<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I just did a YouTube search on “How does WebFinger Work” but I didn’t get any matches.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>What I did find was this video: https://www.youtube.com/watch?v=9UHxLZj3qOo<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><img width=647 height=225 id="Picture_x0020_2" src="cid:image002.png@01D1EB51.B4743CD0"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The video makes it seem pretty straightforward. 
Given an email address that a Consumer supplies that is linked to their choice of AS we could get there, but I think there is a step missing.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Am I picturing this correctly when I start with a precondition and think of the process being: an App would have a place where it asks the consumer, if they already have an AS configured, what email address they use for the identifier, and if not, it asks the consumer to select an AS and configure it with their privacy preferences. The precondition naturally being that someone has federated the ‘registry (my word)’ that this lookup runs against so that the right AS can be discovered? When it finds the right source for the given identifier it returns this in the video:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><img width=629 height=244 id="Picture_x0020_3" src="cid:image003.png@01D1EB53.1866FAB0"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Is that essentially what </span>OpenID Connect is doing? 
Acting as the federator?<span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Aaron Seib, CEO<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>@CaptBlueButton <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> (o) 301-540-2311<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>(m) 301-326-6843<o:p></o:p></span></p><p class=MsoNormal><a href="nate-trust.org"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;text-decoration:none'><img border=0 width=205 height=48 id="Picture_x0020_1" src="cid:image001.jpg@01D1EB50.87BAEAA0" alt="cid:image001.jpg@01D10761.5BE2FE00"></span></a><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> agropper@gmail.com [mailto:agropper@gmail.com] <b>On Behalf Of </b>Adrian Gropper<br><b>Sent:</b> Sunday, July 31, 2016 2:20 PM<br><b>To:</b> Aaron Seib, NATE<br><b>Cc:</b> openid-specs-heart@lists.openid.net; Dixie Baker<br><b>Subject:</b> Re: [Openid-specs-heart] Notification in HEART and/or UMA<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Thanks, Aaron - 
I think you get it just fine - how we explain it may still be a challenge - see inline<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Sun, Jul 31, 2016 at 9:50 AM, Aaron Seib, NATE <<a href="mailto:aaron.seib@nate-trust.org" target="_blank">aaron.seib@nate-trust.org</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Adrian,<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>This is a very useful description of the HEART work: “HEART is all about giving everyone a choice of authorization server in the FHIR context.”<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I think it would be a great way to start a presentation about HEART that would provide a better understanding of what the project is about.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Before we move onto the rest of the thread here – which I think is just as important to understanding what is being proposed - can we deconstruct the meaning of two components of this sentence?<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p><span style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> </span>What does it mean to ‘give everyone a choice of authorization server’?<o:p></o:p></p></div></div><div><p class=MsoNormal>It means that when I begin a relationship with a service provider they don't expect to tell me who my email provider should be. 
I get to choose Google or an email from my college or run my own mail server and the service provider just has to deal with that. By giving the person the choice of authorization server, the service provider has to make contact in the Inbox that's convenient to the person. Imagine if every merchant and service provider could tell you where to sign in to check your messages from them. Oh, this is exactly how "secure messages" from our EHRs work today, never mind, you don't have to imagine. <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p><span style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> </span>What does it mean to do so ‘in the FHIR Context’?<o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal>FHIR is a standard for EHR interoperability. When a standard is available a service provider has the choice of using it or not. Email, for example, is an available standard but hospitals don't choose to use it even though the Office for Civil Rights has said unequivocally that patients have a right to request contact by plain insecure email. (There's still some kind of legal or regulatory challenge to be mounted on that front - but I digress.) Direct email was another standard that hospitals have chosen not to implement in a consumer-friendly way. Now we have the FHIR standard. We need to learn from our experience and the JASONs and the API Task Force and make sure that the FHIR implementations _can't_ discriminate between HIPAA-covered endpoints and patient-controlled endpoints. If we make HEART work for patient-directed exchange and the hospitals pull another Direct maneuver, it needs to be obvious to the regulators and politicians. 
