<p dir="ltr">Open service(s) that contain the information and metadata that would enable a service to whitelist, and/or methods to dynamically add new OIDC provider information on the fly, are exactly what is needed imo.</p>
<p dir="ltr">If I grant access to Dr Bob's office to access my PHR it seems quite ok to me to accept a credential that Bob is already using for his everyday activities.</p>
<p dir="ltr">It wasn't obvious to me, while glancing through the dynamic registration spec(s) that folks on this list were actively engaged/credited in developing, whether they cover these issues. We learned early on that many of the specs assume some info is already in hand.</p>
<p dir="ltr">Lessons learned: running a federation definitely (!) eased the burden on the researcher or consumer for easy access but put a huge burden on operations. </p>
<p dir="ltr">If there are already best practices and techniques in place to handle metadata and key management then we should point to it. If not I think it's in scope to address some of these pain points. <br></p>
<p dir="ltr">I glanced at the spec but it's not obvious to me if any of that is there. </p>
<div class="gmail_quote">On May 4, 2016 12:05 AM, "Adrian Gropper" <<a href="mailto:agropper@healthurl.com">agropper@healthurl.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div>I don't see any problem here. <br><br>The use of OpenID Connect as a recommended standard for provider authentication at the AS seems obvious and uncontroversial.<br><br></div>Every AS (be it institutional or patient-owned) can choose which ID providers to white-list as an OIDC IdP. <br><br></div>Every RS can choose to provide OIDC IdP services to the ASs that patients introduce.<br><br></div>A state medical society or HIE can choose to operate an OIDC IdP for their members. In MA, we actually have funding for such a project at the medical society waiting for HEART and related standards to make that practical.<br><br></div><div>Dynamic OIDC Client registration should be required by HEART to make it easy for all AS to participate.<br></div><div><br></div>Adrian<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 3, 2016 at 10:05 AM, Debbie Bucci <span dir="ltr"><<a href="mailto:debbucci@gmail.com" target="_blank">debbucci@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><span style="font-family:"Calibri",sans-serif"></span><font face="Calibri">I was actually focused on the authentication burden by the providers that will want/need to support their patient/consumers. 
</font></div><div><br></div><div><font face="Calibri">We had discussed a webfinger-like flow to enable discovery of consumer resources as part of the introduction piece... which in turn may indeed be an OIDC provider-AS for the consumer.</font></div><p><font face="Calibri"><br></font></p><div><br></div><div class="gmail_extra"><br><div class="gmail_quote"><span>On Tue, May 3, 2016 at 9:49 AM, Glen Marshall [SRS] <span dir="ltr"><<a href="mailto:gfm@securityrs.com" target="_blank">gfm@securityrs.com</a>></span> wrote:<br></span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div link="#0563C1" vlink="#954F72" lang="EN-US">
<div><span>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">Debbie,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">I share your concern. A secure AS registry infrastructure is needed for multiple AS instances, especially at scale.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
</span><p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"> I am very leery of the business case for them. In particular, what financial burden should the patients/subjects take on for the AS(s) they choose, and how
does the consumer evaluate AS product offerings? Also, since the chosen AS URIs can be used to help re-identify patients, we probably need a scheme to pseudonymize them in shared patient EHR & PHR data.<u></u><u></u></span></p><span>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">Glen<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;font-size:11pt">Glen F. Marshall<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;font-size:11pt">Consultant<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;font-size:11pt">Security Risk Solutions, Inc.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;font-size:11pt">698 Fishermans Bend<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;font-size:11pt">Mount Pleasant, SC 29464<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;font-size:11pt">Tel: <a href="tel:%28610%29%20644-2452" value="+16106442452" target="_blank">(610) 644-2452</a>
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;font-size:11pt">Mobile: <a href="tel:%28610%29%20613-3084" value="+16106133084" target="_blank">(610) 613-3084</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;font-size:11pt"><a href="mailto:gfm@securityrs.com" target="_blank">gfm@securityrs.com</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;font-size:11pt"><a href="http://www.securityrisksolutions.com/" target="_blank">www.SecurityRiskSolutions.com</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-family:"Calibri",sans-serif;font-size:11pt">From:</span></b><span style="font-family:"Calibri",sans-serif;font-size:11pt"> Openid-specs-heart [mailto:<a href="mailto:openid-specs-heart-bounces@lists.openid.net" target="_blank">openid-specs-heart-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Debbie Bucci<br>
<b>Sent:</b> Tuesday, May 3, 2016 09:37<br>
<b>To:</b> <a href="mailto:openid-specs-heart@lists.openid.net" target="_blank">openid-specs-heart@lists.openid.net</a><br>
<b>Subject:</b> [Openid-specs-heart] AS authentication<u></u><u></u></span></p><span>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Are there methods to register additional OIDC Providers as part of the dynamic client registration "dance", or open multiprotocol (sambits?) registries in place today where OIDC providers can register in advance to aid these types of
interactions? <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">The thought of a provider (or researcher) having to authenticate to potentially hundreds of [UMA] AS is worrisome and seems unmanageable at scale.
<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Perhaps I'm missing something ... <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
</span></span></div>
</div>
</blockquote></div><br></div></div>
<br>_______________________________________________<br>
Openid-specs-heart mailing list<br>
<a href="mailto:Openid-specs-heart@lists.openid.net" target="_blank">Openid-specs-heart@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><br><div dir="ltr">Adrian Gropper MD<span style="font-size:11pt"></span><br><br><span style="font-family:"Arial",sans-serif;color:#1f497d">PROTECT YOUR FUTURE - RESTORE Health Privacy!</span><span style="font-family:"Arial",sans-serif;color:#1f497d"><br>HELP us fight for the right to control personal health data.</span><span style="font-family:"Arial",sans-serif;color:#1f497d"></span><span style="font-family:"Arial",sans-serif;color:#1f497d"><br>DONATE:
<a href="http://patientprivacyrights.org/donate-2/" target="_blank"><span style="color:#0563c1">http://patientprivacyrights.org/donate-2/</span></a></span><span style="color:#1f497d"></span>
</div></div></div></div></div></div></div></div>
</div>
</blockquote></div>
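<p dir="ltr">An added example, not code from this thread or from the HEART specs, of the IdP whitelisting step discussed above: an AS checks a provider's OIDC discovery document against its allow-list before trusting it. The issuer URLs and the sample document are constructed, and the rule that endpoints must live on the issuer's own host is this example's policy, not a spec requirement.</p>

```python
from urllib.parse import urlparse

# Constructed allow-list of OIDC issuers this AS has chosen to accept
# (hypothetical URLs, not real providers).
ALLOWED_ISSUERS = {
    "https://idp.example-medical-society.org",
    "https://login.example-hie.org",
}

# Discovery-document fields the AS requires before it will use a provider.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
HOSTED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def _https_on_issuer_host(url, issuer):
    # Policy choice for this example: endpoints must be https on the issuer's own host.
    u, i = urlparse(url), urlparse(issuer)
    return u.scheme == "https" and u.netloc == i.netloc


def validate_provider_metadata(discovery_url, metadata):
    """Return a list of problems; an empty list means the provider may be accepted.

    discovery_url is the .well-known URL the AS fetched; metadata is its parsed JSON body.
    """
    problems = []
    issuer = metadata.get("issuer", "")
    if issuer not in ALLOWED_ISSUERS:
        problems.append("issuer not on the allow-list")
    # The issuer claimed in the document must be the one the AS actually looked up.
    if discovery_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        problems.append("discovery URL does not match issuer")
    for field in REQUIRED_FIELDS:
        if field not in metadata:
            problems.append(f"missing {field}")
    for field in HOSTED_ENDPOINTS:
        if field in metadata and not _https_on_issuer_host(metadata[field], issuer):
            problems.append(f"{field} is not https on the issuer's host")
    algs = metadata.get("id_token_signing_alg_values_supported", [])
    if not algs or "none" in algs:
        problems.append("unacceptable id_token signing algorithms")
    return problems


# Constructed sample discovery document for one allow-listed issuer.
SAMPLE_GOOD = {
    "issuer": "https://idp.example-medical-society.org",
    "authorization_endpoint": "https://idp.example-medical-society.org/authorize",
    "token_endpoint": "https://idp.example-medical-society.org/token",
    "jwks_uri": "https://idp.example-medical-society.org/jwks",
    "id_token_signing_alg_values_supported": ["RS256"],
}
```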