<div dir="ltr"><div><div>Hi Aaron, Thanks for highlighting the important issue of discovery.<br><br>Discovery means: the user doesn't know who will be on the list.
That puts a lot of responsibility on the RS to do the right thing. In
HIEs for example, they insist the user is a practicing physician because
they want to reduce their liability if someone's name pops up on a list
that the user should not have seen.<br><br>I meant RO (resource owner), It makes no sense for the RS to send a notice to themselves.<br><br></div>Yes, RqP is the Requesting Party which is the party that controls the Client that is accessing the AS and the RS. The RqP might be the patient subject (the RO) themselves using an app or PHR but that case would be handled by OAuth. (We call that the Alice-to-Alice case). UMA is interesting because it allows the RqP user to be someone other than Alice therefore enabling true health information exchange. This is what makes HEART so useful and our HEART Profiles so important.<br><br></div>Adrian<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Dec 11, 2015 at 4:53 PM, Aaron Seib <span dir="ltr"><<a href="mailto:aaron.seib@nate-trust.org" target="_blank">aaron.seib@nate-trust.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div link="blue" vlink="purple" lang="EN-US"><div><span class=""><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Hi – I meant to ask you last week. When you say Discovery in the first bullet I am not sure I know what you mean. Can you expand on that for me? I think I get everything except that below.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I don’t know why we are trying to be so cryptic on the work group. This is unfortunate. <u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p></span><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">You use RO below and I think it might be a typo but have to confirm. Is it meant to have been </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">something else</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">?<u></u><u></u></span></p><span class=""><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">What is RqP an abbreviation of? Requesting Party?<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p></span><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Openid-specs-heart [<a href="mailto:openid-specs-heart-bounces@lists.openid.net" target="_blank">mailto:openid-specs-heart-bounces@lists.openid.net</a>] <b>On Behalf Of </b>Adrian Gropper<br><b>Sent:</b> Friday, December 11, 2015 3:37 PM<span class=""><br><b>To:</b> Moehrke, John (GE Healthcare)<br><b>Cc:</b> <a href="mailto:openid-specs-heart@lists.openid.net" target="_blank">openid-specs-heart@lists.openid.net</a><br></span><b>Subject:</b> Re: [Openid-specs-heart] "Scope" of sharing and purpose of use<u></u><u></u></span></p><p class="MsoNormal"><u></u> <u></u></p><div><span class=""><div><p class="MsoNormal" style="margin-bottom:12.0pt">Let me attempt at mediation :-)<u></u><u></u></p></div></span><div><p class="MsoNormal" style="margin-bottom:12.0pt">- We're talking about resources that have a single subject (the patient) Resources with more than one subject, such as a patient list are a completely different matter <span style="background:yellow">because they involve discovery</span><span style="color:#1f497d"> (I don’t get this? Discovery of what? The identity of each person in the list?)</span>. The special case of a mom with 2 kids can simply, if inelegantly, be handled by polling for each of the subjects. There's no discovery involved.<u></u><u></u></p></div><span class=""><div><p class="MsoNormal" style="margin-bottom:12.0pt">- The major difference between OAuth and UMA is that in UMA the resource is under the control of a separate legal entity. Therefore, when a client (and the client's user) shows up to request the resource, the client may present claims or attributes to either or both the resource server (RS) and/or the authorization server (AS). To say this another way: In UMA there's some kind of legal agreement between the resource server and the authorization server. In OAuth there is none because they are the same.<u></u><u></u></p></div></span><div><p class="MsoNormal" style="margin-bottom:12.0pt">- The sharing of control between the RS and the AS is subject to institutional, local, and federal controls. All of the situations that John listed boil down to "good faith" and "notice" to the <span style="background:yellow">RO</span> when the resource server acts on the instructions of the AS based on the actual attributes of the client (C)<i><span style="color:#1f497d"> by client attributes do you mean attributes of MSHV or of the User of MSHV, Aaron Seib?</span></i> and the client's user (RqP<span style="color:#1f497d"> – this is Aaron Seib, right? What does RqP stand for?</span>).<u></u><u></u></p></div><div><p class="MsoNormal">Adrian<u></u><u></u></p></div></div><div><div class="h5"><div><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">On Fri, Dec 11, 2015 at 3:01 PM, Moehrke, John (GE Healthcare) <<a href="mailto:John.Moehrke@med.ge.com" target="_blank">John.Moehrke@med.ge.com</a>> wrote:<u></u><u></u></p><div><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Hi Eve,</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">It is clear that there is a communications problem between those that are comfortable in the language of speaking about OAuth/UMA, and those that are comfortable in the language of speaking about Healthcare Access Control needs. I can read every word you have said, but I have no idea what you said.