<br> <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Next, I thought that this statement was very useful: ‘When she (<i>Alice</i>) engages with a FHIR service provider as a patient Alice provides three pieces of information:<o:p></o:p></p><p><span style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> </span>an identity<o:p></o:p></p><p><span style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> </span>a notification address<o:p></o:p></p><p style='margin-bottom:12.0pt'><span style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> </span>a resource registration address’<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>I want to make sure I understand what you mean when you later describe a potentially ideal solution as ‘Alice to provide an identity that automagically links to her Notification and Authorization addresses.’<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>If I am reading it correctly – I think you are asking if an email address supplied by Alice would be sufficient for the identity – I just want to make sure I understand the question. If I am keeping up, there would be some way that Alice associates this email address with her choice of Authorization server (that a FHIR-based resource server could use to resolve her privacy preferences) and incidentally be where the FHIR-based Resource Server would send notifications about the disclosures it made based on her privacy preferences found in the Authorization Server of her choice in association with the email address she chooses.<o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal>Yes. It's a standard called WebFinger that is already in OpenID Connect. HEART can build on WebFinger. 
There are other identity-related standards we can consider if necessary. <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>Thank you – this would be the kind of detail that I think we could share with folks like NATE’s members et al.<o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal style='margin-bottom:12.0pt'>I think HEART's patient-directed exchange is a huge opportunity for many of NATE's members. Somebody will need to make and sell those authorization servers :-)<o:p></o:p></p></div><div><p class=MsoNormal>Adrian <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>Aaron<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Aaron Seib, CEO</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>@CaptBlueButton </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> (o) <a href="tel:301-540-2311" target="_blank">301-540-2311</a></span><o:p></o:p></p><p class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>(m) <a href="tel:301-326-6843" target="_blank">301-326-6843</a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a href="http://nate-trust.org" target="_blank"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;text-decoration:none'><img border=0 width=205 height=48 id="_x0000_i1025" src="cid:image001.jpg@01D1EB50.87BAEAA0" alt="cid:image001.jpg@01D10761.5BE2FE00"></span></a><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Openid-specs-heart [mailto:<a href="mailto:openid-specs-heart-bounces@lists.openid.net" target="_blank">openid-specs-heart-bounces@lists.openid.net</a>] <b>On Behalf Of </b>Adrian Gropper<br><b>Sent:</b> Saturday, July 30, 2016 1:47 PM<br><b>To:</b> <a href="mailto:openid-specs-heart@lists.openid.net" target="_blank">openid-specs-heart@lists.openid.net</a><br><b>Cc:</b> Dixie Baker<br><b>Subject:</b> [Openid-specs-heart] Notification in HEART and/or UMA</span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div><div><div><div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>A new thread to consider Danny's very important reminder of how HEART will deal with Notification. 
<br><br>From Alice's perspective, when she engages with a FHIR service provider as a patient, Alice provides three pieces of information:<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>- an identity<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>- a notification address<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>- a resource registration address<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>That's a lot to ask. We're all used to providing an email address as an identity and a notification endpoint. We're also used to the typical OAuth authorization screen that sometimes appears after we use a federated identity such as Gmail. What we're not used to, yet, is being given a choice of OAuth authorization server the same way we have a choice of notification address. HEART is all about giving everyone a choice of authorization server in the FHIR context. It's the essence of being patient-centered and why the HEART charter says: "build, buy, or outsource" the AS.<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>The ideal situation IMHO would be for Alice to provide an identity that automagically links to her Notification and Authorization addresses. If that identity is an email address, then we have a simple, voluntary, and well-established way to explain HEART and to bootstrap the rest of the patient registration or consent to health information exchange process. Is there any realistic alternative to email? <o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>It's not clear at this time whether UMA will add a Notification endpoint to the UMA spec. If it does, then HEART can just use that. If it doesn't, then HEART will need to deal with Notification some other way. 
Either way, HEART will need to explain to FHIR resource servers how they are expected to bootstrap discovery of Alice's authorization server and, incidentally, her Notification address.<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Adrian<o:p></o:p></p><div><div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br> <o:p></o:p></p></div></div></div></div></div></div></div></div></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></body></html>