" style="color:purple;text-decoration:underline" target="_blank">openid-specs-heart@lists.openid.net</a><br><b>Subject:</b><span> </span>Re: [Openid-specs-heart] HEART Profiles - 
OpenID Connect Certification</span><u></u><u></u></div></div></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">On Dec 1, 2015, at 12:11 PM, Adrian Gropper <<a href="mailto:agropper@healthurl.com" style="color:purple;text-decoration:underline" target="_blank">agropper@healthurl.com</a>> wrote:<u></u><u></u></div><div><blockquote style="margin-top:5pt;margin-bottom:5pt"><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">This is a subthread specific to the OIDC Certification issues in the 3 profiles currently up for discussion.<u></u><u></u></div></div></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">OIDC certification has nothing to do with HEART compliance, except that possible future HEART certification systems will follow that model. 
We’re not requiring compliance with OIDC Certification, especially not for the OAuth2 profile.<u></u><u></u></div></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><br><br><br><u></u><u></u></div><blockquote style="margin-top:5pt;margin-bottom:5pt"><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">I'm trying to understand the HEART profile for OAuth 2.0 has numerous mentions of OpenID Connect including:<u></u><u></u></div><div><div style="margin-left:30pt"><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">"The authorization server MUST provide an OpenID Connect service discovery endpoint listing the components relevant to the OAuth protocol:"<u></u><u></u></div></div></div><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">as it relates to real-world implementations of an authorization server in the context of the HEART Use Cases.<u></u><u></u></div></div></div></div></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">Again, I ask you to point out the “numerous mentions” and why those are problems as I’ve already explained why we’re using the discovery service from OIDC.<u></u><u></u></div></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><br><br><br><u></u><u></u></div><blockquote style="margin-top:5pt;margin-bottom:5pt"><div><div><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div></div><div><p class="MsoNormal" style="margin:0in 0in 
12pt;font-size:12pt;font-family:'Times New Roman',serif">The OpenID Certification page<span> </span><a href="http://openid.net/certification/" style="color:purple;text-decoration:underline" target="_blank">http://openid.net/certification/</a><span> </span>lists both Google and MITREid Connect. The key difference seems to be that OP Dynamic is not implemented by Google.<u></u><u></u></p></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">In the context of building a resource owner's authorization server like HIE of One, the AS wants to make it easy and clear as it decides to add trusted OPs to its OP whitelist.<span> </span><br><br>Adding Google as an OP is certainly fussy. The steps involve access by the RO to a Credentials Page on their OP as detailed<span> </span><a href="https://developers.google.com/identity/protocols/OpenIDConnect?hl=en" style="color:purple;text-decoration:underline" target="_blank">https://developers.google.com/identity/protocols/OpenIDConnect?hl=en</a><span> </span>This is hardly a good user experience for a consumer that simply wants to tell her authorization server to trust Google as a source of user authentication.<span> </span><u></u><u></u></div></div></div></div></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">Agreed, but that’s something to bug Google about. It also means that you’ll be shipping your client credentials around with each copy of “HIE Of One” if you don’t want the individual copies to re-register by hand. 
<u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">Furthermore, Google doesn’t support the private_key_jwt method required by HEART at the moment anyway, so it’s a bit of a moot point.<u></u><u></u></div></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><br><br><br><u></u><u></u></div><blockquote style="margin-top:5pt;margin-bottom:5pt"><div><div><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">I presume that OPs that implement OP Dynamic such as MITREid Connect improve the fussy Google user experience. Let's consider a hospital called NPE (the resource server) that is willing to act as source of user authentication for access to their HEART-compliant API.<span> </span><br>1 - Alice (RO) would start by logging in to the NPE (RS) patient portal<u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">2 - Alice would provide the RS with something like a URI or an email address that enables the HEART-compliant RS to discover Alice's HEART-compliant AS (HIE of One).<u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">3 - Alice's AS would put up some kind of authorization form listing NPE as a willing OP Dynamic identity provider for any provider that NPE is willing to take responsibility for authenticating.<u></u><u></u></div></div><div><p class="MsoNormal" style="margin:0in 0in 12pt;font-size:12pt;font-family:'Times New Roman',serif">4 - If Alice approves this authorization form, then NPE is added to her AS whitelist of 
OPs.<u></u><u></u></p></div></div></div></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">That would work, but I don’t think it’s a full information flow. I know you’re not trying to show details here but I think that’s going to be required for this proposed system to be real. Best way to do that? Build it and run it! Also, it doesn’t mean that it’s whitelisted, it just means that it’s usable after being discovered and registered. This can all be done alongside statically registered systems, too. A whitelist means that users aren’t prompted for decisions, but if someone else on Alice’s OP logs in, you’d want to prompt them.<u></u><u></u></div></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><br><br><br><u></u><u></u></div><blockquote style="margin-top:5pt;margin-bottom:5pt"><div><div><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">If we're all together this far, we come up with some clarifying questions:<u></u><u></u></div></div></div></div></div></div></blockquote><blockquote style="margin-top:5pt;margin-bottom:5pt"><div><div><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">A - Why doesn't any well-known name on the OpenID Certified list implement OP Dynamic?<u></u><u></u></div></div></div></div></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">They have a belief that they don’t have to: all the RPs will come to them and they 
can control the dynamic. There are spurious justifications for this at most providers.<u></u><u></u></div></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><br><br><br><u></u><u></u></div><blockquote style="margin-top:5pt;margin-bottom:5pt"><div><div><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">B - If HIE of One could get the Django help we need to implement OP Dynamic would the sequence 1-4 above be testable against<span> </span><a href="http://healthauth.org/" style="color:purple;text-decoration:underline" target="_blank">healthauth.org</a><span> </span>with (alice/wonderland)?<u></u><u></u></div></div></div></div></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">Probably.<u></u><u></u></div></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><br><br><br><u></u><u></u></div><blockquote style="margin-top:5pt;margin-bottom:5pt"><div><div><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">C - When RSs implement the HEART profiles as currently proposed, will it be possible for Alice's AS to combine the authorization for NPE OP registration and NPE resource registration into a single form such as: <u></u><u></u></div></div></div></div></div></div></blockquote><blockquote style="margin-top:5pt;margin-bottom:5pt"><div><div><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New 
Roman',serif"><br><image.png><br>?<u></u><u></u></div></div></div></div></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">The short answer is yes. You’re conflating the form and the functionality that it provides. One form can trigger many things with the right server. <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> — Justin<u></u><u></u></div></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><br><br><br><u></u><u></u></div><blockquote style="margin-top:5pt;margin-bottom:5pt"><div><div><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">Adrian<u></u><u></u></div></div><div><p class="MsoNormal" style="margin:0in 0in 12pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></p></div><div><p class="MsoNormal" style="margin:0in 0in 12pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></p></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><br><br>--<span> </span><u></u><u></u></div><div><div><div><div><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">Adrian Gropper MD<br><br><span style="font-family:Arial,sans-serif;color:rgb(31,73,125)">PROTECT YOUR FUTURE - RESTORE Health Privacy!<br>HELP us fight for the right to control personal health 
data.<br>DONATE:<span> </span><a href="http://patientprivacyrights.org/donate-2/" style="color:purple;text-decoration:underline" target="_blank"><span style="color:rgb(5,99,193)">http://patientprivacyrights.org/donate-2/</span></a></span><u></u><u></u></div></div></div></div></div></div></div></div></div></div></div></div></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">_______________________________________________<br>Openid-specs-heart mailing list<br><a href="mailto:Openid-specs-heart@lists.openid.net" style="color:purple;text-decoration:underline" target="_blank">Openid-specs-heart@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" style="color:purple;text-decoration:underline" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><u></u><u></u></div></div></blockquote></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> <u></u><u></u></div></div></div></blockquote></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div></div></div></div></blockquote></div><br></div></div></div></blockquote></div><br></div></div></div></div></div>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><br><div dir="ltr">Adrian Gropper MD<br><br><span style="font-family:'Arial',sans-serif;color:#1f497d">PROTECT YOUR FUTURE - RESTORE Health Privacy!<br>HELP us fight for the right to control personal health data.<br>DONATE: <a href="http://patientprivacyrights.org/donate-2/" target="_blank"><span style="color:#0563c1">http://patientprivacyrights.org/donate-2/</span></a></span>
</div></div></div></div></div></div></div></div>
</div>
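<div>The thread turns on three things an OP advertises in its OpenID Connect discovery document: whether it offers dynamic registration ("OP Dynamic"), whether it supports the private_key_jwt method that Justin says HEART requires, and whether it still advertises shared-secret methods such as HTTP basic. The sketch below is an added example, not code from the thread, HEART or any project named in it; the metadata and registration field names come from OpenID Connect Discovery and RFC 7591, while the hosts, sample documents and function names are constructed, and the split into blocking and advisory findings is an assumption.</div>

```python
import json
from urllib.parse import urlsplit

# Constructed discovery documents (not fetched from any real provider).
STATIC_ONLY_OP = json.loads("""{
  "issuer": "https://op-static.example",
  "authorization_endpoint": "https://op-static.example/authorize",
  "token_endpoint": "https://op-static.example/token",
  "jwks_uri": "https://op-static.example/jwks"
}""")

DYNAMIC_OP = json.loads("""{
  "issuer": "https://npe.example",
  "authorization_endpoint": "https://npe.example/authorize",
  "token_endpoint": "https://npe.example/token",
  "jwks_uri": "https://npe.example/jwks",
  "registration_endpoint": "https://npe.example/register",
  "token_endpoint_auth_methods_supported":
      ["private_key_jwt", "client_secret_basic"]
}""")


def _is_https(url):
    """True only for an absolute https URL with a host part."""
    parts = urlsplit(url or "")
    return parts.scheme == "https" and bool(parts.netloc)


def assess_op(metadata):
    """Return (blocking, advisory) findings for one discovery document.

    Blocking: the AS cannot add this OP without manual steps.
    Advisory: settings the deployment may be required to turn off.
    """
    blocking, advisory = [], []
    for field in ("issuer", "authorization_endpoint",
                  "token_endpoint", "jwks_uri"):
        if not _is_https(metadata.get(field)):
            blocking.append(f"{field} missing or not https")

    # "OP Dynamic": without this endpoint every client is registered by hand.
    if "registration_endpoint" not in metadata:
        blocking.append("no registration_endpoint (static registration only)")
    elif not _is_https(metadata["registration_endpoint"]):
        blocking.append("registration_endpoint not https")

    # OIDC Discovery: when the list is omitted, the default is
    # client_secret_basic only, so absence counts as "no private_key_jwt".
    methods = metadata.get("token_endpoint_auth_methods_supported",
                           ["client_secret_basic"])
    if "private_key_jwt" not in methods:
        blocking.append("private_key_jwt not supported at the token endpoint")

    shared = sorted(m for m in methods if m.startswith("client_secret_"))
    if shared:
        advisory.append("shared-secret methods advertised: " + ", ".join(shared))
    return blocking, advisory


def registration_request(metadata, redirect_uri, client_jwks_uri):
    """Build the (url, JSON body) for an RFC 7591 registration request.

    Refuses to build a request for an OP that fails the blocking checks,
    so a client never falls back to a shared secret silently.
    """
    blocking, _ = assess_op(metadata)
    if blocking:
        raise ValueError("; ".join(blocking))
    body = {
        "client_name": "HIE of One (example client)",  # constructed value
        "redirect_uris": [redirect_uri],
        "grant_types": ["authorization_code"],
        "token_endpoint_auth_method": "private_key_jwt",
        "jwks_uri": client_jwks_uri,  # public keys only; no secret is shipped
    }
    return metadata["registration_endpoint"], body


if __name__ == "__main__":
    for name, doc in (("static", STATIC_ONLY_OP), ("dynamic", DYNAMIC_OP)):
        print(name, assess_op(doc))
    print(registration_request(DYNAMIC_OP, "https://as.example/cb",
                               "https://as.example/jwks"))
```

<div>Because each registration publishes only a jwks_uri, every installed copy of the authorization server can register with its own key pair instead of sharing one set of client credentials.</div>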