</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I think one of our problems is that we keep skipping from use-cases where the “user” is the “patient” trying to access their own data; and use-cases where the “user” is a clinician trying to help the “patient”. There are many MORE use-cases including parents, children, guardians. There are many MORE use-cases around researchers, public-health, billing, payers. And there are a huge variety of all of these. There are authorization mechanisms that stem from direct authorization by the patient, to indirect because of context, and the ultimate for healthcare ‘because their life is in jeopardy and I am a licensed clinician that can save their life’. Followed by many medical-ethical traps like having a personal discussion about a particularly tragic test result before the lab fact is directly exposed.</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">We need to solve all of these, however to solve any one would be helpful.</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">John</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Eve Maler [mailto:<a href="mailto:eve.maler@forgerock.com" target="_blank">eve.maler@forgerock.com</a>] <br><b>Sent:</b> Friday, December 11, 2015 11:43 AM<br><b>To:</b> Moehrke, John (GE Healthcare)<br><b>Cc:</b> <a href="mailto:openid-specs-heart@lists.openid.net" target="_blank">openid-specs-heart@lists.openid.net</a><br><b>Subject:</b> "Scope" of sharing and purpose of use</span><u></u><u></u></p><div><div><p class="MsoNormal"> <u></u><u></u></p><div><p class="MsoNormal">Hi John-- (I changed the subject line and deleted older parts of the thread.)<u></u><u></u></p><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">When you say "scope" here, I suspect you mean "scope" of the sharing use case, rather than something like an OAuth or UMA scope, so I'm just checking. So a "single-patient scope" means that the only human we're paying attention to in the use case is the patient, and "any application with users that are authorized to multiple patients" seems to mean a use case that involves party-to-party sharing, with multiple humans involved. However, you follow the latter with "would need to get multiple scopes", so I'm not sure. Note that "getting multiple scopes" as a technical construct doesn't have anything to do with sharing with an autonomous third party.<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">FWIW, here is how I think, at a high level, about <b>configuring the delegation of rights to access resources</b>. It's all about <b>parts of speech</b>.<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">OAuth lets a user (patient) do this configuration at run time while using a client app, by opting in to the authorization server's issuance of an access token to that app. By contrast, UMA lets a user (patient) do this configuration anytime, generally by instructing the authorization server to check whether some combination of the client app and the requesting party using the app meet various requirements (policy). So OAuth is kind of an attenuated version of UMA wrt the constraints on delegation of access rights.<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-family:"Courier New"">system subject verb object adjective</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Courier New"">OAuth client ID OAuth scopes (implicitly some endpoints) n/a</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Courier New""> (and always Alice)</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Courier New"">UMA claims-based eg Bob, UMA scopes over... UMA resource sets claims-based e.g. TPO,</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Courier New""> client ID/type, etc. time limitations, etc.</span><u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">It's possible to conflate purpose-of-use into the UMA scopes system, but it's as awkward as conflating (ordinarily implicit) resource sets into the OAuth scopes system (resource1.read, resource1.write, etc.), which is why OAuth has invented the audience parameter to try and solve the problem of a single authorization server protecting several APIs. This is why I suggest using a claims-based system above.<u></u><u></u></p></div><div><div><div><div><div><div><p><b>Eve Maler<br></b>ForgeRock Office of the CTO | VP Innovation & Emerging Technology<br>Cell <a href="tel:%2B1%20425.345.6756" target="_blank">+1 425.345.6756</a> | Skype: xmlgrrl | Twitter: @xmlgrrl<br>Join our <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__forgerock.org_openuma_&d=CwMFaQ&c=IV_clAzoPDE253xZdHuilRgztyh_RiV3wUrLrDQYWSI&r=B4hg7NQHul-cxfpT_e9Lh49ujUftqzJ6q17C2t3eI64&m=PHeMeoVZ7WGQVkHh4j1pjEo3WjxiOtW0zWBvptezqXM&s=BWKe_zUfK7VyJCEdTSN-5cG7TelP0b1X-x3kyeaODmk&e=" target="_blank">ForgeRock.org OpenUMA</a> community!