<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">For starters, the decision wasn’t about a single RS having a single AS, but a single Resource having a single AS. A resource server (RS) can have many resources.<div class=""><br class=""></div><div class=""> — Justin</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Dec 21, 2015, at 5:59 PM, Aaron Seib <<a href="mailto:aaron.seib@nate-trust.org" class="">aaron.seib@nate-trust.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<div lang="EN-US" link="blue" vlink="purple" class=""><div class="WordSection1"><div class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">I am hoping that this is helpful to others. <o:p class=""></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span></div><div class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">I think we are a work group divided by a common language at this point and maybe if we could get some concrete terms in place that relate to something for those of us who are at a loss when it comes to how some of the terms being used in various ways by different participants on the call (in what seem to be different ways probably because of the inexperience with the terms on my part anyhow) we might be able to accelerate a common set of terms.<o:p class=""></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span></div><div class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">I wrote this to try to ascertain if my understanding of the discussion about assuming a single AS for a given RS was correct and why. I also wanted to try to peel back the onion as far as the difference between an RS that related to multiple people (called Bulk Access for some unknowable reason as far as I am concerned) versus an RS that is constrained to a single person. 
And to see if I am even in the right neighborhood when it comes to understanding the relationship between a URI and the use of the Term Resource Server.<o:p class=""></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span></div><div class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">Please annotate, hyperlink, cross out or otherwise correct the attached and help me learn.<o:p class=""></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span></div><div class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">Thank you,<o:p class=""></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span></div><div class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">Aaron<o:p class=""></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span></div><div class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">Aaron Seib, CEO<o:p class=""></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">@CaptBlueButton <o:p class=""></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> (o) 301-540-2311<o:p class=""></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">(m) 301-326-6843<o:p class=""></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span></div><div class="MsoNormal"><b class=""><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class=""> Openid-specs-heart [<a href="mailto:openid-specs-heart-bounces@lists.openid.net" class="">mailto:openid-specs-heart-bounces@lists.openid.net</a>] <b class="">On Behalf Of </b>Sarah Squire<br class=""><b class="">Sent:</b> Monday, December 21, 2015 5:00 PM<br class=""><b class="">To:</b> <a href="mailto:openid-specs-heart@lists.openid.net" class="">openid-specs-heart@lists.openid.net</a><br class=""><b class="">Subject:</b> [Openid-specs-heart] Draft HEART Meeting Notes 2015-12-21<o:p class=""></o:p></span></div><div class="MsoNormal"><o:p class=""> </o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Attendees:</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Debbie Bucci</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Sarah Squire</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Justin Richer</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Eve 
Maler</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Glen Marshall</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Aaron Seib</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Kenneth Salyards</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Brandon Smith</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Adrian Gropper</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Thomas Sullivan</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Dale Moberg</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><b class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Group consensus decision: we will restrict HEART to use cases where one resource is only protected by one authorization server</span></b><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Glen:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">I’ll be working on my use case for quick discussion in January.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p 
class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Debbie:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Should we talk about one or more authorization servers?</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Aaron:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">It seems like sometimes HEART gets bogged down in things that would be better served by a policy group.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Glen:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">I was trying to find the boundaries between specs and policy.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Aaron:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">The API task force is dependent on the HEART group</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Glen:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, 
sans-serif;" class="">We need to consider the practical operations to move toward a better standardized technology</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Aaron:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Is there a difference between our approach to an individual as opposed to more than one person? We just need to serialize it.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Justin:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">What do you mean by serialize it? The fact that it is being transmitted means that it’s by definition serialization.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Aaron:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">I just meant we should go through the list one thing at a time.</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Eve:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Are you talking about separating the data so that it’s about one person?</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 
0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Aaron:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">That’s the way I understand a person would do it.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Eve:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">We could take the approach that if we’re patient-centric, then back channel transfer of data about multiple people. Should multiple people be out of scope?</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Debbie:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Except when the multiple people are “my family.”</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Justin:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">It’s in scope in our existing use cases.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Adrian:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Once we 
allow for multiple patients in a resource, a lot of people who are not as sophisticated are going to bundle discovery. The caregiver has nothing to do with discovery. As soon as you get to the user having role-based access, then there’s a discovery process.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Sarah:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Why wouldn’t you know what’s on the list?</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Adrian:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">If there’s a list, you need discovery</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Justin:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">There’s no discovery</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Adrian:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">From the client’s perspective, how does it know which authorization server to talk to?</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 
0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Sarah:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">There’s only one authorization server involved in this transaction</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Aaron:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">How do we comply with laws saying that medical records of wives should not be disclosed to abusive husbands?</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Sarah:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">By virtue of this system being patient-centered, the patient can control access to her data.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Justin:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">The resource server can deny an access token for any reason, so you could do it that way.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Glen:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span 
style="font-size: 11pt; font-family: Arial, sans-serif;" class="">If we had a case where there were multiple ASs, it would be possible to have a resource server prepared to interpret all of those rules, some of which may be mutually exclusive. There is no grammar for the combinatoric aspects of multiple ASs.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Justin:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">There is a project working on that called XACML. It doesn’t work at all.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Glen:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">XACML doesn’t handle policies coming out of left field like the domestic violence policy.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Adrian:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Why not work with the UMA we have now rather than involving this complicated problem?</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Glen:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" 
class="">I agree. What I was trying to get to is that there is a class of use cases that we shouldn’t be dealing with.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Justin:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">I agree there’s a class of use cases that we don’t have the right tools for. </span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Glen:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">In clinical research, we often grab bulk data, so solving for that is helpful.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Adrian:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Is there something about UMA 1.0.1 that works for the single authorization server use case</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Eve:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">I cannot figure out from this conversation what the multiple records use case is a problem.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div 
style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Justin:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">If a bulk request includes resources with multiple authorization servers, we don’t know which AS to talk to. If we define the bulk access record so that there’s only one AS, it works fine. Or if there’s an implicit AS it’s fine. Throughout all of this, we need to be very clear on the nature of the API that’s being protected when we’re designing security profiles.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Eve:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">If data is restricted but then aggregated, is that still UMA?</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Justin:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">That’s out of scope. 