<u></u><u></u></p></div></div></div></div></div><p class="MsoNormal"> <u></u><u></u></p><div><p class="MsoNormal">On Mon, Dec 7, 2015 at 2:00 PM, Moehrke, John (GE Healthcare) <<a href="mailto:John.Moehrke@med.ge.com" target="_blank">John.Moehrke@med.ge.com</a>> wrote:<u></u><u></u></p><div><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The discussion on the call today was too hard to break into. Even for a big mouth like me.</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I am okay with limiting our next couple of profiles to single patient scopes. As much of the email discussion has pointed out patient controlled access is our primary scope, and logically (if not technically) this is easy to understand with scopes that are single patient. </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Yes this means that any application with users that are authorized to multiple patients would need to get multiple scopes; so be it. For now… For Enterprise use, this is troubling; but for most uses that happen from outside of an enterprise or between enterprises this limitation is not unreasonable. The most common APIs in healthcare for this are already patient centric. So it is not a big problem.</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The user experience does not need to be impacted by this profiled limitation</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The future does not need to be impacted by this profiled limitation.</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Which means that one viewpoint for scope can be the identity of the patient that one is asking for access to. This is not the only scope we will ever support; but is one method that would satisfy some use-cases today.</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Another view on scope, that I have been involved with in other groups, is to use a high-level vocabulary that is used often in the Access Control policy – PurposeOfUse. This vocabulary is items like: Treatment, Payment, Research, Emergency, etc…</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">To go deeper than these two vectors through scopes in a general purpose healthcare access control infrastructure is futile.</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Next level deeper in scopes would come from workflow centric implementation guides. That is a specification that is defining a workflow, could define a scope(s) for that workflow.</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">John</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p></div></div><p class="MsoNormal" style="margin-bottom:12.0pt">_______________________________________________<br>Openid-specs-heart mailing list<br><a href="mailto:Openid-specs-heart@lists.openid.net" target="_blank">Openid-specs-heart@lists.openid.net</a><br><a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dheart&d=CwMFaQ&c=IV_clAzoPDE253xZdHuilRgztyh_RiV3wUrLrDQYWSI&r=B4hg7NQHul-cxfpT_e9Lh49ujUftqzJ6q17C2t3eI64&m=PHeMeoVZ7WGQVkHh4j1pjEo3WjxiOtW0zWBvptezqXM&s=b-IeKH8ALrT6jaP_pgYHavTt27UVQVYtlz9y5w5CRak&e=" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><u></u><u></u></p></div><p class="MsoNormal"> <u></u><u></u></p></div></div></div></div></div></div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>_______________________________________________<br>Openid-specs-heart mailing list<br><a href="mailto:Openid-specs-heart@lists.openid.net" target="_blank">Openid-specs-heart@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><u></u><u></u></p></div><p class="MsoNormal"><br><br clear="all"><br>-- <u></u><u></u></p><div><div><div><div><div><div><div><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">Adrian Gropper MD<br><br><span style="font-family:"Arial","sans-serif";color:#1f497d">PROTECT YOUR FUTURE - RESTORE Health Privacy!<br>HELP us fight for the right to control personal health data.<br>DONATE: <a href="http://patientprivacyrights.org/donate-2/" target="_blank"><span style="color:#0563c1">http://patientprivacyrights.org/donate-2/</span></a></span> <u></u><u></u></p></div></div></div></div></div></div></div></div></div></div></div><div class="MsoNormal" style="text-align:center" align="center"><hr style="color:#a0a0a0" align="center" size="1" noshade width="100%"></div><span class=""><p class="MsoNormal">No virus found in this message.<br>Checked by AVG - <a href="http://www.avg.com" target="_blank">www.avg.com</a><br>Version: 2016.0.7294 / Virus Database: 4483/11158 - Release Date: 12/11/15<u></u><u></u></p></span></div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><br><div dir="ltr">Adrian Gropper MD<span style="font-size:11pt"></span><br><br><span style="font-family:"Arial",sans-serif;color:#1f497d">PROTECT YOUR FUTURE - RESTORE Health Privacy!</span><span style="font-family:"Arial",sans-serif;color:#1f497d"><br>HELP us fight for the right to control personal health data.</span><span style="font-family:"Arial",sans-serif;color:#1f497d"></span><span style="font-family:"Arial",sans-serif;color:#1f497d"><br>DONATE:
<a href="http://patientprivacyrights.org/donate-2/" target="_blank"><span style="color:#0563c1">http://patientprivacyrights.org/donate-2/</span></a></span><span style="color:#1f497d"></span>
</div></div></div></div></div></div></div></div>
</div>