That’s a cache consistency problem.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Eve:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">But we can do it with chained delegation.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Debbie:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Do they have to be in the same domain?</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Eve:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">They just have to be in the same ecosystem</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Eve:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">We’re talking about data portability of metadata. A resource set identifier is metadata that’s sensitive information that an AS knows about a user. You’d have to share it with another AS to be portable across networks. So we’re talking about something that I’ve worked on. It’s good that we’re talking about it. 
It’s not trivial for privacy or portability.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Sarah:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">It sounds like it’s not fully baked enough to be within scope for HEART, correct?</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Eve:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Correct.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Adrian:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Can we restrict HEART to use cases where a resource is only protected by one authorization server?</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Justin:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">I agree.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Eve:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 
11pt; font-family: Arial, sans-serif;" class="">I think that’s really reasonable. We know about IT that’s creaky. We shouldn’t be profiling anything that isn’t in the protocols we’re profiling.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Debbie:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">In doing implementations, we might be able to inform standards and update profiles.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Sarah:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Just to be clear, we are all in agreement that we will restrict HEART to use cases where a resource is only protected by one authorization server?</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Glen:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Within the domain? 
In the IRB case, we would have an authorization server.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Justin:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">That’s fine as long as we use separate resources.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Glen:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">I agree.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Debbie:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">The data might be replicated and the IRB might acknowledge that the patient has its own authorization server, but may replicate those authorizations locally.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Glen:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Let’s not try to address keeping data in sync.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Aaron:</span><o:p 
class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">So we have two resource types defined, one for an individual, and another for multiple individuals in one data set.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Glen:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Right, and that could be authorization for subsequent access.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Adrian:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">But there’s only ever one authorization server associated with one resource.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Justin:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Resources that are addressable.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Aaron:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">I run an Accountable Care Organization. I have three pieces of software. Each is a separate data source. 
I can aggregate them and protect them with one AS. I can’t protect one set of data with three ASs.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Aaron:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">FHIR has single and bulk resource types. Are they in the FHIR specs?</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Sarah:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Just do a text search for “user” and “patient”.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Justin:</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Actually, they are in the SMART on FHIR, not the vanilla FHIR specs.</span><o:p class=""></o:p></div><div class="MsoNormal"><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">Adrian:</span><o:p class=""></o:p></div><div class="MsoNormal"><span style="font-size: 11pt; font-family: Arial, sans-serif;" class="">SMART is trying to work out the EHR to EHR use cases. 
We can help as we make progress on that.</span><o:p class=""></o:p></div><div class=""><div class="MsoNormal"><span style="font-size: 11pt; font-family: Arial, sans-serif;" class=""><br clear="all" class=""></span><o:p class=""></o:p></div><div class=""><div class=""><div class=""><div class=""><div class="MsoNormal"><span style="color:#888888" class="">Sarah Squire<o:p class=""></o:p></span></div></div><div class=""><div class="MsoNormal"><span style="color:#888888" class="">Engage Identity<o:p class=""></o:p></span></div></div><div class=""><div class="MsoNormal"><span style="color:#888888" class=""><a href="http://engageidentity.com/" target="_blank" class=""><span style="color:#1155CC" class="">http://engageidentity.com</span></a><o:p class=""></o:p></span></div></div></div></div></div></div></div></div></div><span id="cid:5B6836C7-FEFD-4764-935A-370AD778AD1B@richer.local"><Seib's grasp of the discussion so today.docx></span>_______________________________________________<br class="">Openid-specs-heart mailing list<br class=""><a href="mailto:Openid-specs-heart@lists.openid.net" class="">Openid-specs-heart@lists.openid.net</a><br class="">http://lists.openid.net/mailman/listinfo/openid-specs-heart<br class=""></div></blockquote></div><br class=""></div></body></html>